[automerger skipped] crash_dump: disallow ptrace of TCB components am: f0e6a70ab5 am: 7f6df93026
am: db8835e0c3 -s ours
Change-Id: I29ed491f8e482f0233f5e68847b96f98c147b47b
diff --git a/Android.bp b/Android.bp
index 9952a8f..1785342 100644
--- a/Android.bp
+++ b/Android.bp
@@ -1 +1,4 @@
-subdirs = ["tests"]
+subdirs = [
+ "tests",
+ "build",
+]
diff --git a/Android.mk b/Android.mk
index e5b244b..f0c6a64 100644
--- a/Android.mk
+++ b/Android.mk
@@ -2,30 +2,6 @@
include $(LOCAL_PATH)/definitions.mk
-# PLATFORM_SEPOLICY_VERSION is a number of the form "NN.m" with "NN" mapping to
-# PLATFORM_SDK_VERSION and "m" as a minor number which allows for SELinux
-# changes independent of PLATFORM_SDK_VERSION. This value will be set to
-# 10000.0 to represent tip-of-tree development that is inherently unstable and
-# thus designed not to work with any shipping vendor policy. This is similar in
-# spirit to how DEFAULT_APP_TARGET_SDK is set.
-# The minor version ('m' component) must be updated every time a platform release
-# is made which breaks compatibility with the previous platform sepolicy version,
-# not just on every increase in PLATFORM_SDK_VERSION. The minor version should
-# be reset to 0 on every bump of the PLATFORM_SDK_VERSION.
-sepolicy_major_vers := 27
-sepolicy_minor_vers := 0
-
-ifneq ($(sepolicy_major_vers), $(PLATFORM_SDK_VERSION))
-$(error sepolicy_major_version does not match PLATFORM_SDK_VERSION, please update.)
-endif
-ifneq (REL,$(PLATFORM_VERSION_CODENAME))
- sepolicy_major_vers := 10000
- sepolicy_minor_vers := 0
-endif
-PLATFORM_SEPOLICY_VERSION := $(join $(addsuffix .,$(sepolicy_major_vers)), $(sepolicy_minor_vers))
-sepolicy_major_vers :=
-sepolicy_minor_vers :=
-
include $(CLEAR_VARS)
# SELinux policy version.
# Must be <= /sys/fs/selinux/policyvers reported by the Android kernel.
@@ -85,20 +61,12 @@
PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/public
ifneq ( ,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
-ifneq (1, $(words $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)))
-$(error BOARD_PLAT_PUBLIC_SEPOLICY_DIR must only contain one directory)
-else
PLAT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
endif
-endif
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
ifneq ( ,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
-ifneq (1, $(words $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)))
-$(error BOARD_PLAT_PRIVATE_SEPOLICY_DIR must only contain one directory)
-else
PLAT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
endif
-endif
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
@@ -113,6 +81,30 @@
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
+NEVERALLOW_ARG :=
+ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ifeq ($(TARGET_BUILD_VARIANT),user)
+$(error SELINUX_IGNORE_NEVERALLOWS := true cannot be used in user builds)
+endif
+$(warning Be careful when using the SELINUX_IGNORE_NEVERALLOWS flag. \
+ It does not work in user builds and using it will \
+ not stop you from failing CTS.)
+NEVERALLOW_ARG := -N
+endif
+
+# BOARD_SEPOLICY_DIRS was used for vendor/odm sepolicy customization before.
+# It has been replaced by BOARD_VENDOR_SEPOLICY_DIRS (mandatory) and
+# BOARD_ODM_SEPOLICY_DIRS (optional). BOARD_SEPOLICY_DIRS is still allowed for
+# backward compatibility, which will be merged into BOARD_VENDOR_SEPOLICY_DIRS.
+ifdef BOARD_SEPOLICY_DIRS
+BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
+endif
+endif
platform_mapping_file := $(BOARD_SEPOLICY_VERS).cil
@@ -126,9 +118,12 @@
$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
endef
-# Builds paths for all policy files found in BOARD_SEPOLICY_DIRS.
+# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_device_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+
+# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
+build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
# Add a file containing only a newline in-between each policy configuration
# 'contexts' file. This will allow OEM policy configuration files without a
@@ -176,48 +171,133 @@
with_asan := true
endif
+# Library extension for host-side tests
+ifeq ($(HOST_OS),darwin)
+SHAREDLIB_EXT=dylib
+else
+SHAREDLIB_EXT=so
+endif
+
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
LOCAL_MODULE_TAGS := optional
# Include SELinux policy. We do this here because different modules
-# need to be included based on the value of PRODUCT_FULL_TREBLE. This
+# need to be included based on the value of PRODUCT_SEPOLICY_SPLIT. This
# type of conditional inclusion cannot be done in top-level files such
# as build/target/product/embedded.mk.
# This conditional inclusion closely mimics the conditional logic
# inside init/init.cpp for loading SELinux policy from files.
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Use split SELinux policy
LOCAL_REQUIRED_MODULES += \
$(platform_mapping_file) \
- 26.0.cil \
- nonplat_sepolicy.cil \
+ $(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
+ plat_pub_versioned.cil \
+ vendor_sepolicy.cil \
plat_sepolicy.cil \
plat_and_mapping_sepolicy.cil.sha256 \
secilc \
- plat_sepolicy_vers.txt
-
-ifneq ($(with_asan),true)
-LOCAL_REQUIRED_MODULES += \
- treble_sepolicy_tests \
- sepolicy_tests
-endif
+ plat_sepolicy_vers.txt \
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat_and_mapping.sha256
endif
else
-# Use monolithic SELinux policy
-LOCAL_REQUIRED_MODULES += sepolicy
+# The following files are only allowed for non-Treble devices.
+LOCAL_REQUIRED_MODULES += \
+ sepolicy \
+ vendor_service_contexts
endif
LOCAL_REQUIRED_MODULES += \
- nonplat_file_contexts \
- plat_file_contexts
+ build_sepolicy \
+ vendor_file_contexts \
+ vendor_mac_permissions.xml \
+ vendor_property_contexts \
+ vendor_seapp_contexts \
+ vendor_hwservice_contexts \
+ plat_file_contexts \
+ plat_mac_permissions.xml \
+ plat_property_contexts \
+ plat_seapp_contexts \
+ plat_service_contexts \
+ plat_hwservice_contexts \
+ searchpolicy \
+ vndservice_contexts \
+
+ifneq ($(TARGET_BUILD_VARIANT), user)
+LOCAL_REQUIRED_MODULES += \
+ selinux_denial_metadata \
+
+endif
+
+ifneq ($(with_asan),true)
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+LOCAL_REQUIRED_MODULES += \
+ sepolicy_tests \
+ treble_sepolicy_tests_26.0 \
+ treble_sepolicy_tests_27.0 \
+
+endif
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+LOCAL_REQUIRED_MODULES += \
+ odm_sepolicy.cil \
+ odm_file_contexts \
+ odm_seapp_contexts \
+ odm_property_contexts \
+ odm_hwservice_contexts \
+ odm_mac_permissions.xml
+endif
+
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+LOCAL_REQUIRED_MODULES += \
+ sepolicy_freeze_test \
+
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ rm -f $@
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@ $<
+else # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+
+sepolicy_policy.conf :=
+built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+
##################################
# reqd_policy_mask - a policy.conf file which contains only the bare minimum
# policy necessary to use checkpolicy. This bare-minimum policy needs to be
@@ -229,10 +309,12 @@
reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(reqd_policy_mask.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(reqd_policy_mask.conf): $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
# b/37755687
@@ -255,10 +337,12 @@
plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_pub_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_pub_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
$(transform-policy-to-conf)
@@ -303,10 +387,12 @@
plat_policy.conf := $(intermediates)/plat_policy.conf
$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(plat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
+$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
@@ -314,14 +400,16 @@
$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o /dev/null -f /dev/null
built_plat_cil := $(LOCAL_BUILT_MODULE)
plat_policy.conf :=
@@ -379,6 +467,16 @@
#################################
include $(CLEAR_VARS)
+LOCAL_MODULE := 27.0.cil
+LOCAL_SRC_FILES := private/compat/27.0/27.0.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_PREBUILT)
+#################################
+include $(CLEAR_VARS)
+
LOCAL_MODULE := 26.0.cil
LOCAL_SRC_FILES := private/compat/26.0/26.0.cil
LOCAL_MODULE_CLASS := ETC
@@ -402,7 +500,9 @@
#################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_sepolicy.cil
+# plat_pub_versioned.cil - the exported platform policy associated with the version
+# that non-platform policy targets.
+LOCAL_MODULE := plat_pub_versioned.cil
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -410,46 +510,112 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# nonplat_policy.conf - A combination of the non-platform private, vendor and
-# the exported platform policy associated with the version the non-platform
-# policy targets. This needs attributization and to be combined with the
-# platform-provided policy. Like plat_pub_policy.conf, this needs to make use
-# of the reqd_policy_mask files from private policy in order to use checkpolicy.
-nonplat_policy.conf := $(intermediates)/nonplat_policy.conf
-$(nonplat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(nonplat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(nonplat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(nonplat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(nonplat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_policy.conf): PRIVATE_FULL_TREBLE := $(PRODUCT_FULL_TREBLE)
-$(nonplat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_mapping_cil)
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_plat_pub_vers_cil := $(LOCAL_BUILT_MODULE)
+
+#################################
+include $(CLEAR_VARS)
+
+# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vendor_policy.conf := $(intermediates)/vendor_policy.conf
+$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-nonplat_policy_raw := $(intermediates)/nonplat_policy_raw.cil
-$(nonplat_policy_raw): PRIVATE_POL_CONF := $(nonplat_policy.conf)
-$(nonplat_policy_raw): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(nonplat_policy_raw): $(HOST_OUT_EXECUTABLES)/checkpolicy $(nonplat_policy.conf) \
-$(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_plat_pub_vers_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+ $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil)
@mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@.tmp $(PRIVATE_POL_CONF)
- $(hide) grep -Fxv -f $(PRIVATE_REQD_MASK) $@.tmp > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(nonplat_policy_raw)
-$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_mapping_cil)
-$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(nonplat_policy_raw) \
-$(HOST_OUT_EXECUTABLES)/version_policy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil)
+built_vendor_cil := $(LOCAL_BUILT_MODULE)
+vendor_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
+# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_policy.conf := $(intermediates)/odm_policy.conf
+$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_plat_pub_vers_cil) \
+ $(built_mapping_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_pub_vers_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(odm_policy.conf) $(reqd_policy_mask.cil) $(plat_pub_policy.cil) \
+ $(built_plat_cil) $(built_plat_pub_vers_cil) $(built_mapping_cil) $(built_vendor_cil)
@mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
-built_nonplat_cil := $(LOCAL_BUILT_MODULE)
-nonplat_policy.conf :=
-nonplat_policy_raw :=
+built_odm_cil := $(LOCAL_BUILT_MODULE)
+odm_policy.conf :=
+odm_policy_raw :=
#################################
include $(CLEAR_VARS)
@@ -458,18 +624,33 @@
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(built_mapping_cil) $(built_nonplat_cil)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) \
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_mapping_cil) \
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+all_cil_files :=
#################################
# SHA-256 digest of the plat_sepolicy.cil and mapping_sepolicy.cil files against
@@ -480,7 +661,12 @@
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
include $(BUILD_SYSTEM)/base_rules.mk
@@ -502,12 +688,19 @@
all_cil_files := \
$(built_plat_cil) \
$(built_mapping_cil) \
- $(built_nonplat_cil)
+ $(built_plat_pub_vers_cil) \
+ $(built_vendor_cil)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
+$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
- $(hide) $< -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+ $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
$(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
$(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
echo "==========" 1>&2; \
@@ -525,6 +718,7 @@
include $(CLEAR_VARS)
# keep concrete sepolicy for neverallow checks
+# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
LOCAL_MODULE := sepolicy.recovery
LOCAL_MODULE_STEM := sepolicy
@@ -537,15 +731,21 @@
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
$(sepolicy.recovery.conf): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
- $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS))
+ $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
+ $(BOARD_ODM_SEPOLICY_DIRS))
$(transform-policy-to-conf)
$(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
+ $(hide) mv $@.neverallow $@
+endif
$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/sepolicy-analyze
@@ -578,9 +778,11 @@
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
-$(LOCAL_BUILT_MODULE): PRIVATE_FULL_TREBLE := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
$(LOCAL_BUILT_MODULE): $(call build_policy, $(sepolicy_build_files), \
$(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
@@ -625,7 +827,12 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $^ > $@
-device_fc_files := $(call build_device_policy, file_contexts)
+device_fc_files := $(call build_vendor_policy, file_contexts)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+device_fc_files += $(call build_odm_policy, file_contexts)
+endif
+
device_fcfiles_with_nl := $(call add_nl, $(device_fc_files), $(built_nl))
file_contexts.device.tmp := $(intermediates)/file_contexts.device.tmp
@@ -636,7 +843,8 @@
file_contexts.device.sorted.tmp := $(intermediates)/file_contexts.device.sorted.tmp
$(file_contexts.device.sorted.tmp): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
+$(file_contexts.device.sorted.tmp): $(file_contexts.device.tmp) $(built_sepolicy) \
+ $(HOST_OUT_EXECUTABLES)/fc_sort $(HOST_OUT_EXECUTABLES)/checkfc
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e $(PRIVATE_SEPOLICY) $<
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort $< $@
@@ -663,12 +871,30 @@
file_contexts.local.tmp :=
##################################
+ifneq ($(TARGET_BUILD_VARIANT), user)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux_denial_metadata
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
+
+$(LOCAL_BUILT_MODULE) : $(bug_files)
+ @mkdir -p $(dir $@)
+ cat $^ > $@
+
+bug_files :=
+endif
+##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -699,10 +925,10 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -710,22 +936,49 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_fc_files := $(call build_device_policy, file_contexts)
-nonplat_fcfiles_with_nl := $(call add_nl, $(nonplat_fc_files), $(built_nl))
+vendor_fc_files := $(call build_vendor_policy, file_contexts)
+vendor_fcfiles_with_nl := $(call add_nl, $(vendor_fc_files), $(built_nl))
-$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(nonplat_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(vendor_fcfiles_with_nl)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
-$(nonplat_fcfiles_with_nl) $(built_sepolicy)
+$(vendor_fcfiles_with_nl) $(built_sepolicy)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
$(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
$(hide) $(PRIVATE_FC_SORT) $@.tmp $@
-built_nonplat_fc := $(LOCAL_BUILT_MODULE)
-nonplat_fc_files :=
-nonplat_fcfiles_with_nl :=
+built_vendor_fc := $(LOCAL_BUILT_MODULE)
+vendor_fc_files :=
+vendor_fcfiles_with_nl :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_fc_files := $(call build_odm_policy, file_contexts)
+odm_fcfiles_with_nl := $(call add_nl, $(odm_fc_files), $(built_nl))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_FILES := $(odm_fcfiles_with_nl)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_FC_SORT := $(HOST_OUT_EXECUTABLES)/fc_sort
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/checkfc $(HOST_OUT_EXECUTABLES)/fc_sort \
+$(odm_fcfiles_with_nl) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_FC_FILES) > $@.tmp
+ $(hide) $< $(PRIVATE_SEPOLICY) $@.tmp
+ $(hide) $(PRIVATE_FC_SORT) $@.tmp $@
+
+built_odm_fc := $(LOCAL_BUILT_MODULE)
+odm_fc_files :=
+odm_fcfiles_with_nl :=
##################################
include $(CLEAR_VARS)
@@ -743,15 +996,28 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_file_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_file_contexts
+LOCAL_MODULE := vendor_file_contexts.recovery
+LOCAL_MODULE_STEM := vendor_file_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_fc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_fc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_file_contexts.recovery
+LOCAL_MODULE_STEM := odm_file_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_fc)
$(hide) cp -f $< $@
##################################
@@ -759,7 +1025,7 @@
LOCAL_MODULE := plat_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -780,10 +1046,10 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_seapp_contexts
+LOCAL_MODULE := vendor_seapp_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -791,19 +1057,42 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_sc_files := $(call build_policy, seapp_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(nonplat_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(vendor_sc_files)
$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
-$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(nonplat_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(vendor_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
@mkdir -p $(dir $@)
$(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
$(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
-built_nonplat_sc := $(LOCAL_BUILT_MODULE)
-nonplat_sc_files :=
+built_vendor_sc := $(LOCAL_BUILT_MODULE)
+vendor_sc_files :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_seapp_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_sc_files := $(call build_policy, seapp_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+plat_sc_neverallow_files := $(call build_policy, seapp_contexts, $(PLAT_PRIVATE_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_FILES := $(odm_sc_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_SC_NEVERALLOW_FILES := $(plat_sc_neverallow_files)
+$(LOCAL_BUILT_MODULE): $(built_sepolicy) $(odm_sc_files) $(HOST_OUT_EXECUTABLES)/checkseapp $(plat_sc_neverallow_files)
+ @mkdir -p $(dir $@)
+ $(hide) grep -ihe '^neverallow' $(PRIVATE_SC_NEVERALLOW_FILES) > $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkseapp -p $(PRIVATE_SEPOLICY) -o $@ $(PRIVATE_SC_FILES) $@.tmp
+
+built_odm_sc := $(LOCAL_BUILT_MODULE)
+odm_sc_files :=
##################################
include $(CLEAR_VARS)
@@ -826,7 +1115,7 @@
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -835,6 +1124,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
plat_pcfiles := $(call build_policy, property_contexts, $(PLAT_PRIVATE_POLICY))
+ifeq ($(PRODUCT_COMPATIBLE_PROPERTY),true)
+plat_pcfiles += $(LOCAL_PATH)/public/property_contexts
+endif
plat_property_contexts.tmp := $(intermediates)/plat_property_contexts.tmp
$(plat_property_contexts.tmp): PRIVATE_PC_FILES := $(plat_pcfiles)
@@ -843,10 +1135,10 @@
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(LOCAL_BUILT_MODULE): $(plat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
- $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $@
built_plat_pc := $(LOCAL_BUILT_MODULE)
plat_pcfiles :=
@@ -854,11 +1146,11 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -866,25 +1158,56 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_pcfiles := $(call build_policy, property_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_property_contexts.tmp := $(intermediates)/nonplat_property_contexts.tmp
-$(nonplat_property_contexts.tmp): PRIVATE_PC_FILES := $(nonplat_pcfiles)
-$(nonplat_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_property_contexts.tmp): $(nonplat_pcfiles)
+vendor_property_contexts.tmp := $(intermediates)/vendor_property_contexts.tmp
+$(vendor_property_contexts.tmp): PRIVATE_PC_FILES := $(vendor_pcfiles)
+$(vendor_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_property_contexts.tmp): $(vendor_pcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
+$(LOCAL_BUILT_MODULE): $(vendor_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
+ @mkdir -p $(dir $@)
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $@
+
+built_vendor_pc := $(LOCAL_BUILT_MODULE)
+vendor_pcfiles :=
+vendor_property_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_pcfiles := $(call build_policy, property_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_property_contexts.tmp := $(intermediates)/odm_property_contexts.tmp
+$(odm_property_contexts.tmp): PRIVATE_PC_FILES := $(odm_pcfiles)
+$(odm_property_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_property_contexts.tmp): $(odm_pcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_PC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_property_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_PLAT_PC := $(built_plat_pc)
+$(LOCAL_BUILT_MODULE): PRIVATE_BUILT_VENDOR_PC := $(built_vendor_pc)
+$(LOCAL_BUILT_MODULE): $(odm_property_contexts.tmp) $(built_sepolicy) $(built_plat_pc) $(built_vendor_pc) $(HOST_OUT_EXECUTABLES)/property_info_checker
@mkdir -p $(dir $@)
- $(hide) sed -e 's/#.*$$//' -e '/^$$/d' $< | sort -u -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -p $(PRIVATE_SEPOLICY) $@
+ $(hide) cp -f $< $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/property_info_checker $(PRIVATE_SEPOLICY) $(PRIVATE_BUILT_PLAT_PC) $(PRIVATE_BUILT_VENDOR_PC) $@
-built_nonplat_pc := $(LOCAL_BUILT_MODULE)
-nonplat_pcfiles :=
-nonplat_property_contexts.tmp :=
+built_odm_pc := $(LOCAL_BUILT_MODULE)
+odm_pcfiles :=
+odm_property_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -902,15 +1225,28 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_property_contexts.recovery
-LOCAL_MODULE_STEM := nonplat_property_contexts
+LOCAL_MODULE := vendor_property_contexts.recovery
+LOCAL_MODULE_STEM := vendor_property_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_nonplat_pc)
+$(LOCAL_BUILT_MODULE): $(built_vendor_pc)
+ $(hide) cp -f $< $@
+
+##################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := odm_property_contexts.recovery
+LOCAL_MODULE_STEM := odm_property_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_odm_pc)
$(hide) cp -f $< $@
##################################
@@ -919,7 +1255,7 @@
LOCAL_MODULE := plat_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -947,37 +1283,38 @@
plat_service_contexts.tmp :=
##################################
+# nonplat_service_contexts is only allowed on non-full-treble devices
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_service_contexts
+LOCAL_MODULE := vendor_service_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
-else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
-endif
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_svcfiles := $(call build_policy, service_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_service_contexts.tmp := $(intermediates)/nonplat_service_contexts.tmp
-$(nonplat_service_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_svcfiles)
-$(nonplat_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_service_contexts.tmp): $(nonplat_svcfiles)
+vendor_service_contexts.tmp := $(intermediates)/vendor_service_contexts.tmp
+$(vendor_service_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_svcfiles)
+$(vendor_service_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_service_contexts.tmp): $(vendor_svcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_service_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -s $(PRIVATE_SEPOLICY) $@
-built_nonplat_svc := $(LOCAL_BUILT_MODULE)
-nonplat_svcfiles :=
-nonplat_service_contexts.tmp :=
+built_vendor_svc := $(LOCAL_BUILT_MODULE)
+vendor_svcfiles :=
+vendor_service_contexts.tmp :=
+
+endif
##################################
include $(CLEAR_VARS)
@@ -985,7 +1322,7 @@
LOCAL_MODULE := plat_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1014,10 +1351,10 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_hwservice_contexts
+LOCAL_MODULE := vendor_hwservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1025,23 +1362,51 @@
include $(BUILD_SYSTEM)/base_rules.mk
-nonplat_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_hwsvcfiles := $(call build_policy, hwservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-nonplat_hwservice_contexts.tmp := $(intermediates)/nonplat_hwservice_contexts.tmp
-$(nonplat_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(nonplat_hwsvcfiles)
-$(nonplat_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_hwservice_contexts.tmp): $(nonplat_hwsvcfiles)
+vendor_hwservice_contexts.tmp := $(intermediates)/vendor_hwservice_contexts.tmp
+$(vendor_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(vendor_hwsvcfiles)
+$(vendor_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_hwservice_contexts.tmp): $(vendor_hwsvcfiles)
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(LOCAL_BUILT_MODULE): $(nonplat_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+$(LOCAL_BUILT_MODULE): $(vendor_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
@mkdir -p $(dir $@)
sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
$(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
-nonplat_hwsvcfiles :=
-nonplat_hwservice_contexts.tmp :=
+vendor_hwsvcfiles :=
+vendor_hwservice_contexts.tmp :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_hwservice_contexts
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+odm_hwsvcfiles := $(call build_policy, hwservice_contexts, $(BOARD_ODM_SEPOLICY_DIRS))
+
+odm_hwservice_contexts.tmp := $(intermediates)/odm_hwservice_contexts.tmp
+$(odm_hwservice_contexts.tmp): PRIVATE_SVC_FILES := $(odm_hwsvcfiles)
+$(odm_hwservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_hwservice_contexts.tmp): $(odm_hwsvcfiles)
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(odm_hwservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -l $(PRIVATE_SEPOLICY) $@
+
+odm_hwsvcfiles :=
+odm_hwservice_contexts.tmp :=
##################################
include $(CLEAR_VARS)
@@ -1049,7 +1414,7 @@
LOCAL_MODULE := vndservice_contexts
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
-ifeq ($(PRODUCT_FULL_TREBLE),true)
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
else
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1057,7 +1422,7 @@
include $(BUILD_SYSTEM)/base_rules.mk
-vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
@@ -1111,7 +1476,7 @@
##################################
include $(CLEAR_VARS)
-LOCAL_MODULE := nonplat_mac_permissions.xml
+LOCAL_MODULE := vendor_mac_permissions.xml
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1119,22 +1484,50 @@
include $(BUILD_SYSTEM)/base_rules.mk
# Build keys.conf
-nonplat_mac_perms_keys.tmp := $(intermediates)/nonplat_keys.tmp
-$(nonplat_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(nonplat_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
+$(vendor_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
@mkdir -p $(dir $@)
$(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
-all_nonplat_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
-$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_nonplat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(nonplat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
-$(all_nonplat_mac_perms_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
-nonplat_mac_perms_keys.tmp :=
-all_nonplat_mac_perms_files :=
+vendor_mac_perms_keys.tmp :=
+all_vendor_mac_perms_files :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_mac_permissions.xml
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Build keys.conf
+odm_mac_perms_keys.tmp := $(intermediates)/odm_keys.tmp
+$(odm_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_mac_perms_keys.tmp): $(call build_policy, keys.conf, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+ @mkdir -p $(dir $@)
+ $(hide) m4 -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
+
+all_odm_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_ODM_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
+$(all_odm_mac_perms_files)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+
+odm_mac_perms_keys.tmp :=
+all_odm_mac_perms_files :=
#################################
include $(CLEAR_VARS)
@@ -1144,83 +1537,25 @@
include $(BUILD_SYSTEM)/base_rules.mk
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_fc_files += $(built_odm_fc)
+endif
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+
sepolicy_tests := $(intermediates)/sepolicy_tests
-$(sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
+$(sepolicy_tests): ALL_FC_ARGS := $(all_fc_args)
$(sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests.py \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy)
+$(sepolicy_tests): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
@mkdir -p $(dir $@)
- $(hide) python $(HOST_OUT_EXECUTABLES)/sepolicy_tests.py -l $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) -p $(PRIVATE_SEPOLICY)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
+ $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
$(hide) touch $@
##################################
-ifeq ($(PRODUCT_FULL_TREBLE),true)
-include $(CLEAR_VARS)
-# For Treble builds run tests verifying that processes are properly labeled and
-# permissions granted do not violate the treble model. Also ensure that treble
-# compatibility guarantees are upheld between SELinux version bumps.
