private/compat/28.0/28.0.compat.cil - platform/system/sepolicy - Git at Google

 ;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
 ;; will be compiled along with other normal policy files, on 28.0 vendors.
 ;;

 (typeattribute vendordomain)
 (typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
 (allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
 (allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
 (allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))

 (typeattributeset mlsvendorcompat (and appdomain vendordomain))
 (allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
 (allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
 (allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
 (allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
	;; complement CIL file for compatibility between ToT policy and 28.0 vendors.
	;; will be compiled along with other normal policy files, on 28.0 vendors.
	;;

	(typeattribute vendordomain)
	(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
	(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
	(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
	(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))

	(typeattributeset mlsvendorcompat (and appdomain vendordomain))
	(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
	(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
	(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
	(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))