-LOCAL_MODULE := treble_sepolicy_tests
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MODULE_TAGS := tests
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-include $(BUILD_SYSTEM)/base_rules.mk
-
-# 26.0_plat - the platform policy shipped as part of the 26.0 release. This is
-# built to enable us to determine the diff between the current policy and the
-# 26.0 policy, which will be used in tests to make sure that compatibility has
-# been maintained by our mapping files.
-26.0_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/26.0/public
-26.0_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/26.0/private
-26.0_plat_policy.conf := $(intermediates)/26.0_plat_policy.conf
-$(26.0_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(26.0_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(26.0_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(26.0_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(26.0_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(26.0_plat_policy.conf): PRIVATE_FULL_TREBLE := true
-$(26.0_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
-$(26.0_PLAT_PUBLIC_POLICY) $(26.0_PLAT_PRIVATE_POLICY))
- $(transform-policy-to-conf)
- $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
-
-built_26.0_plat_sepolicy := $(intermediates)/built_26.0_plat_sepolicy
-$(built_26.0_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, technical_debt.cil , $(26.0_PLAT_PRIVATE_POLICY))
-$(built_26.0_plat_sepolicy): $(26.0_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, technical_debt.cil, $(26.0_PLAT_PRIVATE_POLICY))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o $@ -f /dev/null
-
-26.0_plat_policy.conf :=
-
-
-# 26.0_compat - the current plat_sepolicy.cil built with the compatibility file
-# targeting the 26.0 SELinux release. This ensures that our policy will build
-# when used on a device that has non-platform policy targetting the 26.0 release.
-26.0_compat := $(intermediates)/26.0_compat
-26.0_mapping.cil := $(LOCAL_PATH)/private/compat/26.0/26.0.cil
-26.0_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/26.0/26.0.ignore.cil
-26.0_nonplat := $(LOCAL_PATH)/prebuilts/api/26.0/nonplat_sepolicy.cil
-$(26.0_compat): PRIVATE_CIL_FILES := \
-$(built_plat_cil) $(26.0_mapping.cil) $(26.0_nonplat)
-$(26.0_compat): $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil) $(26.0_mapping.cil) $(26.0_nonplat)
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
-
-# 26.0_mapping.combined.cil - a combination of the mapping file used when
-# combining the current platform policy with nonplatform policy based on the
-# 26.0 policy release and also a special ignored file that exists purely for
-# these tests.
-26.0_mapping.combined.cil := $(intermediates)/26.0_mapping.combined.cil
-$(26.0_mapping.combined.cil): $(26.0_mapping.cil) $(26.0_mapping.ignore.cil)
- mkdir -p $(dir $@)
- cat $^ > $@
+intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
# plat_sepolicy - the current platform policy only, built into a policy binary.
# TODO - this currently excludes partner extensions, but support should be added
@@ -1230,10 +1565,12 @@
base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_plat_policy.conf): PRIVATE_FULL_TREBLE := true
+$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
$(BASE_PLAT_PUBLIC_POLICY) $(BASE_PLAT_PRIVATE_POLICY))
$(transform-policy-to-conf)
@@ -1242,65 +1579,101 @@
built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY))
+$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY))
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(BASE_PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
$(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
$(POLICYVERS) -o $@ $<
$(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -M true -G -c $(POLICYVERS) $@ -o $@ -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-treble_sepolicy_tests := $(intermediates)/treble_sepolicy_tests
-$(treble_sepolicy_tests): PRIVATE_PLAT_FC := $(built_plat_fc)
-$(treble_sepolicy_tests): PRIVATE_NONPLAT_FC := $(built_nonplat_fc)
-$(treble_sepolicy_tests): PRIVATE_SEPOLICY := $(built_sepolicy)
-$(treble_sepolicy_tests): PRIVATE_SEPOLICY_OLD := $(built_26.0_plat_sepolicy)
-$(treble_sepolicy_tests): PRIVATE_COMBINED_MAPPING := $(26.0_mapping.combined.cil)
-$(treble_sepolicy_tests): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
-$(treble_sepolicy_tests): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py \
-$(built_plat_fc) $(built_nonplat_fc) $(built_sepolicy) $(built_plat_sepolicy) \
-$(built_26.0_plat_sepolicy) $(26.0_compat) $(26.0_mapping.combined.cil)
- @mkdir -p $(dir $@)
- $(hide) python $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests.py -l \
- $(HOST_OUT)/lib64 -f $(PRIVATE_PLAT_FC) -f $(PRIVATE_NONPLAT_FC) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY)
- $(hide) touch $@
+all_fc_files := $(built_plat_fc) $(built_vendor_fc)
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_fc_files += $(built_odm_fc)
+endif
+all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
-26.0_PLAT_PUBLIC_POLICY :=
-26.0_PLAT_PRIVATE_POLICY :=
-26.0_compat :=
-26.0_mapping.cil :=
-26.0_mapping.combined.cil :=
-26.0_mapping.ignore.cil :=
-26.0_nonplat :=
+# Tests for Treble compatibility of current platform policy and vendor policy of
+# given release version.
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+
BASE_PLAT_PUBLIC_POLICY :=
BASE_PLAT_PRIVATE_POLICY :=
base_plat_policy.conf :=
-built_26.0_plat_sepolicy :=
plat_sepolicy :=
-endif # ($(PRODUCT_FULL_TREBLE),true)
+endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ @diff -rq $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+ @diff -rq $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ $(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
#################################
+
add_nl :=
-build_device_policy :=
+build_vendor_policy :=
+build_odm_policy :=
build_policy :=
built_plat_fc :=
-built_nonplat_fc :=
+built_vendor_fc :=
+built_odm_fc :=
built_nl :=
built_plat_cil :=
+built_plat_pub_vers_cil :=
built_mapping_cil :=
built_plat_pc :=
-built_nonplat_cil :=
-built_nonplat_pc :=
-built_nonplat_sc :=
+built_vendor_cil :=
+built_vendor_pc :=
+built_vendor_sc :=
+built_odm_cil :=
+built_odm_pc :=
+built_odm_sc :=
built_plat_sc :=
built_precompiled_sepolicy :=
built_sepolicy :=
+built_sepolicy_neverallows :=
built_plat_svc :=
-built_nonplat_svc :=
+built_vendor_svc :=
+built_plat_sepolicy :=
mapping_policy :=
my_target_arch :=
plat_pub_policy.cil :=
diff --git a/CleanSpec.mk b/CleanSpec.mk
index 0933115..c9ac5be 100644
--- a/CleanSpec.mk
+++ b/CleanSpec.mk
@@ -71,3 +71,52 @@
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/plat_sepolicy.cil.sha256)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/precompiled_sepolicy.plat.sha256)
$(call add-clean-step, rm -rf $(PRODUCT_OUT)/system/etc/selinux/mapping_sepolicy.cil)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/vendor/etc/selinux/nonplat_service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/ETC/nonplat_service_contexts_intermediates)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/NOTICE_FILES/src/vendor/etc/selinux/nonplat_service_contexts.txt)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/vendor_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/vendor_property_contexts)
+# For non-Treble devices.
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/vendor_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_sepolicy.cil)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_mac_permissions.xml)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(TARGET_OUT_VENDOR)/etc/selinux/nonplat_seapp_contexts)
+
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/recovery/root/nonplat_service_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_file_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_hwservice_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_property_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_seapp_contexts)
+$(call add-clean-step, rm -rf $(PRODUCT_OUT)/root/nonplat_service_contexts)
diff --git a/OWNERS b/OWNERS
index 4bd7e34..9d3f1b1 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,6 +1,9 @@
-nnk@google.com
-jeffv@google.com
-klyubin@google.com
+alanstokes@google.com
+bowgotsai@google.com
dcashman@google.com
jbires@google.com
+jeffv@google.com
+jgalenson@google.com
sspatil@google.com
+tomcherry@google.com
+trong@google.com
diff --git a/build/Android.bp b/build/Android.bp
new file mode 100644
index 0000000..d3f1fc3
--- /dev/null
+++ b/build/Android.bp
@@ -0,0 +1,34 @@
+// Copyright (C) 2018 The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+python_binary_host {
+ name: "build_sepolicy",
+ srcs: [
+ "build_sepolicy.py",
+ "file_utils.py",
+ ],
+ required: [
+ "checkpolicy",
+ "secilc",
+ "version_policy",
+ ],
+ version: {
+ py2: {
+ enabled: true,
+ },
+ py3: {
+ enabled: false,
+ },
+ },
+}
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
new file mode 100644
index 0000000..ff2ff07
--- /dev/null
+++ b/build/build_sepolicy.py
@@ -0,0 +1,140 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""Command-line tool to build SEPolicy files."""
+
+import argparse
+import os
+import subprocess
+import sys
+
+import file_utils
+
+
+# All supported commands in this module.
+# For each command, need to add two functions. Take 'build_cil' for example:
+# - setup_build_cil()
+# - Sets up command parsers and sets default function to do_build_cil().
+# - do_build_cil()
+_SUPPORTED_COMMANDS = ('build_cil',)
+
+
+def run_host_command(args, **kwargs):
+ """Runs a host command and prints output."""
+ if kwargs.get('shell'):
+ command_log = args
+ else:
+ command_log = ' '.join(args) # For args as a sequence.
+
+ try:
+ subprocess.check_call(args, **kwargs)
+ except subprocess.CalledProcessError as err:
+ sys.stderr.write(
+ 'build_sepolicy - failed to run command: {!r} (ret:{})\n'.format(
+ command_log, err.returncode))
+ sys.exit(err.returncode)
+
+
+def do_build_cil(args):
+ """Builds a sepolicy CIL (Common Intermediate Language) file.
+
+ This functions invokes some host utils (e.g., secilc, checkpolicy,
+ version_sepolicy) to generate a .cil file.
+
+ Args:
+ args: the parsed command arguments.
+ """
+ # Determines the raw CIL file name.
+ input_file_name = os.path.splitext(args.input_policy_conf)[0]
+ raw_cil_file = input_file_name + '_raw.cil'
+ # Builds the raw CIL.
+ file_utils.make_parent_dirs(raw_cil_file)
+ checkpolicy_cmd = [args.checkpolicy_env]
+ checkpolicy_cmd += [os.path.join(args.android_host_path, 'checkpolicy'),
+ '-C', '-M', '-c', args.policy_vers,
+ '-o', raw_cil_file, args.input_policy_conf]
+ # Using shell=True to setup args.checkpolicy_env variables.
+ run_host_command(' '.join(checkpolicy_cmd), shell=True)
+ file_utils.filter_out([args.reqd_mask], raw_cil_file)
+
+ # Builds the output CIL by versioning the above raw CIL.
+ output_file = args.output_cil
+ if output_file is None:
+ output_file = input_file_name + '.cil'
+ file_utils.make_parent_dirs(output_file)
+
+ run_host_command([os.path.join(args.android_host_path, 'version_policy'),
+ '-b', args.base_policy, '-t', raw_cil_file,
+ '-n', args.treble_sepolicy_vers, '-o', output_file])
+ if args.filter_out_files:
+ file_utils.filter_out(args.filter_out_files, output_file)
+
+ # Tests that the output file can be merged with the given CILs.
+ if args.dependent_cils:
+ merge_cmd = [os.path.join(args.android_host_path, 'secilc'),
+ '-m', '-M', 'true', '-G', '-N', '-c', args.policy_vers]
+ merge_cmd += args.dependent_cils # the give CILs to merge
+ merge_cmd += [output_file, '-o', '/dev/null', '-f', '/dev/null']
+ run_host_command(merge_cmd)
+
+
+def setup_build_cil(subparsers):
+ """Sets up command args for 'build_cil' command."""
+
+ # Required arguments.
+ parser = subparsers.add_parser('build_cil', help='build CIL files')
+ parser.add_argument('-i', '--input_policy_conf', required=True,
+ help='source policy.conf')
+ parser.add_argument('-m', '--reqd_mask', required=True,
+ help='the bare minimum policy.conf to use checkpolicy')
+ parser.add_argument('-b', '--base_policy', required=True,
+ help='base policy for versioning')
+ parser.add_argument('-t', '--treble_sepolicy_vers', required=True,
+ help='the version number to use for Treble-OTA')
+ parser.add_argument('-p', '--policy_vers', required=True,
+ help='SELinux policy version')
+
+ # Optional arguments.
+ parser.add_argument('-c', '--checkpolicy_env',
+ help='environment variables passed to checkpolicy')
+ parser.add_argument('-f', '--filter_out_files', nargs='+',
+ help='the pattern files to filter out the output cil')
+ parser.add_argument('-d', '--dependent_cils', nargs='+',
+ help=('check the output file can be merged with '
+ 'the dependent cil files'))
+ parser.add_argument('-o', '--output_cil', help='the output cil file')
+
+ # The function that performs the actual works.
+ parser.set_defaults(func=do_build_cil)
+
+
+def run(argv):
+ """Sets up command parser and execuates sub-command."""
+ parser = argparse.ArgumentParser()
+
+ # Adds top-level arguments.
+ parser.add_argument('-a', '--android_host_path', default='',
+ help='a path to host out executables')
+
+ # Adds subparsers for each COMMAND.
+ subparsers = parser.add_subparsers(title='COMMAND')
+ for command in _SUPPORTED_COMMANDS:
+ globals()['setup_' + command](subparsers)
+
+ args = parser.parse_args(argv[1:])
+ args.func(args)
+
+
+if __name__ == '__main__':
+ run(sys.argv)
diff --git a/build/file_utils.py b/build/file_utils.py
new file mode 100644
index 0000000..1559a9b
--- /dev/null
+++ b/build/file_utils.py
@@ -0,0 +1,49 @@
+# Copyright 2018 - The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+"""File-related utilities."""
+
+
+import os
+import shutil
+import tempfile
+
+
+def make_parent_dirs(file_path):
+ """Creates parent directories for the file_path."""
+ if os.path.exists(file_path):
+ return
+
+ parent_dir = os.path.dirname(file_path)
+ if parent_dir and not os.path.exists(parent_dir):
+ os.makedirs(parent_dir)
+
+
+def filter_out(pattern_files, input_file):
+ """"Removes lines in input_file that match any line in pattern_files."""
+
+ # Prepares patterns.
+ patterns = []
+ for f in pattern_files:
+ patterns.extend(open(f).readlines())
+
+ # Copy lines that are not in the pattern.
+ tmp_output = tempfile.NamedTemporaryFile()
+ with open(input_file, 'r') as in_file:
+ tmp_output.writelines(line for line in in_file.readlines()
+ if line not in patterns)
+ tmp_output.flush()
+
+ # Replaces the input_file.
+ shutil.copyfile(tmp_output.name, input_file)
diff --git a/definitions.mk b/definitions.mk
index 47d0004..4b9e098 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -4,11 +4,12 @@
@mkdir -p $(dir $@)
$(hide) m4 $(PRIVATE_ADDITIONAL_M4DEFS) \
-D mls_num_sens=$(PRIVATE_MLS_SENS) -D mls_num_cats=$(PRIVATE_MLS_CATS) \
- -D target_build_variant=$(TARGET_BUILD_VARIANT) \
+ -D target_build_variant=$(PRIVATE_TARGET_BUILD_VARIANT) \
-D target_with_dexpreopt=$(WITH_DEXPREOPT) \
-D target_arch=$(PRIVATE_TGT_ARCH) \
-D target_with_asan=$(PRIVATE_TGT_WITH_ASAN) \
- -D target_full_treble=$(PRIVATE_FULL_TREBLE) \
+ -D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
+ -D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
$(PRIVATE_TGT_RECOVERY) \
-s $^ > $@
endef
diff --git a/prebuilts/api/26.0/private/service_contexts b/prebuilts/api/26.0/private/service_contexts
index dc77cb9..ff97d66 100644
--- a/prebuilts/api/26.0/private/service_contexts
+++ b/prebuilts/api/26.0/private/service_contexts
@@ -142,6 +142,7 @@
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
task u:object_r:task_service:s0
diff --git a/prebuilts/api/27.0/nonplat_sepolicy.cil b/prebuilts/api/27.0/nonplat_sepolicy.cil
new file mode 100644
index 0000000..da550c1
--- /dev/null
+++ b/prebuilts/api/27.0/nonplat_sepolicy.cil
@@ -0,0 +1,6660 @@
+(roletype r domain)
+(typeattributeset dev_type (device_27_0 alarm_device_27_0 ashmem_device_27_0 audio_device_27_0 audio_timer_device_27_0 audio_seq_device_27_0 binder_device_27_0 hwbinder_device_27_0 vndbinder_device_27_0 block_device_27_0 camera_device_27_0 dm_device_27_0 keychord_device_27_0 loop_control_device_27_0 loop_device_27_0 pmsg_device_27_0 radio_device_27_0 ram_device_27_0 rtc_device_27_0 vold_device_27_0 console_device_27_0 cpuctl_device_27_0 fscklogs_27_0 full_device_27_0 gpu_device_27_0 graphics_device_27_0 hw_random_device_27_0 input_device_27_0 kmem_device_27_0 port_device_27_0 mtd_device_27_0 mtp_device_27_0 nfc_device_27_0 ptmx_device_27_0 kmsg_device_27_0 kmsg_debug_device_27_0 null_device_27_0 random_device_27_0 sensors_device_27_0 serial_device_27_0 socket_device_27_0 owntty_device_27_0 tty_device_27_0 video_device_27_0 vcs_device_27_0 zero_device_27_0 fuse_device_27_0 iio_device_27_0 ion_device_27_0 qtaguid_device_27_0 watchdog_device_27_0 uhid_device_27_0 uio_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 properties_device_27_0 properties_serial_27_0 i2c_device_27_0 hci_attach_dev_27_0 rpmsg_device_27_0 root_block_device_27_0 frp_block_device_27_0 system_block_device_27_0 recovery_block_device_27_0 boot_block_device_27_0 userdata_block_device_27_0 cache_block_device_27_0 swap_block_device_27_0 metadata_block_device_27_0 misc_block_device_27_0 ppp_device_27_0 tee_device_27_0 qemu_device))
+(typeattributeset domain (adbd_27_0 audioserver_27_0 blkid_27_0 blkid_untrusted_27_0 bluetooth_27_0 bootanim_27_0 bootstat_27_0 bufferhubd_27_0 cameraserver_27_0 charger_27_0 clatd_27_0 cppreopts_27_0 crash_dump_27_0 dex2oat_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 e2fs_27_0 ephemeral_app_27_0 fingerprintd_27_0 fsck_27_0 fsck_untrusted_27_0 gatekeeperd_27_0 healthd_27_0 hwservicemanager_27_0 idmap_27_0 incident_27_0 incidentd_27_0 init_27_0 inputflinger_27_0 install_recovery_27_0 installd_27_0 isolated_app_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 logpersist_27_0 mdnsd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaprovider_27_0 mediaserver_27_0 modprobe_27_0 mtp_27_0 netd_27_0 netutils_wrapper_27_0 nfc_27_0 otapreopt_chroot_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 platform_app_27_0 postinstall_27_0 postinstall_dexopt_27_0 ppp_27_0 preopt2cachename_27_0 priv_app_27_0 profman_27_0 racoon_27_0 radio_27_0 recovery_27_0 recovery_persist_27_0 recovery_refresh_27_0 rild_27_0 runas_27_0 sdcardd_27_0 servicemanager_27_0 sgdisk_27_0 shared_relro_27_0 shell_27_0 slideshow_27_0 su_27_0 surfaceflinger_27_0 system_app_27_0 system_server_27_0 tee_27_0 thermalserviced_27_0 tombstoned_27_0 toolbox_27_0 tzdatacheck_27_0 ueventd_27_0 uncrypt_27_0 untrusted_app_27_0 untrusted_app_25_27_0 untrusted_v2_app_27_0 update_engine_27_0 update_verifier_27_0 vdc_27_0 virtual_touchpad_27_0 vndservicemanager_27_0 vold_27_0 vr_hwc_27_0 watchdogd_27_0 webview_zygote_27_0 wificond_27_0 zygote_27_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hostapd vendor_modprobe goldfish_setup hal_drm_widevine qemu_props))
+(typeattributeset fs_type (device_27_0 labeledfs_27_0 pipefs_27_0 sockfs_27_0 rootfs_27_0 proc_27_0 proc_security_27_0 proc_drop_caches_27_0 proc_overcommit_memory_27_0 usermodehelper_27_0 sysfs_usermodehelper_27_0 qtaguid_proc_27_0 proc_bluetooth_writable_27_0 proc_cpuinfo_27_0 proc_interrupts_27_0 proc_iomem_27_0 proc_meminfo_27_0 proc_misc_27_0 proc_modules_27_0 proc_net_27_0 proc_perf_27_0 proc_stat_27_0 proc_sysrq_27_0 proc_timer_27_0 proc_tty_drivers_27_0 proc_uid_cputime_showstat_27_0 proc_uid_cputime_removeuid_27_0 proc_uid_io_stats_27_0 proc_uid_procstat_set_27_0 proc_uid_time_in_state_27_0 proc_zoneinfo_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_fs_ext4_features_27_0 configfs_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 inotify_27_0 devpts_27_0 tmpfs_27_0 shm_27_0 mqueue_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0 pstorefs_27_0 functionfs_27_0 oemfs_27_0 usbfs_27_0 binfmt_miscfs_27_0 app_fusefs_27_0 sysfs_writable))
+(typeattributeset contextmount_type (oemfs_27_0 app_fusefs_27_0))
+(typeattributeset file_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 drmserver_socket_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 sysfs_usb_27_0 unlabeled_27_0 system_file_27_0 vendor_hal_file_27_0 vendor_file_27_0 vendor_app_file_27_0 vendor_configs_file_27_0 same_process_hal_file_27_0 vndk_sp_file_27_0 vendor_framework_file_27_0 vendor_overlay_file_27_0 runtime_event_log_tags_file_27_0 logcat_exec_27_0 coredump_file_27_0 system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 mnt_media_rw_file_27_0 mnt_user_file_27_0 mnt_expand_file_27_0 storage_file_27_0 mnt_media_rw_stub_file_27_0 storage_stub_file_27_0 postinstall_mnt_dir_27_0 postinstall_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 tee_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_private_backup_file_27_0 cache_recovery_file_27_0 efs_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 bluetooth_efs_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0 adbd_socket_27_0 bluetooth_socket_27_0 dnsproxyd_socket_27_0 dumpstate_socket_27_0 fwmarkd_socket_27_0 lmkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdns_socket_27_0 mdnsd_socket_27_0 misc_logd_file_27_0 mtpd_socket_27_0 netd_socket_27_0 property_socket_27_0 racoon_socket_27_0 rild_socket_27_0 rild_debug_socket_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 tombstoned_intercept_socket_27_0 uncrypt_socket_27_0 vold_socket_27_0 webview_zygote_socket_27_0 wpa_socket_27_0 zygote_socket_27_0 gps_control_27_0 pdx_display_dir_27_0 pdx_performance_dir_27_0 pdx_bufferhub_dir_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 file_contexts_file_27_0 mac_perms_file_27_0 property_contexts_file_27_0 seapp_contexts_file_27_0 sepolicy_file_27_0 service_contexts_file_27_0 nonplat_service_contexts_file_27_0 hwservice_contexts_file_27_0 vndservice_contexts_file_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hostapd_socket hal_audio_default_exec hal_audio_default_tmpfs hal_bluetooth_default_exec hal_bluetooth_default_tmpfs hal_bootctl_default_exec hal_bootctl_default_tmpfs hal_broadcastradio_default_exec hal_broadcastradio_default_tmpfs hal_camera_default_exec hal_camera_default_tmpfs hal_cas_default_exec hal_cas_default_tmpfs hal_configstore_default_exec hal_configstore_default_tmpfs hal_contexthub_default_exec hal_contexthub_default_tmpfs hal_drm_default_exec hal_drm_default_tmpfs hal_dumpstate_default_exec hal_dumpstate_default_tmpfs hal_fingerprint_default_exec hal_fingerprint_default_tmpfs hal_gatekeeper_default_exec hal_gatekeeper_default_tmpfs hal_gnss_default_exec hal_gnss_default_tmpfs hal_graphics_allocator_default_exec hal_graphics_allocator_default_tmpfs hal_graphics_composer_default_exec hal_graphics_composer_default_tmpfs hal_health_default_exec hal_health_default_tmpfs hal_ir_default_exec hal_ir_default_tmpfs hal_keymaster_default_exec hal_keymaster_default_tmpfs hal_light_default_exec hal_light_default_tmpfs hal_memtrack_default_exec hal_memtrack_default_tmpfs hal_nfc_default_exec hal_nfc_default_tmpfs mediacodec_tmpfs hal_power_default_exec hal_power_default_tmpfs hal_sensors_default_exec hal_sensors_default_tmpfs hal_tetheroffload_default_exec hal_tetheroffload_default_tmpfs hal_thermal_default_exec hal_thermal_default_tmpfs hal_tv_cec_default_exec hal_tv_cec_default_tmpfs hal_tv_input_default_exec hal_tv_input_default_tmpfs hal_usb_default_exec hal_usb_default_tmpfs hal_vibrator_default_exec hal_vibrator_default_tmpfs hal_vr_default_exec hal_vr_default_tmpfs hal_wifi_default_exec hal_wifi_default_tmpfs hal_wifi_offload_default_exec hal_wifi_offload_default_tmpfs hal_wifi_supplicant_default_exec hal_wifi_supplicant_default_tmpfs hostapd_exec hostapd_tmpfs rild_exec rild_tmpfs tee_exec tee_tmpfs vndservicemanager_exec vndservicemanager_tmpfs goldfish_setup_exec goldfish_setup_tmpfs hal_drm_widevine_exec hal_drm_widevine_tmpfs qemu_props_exec qemu_props_tmpfs))
+(typeattributeset exec_type (adbd_exec_27_0 bootanim_exec_27_0 bootstat_exec_27_0 bufferhubd_exec_27_0 cameraserver_exec_27_0 clatd_exec_27_0 cppreopts_exec_27_0 crash_dump_exec_27_0 dex2oat_exec_27_0 dhcp_exec_27_0 dnsmasq_exec_27_0 drmserver_exec_27_0 dumpstate_exec_27_0 e2fs_exec_27_0 logcat_exec_27_0 fingerprintd_exec_27_0 fsck_exec_27_0 gatekeeperd_exec_27_0 healthd_exec_27_0 hwservicemanager_exec_27_0 idmap_exec_27_0 init_exec_27_0 inputflinger_exec_27_0 install_recovery_exec_27_0 installd_exec_27_0 keystore_exec_27_0 lmkd_exec_27_0 logd_exec_27_0 mediacodec_exec_27_0 mediadrmserver_exec_27_0 mediaextractor_exec_27_0 mediametrics_exec_27_0 mediaserver_exec_27_0 mtp_exec_27_0 netd_exec_27_0 netutils_wrapper_exec_27_0 otapreopt_chroot_exec_27_0 otapreopt_slot_exec_27_0 performanced_exec_27_0 perfprofd_exec_27_0 ppp_exec_27_0 preopt2cachename_exec_27_0 profman_exec_27_0 racoon_exec_27_0 recovery_persist_exec_27_0 recovery_refresh_exec_27_0 runas_exec_27_0 sdcardd_exec_27_0 servicemanager_exec_27_0 sgdisk_exec_27_0 shell_exec_27_0 su_exec_27_0 thermalserviced_exec_27_0 tombstoned_exec_27_0 toolbox_exec_27_0 tzdatacheck_exec_27_0 uncrypt_exec_27_0 update_engine_exec_27_0 update_verifier_exec_27_0 vdc_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 virtual_touchpad_exec_27_0 vold_exec_27_0 vr_hwc_exec_27_0 webview_zygote_exec_27_0 wificond_exec_27_0 zygote_exec_27_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec goldfish_setup_exec hal_drm_widevine_exec qemu_props_exec))
+(expandtypeattribute (data_file_type) false)
+(typeattributeset data_file_type (system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 tee_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_private_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0 bluetooth_socket_27_0 misc_logd_file_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 wpa_socket_27_0 hostapd_socket))
+(typeattributeset core_data_file_type (system_data_file_27_0 unencrypted_data_file_27_0 install_data_file_27_0 drm_data_file_27_0 adb_data_file_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_data_file_27_0 apk_tmp_file_27_0 apk_private_data_file_27_0 apk_private_tmp_file_27_0 dalvikcache_data_file_27_0 ota_data_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 profman_dump_data_file_27_0 resourcecache_data_file_27_0 shell_data_file_27_0 property_data_file_27_0 bootchart_data_file_27_0 heapdump_data_file_27_0 nativetest_data_file_27_0 ringtone_file_27_0 preloads_data_file_27_0 preloads_media_file_27_0 dhcp_data_file_27_0 adb_keys_file_27_0 audio_data_file_27_0 audiohal_data_file_27_0 audioserver_data_file_27_0 bluetooth_data_file_27_0 bluetooth_logs_data_file_27_0 bootstat_data_file_27_0 boottrace_data_file_27_0 camera_data_file_27_0 gatekeeper_data_file_27_0 incident_data_file_27_0 keychain_data_file_27_0 keystore_data_file_27_0 media_data_file_27_0 media_rw_data_file_27_0 misc_user_data_file_27_0 net_data_file_27_0 nfc_data_file_27_0 radio_data_file_27_0 reboot_data_file_27_0 recovery_data_file_27_0 shared_relro_file_27_0 systemkeys_data_file_27_0 textclassifier_data_file_27_0 vpn_data_file_27_0 wifi_data_file_27_0 zoneinfo_data_file_27_0 vold_data_file_27_0 perfprofd_data_file_27_0 update_engine_data_file_27_0 method_trace_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 icon_file_27_0 asec_apk_file_27_0 asec_public_file_27_0 asec_image_file_27_0 backup_data_file_27_0 fingerprintd_data_file_27_0 app_fuse_file_27_0))
+(typeattributeset vendor_file_type (vendor_hal_file_27_0 vendor_file_27_0 vendor_app_file_27_0 vendor_configs_file_27_0 same_process_hal_file_27_0 vndk_sp_file_27_0 vendor_framework_file_27_0 vendor_overlay_file_27_0 mediacodec_exec_27_0 vendor_shell_exec_27_0 vendor_toolbox_exec_27_0 hal_audio_default_exec hal_bluetooth_default_exec hal_bootctl_default_exec hal_broadcastradio_default_exec hal_camera_default_exec hal_cas_default_exec hal_configstore_default_exec hal_contexthub_default_exec hal_drm_default_exec hal_dumpstate_default_exec hal_fingerprint_default_exec hal_gatekeeper_default_exec hal_gnss_default_exec hal_graphics_allocator_default_exec hal_graphics_composer_default_exec hal_health_default_exec hal_ir_default_exec hal_keymaster_default_exec hal_light_default_exec hal_memtrack_default_exec hal_nfc_default_exec hal_power_default_exec hal_sensors_default_exec hal_tetheroffload_default_exec hal_thermal_default_exec hal_tv_cec_default_exec hal_tv_input_default_exec hal_usb_default_exec hal_vibrator_default_exec hal_vr_default_exec hal_wifi_default_exec hal_wifi_offload_default_exec hal_wifi_supplicant_default_exec hostapd_exec rild_exec tee_exec vndservicemanager_exec goldfish_setup_exec hal_drm_widevine_exec qemu_props_exec))
+(typeattributeset sysfs_type (sysfs_usermodehelper_27_0 sysfs_27_0 sysfs_uio_27_0 sysfs_batteryinfo_27_0 sysfs_bluetooth_writable_27_0 sysfs_leds_27_0 sysfs_hwrandom_27_0 sysfs_nfc_power_writable_27_0 sysfs_wake_lock_27_0 sysfs_mac_address_27_0 sysfs_usb_27_0 sysfs_fs_ext4_features_27_0 sysfs_devices_system_cpu_27_0 sysfs_lowmemorykiller_27_0 sysfs_wlan_fwpath_27_0 sysfs_vibrator_27_0 sysfs_thermal_27_0 sysfs_zram_27_0 sysfs_zram_uevent_27_0 sysfs_writable))
+(typeattributeset debugfs_type (debugfs_27_0 debugfs_mmc_27_0 debugfs_trace_marker_27_0 debugfs_tracing_27_0 debugfs_tracing_debug_27_0 debugfs_tracing_instances_27_0 debugfs_wifi_tracing_27_0))
+(typeattributeset sdcard_type (fuse_27_0 sdcardfs_27_0 vfat_27_0))
+(typeattributeset node_type (node_27_0))
+(typeattributeset netif_type (netif_27_0))
+(typeattributeset port_type (port_27_0))
+(typeattributeset property_type (audio_prop_27_0 boottime_prop_27_0 bluetooth_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 ctl_bootanim_prop_27_0 ctl_bugreport_prop_27_0 ctl_console_prop_27_0 ctl_default_prop_27_0 ctl_dumpstate_prop_27_0 ctl_fuse_prop_27_0 ctl_mdnsd_prop_27_0 ctl_rildaemon_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 device_logging_prop_27_0 dhcp_prop_27_0 dumpstate_options_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 firstboot_prop_27_0 hwservicemanager_prop_27_0 logd_prop_27_0 logpersistd_logging_prop_27_0 log_prop_27_0 log_tag_prop_27_0 mmc_prop_27_0 net_dns_prop_27_0 net_radio_prop_27_0 netd_stable_secret_prop_27_0 nfc_prop_27_0 overlay_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 persistent_properties_ready_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 safemode_prop_27_0 serialno_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0 wifi_log_prop_27_0 wifi_prop_27_0 qemu_prop qemu_cmdline radio_noril_prop opengles_prop))
+(typeattributeset core_property_type (audio_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 dhcp_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 logd_prop_27_0 net_radio_prop_27_0 nfc_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0))
+(typeattributeset log_property_type (log_prop_27_0 log_tag_prop_27_0 wifi_log_prop_27_0))
+(typeattributeset system_server_service (accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 battery_service_27_0 bluetooth_manager_service_27_0 broadcastradio_service_27_0 cameraproxy_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 commontime_management_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 coverage_service_27_0 cpuinfo_service_27_0 dbinfo_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 devicestoragemonitor_service_27_0 diskstats_service_27_0 display_service_27_0 font_service_27_0 netd_listener_service_27_0 DockObserver_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 gfxinfo_service_27_0 graphicsstats_service_27_0 hardware_service_27_0 hardware_properties_service_27_0 hdmi_control_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 lock_settings_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 meminfo_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 network_score_service_27_0 network_time_update_service_27_0 notification_service_27_0 oem_lock_service_27_0 otadexopt_service_27_0 overlay_service_27_0 package_service_27_0 package_native_service_27_0 permission_service_27_0 persistent_data_block_service_27_0 pinner_service_27_0 power_service_27_0 print_service_27_0 processinfo_service_27_0 procstats_service_27_0 recovery_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 samplingprofiler_service_27_0 scheduling_policy_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 serial_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 task_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 timezone_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 updatelock_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 vr_manager_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifiscanner_service_27_0 wifi_service_27_0 wifiaware_service_27_0 window_service_27_0))
+(typeattributeset app_api_service (batteryproperties_service_27_0 gatekeeper_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 bluetooth_manager_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 display_service_27_0 font_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 graphicsstats_service_27_0 hardware_properties_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 notification_service_27_0 package_service_27_0 permission_service_27_0 power_service_27_0 print_service_27_0 procstats_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifi_service_27_0 wifiaware_service_27_0))
+(typeattributeset ephemeral_app_api_service (batteryproperties_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 bluetooth_manager_service_27_0 clipboard_service_27_0 IProxyService_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 display_service_27_0 font_service_27_0 dreams_service_27_0 dropbox_service_27_0 graphicsstats_service_27_0 hardware_properties_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 notification_service_27_0 package_service_27_0 permission_service_27_0 power_service_27_0 print_service_27_0 procstats_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 search_service_27_0 sensorservice_service_27_0 servicediscovery_service_27_0 settings_service_27_0 statusbar_service_27_0 storagestats_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 tv_input_service_27_0 uimode_service_27_0 usagestats_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 webviewupdate_service_27_0))
+(typeattributeset system_api_service (cpuinfo_service_27_0 dbinfo_service_27_0 diskstats_service_27_0 gfxinfo_service_27_0 hdmi_control_service_27_0 lock_settings_service_27_0 meminfo_service_27_0 network_score_service_27_0 oem_lock_service_27_0 overlay_service_27_0 persistent_data_block_service_27_0 serial_service_27_0 updatelock_service_27_0 wifiscanner_service_27_0 window_service_27_0))
+(typeattributeset service_manager_type (audioserver_service_27_0 batteryproperties_service_27_0 bluetooth_service_27_0 cameraserver_service_27_0 default_android_service_27_0 drmserver_service_27_0 dumpstate_service_27_0 fingerprintd_service_27_0 hal_fingerprint_service_27_0 gatekeeper_service_27_0 gpu_service_27_0 inputflinger_service_27_0 incident_service_27_0 installd_service_27_0 keystore_service_27_0 mediaserver_service_27_0 mediametrics_service_27_0 mediaextractor_service_27_0 mediacodec_service_27_0 mediadrmserver_service_27_0 netd_service_27_0 nfc_service_27_0 radio_service_27_0 storaged_service_27_0 surfaceflinger_service_27_0 system_app_service_27_0 thermal_service_27_0 update_engine_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0 accessibility_service_27_0 account_service_27_0 activity_service_27_0 alarm_service_27_0 appops_service_27_0 appwidget_service_27_0 assetatlas_service_27_0 audio_service_27_0 autofill_service_27_0 backup_service_27_0 batterystats_service_27_0 battery_service_27_0 bluetooth_manager_service_27_0 broadcastradio_service_27_0 cameraproxy_service_27_0 clipboard_service_27_0 contexthub_service_27_0 IProxyService_service_27_0 commontime_management_service_27_0 companion_device_service_27_0 connectivity_service_27_0 connmetrics_service_27_0 consumer_ir_service_27_0 content_service_27_0 country_detector_service_27_0 coverage_service_27_0 cpuinfo_service_27_0 dbinfo_service_27_0 device_policy_service_27_0 deviceidle_service_27_0 device_identifiers_service_27_0 devicestoragemonitor_service_27_0 diskstats_service_27_0 display_service_27_0 font_service_27_0 netd_listener_service_27_0 DockObserver_service_27_0 dreams_service_27_0 dropbox_service_27_0 ethernet_service_27_0 fingerprint_service_27_0 gfxinfo_service_27_0 graphicsstats_service_27_0 hardware_service_27_0 hardware_properties_service_27_0 hdmi_control_service_27_0 input_method_service_27_0 input_service_27_0 imms_service_27_0 ipsec_service_27_0 jobscheduler_service_27_0 launcherapps_service_27_0 location_service_27_0 lock_settings_service_27_0 media_projection_service_27_0 media_router_service_27_0 media_session_service_27_0 meminfo_service_27_0 midi_service_27_0 mount_service_27_0 netpolicy_service_27_0 netstats_service_27_0 network_management_service_27_0 network_score_service_27_0 network_time_update_service_27_0 notification_service_27_0 oem_lock_service_27_0 otadexopt_service_27_0 overlay_service_27_0 package_service_27_0 package_native_service_27_0 permission_service_27_0 persistent_data_block_service_27_0 pinner_service_27_0 power_service_27_0 print_service_27_0 processinfo_service_27_0 procstats_service_27_0 recovery_service_27_0 registry_service_27_0 restrictions_service_27_0 rttmanager_service_27_0 samplingprofiler_service_27_0 scheduling_policy_service_27_0 search_service_27_0 sec_key_att_app_id_provider_service_27_0 sensorservice_service_27_0 serial_service_27_0 servicediscovery_service_27_0 settings_service_27_0 shortcut_service_27_0 statusbar_service_27_0 storagestats_service_27_0 task_service_27_0 textclassification_service_27_0 textservices_service_27_0 telecom_service_27_0 timezone_service_27_0 trust_service_27_0 tv_input_service_27_0 uimode_service_27_0 updatelock_service_27_0 usagestats_service_27_0 usb_service_27_0 user_service_27_0 vibrator_service_27_0 voiceinteraction_service_27_0 vr_manager_service_27_0 wallpaper_service_27_0 webviewupdate_service_27_0 wifip2p_service_27_0 wifiscanner_service_27_0 wifi_service_27_0 wificond_service_27_0 wifiaware_service_27_0 window_service_27_0))
+(typeattributeset hwservice_manager_type (default_android_hwservice_27_0 fwk_display_hwservice_27_0 fwk_scheduler_hwservice_27_0 fwk_sensor_hwservice_27_0 hal_audio_hwservice_27_0 hal_bluetooth_hwservice_27_0 hal_bootctl_hwservice_27_0 hal_broadcastradio_hwservice_27_0 hal_camera_hwservice_27_0 hal_configstore_ISurfaceFlingerConfigs_27_0 hal_contexthub_hwservice_27_0 hal_drm_hwservice_27_0 hal_cas_hwservice_27_0 hal_dumpstate_hwservice_27_0 hal_fingerprint_hwservice_27_0 hal_gatekeeper_hwservice_27_0 hal_gnss_hwservice_27_0 hal_graphics_allocator_hwservice_27_0 hal_graphics_composer_hwservice_27_0 hal_graphics_mapper_hwservice_27_0 hal_health_hwservice_27_0 hal_ir_hwservice_27_0 hal_keymaster_hwservice_27_0 hal_light_hwservice_27_0 hal_memtrack_hwservice_27_0 hal_neuralnetworks_hwservice_27_0 hal_nfc_hwservice_27_0 hal_oemlock_hwservice_27_0 hal_omx_hwservice_27_0 hal_power_hwservice_27_0 hal_renderscript_hwservice_27_0 hal_sensors_hwservice_27_0 hal_telephony_hwservice_27_0 hal_tetheroffload_hwservice_27_0 hal_thermal_hwservice_27_0 hal_tv_cec_hwservice_27_0 hal_tv_input_hwservice_27_0 hal_usb_hwservice_27_0 hal_vibrator_hwservice_27_0 hal_vr_hwservice_27_0 hal_weaver_hwservice_27_0 hal_wifi_hwservice_27_0 hal_wifi_offload_hwservice_27_0 hal_wifi_supplicant_hwservice_27_0 hidl_allocator_hwservice_27_0 hidl_base_hwservice_27_0 hidl_manager_hwservice_27_0 hidl_memory_hwservice_27_0 hidl_token_hwservice_27_0 system_net_netd_hwservice_27_0 system_wifi_keystore_hwservice_27_0 thermalcallback_hwservice_27_0))
+(typeattributeset same_process_hwservice (hal_graphics_mapper_hwservice_27_0 hal_renderscript_hwservice_27_0))
+(typeattributeset coredomain_hwservice (fwk_display_hwservice_27_0 fwk_scheduler_hwservice_27_0 fwk_sensor_hwservice_27_0 hidl_allocator_hwservice_27_0 hidl_manager_hwservice_27_0 hidl_memory_hwservice_27_0 hidl_token_hwservice_27_0 system_net_netd_hwservice_27_0 system_wifi_keystore_hwservice_27_0))
+(typeattributeset vndservice_manager_type (default_android_vndservice_27_0))
+(typeattributeset mlstrustedsubject (bufferhubd_27_0 cppreopts_27_0 drmserver_27_0 dumpstate_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 hwservicemanager_27_0 init_27_0 installd_27_0 kernel_27_0 keystore_27_0 lmkd_27_0 logd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediaserver_27_0 netd_27_0 otapreopt_slot_27_0 performanced_27_0 perfprofd_27_0 racoon_27_0 radio_27_0 runas_27_0 servicemanager_27_0 shell_27_0 su_27_0 tombstoned_27_0 uncrypt_27_0 vold_27_0))
+(typeattributeset mlstrustedobject (alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 pmsg_device_27_0 gpu_device_27_0 mtp_device_27_0 ptmx_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 fuse_device_27_0 ion_device_27_0 tun_device_27_0 usbaccessory_device_27_0 usb_device_27_0 qtaguid_proc_27_0 selinuxfs_27_0 cgroup_27_0 sysfs_27_0 sysfs_bluetooth_writable_27_0 sysfs_nfc_power_writable_27_0 sysfs_usb_27_0 inotify_27_0 devpts_27_0 fuse_27_0 sdcardfs_27_0 vfat_27_0 debugfs_trace_marker_27_0 functionfs_27_0 anr_data_file_27_0 tombstone_data_file_27_0 apk_tmp_file_27_0 apk_private_tmp_file_27_0 ota_package_file_27_0 user_profile_data_file_27_0 shell_data_file_27_0 heapdump_data_file_27_0 ringtone_file_27_0 media_rw_data_file_27_0 radio_data_file_27_0 perfprofd_data_file_27_0 method_trace_data_file_27_0 system_app_data_file_27_0 cache_file_27_0 cache_backup_file_27_0 cache_recovery_file_27_0 wallpaper_file_27_0 shortcut_manager_icons_27_0 asec_apk_file_27_0 backup_data_file_27_0 app_fuse_file_27_0 dnsproxyd_socket_27_0 fwmarkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdnsd_socket_27_0 property_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_java_trace_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 qemu_device sysfs_writable))
+(typeattributeset netdomain (clatd_27_0 dhcp_27_0 dnsmasq_27_0 drmserver_27_0 dumpstate_27_0 mediadrmserver_27_0 mediaserver_27_0 mtp_27_0 netd_27_0 ppp_27_0 racoon_27_0 radio_27_0 rild_27_0 shell_27_0 su_27_0 update_engine_27_0 hal_wifi_supplicant_default hostapd))
+(typeattributeset bluetoothdomain (radio_27_0))
+(typeattributeset binderservicedomain (cameraserver_27_0 drmserver_27_0 gatekeeperd_27_0 healthd_27_0 inputflinger_27_0 keystore_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediametrics_27_0 mediaserver_27_0 radio_27_0 thermalserviced_27_0 virtual_touchpad_27_0 vr_hwc_27_0))
+(typeattributeset update_engine_common (update_engine_27_0))
+(typeattributeset coredomain (e2fs_27_0 perfprofd_27_0))
+(typeattributeset coredomain_socket (adbd_socket_27_0 bluetooth_socket_27_0 dnsproxyd_socket_27_0 dumpstate_socket_27_0 fwmarkd_socket_27_0 lmkd_socket_27_0 logd_socket_27_0 logdr_socket_27_0 logdw_socket_27_0 mdns_socket_27_0 mdnsd_socket_27_0 misc_logd_file_27_0 mtpd_socket_27_0 netd_socket_27_0 property_socket_27_0 racoon_socket_27_0 system_wpa_socket_27_0 system_ndebug_socket_27_0 tombstoned_crash_socket_27_0 tombstoned_intercept_socket_27_0 uncrypt_socket_27_0 vold_socket_27_0 webview_zygote_socket_27_0 zygote_socket_27_0 pdx_display_client_endpoint_socket_27_0 pdx_display_client_channel_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_manager_channel_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_screenshot_channel_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_display_vsync_channel_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_performance_client_channel_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0 pdx_bufferhub_client_channel_socket_27_0))
+(expandtypeattribute (binder_in_vendor_violators) false)
+(expandtypeattribute (socket_between_core_and_vendor_violators) false)
+(expandtypeattribute (vendor_executes_system_violators) false)
+(expandtypeattribute (untrusted_app_visible_hwservice) false)
+(expandtypeattribute (untrusted_app_visible_halserver) false)
+(typeattributeset pdx_endpoint_dir_type (pdx_display_dir_27_0 pdx_performance_dir_27_0 pdx_bufferhub_dir_27_0))
+(expandtypeattribute (pdx_endpoint_socket_type) false)
+(typeattributeset pdx_endpoint_socket_type (pdx_display_client_endpoint_socket_27_0 pdx_display_manager_endpoint_socket_27_0 pdx_display_screenshot_endpoint_socket_27_0 pdx_display_vsync_endpoint_socket_27_0 pdx_performance_client_endpoint_socket_27_0 pdx_bufferhub_client_endpoint_socket_27_0))
+(expandtypeattribute (pdx_channel_socket_type) false)
+(typeattributeset pdx_channel_socket_type (pdx_display_client_channel_socket_27_0 pdx_display_manager_channel_socket_27_0 pdx_display_screenshot_channel_socket_27_0 pdx_display_vsync_channel_socket_27_0 pdx_performance_client_channel_socket_27_0 pdx_bufferhub_client_channel_socket_27_0))
+(typeattributeset pdx_display_client_endpoint_dir_type (pdx_display_dir_27_0))
+(typeattributeset pdx_display_client_endpoint_socket_type (pdx_display_client_endpoint_socket_27_0))
+(typeattributeset pdx_display_client_channel_socket_type (pdx_display_client_channel_socket_27_0))
+(typeattributeset pdx_display_manager_endpoint_dir_type (pdx_display_dir_27_0))
+(typeattributeset pdx_display_manager_endpoint_socket_type (pdx_display_manager_endpoint_socket_27_0))
+(typeattributeset pdx_display_manager_channel_socket_type (pdx_display_manager_channel_socket_27_0))
+(typeattributeset pdx_display_screenshot_endpoint_dir_type (pdx_display_dir_27_0))
+(typeattributeset pdx_display_screenshot_endpoint_socket_type (pdx_display_screenshot_endpoint_socket_27_0))
+(typeattributeset pdx_display_screenshot_channel_socket_type (pdx_display_screenshot_channel_socket_27_0))
+(typeattributeset pdx_display_vsync_endpoint_dir_type (pdx_display_dir_27_0))
+(typeattributeset pdx_display_vsync_endpoint_socket_type (pdx_display_vsync_endpoint_socket_27_0))
+(typeattributeset pdx_display_vsync_channel_socket_type (pdx_display_vsync_channel_socket_27_0))
+(typeattributeset pdx_performance_client_endpoint_dir_type (pdx_performance_dir_27_0))
+(typeattributeset pdx_performance_client_endpoint_socket_type (pdx_performance_client_endpoint_socket_27_0))
+(typeattributeset pdx_performance_client_channel_socket_type (pdx_performance_client_channel_socket_27_0))
+(typeattributeset pdx_performance_client_server_type (performanced_27_0))
+(typeattributeset pdx_bufferhub_client_endpoint_dir_type (pdx_bufferhub_dir_27_0))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_type (pdx_bufferhub_client_endpoint_socket_27_0))
+(typeattributeset pdx_bufferhub_client_channel_socket_type (pdx_bufferhub_client_channel_socket_27_0))
+(typeattributeset pdx_bufferhub_client_server_type (bufferhubd_27_0))
+(typeattributeset halserverdomain (rild_27_0 hal_audio_default hal_bluetooth_default hal_bootctl_default hal_broadcastradio_default hal_camera_default hal_cas_default hal_configstore_default hal_contexthub_default hal_drm_default hal_dumpstate_default hal_fingerprint_default hal_gatekeeper_default hal_gnss_default hal_graphics_allocator_default hal_graphics_composer_default hal_health_default hal_ir_default hal_keymaster_default hal_light_default hal_memtrack_default hal_nfc_default hal_power_default hal_sensors_default hal_tetheroffload_default hal_thermal_default hal_tv_cec_default hal_tv_input_default hal_usb_default hal_vibrator_default hal_vr_default hal_wifi_default hal_wifi_offload_default hal_wifi_supplicant_default hal_drm_widevine))
+(expandtypeattribute (halclientdomain) true)
+(typeattributeset halclientdomain (bootanim_27_0 bufferhubd_27_0 cameraserver_27_0 dumpstate_27_0 gatekeeperd_27_0 healthd_27_0 mediacodec_27_0 mediadrmserver_27_0 mediaextractor_27_0 mediaserver_27_0 radio_27_0 thermalserviced_27_0 update_engine_27_0 update_verifier_27_0 vold_27_0 vr_hwc_27_0 hal_audio_default hal_camera_default hal_drm_default hal_drm_widevine))
+(expandtypeattribute (hal_allocator) true)
+(expandtypeattribute (hal_allocator_client) true)
+(typeattributeset hal_allocator_client (mediacodec_27_0 mediaserver_27_0 hal_audio_default))
+(expandtypeattribute (hal_allocator_server) false)
+(expandtypeattribute (hal_audio) false)
+(typeattributeset hal_audio (hal_audio_default))
+(expandtypeattribute (hal_audio_client) true)
+(expandtypeattribute (hal_audio_server) false)
+(typeattributeset hal_audio_server (hal_audio_default))
+(expandtypeattribute (hal_bluetooth) true)
+(typeattributeset hal_bluetooth (hal_bluetooth_default))
+(expandtypeattribute (hal_bluetooth_client) true)
+(expandtypeattribute (hal_bluetooth_server) false)
+(typeattributeset hal_bluetooth_server (hal_bluetooth_default))
+(expandtypeattribute (hal_bootctl) false)
+(typeattributeset hal_bootctl (hal_bootctl_default))
+(expandtypeattribute (hal_bootctl_client) true)
+(typeattributeset hal_bootctl_client (update_engine_27_0 update_verifier_27_0))
+(expandtypeattribute (hal_bootctl_server) false)
+(typeattributeset hal_bootctl_server (hal_bootctl_default))
+(expandtypeattribute (hal_broadcastradio) true)
+(typeattributeset hal_broadcastradio (hal_broadcastradio_default))
+(expandtypeattribute (hal_broadcastradio_client) true)
+(expandtypeattribute (hal_broadcastradio_server) false)
+(typeattributeset hal_broadcastradio_server (hal_broadcastradio_default))
+(expandtypeattribute (hal_camera) false)
+(typeattributeset hal_camera (hal_camera_default))
+(expandtypeattribute (hal_camera_client) true)
+(typeattributeset hal_camera_client (cameraserver_27_0))
+(expandtypeattribute (hal_camera_server) false)
+(typeattributeset hal_camera_server (hal_camera_default))
+(expandtypeattribute (hal_configstore) true)
+(typeattributeset hal_configstore (hal_configstore_default))
+(expandtypeattribute (hal_configstore_client) true)
+(typeattributeset hal_configstore_client (bootanim_27_0))
+(expandtypeattribute (hal_configstore_server) false)
+(typeattributeset hal_configstore_server (hal_configstore_default))
+(expandtypeattribute (hal_contexthub) true)
+(typeattributeset hal_contexthub (hal_contexthub_default))
+(expandtypeattribute (hal_contexthub_client) true)
+(expandtypeattribute (hal_contexthub_server) false)
+(typeattributeset hal_contexthub_server (hal_contexthub_default))
+(expandtypeattribute (hal_drm) false)
+(typeattributeset hal_drm (hal_drm_default hal_drm_widevine))
+(expandtypeattribute (hal_drm_client) true)
+(typeattributeset hal_drm_client (mediadrmserver_27_0))
+(expandtypeattribute (hal_drm_server) false)
+(typeattributeset hal_drm_server (hal_drm_default hal_drm_widevine))
+(expandtypeattribute (hal_cas) false)
+(typeattributeset hal_cas (hal_cas_default))
+(expandtypeattribute (hal_cas_client) true)
+(typeattributeset hal_cas_client (mediacodec_27_0 mediaextractor_27_0))
+(expandtypeattribute (hal_cas_server) false)
+(typeattributeset hal_cas_server (hal_cas_default))
+(expandtypeattribute (hal_dumpstate) true)
+(typeattributeset hal_dumpstate (hal_dumpstate_default))
+(expandtypeattribute (hal_dumpstate_client) true)
+(typeattributeset hal_dumpstate_client (dumpstate_27_0))
+(expandtypeattribute (hal_dumpstate_server) false)
+(typeattributeset hal_dumpstate_server (hal_dumpstate_default))
+(expandtypeattribute (hal_fingerprint) true)
+(typeattributeset hal_fingerprint (hal_fingerprint_default))
+(expandtypeattribute (hal_fingerprint_client) true)
+(expandtypeattribute (hal_fingerprint_server) false)
+(typeattributeset hal_fingerprint_server (hal_fingerprint_default))
+(expandtypeattribute (hal_gatekeeper) true)
+(typeattributeset hal_gatekeeper (hal_gatekeeper_default))
+(expandtypeattribute (hal_gatekeeper_client) true)
+(typeattributeset hal_gatekeeper_client (gatekeeperd_27_0))
+(expandtypeattribute (hal_gatekeeper_server) false)
+(typeattributeset hal_gatekeeper_server (hal_gatekeeper_default))
+(expandtypeattribute (hal_gnss) true)
+(typeattributeset hal_gnss (hal_gnss_default))
+(expandtypeattribute (hal_gnss_client) true)
+(expandtypeattribute (hal_gnss_server) false)
+(typeattributeset hal_gnss_server (hal_gnss_default))
+(expandtypeattribute (hal_graphics_allocator) true)
+(typeattributeset hal_graphics_allocator (hal_graphics_allocator_default))
+(expandtypeattribute (hal_graphics_allocator_client) true)
+(typeattributeset hal_graphics_allocator_client (bootanim_27_0 bufferhubd_27_0 cameraserver_27_0 dumpstate_27_0 mediacodec_27_0 vr_hwc_27_0))
+(expandtypeattribute (hal_graphics_allocator_server) false)
+(typeattributeset hal_graphics_allocator_server (hal_graphics_allocator_default))
+(expandtypeattribute (hal_graphics_composer) true)
+(typeattributeset hal_graphics_composer (hal_graphics_composer_default))
+(expandtypeattribute (hal_graphics_composer_client) true)
+(typeattributeset hal_graphics_composer_client (bootanim_27_0 hal_camera_default hal_drm_default hal_drm_widevine))
+(expandtypeattribute (hal_graphics_composer_server) false)
+(typeattributeset hal_graphics_composer_server (hal_graphics_composer_default))
+(expandtypeattribute (hal_health) true)
+(typeattributeset hal_health (hal_health_default))
+(expandtypeattribute (hal_health_client) true)
+(typeattributeset hal_health_client (healthd_27_0))
+(expandtypeattribute (hal_health_server) false)
+(typeattributeset hal_health_server (hal_health_default))
+(expandtypeattribute (hal_ir) true)
+(typeattributeset hal_ir (hal_ir_default))
+(expandtypeattribute (hal_ir_client) true)
+(expandtypeattribute (hal_ir_server) false)
+(typeattributeset hal_ir_server (hal_ir_default))
+(expandtypeattribute (hal_keymaster) true)
+(typeattributeset hal_keymaster (hal_keymaster_default))
+(expandtypeattribute (hal_keymaster_client) true)
+(typeattributeset hal_keymaster_client (vold_27_0))
+(expandtypeattribute (hal_keymaster_server) false)
+(typeattributeset hal_keymaster_server (hal_keymaster_default))
+(expandtypeattribute (hal_light) true)
+(typeattributeset hal_light (hal_light_default))
+(expandtypeattribute (hal_light_client) true)
+(expandtypeattribute (hal_light_server) false)
+(typeattributeset hal_light_server (hal_light_default))
+(expandtypeattribute (hal_memtrack) true)
+(typeattributeset hal_memtrack (hal_memtrack_default))
+(expandtypeattribute (hal_memtrack_client) true)
+(expandtypeattribute (hal_memtrack_server) false)
+(typeattributeset hal_memtrack_server (hal_memtrack_default))
+(expandtypeattribute (hal_neuralnetworks) true)
+(expandtypeattribute (hal_neuralnetworks_client) true)
+(expandtypeattribute (hal_neuralnetworks_server) false)
+(expandtypeattribute (hal_nfc) true)
+(typeattributeset hal_nfc (hal_nfc_default))
+(expandtypeattribute (hal_nfc_client) true)
+(expandtypeattribute (hal_nfc_server) false)
+(typeattributeset hal_nfc_server (hal_nfc_default))
+(expandtypeattribute (hal_oemlock) true)
+(expandtypeattribute (hal_oemlock_client) true)
+(expandtypeattribute (hal_oemlock_server) false)
+(expandtypeattribute (hal_power) true)
+(typeattributeset hal_power (hal_power_default))
+(expandtypeattribute (hal_power_client) true)
+(expandtypeattribute (hal_power_server) false)
+(typeattributeset hal_power_server (hal_power_default))
+(expandtypeattribute (hal_sensors) true)
+(typeattributeset hal_sensors (hal_sensors_default))
+(expandtypeattribute (hal_sensors_client) true)
+(expandtypeattribute (hal_sensors_server) false)
+(typeattributeset hal_sensors_server (hal_sensors_default))
+(expandtypeattribute (hal_telephony) true)
+(typeattributeset hal_telephony (rild_27_0))
+(expandtypeattribute (hal_telephony_client) true)
+(typeattributeset hal_telephony_client (radio_27_0))
+(expandtypeattribute (hal_telephony_server) false)
+(typeattributeset hal_telephony_server (rild_27_0))
+(expandtypeattribute (hal_tetheroffload) true)
+(typeattributeset hal_tetheroffload (hal_tetheroffload_default))
+(expandtypeattribute (hal_tetheroffload_client) true)
+(expandtypeattribute (hal_tetheroffload_server) false)
+(typeattributeset hal_tetheroffload_server (hal_tetheroffload_default))
+(expandtypeattribute (hal_thermal) true)
+(typeattributeset hal_thermal (hal_thermal_default))
+(expandtypeattribute (hal_thermal_client) true)
+(typeattributeset hal_thermal_client (thermalserviced_27_0))
+(expandtypeattribute (hal_thermal_server) false)
+(typeattributeset hal_thermal_server (hal_thermal_default))
+(expandtypeattribute (hal_tv_cec) true)
+(typeattributeset hal_tv_cec (hal_tv_cec_default))
+(expandtypeattribute (hal_tv_cec_client) true)
+(expandtypeattribute (hal_tv_cec_server) false)
+(typeattributeset hal_tv_cec_server (hal_tv_cec_default))
+(expandtypeattribute (hal_tv_input) true)
+(typeattributeset hal_tv_input (hal_tv_input_default))
+(expandtypeattribute (hal_tv_input_client) true)
+(expandtypeattribute (hal_tv_input_server) false)
+(typeattributeset hal_tv_input_server (hal_tv_input_default))
+(expandtypeattribute (hal_usb) true)
+(typeattributeset hal_usb (hal_usb_default))
+(expandtypeattribute (hal_usb_client) true)
+(expandtypeattribute (hal_usb_server) false)
+(typeattributeset hal_usb_server (hal_usb_default))
+(expandtypeattribute (hal_vibrator) true)
+(typeattributeset hal_vibrator (hal_vibrator_default))
+(expandtypeattribute (hal_vibrator_client) true)
+(typeattributeset hal_vibrator_client (dumpstate_27_0))
+(expandtypeattribute (hal_vibrator_server) false)
+(typeattributeset hal_vibrator_server (hal_vibrator_default))
+(expandtypeattribute (hal_vr) true)
+(typeattributeset hal_vr (hal_vr_default))
+(expandtypeattribute (hal_vr_client) true)
+(expandtypeattribute (hal_vr_server) false)
+(typeattributeset hal_vr_server (hal_vr_default))
+(expandtypeattribute (hal_weaver) true)
+(expandtypeattribute (hal_weaver_client) true)
+(expandtypeattribute (hal_weaver_server) false)
+(expandtypeattribute (hal_wifi) true)
+(typeattributeset hal_wifi (hal_wifi_default))
+(expandtypeattribute (hal_wifi_client) true)
+(expandtypeattribute (hal_wifi_server) false)
+(typeattributeset hal_wifi_server (hal_wifi_default))
+(expandtypeattribute (hal_wifi_offload) true)
+(typeattributeset hal_wifi_offload (hal_wifi_offload_default))
+(expandtypeattribute (hal_wifi_offload_client) true)
+(expandtypeattribute (hal_wifi_offload_server) false)
+(typeattributeset hal_wifi_offload_server (hal_wifi_offload_default))
+(expandtypeattribute (hal_wifi_supplicant) true)
+(typeattributeset hal_wifi_supplicant (hal_wifi_supplicant_default))
+(expandtypeattribute (hal_wifi_supplicant_client) true)
+(expandtypeattribute (hal_wifi_supplicant_server) false)
+(typeattributeset hal_wifi_supplicant_server (hal_wifi_supplicant_default))
+(typeattribute adbd_27_0)
+(roletype object_r adbd_27_0)
+(typeattribute adbd_exec_27_0)
+(roletype object_r adbd_exec_27_0)
+(typeattribute audioserver_27_0)
+(roletype object_r audioserver_27_0)
+(typeattribute blkid_27_0)
+(roletype object_r blkid_27_0)
+(typeattribute blkid_untrusted_27_0)
+(roletype object_r blkid_untrusted_27_0)
+(typeattribute bluetooth_27_0)
+(roletype object_r bluetooth_27_0)
+(typeattribute bootanim_27_0)
+(roletype object_r bootanim_27_0)
+(typeattribute bootanim_exec_27_0)
+(roletype object_r bootanim_exec_27_0)
+(typeattribute bootstat_27_0)
+(roletype object_r bootstat_27_0)
+(typeattribute bootstat_exec_27_0)
+(roletype object_r bootstat_exec_27_0)
+(typeattribute bufferhubd_27_0)
+(roletype object_r bufferhubd_27_0)
+(typeattribute bufferhubd_exec_27_0)
+(roletype object_r bufferhubd_exec_27_0)
+(typeattribute cameraserver_27_0)
+(roletype object_r cameraserver_27_0)
+(typeattribute cameraserver_exec_27_0)
+(roletype object_r cameraserver_exec_27_0)
+(typeattribute charger_27_0)
+(roletype object_r charger_27_0)
+(typeattribute clatd_27_0)
+(roletype object_r clatd_27_0)
+(typeattribute clatd_exec_27_0)
+(roletype object_r clatd_exec_27_0)
+(typeattribute cppreopts_27_0)
+(roletype object_r cppreopts_27_0)
+(typeattribute cppreopts_exec_27_0)
+(roletype object_r cppreopts_exec_27_0)
+(typeattribute crash_dump_27_0)
+(roletype object_r crash_dump_27_0)
+(typeattribute crash_dump_exec_27_0)
+(roletype object_r crash_dump_exec_27_0)
+(typeattribute device_27_0)
+(roletype object_r device_27_0)
+(typeattribute alarm_device_27_0)
+(roletype object_r alarm_device_27_0)
+(typeattribute ashmem_device_27_0)
+(roletype object_r ashmem_device_27_0)
+(typeattribute audio_device_27_0)
+(roletype object_r audio_device_27_0)
+(typeattribute audio_timer_device_27_0)
+(roletype object_r audio_timer_device_27_0)
+(typeattribute audio_seq_device_27_0)
+(roletype object_r audio_seq_device_27_0)
+(typeattribute binder_device_27_0)
+(roletype object_r binder_device_27_0)
+(typeattribute hwbinder_device_27_0)
+(roletype object_r hwbinder_device_27_0)
+(typeattribute vndbinder_device_27_0)
+(roletype object_r vndbinder_device_27_0)
+(typeattribute block_device_27_0)
+(roletype object_r block_device_27_0)
+(typeattribute camera_device_27_0)
+(roletype object_r camera_device_27_0)
+(typeattribute dm_device_27_0)
+(roletype object_r dm_device_27_0)
+(typeattribute keychord_device_27_0)
+(roletype object_r keychord_device_27_0)
+(typeattribute loop_control_device_27_0)
+(roletype object_r loop_control_device_27_0)
+(typeattribute loop_device_27_0)
+(roletype object_r loop_device_27_0)
+(typeattribute pmsg_device_27_0)
+(roletype object_r pmsg_device_27_0)
+(typeattribute radio_device_27_0)
+(roletype object_r radio_device_27_0)
+(typeattribute ram_device_27_0)
+(roletype object_r ram_device_27_0)
+(typeattribute rtc_device_27_0)
+(roletype object_r rtc_device_27_0)
+(typeattribute vold_device_27_0)
+(roletype object_r vold_device_27_0)
+(typeattribute console_device_27_0)
+(roletype object_r console_device_27_0)
+(typeattribute cpuctl_device_27_0)
+(roletype object_r cpuctl_device_27_0)
+(typeattribute fscklogs_27_0)
+(roletype object_r fscklogs_27_0)
+(typeattribute full_device_27_0)
+(roletype object_r full_device_27_0)
+(typeattribute gpu_device_27_0)
+(roletype object_r gpu_device_27_0)
+(typeattribute graphics_device_27_0)
+(roletype object_r graphics_device_27_0)
+(typeattribute hw_random_device_27_0)
+(roletype object_r hw_random_device_27_0)
+(typeattribute input_device_27_0)
+(roletype object_r input_device_27_0)
+(typeattribute kmem_device_27_0)
+(roletype object_r kmem_device_27_0)
+(typeattribute port_device_27_0)
+(roletype object_r port_device_27_0)
+(typeattribute mtd_device_27_0)
+(roletype object_r mtd_device_27_0)
+(typeattribute mtp_device_27_0)
+(roletype object_r mtp_device_27_0)
+(typeattribute nfc_device_27_0)
+(roletype object_r nfc_device_27_0)
+(typeattribute ptmx_device_27_0)
+(roletype object_r ptmx_device_27_0)
+(typeattribute kmsg_device_27_0)
+(roletype object_r kmsg_device_27_0)
+(typeattribute kmsg_debug_device_27_0)
+(roletype object_r kmsg_debug_device_27_0)
+(typeattribute null_device_27_0)
+(roletype object_r null_device_27_0)
+(typeattribute random_device_27_0)
+(roletype object_r random_device_27_0)
+(typeattribute sensors_device_27_0)
+(roletype object_r sensors_device_27_0)
+(typeattribute serial_device_27_0)
+(roletype object_r serial_device_27_0)
+(typeattribute socket_device_27_0)
+(roletype object_r socket_device_27_0)
+(typeattribute owntty_device_27_0)
+(roletype object_r owntty_device_27_0)
+(typeattribute tty_device_27_0)
+(roletype object_r tty_device_27_0)
+(typeattribute video_device_27_0)
+(roletype object_r video_device_27_0)
+(typeattribute vcs_device_27_0)
+(roletype object_r vcs_device_27_0)
+(typeattribute zero_device_27_0)
+(roletype object_r zero_device_27_0)
+(typeattribute fuse_device_27_0)
+(roletype object_r fuse_device_27_0)
+(typeattribute iio_device_27_0)
+(roletype object_r iio_device_27_0)
+(typeattribute ion_device_27_0)
+(roletype object_r ion_device_27_0)
+(typeattribute qtaguid_device_27_0)
+(roletype object_r qtaguid_device_27_0)
+(typeattribute watchdog_device_27_0)
+(roletype object_r watchdog_device_27_0)
+(typeattribute uhid_device_27_0)
+(roletype object_r uhid_device_27_0)
+(typeattribute uio_device_27_0)
+(roletype object_r uio_device_27_0)
+(typeattribute tun_device_27_0)
+(roletype object_r tun_device_27_0)
+(typeattribute usbaccessory_device_27_0)
+(roletype object_r usbaccessory_device_27_0)
+(typeattribute usb_device_27_0)
+(roletype object_r usb_device_27_0)
+(typeattribute properties_device_27_0)
+(roletype object_r properties_device_27_0)
+(typeattribute properties_serial_27_0)
+(roletype object_r properties_serial_27_0)
+(typeattribute i2c_device_27_0)
+(roletype object_r i2c_device_27_0)
+(typeattribute hci_attach_dev_27_0)
+(roletype object_r hci_attach_dev_27_0)
+(typeattribute rpmsg_device_27_0)
+(roletype object_r rpmsg_device_27_0)
+(typeattribute root_block_device_27_0)
+(roletype object_r root_block_device_27_0)
+(typeattribute frp_block_device_27_0)
+(roletype object_r frp_block_device_27_0)
+(typeattribute system_block_device_27_0)
+(roletype object_r system_block_device_27_0)
+(typeattribute recovery_block_device_27_0)
+(roletype object_r recovery_block_device_27_0)
+(typeattribute boot_block_device_27_0)
+(roletype object_r boot_block_device_27_0)
+(typeattribute userdata_block_device_27_0)
+(roletype object_r userdata_block_device_27_0)
+(typeattribute cache_block_device_27_0)
+(roletype object_r cache_block_device_27_0)
+(typeattribute swap_block_device_27_0)
+(roletype object_r swap_block_device_27_0)
+(typeattribute metadata_block_device_27_0)
+(roletype object_r metadata_block_device_27_0)
+(typeattribute misc_block_device_27_0)
+(roletype object_r misc_block_device_27_0)
+(typeattribute dex2oat_27_0)
+(roletype object_r dex2oat_27_0)
+(typeattribute dex2oat_exec_27_0)
+(roletype object_r dex2oat_exec_27_0)
+(typeattribute dhcp_27_0)
+(roletype object_r dhcp_27_0)
+(typeattribute dhcp_exec_27_0)
+(roletype object_r dhcp_exec_27_0)
+(typeattribute dnsmasq_27_0)
+(roletype object_r dnsmasq_27_0)
+(typeattribute dnsmasq_exec_27_0)
+(roletype object_r dnsmasq_exec_27_0)
+(typeattribute drmserver_27_0)
+(roletype object_r drmserver_27_0)
+(typeattribute drmserver_exec_27_0)
+(roletype object_r drmserver_exec_27_0)
+(typeattribute drmserver_socket_27_0)
+(roletype object_r drmserver_socket_27_0)
+(typeattribute dumpstate_27_0)
+(roletype object_r dumpstate_27_0)
+(typeattribute dumpstate_exec_27_0)
+(roletype object_r dumpstate_exec_27_0)
+(typeattribute e2fs_27_0)
+(roletype object_r e2fs_27_0)
+(typeattribute e2fs_exec_27_0)
+(roletype object_r e2fs_exec_27_0)
+(typeattribute ephemeral_app_27_0)
+(roletype object_r ephemeral_app_27_0)
+(typeattribute labeledfs_27_0)
+(roletype object_r labeledfs_27_0)
+(typeattribute pipefs_27_0)
+(roletype object_r pipefs_27_0)
+(typeattribute sockfs_27_0)
+(roletype object_r sockfs_27_0)
+(typeattribute rootfs_27_0)
+(roletype object_r rootfs_27_0)
+(typeattribute proc_27_0)
+(roletype object_r proc_27_0)
+(typeattribute proc_security_27_0)
+(roletype object_r proc_security_27_0)
+(typeattribute proc_drop_caches_27_0)
+(roletype object_r proc_drop_caches_27_0)
+(typeattribute proc_overcommit_memory_27_0)
+(roletype object_r proc_overcommit_memory_27_0)
+(typeattribute usermodehelper_27_0)
+(roletype object_r usermodehelper_27_0)
+(typeattribute sysfs_usermodehelper_27_0)
+(roletype object_r sysfs_usermodehelper_27_0)
+(typeattribute qtaguid_proc_27_0)
+(roletype object_r qtaguid_proc_27_0)
+(typeattribute proc_bluetooth_writable_27_0)
+(roletype object_r proc_bluetooth_writable_27_0)
+(typeattribute proc_cpuinfo_27_0)
+(roletype object_r proc_cpuinfo_27_0)
+(typeattribute proc_interrupts_27_0)
+(roletype object_r proc_interrupts_27_0)
+(typeattribute proc_iomem_27_0)
+(roletype object_r proc_iomem_27_0)
+(typeattribute proc_meminfo_27_0)
+(roletype object_r proc_meminfo_27_0)
+(typeattribute proc_misc_27_0)
+(roletype object_r proc_misc_27_0)
+(typeattribute proc_modules_27_0)
+(roletype object_r proc_modules_27_0)
+(typeattribute proc_net_27_0)
+(roletype object_r proc_net_27_0)
+(typeattribute proc_perf_27_0)
+(roletype object_r proc_perf_27_0)
+(typeattribute proc_stat_27_0)
+(roletype object_r proc_stat_27_0)
+(typeattribute proc_sysrq_27_0)
+(roletype object_r proc_sysrq_27_0)
+(typeattribute proc_timer_27_0)
+(roletype object_r proc_timer_27_0)
+(typeattribute proc_tty_drivers_27_0)
+(roletype object_r proc_tty_drivers_27_0)
+(typeattribute proc_uid_cputime_showstat_27_0)
+(roletype object_r proc_uid_cputime_showstat_27_0)
+(typeattribute proc_uid_cputime_removeuid_27_0)
+(roletype object_r proc_uid_cputime_removeuid_27_0)
+(typeattribute proc_uid_io_stats_27_0)
+(roletype object_r proc_uid_io_stats_27_0)
+(typeattribute proc_uid_procstat_set_27_0)
+(roletype object_r proc_uid_procstat_set_27_0)
+(typeattribute proc_uid_time_in_state_27_0)
+(roletype object_r proc_uid_time_in_state_27_0)
+(typeattribute proc_zoneinfo_27_0)
+(roletype object_r proc_zoneinfo_27_0)
+(typeattribute selinuxfs_27_0)
+(roletype object_r selinuxfs_27_0)
+(typeattribute cgroup_27_0)
+(roletype object_r cgroup_27_0)
+(typeattribute sysfs_27_0)
+(roletype object_r sysfs_27_0)
+(typeattribute sysfs_uio_27_0)
+(roletype object_r sysfs_uio_27_0)
+(typeattribute sysfs_batteryinfo_27_0)
+(roletype object_r sysfs_batteryinfo_27_0)
+(typeattribute sysfs_bluetooth_writable_27_0)
+(roletype object_r sysfs_bluetooth_writable_27_0)
+(typeattribute sysfs_leds_27_0)
+(roletype object_r sysfs_leds_27_0)
+(typeattribute sysfs_hwrandom_27_0)
+(roletype object_r sysfs_hwrandom_27_0)
+(typeattribute sysfs_nfc_power_writable_27_0)
+(roletype object_r sysfs_nfc_power_writable_27_0)
+(typeattribute sysfs_wake_lock_27_0)
+(roletype object_r sysfs_wake_lock_27_0)
+(typeattribute sysfs_mac_address_27_0)
+(roletype object_r sysfs_mac_address_27_0)
+(typeattribute sysfs_usb_27_0)
+(roletype object_r sysfs_usb_27_0)
+(typeattribute sysfs_fs_ext4_features_27_0)
+(roletype object_r sysfs_fs_ext4_features_27_0)
+(typeattribute configfs_27_0)
+(roletype object_r configfs_27_0)
+(typeattribute sysfs_devices_system_cpu_27_0)
+(roletype object_r sysfs_devices_system_cpu_27_0)
+(typeattribute sysfs_lowmemorykiller_27_0)
+(roletype object_r sysfs_lowmemorykiller_27_0)
+(typeattribute sysfs_wlan_fwpath_27_0)
+(roletype object_r sysfs_wlan_fwpath_27_0)
+(typeattribute sysfs_vibrator_27_0)
+(roletype object_r sysfs_vibrator_27_0)
+(typeattribute sysfs_thermal_27_0)
+(roletype object_r sysfs_thermal_27_0)
+(typeattribute sysfs_zram_27_0)
+(roletype object_r sysfs_zram_27_0)
+(typeattribute sysfs_zram_uevent_27_0)
+(roletype object_r sysfs_zram_uevent_27_0)
+(typeattribute inotify_27_0)
+(roletype object_r inotify_27_0)
+(typeattribute devpts_27_0)
+(roletype object_r devpts_27_0)
+(typeattribute tmpfs_27_0)
+(roletype object_r tmpfs_27_0)
+(typeattribute shm_27_0)
+(roletype object_r shm_27_0)
+(typeattribute mqueue_27_0)
+(roletype object_r mqueue_27_0)
+(typeattribute fuse_27_0)
+(roletype object_r fuse_27_0)
+(typeattribute sdcardfs_27_0)
+(roletype object_r sdcardfs_27_0)
+(typeattribute vfat_27_0)
+(roletype object_r vfat_27_0)
+(typeattribute debugfs_27_0)
+(roletype object_r debugfs_27_0)
+(typeattribute debugfs_mmc_27_0)
+(roletype object_r debugfs_mmc_27_0)
+(typeattribute debugfs_trace_marker_27_0)
+(roletype object_r debugfs_trace_marker_27_0)
+(typeattribute debugfs_tracing_27_0)
+(roletype object_r debugfs_tracing_27_0)
+(typeattribute debugfs_tracing_debug_27_0)
+(roletype object_r debugfs_tracing_debug_27_0)
+(typeattribute debugfs_tracing_instances_27_0)
+(roletype object_r debugfs_tracing_instances_27_0)
+(typeattribute debugfs_wifi_tracing_27_0)
+(roletype object_r debugfs_wifi_tracing_27_0)
+(typeattribute pstorefs_27_0)
+(roletype object_r pstorefs_27_0)
+(typeattribute functionfs_27_0)
+(roletype object_r functionfs_27_0)
+(typeattribute oemfs_27_0)
+(roletype object_r oemfs_27_0)
+(typeattribute usbfs_27_0)
+(roletype object_r usbfs_27_0)
+(typeattribute binfmt_miscfs_27_0)
+(roletype object_r binfmt_miscfs_27_0)
+(typeattribute app_fusefs_27_0)
+(roletype object_r app_fusefs_27_0)
+(typeattribute unlabeled_27_0)
+(roletype object_r unlabeled_27_0)
+(typeattribute system_file_27_0)
+(roletype object_r system_file_27_0)
+(typeattribute vendor_hal_file_27_0)
+(roletype object_r vendor_hal_file_27_0)
+(typeattribute vendor_file_27_0)
+(roletype object_r vendor_file_27_0)
+(typeattribute vendor_app_file_27_0)
+(roletype object_r vendor_app_file_27_0)
+(typeattribute vendor_configs_file_27_0)
+(roletype object_r vendor_configs_file_27_0)
+(typeattribute same_process_hal_file_27_0)
+(roletype object_r same_process_hal_file_27_0)
+(typeattribute vndk_sp_file_27_0)
+(roletype object_r vndk_sp_file_27_0)
+(typeattribute vendor_framework_file_27_0)
+(roletype object_r vendor_framework_file_27_0)
+(typeattribute vendor_overlay_file_27_0)
+(roletype object_r vendor_overlay_file_27_0)
+(typeattribute runtime_event_log_tags_file_27_0)
+(roletype object_r runtime_event_log_tags_file_27_0)
+(typeattribute logcat_exec_27_0)
+(roletype object_r logcat_exec_27_0)
+(typeattribute coredump_file_27_0)
+(roletype object_r coredump_file_27_0)
+(typeattribute system_data_file_27_0)
+(roletype object_r system_data_file_27_0)
+(typeattribute unencrypted_data_file_27_0)
+(roletype object_r unencrypted_data_file_27_0)
+(typeattribute install_data_file_27_0)
+(roletype object_r install_data_file_27_0)
+(typeattribute drm_data_file_27_0)
+(roletype object_r drm_data_file_27_0)
+(typeattribute adb_data_file_27_0)
+(roletype object_r adb_data_file_27_0)
+(typeattribute anr_data_file_27_0)
+(roletype object_r anr_data_file_27_0)
+(typeattribute tombstone_data_file_27_0)
+(roletype object_r tombstone_data_file_27_0)
+(typeattribute apk_data_file_27_0)
+(roletype object_r apk_data_file_27_0)
+(typeattribute apk_tmp_file_27_0)
+(roletype object_r apk_tmp_file_27_0)
+(typeattribute apk_private_data_file_27_0)
+(roletype object_r apk_private_data_file_27_0)
+(typeattribute apk_private_tmp_file_27_0)
+(roletype object_r apk_private_tmp_file_27_0)
+(typeattribute dalvikcache_data_file_27_0)
+(roletype object_r dalvikcache_data_file_27_0)
+(typeattribute ota_data_file_27_0)
+(roletype object_r ota_data_file_27_0)
+(typeattribute ota_package_file_27_0)
+(roletype object_r ota_package_file_27_0)
+(typeattribute user_profile_data_file_27_0)
+(roletype object_r user_profile_data_file_27_0)
+(typeattribute profman_dump_data_file_27_0)
+(roletype object_r profman_dump_data_file_27_0)
+(typeattribute resourcecache_data_file_27_0)
+(roletype object_r resourcecache_data_file_27_0)
+(typeattribute shell_data_file_27_0)
+(roletype object_r shell_data_file_27_0)
+(typeattribute property_data_file_27_0)
+(roletype object_r property_data_file_27_0)
+(typeattribute bootchart_data_file_27_0)
+(roletype object_r bootchart_data_file_27_0)
+(typeattribute heapdump_data_file_27_0)
+(roletype object_r heapdump_data_file_27_0)
+(typeattribute nativetest_data_file_27_0)
+(roletype object_r nativetest_data_file_27_0)
+(typeattribute ringtone_file_27_0)
+(roletype object_r ringtone_file_27_0)
+(typeattribute preloads_data_file_27_0)
+(roletype object_r preloads_data_file_27_0)
+(typeattribute preloads_media_file_27_0)
+(roletype object_r preloads_media_file_27_0)
+(typeattribute dhcp_data_file_27_0)
+(roletype object_r dhcp_data_file_27_0)
+(typeattribute mnt_media_rw_file_27_0)
+(roletype object_r mnt_media_rw_file_27_0)
+(typeattribute mnt_user_file_27_0)
+(roletype object_r mnt_user_file_27_0)
+(typeattribute mnt_expand_file_27_0)
+(roletype object_r mnt_expand_file_27_0)
+(typeattribute storage_file_27_0)
+(roletype object_r storage_file_27_0)
+(typeattribute mnt_media_rw_stub_file_27_0)
+(roletype object_r mnt_media_rw_stub_file_27_0)
+(typeattribute storage_stub_file_27_0)
+(roletype object_r storage_stub_file_27_0)
+(typeattribute postinstall_mnt_dir_27_0)
+(roletype object_r postinstall_mnt_dir_27_0)
+(typeattribute postinstall_file_27_0)
+(roletype object_r postinstall_file_27_0)
+(typeattribute adb_keys_file_27_0)
+(roletype object_r adb_keys_file_27_0)
+(typeattribute audio_data_file_27_0)
+(roletype object_r audio_data_file_27_0)
+(typeattribute audiohal_data_file_27_0)
+(roletype object_r audiohal_data_file_27_0)
+(typeattribute audioserver_data_file_27_0)
+(roletype object_r audioserver_data_file_27_0)
+(typeattribute bluetooth_data_file_27_0)
+(roletype object_r bluetooth_data_file_27_0)
+(typeattribute bluetooth_logs_data_file_27_0)
+(roletype object_r bluetooth_logs_data_file_27_0)
+(typeattribute bootstat_data_file_27_0)
+(roletype object_r bootstat_data_file_27_0)
+(typeattribute boottrace_data_file_27_0)
+(roletype object_r boottrace_data_file_27_0)
+(typeattribute camera_data_file_27_0)
+(roletype object_r camera_data_file_27_0)
+(typeattribute gatekeeper_data_file_27_0)
+(roletype object_r gatekeeper_data_file_27_0)
+(typeattribute incident_data_file_27_0)
+(roletype object_r incident_data_file_27_0)
+(typeattribute keychain_data_file_27_0)
+(roletype object_r keychain_data_file_27_0)
+(typeattribute keystore_data_file_27_0)
+(roletype object_r keystore_data_file_27_0)
+(typeattribute media_data_file_27_0)
+(roletype object_r media_data_file_27_0)
+(typeattribute media_rw_data_file_27_0)
+(roletype object_r media_rw_data_file_27_0)
+(typeattribute misc_user_data_file_27_0)
+(roletype object_r misc_user_data_file_27_0)
+(typeattribute net_data_file_27_0)
+(roletype object_r net_data_file_27_0)
+(typeattribute nfc_data_file_27_0)
+(roletype object_r nfc_data_file_27_0)
+(typeattribute radio_data_file_27_0)
+(roletype object_r radio_data_file_27_0)
+(typeattribute reboot_data_file_27_0)
+(roletype object_r reboot_data_file_27_0)
+(typeattribute recovery_data_file_27_0)
+(roletype object_r recovery_data_file_27_0)
+(typeattribute shared_relro_file_27_0)
+(roletype object_r shared_relro_file_27_0)
+(typeattribute systemkeys_data_file_27_0)
+(roletype object_r systemkeys_data_file_27_0)
+(typeattribute textclassifier_data_file_27_0)
+(roletype object_r textclassifier_data_file_27_0)
+(typeattribute vpn_data_file_27_0)
+(roletype object_r vpn_data_file_27_0)
+(typeattribute wifi_data_file_27_0)
+(roletype object_r wifi_data_file_27_0)
+(typeattribute zoneinfo_data_file_27_0)
+(roletype object_r zoneinfo_data_file_27_0)
+(typeattribute vold_data_file_27_0)
+(roletype object_r vold_data_file_27_0)
+(typeattribute perfprofd_data_file_27_0)
+(roletype object_r perfprofd_data_file_27_0)
+(typeattribute tee_data_file_27_0)
+(roletype object_r tee_data_file_27_0)
+(typeattribute update_engine_data_file_27_0)
+(roletype object_r update_engine_data_file_27_0)
+(typeattribute method_trace_data_file_27_0)
+(roletype object_r method_trace_data_file_27_0)
+(typeattribute app_data_file_27_0)
+(roletype object_r app_data_file_27_0)
+(typeattribute system_app_data_file_27_0)
+(roletype object_r system_app_data_file_27_0)
+(typeattribute cache_file_27_0)
+(roletype object_r cache_file_27_0)
+(typeattribute cache_backup_file_27_0)
+(roletype object_r cache_backup_file_27_0)
+(typeattribute cache_private_backup_file_27_0)
+(roletype object_r cache_private_backup_file_27_0)
+(typeattribute cache_recovery_file_27_0)
+(roletype object_r cache_recovery_file_27_0)
+(typeattribute efs_file_27_0)
+(roletype object_r efs_file_27_0)
+(typeattribute wallpaper_file_27_0)
+(roletype object_r wallpaper_file_27_0)
+(typeattribute shortcut_manager_icons_27_0)
+(roletype object_r shortcut_manager_icons_27_0)
+(typeattribute icon_file_27_0)
+(roletype object_r icon_file_27_0)
+(typeattribute asec_apk_file_27_0)
+(roletype object_r asec_apk_file_27_0)
+(typeattribute asec_public_file_27_0)
+(roletype object_r asec_public_file_27_0)
+(typeattribute asec_image_file_27_0)
+(roletype object_r asec_image_file_27_0)
+(typeattribute backup_data_file_27_0)
+(roletype object_r backup_data_file_27_0)
+(typeattribute bluetooth_efs_file_27_0)
+(roletype object_r bluetooth_efs_file_27_0)
+(typeattribute fingerprintd_data_file_27_0)
+(roletype object_r fingerprintd_data_file_27_0)
+(typeattribute app_fuse_file_27_0)
+(roletype object_r app_fuse_file_27_0)
+(typeattribute adbd_socket_27_0)
+(roletype object_r adbd_socket_27_0)
+(typeattribute bluetooth_socket_27_0)
+(roletype object_r bluetooth_socket_27_0)
+(typeattribute dnsproxyd_socket_27_0)
+(roletype object_r dnsproxyd_socket_27_0)
+(typeattribute dumpstate_socket_27_0)
+(roletype object_r dumpstate_socket_27_0)
+(typeattribute fwmarkd_socket_27_0)
+(roletype object_r fwmarkd_socket_27_0)
+(typeattribute lmkd_socket_27_0)
+(roletype object_r lmkd_socket_27_0)
+(typeattribute logd_socket_27_0)
+(roletype object_r logd_socket_27_0)
+(typeattribute logdr_socket_27_0)
+(roletype object_r logdr_socket_27_0)
+(typeattribute logdw_socket_27_0)
+(roletype object_r logdw_socket_27_0)
+(typeattribute mdns_socket_27_0)
+(roletype object_r mdns_socket_27_0)
+(typeattribute mdnsd_socket_27_0)
+(roletype object_r mdnsd_socket_27_0)
+(typeattribute misc_logd_file_27_0)
+(roletype object_r misc_logd_file_27_0)
+(typeattribute mtpd_socket_27_0)
+(roletype object_r mtpd_socket_27_0)
+(typeattribute netd_socket_27_0)
+(roletype object_r netd_socket_27_0)
+(typeattribute property_socket_27_0)
+(roletype object_r property_socket_27_0)
+(typeattribute racoon_socket_27_0)
+(roletype object_r racoon_socket_27_0)
+(typeattribute rild_socket_27_0)
+(roletype object_r rild_socket_27_0)
+(typeattribute rild_debug_socket_27_0)
+(roletype object_r rild_debug_socket_27_0)
+(typeattribute system_wpa_socket_27_0)
+(roletype object_r system_wpa_socket_27_0)
+(typeattribute system_ndebug_socket_27_0)
+(roletype object_r system_ndebug_socket_27_0)
+(typeattribute tombstoned_crash_socket_27_0)
+(roletype object_r tombstoned_crash_socket_27_0)
+(typeattribute tombstoned_java_trace_socket_27_0)
+(roletype object_r tombstoned_java_trace_socket_27_0)
+(typeattribute tombstoned_intercept_socket_27_0)
+(roletype object_r tombstoned_intercept_socket_27_0)
+(typeattribute uncrypt_socket_27_0)
+(roletype object_r uncrypt_socket_27_0)
+(typeattribute vold_socket_27_0)
+(roletype object_r vold_socket_27_0)
+(typeattribute webview_zygote_socket_27_0)
+(roletype object_r webview_zygote_socket_27_0)
+(typeattribute wpa_socket_27_0)
+(roletype object_r wpa_socket_27_0)
+(typeattribute zygote_socket_27_0)
+(roletype object_r zygote_socket_27_0)
+(typeattribute gps_control_27_0)
+(roletype object_r gps_control_27_0)
+(typeattribute pdx_display_dir_27_0)
+(roletype object_r pdx_display_dir_27_0)
+(typeattribute pdx_performance_dir_27_0)
+(roletype object_r pdx_performance_dir_27_0)
+(typeattribute pdx_bufferhub_dir_27_0)
+(roletype object_r pdx_bufferhub_dir_27_0)
+(typeattribute pdx_display_client_endpoint_socket_27_0)
+(roletype object_r pdx_display_client_endpoint_socket_27_0)
+(typeattribute pdx_display_client_channel_socket_27_0)
+(roletype object_r pdx_display_client_channel_socket_27_0)
+(typeattribute pdx_display_manager_endpoint_socket_27_0)
+(roletype object_r pdx_display_manager_endpoint_socket_27_0)
+(typeattribute pdx_display_manager_channel_socket_27_0)
+(roletype object_r pdx_display_manager_channel_socket_27_0)
+(typeattribute pdx_display_screenshot_endpoint_socket_27_0)
+(roletype object_r pdx_display_screenshot_endpoint_socket_27_0)
+(typeattribute pdx_display_screenshot_channel_socket_27_0)
+(roletype object_r pdx_display_screenshot_channel_socket_27_0)
+(typeattribute pdx_display_vsync_endpoint_socket_27_0)
+(roletype object_r pdx_display_vsync_endpoint_socket_27_0)
+(typeattribute pdx_display_vsync_channel_socket_27_0)
+(roletype object_r pdx_display_vsync_channel_socket_27_0)
+(typeattribute pdx_performance_client_endpoint_socket_27_0)
+(roletype object_r pdx_performance_client_endpoint_socket_27_0)
+(typeattribute pdx_performance_client_channel_socket_27_0)
+(roletype object_r pdx_performance_client_channel_socket_27_0)
+(typeattribute pdx_bufferhub_client_endpoint_socket_27_0)
+(roletype object_r pdx_bufferhub_client_endpoint_socket_27_0)
+(typeattribute pdx_bufferhub_client_channel_socket_27_0)
+(roletype object_r pdx_bufferhub_client_channel_socket_27_0)
+(typeattribute file_contexts_file_27_0)
+(roletype object_r file_contexts_file_27_0)
+(typeattribute mac_perms_file_27_0)
+(roletype object_r mac_perms_file_27_0)
+(typeattribute property_contexts_file_27_0)
+(roletype object_r property_contexts_file_27_0)
+(typeattribute seapp_contexts_file_27_0)
+(roletype object_r seapp_contexts_file_27_0)
+(typeattribute sepolicy_file_27_0)
+(roletype object_r sepolicy_file_27_0)
+(typeattribute service_contexts_file_27_0)
+(roletype object_r service_contexts_file_27_0)
+(typeattribute nonplat_service_contexts_file_27_0)
+(roletype object_r nonplat_service_contexts_file_27_0)
+(typeattribute hwservice_contexts_file_27_0)
+(roletype object_r hwservice_contexts_file_27_0)
+(typeattribute vndservice_contexts_file_27_0)
+(roletype object_r vndservice_contexts_file_27_0)
+(typeattribute fingerprintd_27_0)
+(roletype object_r fingerprintd_27_0)
+(typeattribute fingerprintd_exec_27_0)
+(roletype object_r fingerprintd_exec_27_0)
+(typeattribute fsck_27_0)
+(roletype object_r fsck_27_0)
+(typeattribute fsck_exec_27_0)
+(roletype object_r fsck_exec_27_0)
+(typeattribute fsck_untrusted_27_0)
+(roletype object_r fsck_untrusted_27_0)
+(typeattribute gatekeeperd_27_0)
+(roletype object_r gatekeeperd_27_0)
+(typeattribute gatekeeperd_exec_27_0)
+(roletype object_r gatekeeperd_exec_27_0)
+(typeattribute healthd_27_0)
+(roletype object_r healthd_27_0)
+(typeattribute healthd_exec_27_0)
+(roletype object_r healthd_exec_27_0)
+(typeattribute default_android_hwservice_27_0)
+(roletype object_r default_android_hwservice_27_0)
+(typeattribute fwk_display_hwservice_27_0)
+(roletype object_r fwk_display_hwservice_27_0)
+(typeattribute fwk_scheduler_hwservice_27_0)
+(roletype object_r fwk_scheduler_hwservice_27_0)
+(typeattribute fwk_sensor_hwservice_27_0)
+(roletype object_r fwk_sensor_hwservice_27_0)
+(typeattribute hal_audio_hwservice_27_0)
+(roletype object_r hal_audio_hwservice_27_0)
+(typeattribute hal_bluetooth_hwservice_27_0)
+(roletype object_r hal_bluetooth_hwservice_27_0)
+(typeattribute hal_bootctl_hwservice_27_0)
+(roletype object_r hal_bootctl_hwservice_27_0)
+(typeattribute hal_broadcastradio_hwservice_27_0)
+(roletype object_r hal_broadcastradio_hwservice_27_0)
+(typeattribute hal_camera_hwservice_27_0)
+(roletype object_r hal_camera_hwservice_27_0)
+(typeattribute hal_configstore_ISurfaceFlingerConfigs_27_0)
+(roletype object_r hal_configstore_ISurfaceFlingerConfigs_27_0)
+(typeattribute hal_contexthub_hwservice_27_0)
+(roletype object_r hal_contexthub_hwservice_27_0)
+(typeattribute hal_drm_hwservice_27_0)
+(roletype object_r hal_drm_hwservice_27_0)
+(typeattribute hal_cas_hwservice_27_0)
+(roletype object_r hal_cas_hwservice_27_0)
+(typeattribute hal_dumpstate_hwservice_27_0)
+(roletype object_r hal_dumpstate_hwservice_27_0)
+(typeattribute hal_fingerprint_hwservice_27_0)
+(roletype object_r hal_fingerprint_hwservice_27_0)
+(typeattribute hal_gatekeeper_hwservice_27_0)
+(roletype object_r hal_gatekeeper_hwservice_27_0)
+(typeattribute hal_gnss_hwservice_27_0)
+(roletype object_r hal_gnss_hwservice_27_0)
+(typeattribute hal_graphics_allocator_hwservice_27_0)
+(roletype object_r hal_graphics_allocator_hwservice_27_0)
+(typeattribute hal_graphics_composer_hwservice_27_0)
+(roletype object_r hal_graphics_composer_hwservice_27_0)
+(typeattribute hal_graphics_mapper_hwservice_27_0)
+(roletype object_r hal_graphics_mapper_hwservice_27_0)
+(typeattribute hal_health_hwservice_27_0)
+(roletype object_r hal_health_hwservice_27_0)
+(typeattribute hal_ir_hwservice_27_0)
+(roletype object_r hal_ir_hwservice_27_0)
+(typeattribute hal_keymaster_hwservice_27_0)
+(roletype object_r hal_keymaster_hwservice_27_0)
+(typeattribute hal_light_hwservice_27_0)
+(roletype object_r hal_light_hwservice_27_0)
+(typeattribute hal_memtrack_hwservice_27_0)
+(roletype object_r hal_memtrack_hwservice_27_0)
+(typeattribute hal_neuralnetworks_hwservice_27_0)
+(roletype object_r hal_neuralnetworks_hwservice_27_0)
+(typeattribute hal_nfc_hwservice_27_0)
+(roletype object_r hal_nfc_hwservice_27_0)
+(typeattribute hal_oemlock_hwservice_27_0)
+(roletype object_r hal_oemlock_hwservice_27_0)
+(typeattribute hal_omx_hwservice_27_0)
+(roletype object_r hal_omx_hwservice_27_0)
+(typeattribute hal_power_hwservice_27_0)
+(roletype object_r hal_power_hwservice_27_0)
+(typeattribute hal_renderscript_hwservice_27_0)
+(roletype object_r hal_renderscript_hwservice_27_0)
+(typeattribute hal_sensors_hwservice_27_0)
+(roletype object_r hal_sensors_hwservice_27_0)
+(typeattribute hal_telephony_hwservice_27_0)
+(roletype object_r hal_telephony_hwservice_27_0)
+(typeattribute hal_tetheroffload_hwservice_27_0)
+(roletype object_r hal_tetheroffload_hwservice_27_0)
+(typeattribute hal_thermal_hwservice_27_0)
+(roletype object_r hal_thermal_hwservice_27_0)
+(typeattribute hal_tv_cec_hwservice_27_0)
+(roletype object_r hal_tv_cec_hwservice_27_0)
+(typeattribute hal_tv_input_hwservice_27_0)
+(roletype object_r hal_tv_input_hwservice_27_0)
+(typeattribute hal_usb_hwservice_27_0)
+(roletype object_r hal_usb_hwservice_27_0)
+(typeattribute hal_vibrator_hwservice_27_0)
+(roletype object_r hal_vibrator_hwservice_27_0)
+(typeattribute hal_vr_hwservice_27_0)
+(roletype object_r hal_vr_hwservice_27_0)
+(typeattribute hal_weaver_hwservice_27_0)
+(roletype object_r hal_weaver_hwservice_27_0)
+(typeattribute hal_wifi_hwservice_27_0)
+(roletype object_r hal_wifi_hwservice_27_0)
+(typeattribute hal_wifi_offload_hwservice_27_0)
+(roletype object_r hal_wifi_offload_hwservice_27_0)
+(typeattribute hal_wifi_supplicant_hwservice_27_0)
+(roletype object_r hal_wifi_supplicant_hwservice_27_0)
+(typeattribute hidl_allocator_hwservice_27_0)
+(roletype object_r hidl_allocator_hwservice_27_0)
+(typeattribute hidl_base_hwservice_27_0)
+(roletype object_r hidl_base_hwservice_27_0)
+(typeattribute hidl_manager_hwservice_27_0)
+(roletype object_r hidl_manager_hwservice_27_0)
+(typeattribute hidl_memory_hwservice_27_0)
+(roletype object_r hidl_memory_hwservice_27_0)
+(typeattribute hidl_token_hwservice_27_0)
+(roletype object_r hidl_token_hwservice_27_0)
+(typeattribute system_net_netd_hwservice_27_0)
+(roletype object_r system_net_netd_hwservice_27_0)
+(typeattribute system_wifi_keystore_hwservice_27_0)
+(roletype object_r system_wifi_keystore_hwservice_27_0)
+(typeattribute thermalcallback_hwservice_27_0)
+(roletype object_r thermalcallback_hwservice_27_0)
+(typeattribute hwservicemanager_27_0)
+(roletype object_r hwservicemanager_27_0)
+(typeattribute hwservicemanager_exec_27_0)
+(roletype object_r hwservicemanager_exec_27_0)
+(typeattribute idmap_27_0)
+(roletype object_r idmap_27_0)
+(typeattribute idmap_exec_27_0)
+(roletype object_r idmap_exec_27_0)
+(typeattribute incident_27_0)
+(roletype object_r incident_27_0)
+(typeattribute incidentd_27_0)
+(roletype object_r incidentd_27_0)
+(typeattribute init_27_0)
+(roletype object_r init_27_0)
+(typeattribute init_exec_27_0)
+(roletype object_r init_exec_27_0)
+(typeattribute inputflinger_27_0)
+(roletype object_r inputflinger_27_0)
+(typeattribute inputflinger_exec_27_0)
+(roletype object_r inputflinger_exec_27_0)
+(typeattribute install_recovery_27_0)
+(roletype object_r install_recovery_27_0)
+(typeattribute install_recovery_exec_27_0)
+(roletype object_r install_recovery_exec_27_0)
+(typeattribute installd_27_0)
+(roletype object_r installd_27_0)
+(typeattribute installd_exec_27_0)
+(roletype object_r installd_exec_27_0)
+(typeattribute isolated_app_27_0)
+(roletype object_r isolated_app_27_0)
+(typeattribute kernel_27_0)
+(roletype object_r kernel_27_0)
+(typeattribute keystore_27_0)
+(roletype object_r keystore_27_0)
+(typeattribute keystore_exec_27_0)
+(roletype object_r keystore_exec_27_0)
+(typeattribute lmkd_27_0)
+(roletype object_r lmkd_27_0)
+(typeattribute lmkd_exec_27_0)
+(roletype object_r lmkd_exec_27_0)
+(typeattribute logd_27_0)
+(roletype object_r logd_27_0)
+(typeattribute logd_exec_27_0)
+(roletype object_r logd_exec_27_0)
+(typeattribute logpersist_27_0)
+(roletype object_r logpersist_27_0)
+(typeattribute mdnsd_27_0)
+(roletype object_r mdnsd_27_0)
+(typeattribute mediacodec_27_0)
+(roletype object_r mediacodec_27_0)
+(typeattribute mediacodec_exec_27_0)
+(roletype object_r mediacodec_exec_27_0)
+(typeattribute mediadrmserver_27_0)
+(roletype object_r mediadrmserver_27_0)
+(typeattribute mediadrmserver_exec_27_0)
+(roletype object_r mediadrmserver_exec_27_0)
+(typeattribute mediaextractor_27_0)
+(roletype object_r mediaextractor_27_0)
+(typeattribute mediaextractor_exec_27_0)
+(roletype object_r mediaextractor_exec_27_0)
+(typeattribute mediametrics_27_0)
+(roletype object_r mediametrics_27_0)
+(typeattribute mediametrics_exec_27_0)
+(roletype object_r mediametrics_exec_27_0)
+(typeattribute mediaprovider_27_0)
+(roletype object_r mediaprovider_27_0)
+(typeattribute mediaserver_27_0)
+(roletype object_r mediaserver_27_0)
+(typeattribute mediaserver_exec_27_0)
+(roletype object_r mediaserver_exec_27_0)
+(typeattribute modprobe_27_0)
+(roletype object_r modprobe_27_0)
+(typeattribute mtp_27_0)
+(roletype object_r mtp_27_0)
+(typeattribute mtp_exec_27_0)
+(roletype object_r mtp_exec_27_0)
+(typeattribute node_27_0)
+(roletype object_r node_27_0)
+(typeattribute netif_27_0)
+(roletype object_r netif_27_0)
+(typeattribute port_27_0)
+(roletype object_r port_27_0)
+(typeattribute netd_27_0)
+(roletype object_r netd_27_0)
+(typeattribute netd_exec_27_0)
+(roletype object_r netd_exec_27_0)
+(typeattribute netutils_wrapper_27_0)
+(roletype object_r netutils_wrapper_27_0)
+(typeattribute netutils_wrapper_exec_27_0)
+(roletype object_r netutils_wrapper_exec_27_0)
+(typeattribute nfc_27_0)
+(roletype object_r nfc_27_0)
+(typeattribute otapreopt_chroot_27_0)
+(roletype object_r otapreopt_chroot_27_0)
+(typeattribute otapreopt_chroot_exec_27_0)
+(roletype object_r otapreopt_chroot_exec_27_0)
+(typeattribute otapreopt_slot_27_0)
+(roletype object_r otapreopt_slot_27_0)
+(typeattribute otapreopt_slot_exec_27_0)
+(roletype object_r otapreopt_slot_exec_27_0)
+(typeattribute performanced_27_0)
+(roletype object_r performanced_27_0)
+(typeattribute performanced_exec_27_0)
+(roletype object_r performanced_exec_27_0)
+(typeattribute perfprofd_27_0)
+(roletype object_r perfprofd_27_0)
+(typeattribute perfprofd_exec_27_0)
+(roletype object_r perfprofd_exec_27_0)
+(typeattribute platform_app_27_0)
+(roletype object_r platform_app_27_0)
+(typeattribute postinstall_27_0)
+(roletype object_r postinstall_27_0)
+(typeattribute postinstall_dexopt_27_0)
+(roletype object_r postinstall_dexopt_27_0)
+(typeattribute ppp_27_0)
+(roletype object_r ppp_27_0)
+(typeattribute ppp_device_27_0)
+(roletype object_r ppp_device_27_0)
+(typeattribute ppp_exec_27_0)
+(roletype object_r ppp_exec_27_0)
+(typeattribute preopt2cachename_27_0)
+(roletype object_r preopt2cachename_27_0)
+(typeattribute preopt2cachename_exec_27_0)
+(roletype object_r preopt2cachename_exec_27_0)
+(typeattribute priv_app_27_0)
+(roletype object_r priv_app_27_0)
+(typeattribute profman_27_0)
+(roletype object_r profman_27_0)
+(typeattribute profman_exec_27_0)
+(roletype object_r profman_exec_27_0)
+(typeattribute audio_prop_27_0)
+(roletype object_r audio_prop_27_0)
+(typeattribute boottime_prop_27_0)
+(roletype object_r boottime_prop_27_0)
+(typeattribute bluetooth_prop_27_0)
+(roletype object_r bluetooth_prop_27_0)
+(typeattribute config_prop_27_0)
+(roletype object_r config_prop_27_0)
+(typeattribute cppreopt_prop_27_0)
+(roletype object_r cppreopt_prop_27_0)
+(typeattribute ctl_bootanim_prop_27_0)
+(roletype object_r ctl_bootanim_prop_27_0)
+(typeattribute ctl_bugreport_prop_27_0)
+(roletype object_r ctl_bugreport_prop_27_0)
+(typeattribute ctl_console_prop_27_0)
+(roletype object_r ctl_console_prop_27_0)
+(typeattribute ctl_default_prop_27_0)
+(roletype object_r ctl_default_prop_27_0)
+(typeattribute ctl_dumpstate_prop_27_0)
+(roletype object_r ctl_dumpstate_prop_27_0)
+(typeattribute ctl_fuse_prop_27_0)
+(roletype object_r ctl_fuse_prop_27_0)
+(typeattribute ctl_mdnsd_prop_27_0)
+(roletype object_r ctl_mdnsd_prop_27_0)
+(typeattribute ctl_rildaemon_prop_27_0)
+(roletype object_r ctl_rildaemon_prop_27_0)
+(typeattribute dalvik_prop_27_0)
+(roletype object_r dalvik_prop_27_0)
+(typeattribute debuggerd_prop_27_0)
+(roletype object_r debuggerd_prop_27_0)
+(typeattribute debug_prop_27_0)
+(roletype object_r debug_prop_27_0)
+(typeattribute default_prop_27_0)
+(roletype object_r default_prop_27_0)
+(typeattribute device_logging_prop_27_0)
+(roletype object_r device_logging_prop_27_0)
+(typeattribute dhcp_prop_27_0)
+(roletype object_r dhcp_prop_27_0)
+(typeattribute dumpstate_options_prop_27_0)
+(roletype object_r dumpstate_options_prop_27_0)
+(typeattribute dumpstate_prop_27_0)
+(roletype object_r dumpstate_prop_27_0)
+(typeattribute ffs_prop_27_0)
+(roletype object_r ffs_prop_27_0)
+(typeattribute fingerprint_prop_27_0)
+(roletype object_r fingerprint_prop_27_0)
+(typeattribute firstboot_prop_27_0)
+(roletype object_r firstboot_prop_27_0)
+(typeattribute hwservicemanager_prop_27_0)
+(roletype object_r hwservicemanager_prop_27_0)
+(typeattribute logd_prop_27_0)
+(roletype object_r logd_prop_27_0)
+(typeattribute logpersistd_logging_prop_27_0)
+(roletype object_r logpersistd_logging_prop_27_0)
+(typeattribute log_prop_27_0)
+(roletype object_r log_prop_27_0)
+(typeattribute log_tag_prop_27_0)
+(roletype object_r log_tag_prop_27_0)
+(typeattribute mmc_prop_27_0)
+(roletype object_r mmc_prop_27_0)
+(typeattribute net_dns_prop_27_0)
+(roletype object_r net_dns_prop_27_0)
+(typeattribute net_radio_prop_27_0)
+(roletype object_r net_radio_prop_27_0)
+(typeattribute netd_stable_secret_prop_27_0)
+(roletype object_r netd_stable_secret_prop_27_0)
+(typeattribute nfc_prop_27_0)
+(roletype object_r nfc_prop_27_0)
+(typeattribute overlay_prop_27_0)
+(roletype object_r overlay_prop_27_0)
+(typeattribute pan_result_prop_27_0)
+(roletype object_r pan_result_prop_27_0)
+(typeattribute persist_debug_prop_27_0)
+(roletype object_r persist_debug_prop_27_0)
+(typeattribute persistent_properties_ready_prop_27_0)
+(roletype object_r persistent_properties_ready_prop_27_0)
+(typeattribute powerctl_prop_27_0)
+(roletype object_r powerctl_prop_27_0)
+(typeattribute radio_prop_27_0)
+(roletype object_r radio_prop_27_0)
+(typeattribute restorecon_prop_27_0)
+(roletype object_r restorecon_prop_27_0)
+(typeattribute safemode_prop_27_0)
+(roletype object_r safemode_prop_27_0)
+(typeattribute serialno_prop_27_0)
+(roletype object_r serialno_prop_27_0)
+(typeattribute shell_prop_27_0)
+(roletype object_r shell_prop_27_0)
+(typeattribute system_prop_27_0)
+(roletype object_r system_prop_27_0)
+(typeattribute system_radio_prop_27_0)
+(roletype object_r system_radio_prop_27_0)
+(typeattribute vold_prop_27_0)
+(roletype object_r vold_prop_27_0)
+(typeattribute wifi_log_prop_27_0)
+(roletype object_r wifi_log_prop_27_0)
+(typeattribute wifi_prop_27_0)
+(roletype object_r wifi_prop_27_0)
+(typeattribute racoon_27_0)
+(roletype object_r racoon_27_0)
+(typeattribute racoon_exec_27_0)
+(roletype object_r racoon_exec_27_0)
+(typeattribute radio_27_0)
+(roletype object_r radio_27_0)
+(typeattribute recovery_27_0)
+(roletype object_r recovery_27_0)
+(typeattribute recovery_persist_27_0)
+(roletype object_r recovery_persist_27_0)
+(typeattribute recovery_persist_exec_27_0)
+(roletype object_r recovery_persist_exec_27_0)
+(typeattribute recovery_refresh_27_0)
+(roletype object_r recovery_refresh_27_0)
+(typeattribute recovery_refresh_exec_27_0)
+(roletype object_r recovery_refresh_exec_27_0)
+(typeattribute rild_27_0)
+(roletype object_r rild_27_0)
+(typeattribute runas_27_0)
+(roletype object_r runas_27_0)
+(typeattribute runas_exec_27_0)
+(roletype object_r runas_exec_27_0)
+(typeattribute sdcardd_27_0)
+(roletype object_r sdcardd_27_0)
+(typeattribute sdcardd_exec_27_0)
+(roletype object_r sdcardd_exec_27_0)
+(typeattribute audioserver_service_27_0)
+(roletype object_r audioserver_service_27_0)
+(typeattribute batteryproperties_service_27_0)
+(roletype object_r batteryproperties_service_27_0)
+(typeattribute bluetooth_service_27_0)
+(roletype object_r bluetooth_service_27_0)
+(typeattribute cameraserver_service_27_0)
+(roletype object_r cameraserver_service_27_0)
+(typeattribute default_android_service_27_0)
+(roletype object_r default_android_service_27_0)
+(typeattribute drmserver_service_27_0)
+(roletype object_r drmserver_service_27_0)
+(typeattribute dumpstate_service_27_0)
+(roletype object_r dumpstate_service_27_0)
+(typeattribute fingerprintd_service_27_0)
+(roletype object_r fingerprintd_service_27_0)
+(typeattribute hal_fingerprint_service_27_0)
+(roletype object_r hal_fingerprint_service_27_0)
+(typeattribute gatekeeper_service_27_0)
+(roletype object_r gatekeeper_service_27_0)
+(typeattribute gpu_service_27_0)
+(roletype object_r gpu_service_27_0)
+(typeattribute inputflinger_service_27_0)
+(roletype object_r inputflinger_service_27_0)
+(typeattribute incident_service_27_0)
+(roletype object_r incident_service_27_0)
+(typeattribute installd_service_27_0)
+(roletype object_r installd_service_27_0)
+(typeattribute keystore_service_27_0)
+(roletype object_r keystore_service_27_0)
+(typeattribute mediaserver_service_27_0)
+(roletype object_r mediaserver_service_27_0)
+(typeattribute mediametrics_service_27_0)
+(roletype object_r mediametrics_service_27_0)
+(typeattribute mediaextractor_service_27_0)
+(roletype object_r mediaextractor_service_27_0)
+(typeattribute mediacodec_service_27_0)
+(roletype object_r mediacodec_service_27_0)
+(typeattribute mediadrmserver_service_27_0)
+(roletype object_r mediadrmserver_service_27_0)
+(typeattribute netd_service_27_0)
+(roletype object_r netd_service_27_0)
+(typeattribute nfc_service_27_0)
+(roletype object_r nfc_service_27_0)
+(typeattribute radio_service_27_0)
+(roletype object_r radio_service_27_0)
+(typeattribute storaged_service_27_0)
+(roletype object_r storaged_service_27_0)
+(typeattribute surfaceflinger_service_27_0)
+(roletype object_r surfaceflinger_service_27_0)
+(typeattribute system_app_service_27_0)
+(roletype object_r system_app_service_27_0)
+(typeattribute thermal_service_27_0)
+(roletype object_r thermal_service_27_0)
+(typeattribute update_engine_service_27_0)
+(roletype object_r update_engine_service_27_0)
+(typeattribute virtual_touchpad_service_27_0)
+(roletype object_r virtual_touchpad_service_27_0)
+(typeattribute vr_hwc_service_27_0)
+(roletype object_r vr_hwc_service_27_0)
+(typeattribute accessibility_service_27_0)
+(roletype object_r accessibility_service_27_0)
+(typeattribute account_service_27_0)
+(roletype object_r account_service_27_0)
+(typeattribute activity_service_27_0)
+(roletype object_r activity_service_27_0)
+(typeattribute alarm_service_27_0)
+(roletype object_r alarm_service_27_0)
+(typeattribute appops_service_27_0)
+(roletype object_r appops_service_27_0)
+(typeattribute appwidget_service_27_0)
+(roletype object_r appwidget_service_27_0)
+(typeattribute assetatlas_service_27_0)
+(roletype object_r assetatlas_service_27_0)
+(typeattribute audio_service_27_0)
+(roletype object_r audio_service_27_0)
+(typeattribute autofill_service_27_0)
+(roletype object_r autofill_service_27_0)
+(typeattribute backup_service_27_0)
+(roletype object_r backup_service_27_0)
+(typeattribute batterystats_service_27_0)
+(roletype object_r batterystats_service_27_0)
+(typeattribute battery_service_27_0)
+(roletype object_r battery_service_27_0)
+(typeattribute bluetooth_manager_service_27_0)
+(roletype object_r bluetooth_manager_service_27_0)
+(typeattribute broadcastradio_service_27_0)
+(roletype object_r broadcastradio_service_27_0)
+(typeattribute cameraproxy_service_27_0)
+(roletype object_r cameraproxy_service_27_0)
+(typeattribute clipboard_service_27_0)
+(roletype object_r clipboard_service_27_0)
+(typeattribute contexthub_service_27_0)
+(roletype object_r contexthub_service_27_0)
+(typeattribute IProxyService_service_27_0)
+(roletype object_r IProxyService_service_27_0)
+(typeattribute commontime_management_service_27_0)
+(roletype object_r commontime_management_service_27_0)
+(typeattribute companion_device_service_27_0)
+(roletype object_r companion_device_service_27_0)
+(typeattribute connectivity_service_27_0)
+(roletype object_r connectivity_service_27_0)
+(typeattribute connmetrics_service_27_0)
+(roletype object_r connmetrics_service_27_0)
+(typeattribute consumer_ir_service_27_0)
+(roletype object_r consumer_ir_service_27_0)
+(typeattribute content_service_27_0)
+(roletype object_r content_service_27_0)
+(typeattribute country_detector_service_27_0)
+(roletype object_r country_detector_service_27_0)
+(typeattribute coverage_service_27_0)
+(roletype object_r coverage_service_27_0)
+(typeattribute cpuinfo_service_27_0)
+(roletype object_r cpuinfo_service_27_0)
+(typeattribute dbinfo_service_27_0)
+(roletype object_r dbinfo_service_27_0)
+(typeattribute device_policy_service_27_0)
+(roletype object_r device_policy_service_27_0)
+(typeattribute deviceidle_service_27_0)
+(roletype object_r deviceidle_service_27_0)
+(typeattribute device_identifiers_service_27_0)
+(roletype object_r device_identifiers_service_27_0)
+(typeattribute devicestoragemonitor_service_27_0)
+(roletype object_r devicestoragemonitor_service_27_0)
+(typeattribute diskstats_service_27_0)
+(roletype object_r diskstats_service_27_0)
+(typeattribute display_service_27_0)
+(roletype object_r display_service_27_0)
+(typeattribute font_service_27_0)
+(roletype object_r font_service_27_0)
+(typeattribute netd_listener_service_27_0)
+(roletype object_r netd_listener_service_27_0)
+(typeattribute DockObserver_service_27_0)
+(roletype object_r DockObserver_service_27_0)
+(typeattribute dreams_service_27_0)
+(roletype object_r dreams_service_27_0)
+(typeattribute dropbox_service_27_0)
+(roletype object_r dropbox_service_27_0)
+(typeattribute ethernet_service_27_0)
+(roletype object_r ethernet_service_27_0)
+(typeattribute fingerprint_service_27_0)
+(roletype object_r fingerprint_service_27_0)
+(typeattribute gfxinfo_service_27_0)
+(roletype object_r gfxinfo_service_27_0)
+(typeattribute graphicsstats_service_27_0)
+(roletype object_r graphicsstats_service_27_0)
+(typeattribute hardware_service_27_0)
+(roletype object_r hardware_service_27_0)
+(typeattribute hardware_properties_service_27_0)
+(roletype object_r hardware_properties_service_27_0)
+(typeattribute hdmi_control_service_27_0)
+(roletype object_r hdmi_control_service_27_0)
+(typeattribute input_method_service_27_0)
+(roletype object_r input_method_service_27_0)
+(typeattribute input_service_27_0)
+(roletype object_r input_service_27_0)
+(typeattribute imms_service_27_0)
+(roletype object_r imms_service_27_0)
+(typeattribute ipsec_service_27_0)
+(roletype object_r ipsec_service_27_0)
+(typeattribute jobscheduler_service_27_0)
+(roletype object_r jobscheduler_service_27_0)
+(typeattribute launcherapps_service_27_0)
+(roletype object_r launcherapps_service_27_0)
+(typeattribute location_service_27_0)
+(roletype object_r location_service_27_0)
+(typeattribute lock_settings_service_27_0)
+(roletype object_r lock_settings_service_27_0)
+(typeattribute media_projection_service_27_0)
+(roletype object_r media_projection_service_27_0)
+(typeattribute media_router_service_27_0)
+(roletype object_r media_router_service_27_0)
+(typeattribute media_session_service_27_0)
+(roletype object_r media_session_service_27_0)
+(typeattribute meminfo_service_27_0)
+(roletype object_r meminfo_service_27_0)
+(typeattribute midi_service_27_0)
+(roletype object_r midi_service_27_0)
+(typeattribute mount_service_27_0)
+(roletype object_r mount_service_27_0)
+(typeattribute netpolicy_service_27_0)
+(roletype object_r netpolicy_service_27_0)
+(typeattribute netstats_service_27_0)
+(roletype object_r netstats_service_27_0)
+(typeattribute network_management_service_27_0)
+(roletype object_r network_management_service_27_0)
+(typeattribute network_score_service_27_0)
+(roletype object_r network_score_service_27_0)
+(typeattribute network_time_update_service_27_0)
+(roletype object_r network_time_update_service_27_0)
+(typeattribute notification_service_27_0)
+(roletype object_r notification_service_27_0)
+(typeattribute oem_lock_service_27_0)
+(roletype object_r oem_lock_service_27_0)
+(typeattribute otadexopt_service_27_0)
+(roletype object_r otadexopt_service_27_0)
+(typeattribute overlay_service_27_0)
+(roletype object_r overlay_service_27_0)
+(typeattribute package_service_27_0)
+(roletype object_r package_service_27_0)
+(typeattribute package_native_service_27_0)
+(roletype object_r package_native_service_27_0)
+(typeattribute permission_service_27_0)
+(roletype object_r permission_service_27_0)
+(typeattribute persistent_data_block_service_27_0)
+(roletype object_r persistent_data_block_service_27_0)
+(typeattribute pinner_service_27_0)
+(roletype object_r pinner_service_27_0)
+(typeattribute power_service_27_0)
+(roletype object_r power_service_27_0)
+(typeattribute print_service_27_0)
+(roletype object_r print_service_27_0)
+(typeattribute processinfo_service_27_0)
+(roletype object_r processinfo_service_27_0)
+(typeattribute procstats_service_27_0)
+(roletype object_r procstats_service_27_0)
+(typeattribute recovery_service_27_0)
+(roletype object_r recovery_service_27_0)
+(typeattribute registry_service_27_0)
+(roletype object_r registry_service_27_0)
+(typeattribute restrictions_service_27_0)
+(roletype object_r restrictions_service_27_0)
+(typeattribute rttmanager_service_27_0)
+(roletype object_r rttmanager_service_27_0)
+(typeattribute samplingprofiler_service_27_0)
+(roletype object_r samplingprofiler_service_27_0)
+(typeattribute scheduling_policy_service_27_0)
+(roletype object_r scheduling_policy_service_27_0)
+(typeattribute search_service_27_0)
+(roletype object_r search_service_27_0)
+(typeattribute sec_key_att_app_id_provider_service_27_0)
+(roletype object_r sec_key_att_app_id_provider_service_27_0)
+(typeattribute sensorservice_service_27_0)
+(roletype object_r sensorservice_service_27_0)
+(typeattribute serial_service_27_0)
+(roletype object_r serial_service_27_0)
+(typeattribute servicediscovery_service_27_0)
+(roletype object_r servicediscovery_service_27_0)
+(typeattribute settings_service_27_0)
+(roletype object_r settings_service_27_0)
+(typeattribute shortcut_service_27_0)
+(roletype object_r shortcut_service_27_0)
+(typeattribute statusbar_service_27_0)
+(roletype object_r statusbar_service_27_0)
+(typeattribute storagestats_service_27_0)
+(roletype object_r storagestats_service_27_0)
+(typeattribute task_service_27_0)
+(roletype object_r task_service_27_0)
+(typeattribute textclassification_service_27_0)
+(roletype object_r textclassification_service_27_0)
+(typeattribute textservices_service_27_0)
+(roletype object_r textservices_service_27_0)
+(typeattribute telecom_service_27_0)
+(roletype object_r telecom_service_27_0)
+(typeattribute timezone_service_27_0)
+(roletype object_r timezone_service_27_0)
+(typeattribute trust_service_27_0)
+(roletype object_r trust_service_27_0)
+(typeattribute tv_input_service_27_0)
+(roletype object_r tv_input_service_27_0)
+(typeattribute uimode_service_27_0)
+(roletype object_r uimode_service_27_0)
+(typeattribute updatelock_service_27_0)
+(roletype object_r updatelock_service_27_0)
+(typeattribute usagestats_service_27_0)
+(roletype object_r usagestats_service_27_0)
+(typeattribute usb_service_27_0)
+(roletype object_r usb_service_27_0)
+(typeattribute user_service_27_0)
+(roletype object_r user_service_27_0)
+(typeattribute vibrator_service_27_0)
+(roletype object_r vibrator_service_27_0)
+(typeattribute voiceinteraction_service_27_0)
+(roletype object_r voiceinteraction_service_27_0)
+(typeattribute vr_manager_service_27_0)
+(roletype object_r vr_manager_service_27_0)
+(typeattribute wallpaper_service_27_0)
+(roletype object_r wallpaper_service_27_0)
+(typeattribute webviewupdate_service_27_0)
+(roletype object_r webviewupdate_service_27_0)
+(typeattribute wifip2p_service_27_0)
+(roletype object_r wifip2p_service_27_0)
+(typeattribute wifiscanner_service_27_0)
+(roletype object_r wifiscanner_service_27_0)
+(typeattribute wifi_service_27_0)
+(roletype object_r wifi_service_27_0)
+(typeattribute wificond_service_27_0)
+(roletype object_r wificond_service_27_0)
+(typeattribute wifiaware_service_27_0)
+(roletype object_r wifiaware_service_27_0)
+(typeattribute window_service_27_0)
+(roletype object_r window_service_27_0)
+(typeattribute servicemanager_27_0)
+(roletype object_r servicemanager_27_0)
+(typeattribute servicemanager_exec_27_0)
+(roletype object_r servicemanager_exec_27_0)
+(typeattribute sgdisk_27_0)
+(roletype object_r sgdisk_27_0)
+(typeattribute sgdisk_exec_27_0)
+(roletype object_r sgdisk_exec_27_0)
+(typeattribute shared_relro_27_0)
+(roletype object_r shared_relro_27_0)
+(typeattribute shell_27_0)
+(roletype object_r shell_27_0)
+(typeattribute shell_exec_27_0)
+(roletype object_r shell_exec_27_0)
+(typeattribute slideshow_27_0)
+(roletype object_r slideshow_27_0)
+(typeattribute su_27_0)
+(roletype object_r su_27_0)
+(typeattribute su_exec_27_0)
+(roletype object_r su_exec_27_0)
+(typeattribute surfaceflinger_27_0)
+(roletype object_r surfaceflinger_27_0)
+(typeattribute system_app_27_0)
+(roletype object_r system_app_27_0)
+(typeattribute system_server_27_0)
+(roletype object_r system_server_27_0)
+(typeattribute tee_27_0)
+(roletype object_r tee_27_0)
+(typeattribute tee_device_27_0)
+(roletype object_r tee_device_27_0)
+(typeattribute thermalserviced_27_0)
+(roletype object_r thermalserviced_27_0)
+(typeattribute thermalserviced_exec_27_0)
+(roletype object_r thermalserviced_exec_27_0)
+(typeattribute tombstoned_27_0)
+(roletype object_r tombstoned_27_0)
+(typeattribute tombstoned_exec_27_0)
+(roletype object_r tombstoned_exec_27_0)
+(typeattribute toolbox_27_0)
+(roletype object_r toolbox_27_0)
+(typeattribute toolbox_exec_27_0)
+(roletype object_r toolbox_exec_27_0)
+(typeattribute tzdatacheck_27_0)
+(roletype object_r tzdatacheck_27_0)
+(typeattribute tzdatacheck_exec_27_0)
+(roletype object_r tzdatacheck_exec_27_0)
+(typeattribute ueventd_27_0)
+(roletype object_r ueventd_27_0)
+(typeattribute uncrypt_27_0)
+(roletype object_r uncrypt_27_0)
+(typeattribute uncrypt_exec_27_0)
+(roletype object_r uncrypt_exec_27_0)
+(typeattribute untrusted_app_27_0)
+(roletype object_r untrusted_app_27_0)
+(typeattribute untrusted_app_25_27_0)
+(roletype object_r untrusted_app_25_27_0)
+(typeattribute untrusted_v2_app_27_0)
+(roletype object_r untrusted_v2_app_27_0)
+(typeattribute update_engine_27_0)
+(roletype object_r update_engine_27_0)
+(typeattribute update_engine_exec_27_0)
+(roletype object_r update_engine_exec_27_0)
+(typeattribute update_verifier_27_0)
+(roletype object_r update_verifier_27_0)
+(typeattribute update_verifier_exec_27_0)
+(roletype object_r update_verifier_exec_27_0)
+(typeattribute vdc_27_0)
+(roletype object_r vdc_27_0)
+(typeattribute vdc_exec_27_0)
+(roletype object_r vdc_exec_27_0)
+(typeattribute vendor_shell_exec_27_0)
+(roletype object_r vendor_shell_exec_27_0)
+(typeattribute vendor_toolbox_exec_27_0)
+(roletype object_r vendor_toolbox_exec_27_0)
+(typeattribute virtual_touchpad_27_0)
+(roletype object_r virtual_touchpad_27_0)
+(typeattribute virtual_touchpad_exec_27_0)
+(roletype object_r virtual_touchpad_exec_27_0)
+(typeattribute default_android_vndservice_27_0)
+(roletype object_r default_android_vndservice_27_0)
+(typeattribute vndservicemanager_27_0)
+(roletype object_r vndservicemanager_27_0)
+(typeattribute vold_27_0)
+(roletype object_r vold_27_0)
+(typeattribute vold_exec_27_0)
+(roletype object_r vold_exec_27_0)
+(typeattribute vr_hwc_27_0)
+(roletype object_r vr_hwc_27_0)
+(typeattribute vr_hwc_exec_27_0)
+(roletype object_r vr_hwc_exec_27_0)
+(typeattribute watchdogd_27_0)
+(roletype object_r watchdogd_27_0)
+(typeattribute webview_zygote_27_0)
+(roletype object_r webview_zygote_27_0)
+(typeattribute webview_zygote_exec_27_0)
+(roletype object_r webview_zygote_exec_27_0)
+(typeattribute wificond_27_0)
+(roletype object_r wificond_27_0)
+(typeattribute wificond_exec_27_0)
+(roletype object_r wificond_exec_27_0)
+(typeattribute zygote_27_0)
+(roletype object_r zygote_27_0)
+(typeattribute zygote_exec_27_0)
+(roletype object_r zygote_exec_27_0)
+(type hostapd_socket)
+(roletype object_r hostapd_socket)
+(type hal_audio_default)
+(roletype object_r hal_audio_default)
+(type hal_audio_default_exec)
+(roletype object_r hal_audio_default_exec)
+(type hal_audio_default_tmpfs)
+(roletype object_r hal_audio_default_tmpfs)
+(type hal_bluetooth_default)
+(roletype object_r hal_bluetooth_default)
+(type hal_bluetooth_default_exec)
+(roletype object_r hal_bluetooth_default_exec)
+(type hal_bluetooth_default_tmpfs)
+(roletype object_r hal_bluetooth_default_tmpfs)
+(type hal_bootctl_default)
+(roletype object_r hal_bootctl_default)
+(type hal_bootctl_default_exec)
+(roletype object_r hal_bootctl_default_exec)
+(type hal_bootctl_default_tmpfs)
+(roletype object_r hal_bootctl_default_tmpfs)
+(type hal_broadcastradio_default)
+(roletype object_r hal_broadcastradio_default)
+(type hal_broadcastradio_default_exec)
+(roletype object_r hal_broadcastradio_default_exec)
+(type hal_broadcastradio_default_tmpfs)
+(roletype object_r hal_broadcastradio_default_tmpfs)
+(type hal_camera_default)
+(roletype object_r hal_camera_default)
+(type hal_camera_default_exec)
+(roletype object_r hal_camera_default_exec)
+(type hal_camera_default_tmpfs)
+(roletype object_r hal_camera_default_tmpfs)
+(type hal_cas_default)
+(roletype object_r hal_cas_default)
+(type hal_cas_default_exec)
+(roletype object_r hal_cas_default_exec)
+(type hal_cas_default_tmpfs)
+(roletype object_r hal_cas_default_tmpfs)
+(type hal_configstore_default)
+(roletype object_r hal_configstore_default)
+(type hal_configstore_default_exec)
+(roletype object_r hal_configstore_default_exec)
+(type hal_configstore_default_tmpfs)
+(roletype object_r hal_configstore_default_tmpfs)
+(type hal_contexthub_default)
+(roletype object_r hal_contexthub_default)
+(type hal_contexthub_default_exec)
+(roletype object_r hal_contexthub_default_exec)
+(type hal_contexthub_default_tmpfs)
+(roletype object_r hal_contexthub_default_tmpfs)
+(type hal_drm_default)
+(roletype object_r hal_drm_default)
+(type hal_drm_default_exec)
+(roletype object_r hal_drm_default_exec)
+(type hal_drm_default_tmpfs)
+(roletype object_r hal_drm_default_tmpfs)
+(type hal_dumpstate_default)
+(roletype object_r hal_dumpstate_default)
+(type hal_dumpstate_default_exec)
+(roletype object_r hal_dumpstate_default_exec)
+(type hal_dumpstate_default_tmpfs)
+(roletype object_r hal_dumpstate_default_tmpfs)
+(type hal_fingerprint_default)
+(roletype object_r hal_fingerprint_default)
+(type hal_fingerprint_default_exec)
+(roletype object_r hal_fingerprint_default_exec)
+(type hal_fingerprint_default_tmpfs)
+(roletype object_r hal_fingerprint_default_tmpfs)
+(type hal_gatekeeper_default)
+(roletype object_r hal_gatekeeper_default)
+(type hal_gatekeeper_default_exec)
+(roletype object_r hal_gatekeeper_default_exec)
+(type hal_gatekeeper_default_tmpfs)
+(roletype object_r hal_gatekeeper_default_tmpfs)
+(type hal_gnss_default)
+(roletype object_r hal_gnss_default)
+(type hal_gnss_default_exec)
+(roletype object_r hal_gnss_default_exec)
+(type hal_gnss_default_tmpfs)
+(roletype object_r hal_gnss_default_tmpfs)
+(type hal_graphics_allocator_default)
+(roletype object_r hal_graphics_allocator_default)
+(type hal_graphics_allocator_default_exec)
+(roletype object_r hal_graphics_allocator_default_exec)
+(type hal_graphics_allocator_default_tmpfs)
+(roletype object_r hal_graphics_allocator_default_tmpfs)
+(type hal_graphics_composer_default)
+(roletype object_r hal_graphics_composer_default)
+(type hal_graphics_composer_default_exec)
+(roletype object_r hal_graphics_composer_default_exec)
+(type hal_graphics_composer_default_tmpfs)
+(roletype object_r hal_graphics_composer_default_tmpfs)
+(type hal_health_default)
+(roletype object_r hal_health_default)
+(type hal_health_default_exec)
+(roletype object_r hal_health_default_exec)
+(type hal_health_default_tmpfs)
+(roletype object_r hal_health_default_tmpfs)
+(type hal_ir_default)
+(roletype object_r hal_ir_default)
+(type hal_ir_default_exec)
+(roletype object_r hal_ir_default_exec)
+(type hal_ir_default_tmpfs)
+(roletype object_r hal_ir_default_tmpfs)
+(type hal_keymaster_default)
+(roletype object_r hal_keymaster_default)
+(type hal_keymaster_default_exec)
+(roletype object_r hal_keymaster_default_exec)
+(type hal_keymaster_default_tmpfs)
+(roletype object_r hal_keymaster_default_tmpfs)
+(type hal_light_default)
+(roletype object_r hal_light_default)
+(type hal_light_default_exec)
+(roletype object_r hal_light_default_exec)
+(type hal_light_default_tmpfs)
+(roletype object_r hal_light_default_tmpfs)
+(type hal_memtrack_default)
+(roletype object_r hal_memtrack_default)
+(type hal_memtrack_default_exec)
+(roletype object_r hal_memtrack_default_exec)
+(type hal_memtrack_default_tmpfs)
+(roletype object_r hal_memtrack_default_tmpfs)
+(type hal_nfc_default)
+(roletype object_r hal_nfc_default)
+(type hal_nfc_default_exec)
+(roletype object_r hal_nfc_default_exec)
+(type hal_nfc_default_tmpfs)
+(roletype object_r hal_nfc_default_tmpfs)
+(type mediacodec_tmpfs)
+(roletype object_r mediacodec_tmpfs)
+(type hal_power_default)
+(roletype object_r hal_power_default)
+(type hal_power_default_exec)
+(roletype object_r hal_power_default_exec)
+(type hal_power_default_tmpfs)
+(roletype object_r hal_power_default_tmpfs)
+(type hal_sensors_default)
+(roletype object_r hal_sensors_default)
+(type hal_sensors_default_exec)
+(roletype object_r hal_sensors_default_exec)
+(type hal_sensors_default_tmpfs)
+(roletype object_r hal_sensors_default_tmpfs)
+(type hal_tetheroffload_default)
+(roletype object_r hal_tetheroffload_default)
+(type hal_tetheroffload_default_exec)
+(roletype object_r hal_tetheroffload_default_exec)
+(type hal_tetheroffload_default_tmpfs)
+(roletype object_r hal_tetheroffload_default_tmpfs)
+(type hal_thermal_default)
+(roletype object_r hal_thermal_default)
+(type hal_thermal_default_exec)
+(roletype object_r hal_thermal_default_exec)
+(type hal_thermal_default_tmpfs)
+(roletype object_r hal_thermal_default_tmpfs)
+(type hal_tv_cec_default)
+(roletype object_r hal_tv_cec_default)
+(type hal_tv_cec_default_exec)
+(roletype object_r hal_tv_cec_default_exec)
+(type hal_tv_cec_default_tmpfs)
+(roletype object_r hal_tv_cec_default_tmpfs)
+(type hal_tv_input_default)
+(roletype object_r hal_tv_input_default)
+(type hal_tv_input_default_exec)
+(roletype object_r hal_tv_input_default_exec)
+(type hal_tv_input_default_tmpfs)
+(roletype object_r hal_tv_input_default_tmpfs)
+(type hal_usb_default)
+(roletype object_r hal_usb_default)
+(type hal_usb_default_exec)
+(roletype object_r hal_usb_default_exec)
+(type hal_usb_default_tmpfs)
+(roletype object_r hal_usb_default_tmpfs)
+(type hal_vibrator_default)
+(roletype object_r hal_vibrator_default)
+(type hal_vibrator_default_exec)
+(roletype object_r hal_vibrator_default_exec)
+(type hal_vibrator_default_tmpfs)
+(roletype object_r hal_vibrator_default_tmpfs)
+(type hal_vr_default)
+(roletype object_r hal_vr_default)
+(type hal_vr_default_exec)
+(roletype object_r hal_vr_default_exec)
+(type hal_vr_default_tmpfs)
+(roletype object_r hal_vr_default_tmpfs)
+(type hal_wifi_default)
+(roletype object_r hal_wifi_default)
+(type hal_wifi_default_exec)
+(roletype object_r hal_wifi_default_exec)
+(type hal_wifi_default_tmpfs)
+(roletype object_r hal_wifi_default_tmpfs)
+(type hal_wifi_offload_default)
+(roletype object_r hal_wifi_offload_default)
+(type hal_wifi_offload_default_exec)
+(roletype object_r hal_wifi_offload_default_exec)
+(type hal_wifi_offload_default_tmpfs)
+(roletype object_r hal_wifi_offload_default_tmpfs)
+(type hal_wifi_supplicant_default)
+(roletype object_r hal_wifi_supplicant_default)
+(type hal_wifi_supplicant_default_exec)
+(roletype object_r hal_wifi_supplicant_default_exec)
+(type hal_wifi_supplicant_default_tmpfs)
+(roletype object_r hal_wifi_supplicant_default_tmpfs)
+(type hostapd)
+(roletype object_r hostapd)
+(type hostapd_exec)
+(roletype object_r hostapd_exec)
+(type hostapd_tmpfs)
+(roletype object_r hostapd_tmpfs)
+(type rild_exec)
+(roletype object_r rild_exec)
+(type rild_tmpfs)
+(roletype object_r rild_tmpfs)
+(type tee_exec)
+(roletype object_r tee_exec)
+(type tee_tmpfs)
+(roletype object_r tee_tmpfs)
+(type vendor_modprobe)
+(roletype object_r vendor_modprobe)
+(type vndservicemanager_exec)
+(roletype object_r vndservicemanager_exec)
+(type vndservicemanager_tmpfs)
+(roletype object_r vndservicemanager_tmpfs)
+(type qemu_device)
+(roletype object_r qemu_device)
+(type sysfs_writable)
+(roletype object_r sysfs_writable)
+(type goldfish_setup)
+(roletype object_r goldfish_setup)
+(type goldfish_setup_exec)
+(roletype object_r goldfish_setup_exec)
+(type goldfish_setup_tmpfs)
+(roletype object_r goldfish_setup_tmpfs)
+(type hal_drm_widevine)
+(roletype object_r hal_drm_widevine)
+(type hal_drm_widevine_exec)
+(roletype object_r hal_drm_widevine_exec)
+(type hal_drm_widevine_tmpfs)
+(roletype object_r hal_drm_widevine_tmpfs)
+(type qemu_prop)
+(roletype object_r qemu_prop)
+(type qemu_cmdline)
+(roletype object_r qemu_cmdline)
+(type radio_noril_prop)
+(roletype object_r radio_noril_prop)
+(type opengles_prop)
+(roletype object_r opengles_prop)
+(type qemu_props)
+(roletype object_r qemu_props)
+(type qemu_props_exec)
+(roletype object_r qemu_props_exec)
+(type qemu_props_tmpfs)
+(roletype object_r qemu_props_tmpfs)
+(allow bootanim_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 bootanim_27_0 (dir (search)))
+(allow servicemanager_27_0 bootanim_27_0 (file (read open)))
+(allow servicemanager_27_0 bootanim_27_0 (process (getattr)))
+(allow bootanim_27_0 surfaceflinger_27_0 (binder (call transfer)))
+(allow surfaceflinger_27_0 bootanim_27_0 (binder (transfer)))
+(allow bootanim_27_0 surfaceflinger_27_0 (fd (use)))
+(allow bootanim_27_0 audioserver_27_0 (binder (call transfer)))
+(allow audioserver_27_0 bootanim_27_0 (binder (transfer)))
+(allow bootanim_27_0 audioserver_27_0 (fd (use)))
+(allow bootanim_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 bootanim_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 bootanim_27_0 (dir (search)))
+(allow hwservicemanager_27_0 bootanim_27_0 (file (read open)))
+(allow hwservicemanager_27_0 bootanim_27_0 (process (getattr)))
+(allow bootanim_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow bootanim_27_0 oemfs_27_0 (dir (search)))
+(allow bootanim_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 audio_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootanim_27_0 audio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow bootanim_27_0 audioserver_service_27_0 (service_manager (find)))
+(allow bootanim_27_0 surfaceflinger_service_27_0 (service_manager (find)))
+(allow bootanim_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow bootanim_27_0 hal_graphics_allocator (fd (use)))
+(allow bootanim_27_0 hal_graphics_composer (fd (use)))
+(allow bootanim_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootanim_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootanim_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootanim_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow bootanim_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootstat_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
+(allow bootstat_27_0 bootstat_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow bootstat_27_0 bootstat_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow bootstat_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow bootstat_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow bootstat_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow bootstat_27_0 boottime_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (create bind)))
+(allow bufferhubd_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
+(allow bufferhubd_27_0 self (process (setsockcreate)))
+(allow bufferhubd_27_0 pdx_bufferhub_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
+(neverallow base_typeattr_1_27_0 pdx_bufferhub_client_endpoint_socket_type (unix_stream_socket (listen accept)))
+(allow bufferhubd_27_0 pdx_performance_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
+(allow bufferhubd_27_0 pdx_performance_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
+(allow bufferhubd_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
+(allow bufferhubd_27_0 pdx_performance_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
+(allow bufferhubd_27_0 pdx_performance_client_server_type (fd (use)))
+(allow pdx_performance_client_server_type bufferhubd_27_0 (fd (use)))
+(allow bufferhubd_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow bufferhubd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow bufferhubd_27_0 mediacodec_27_0 (fd (use)))
+(allow cameraserver_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 cameraserver_27_0 (dir (search)))
+(allow servicemanager_27_0 cameraserver_27_0 (file (read open)))
+(allow servicemanager_27_0 cameraserver_27_0 (process (getattr)))
+(allow cameraserver_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain cameraserver_27_0 (binder (transfer)))
+(allow cameraserver_27_0 binderservicedomain (fd (use)))
+(allow cameraserver_27_0 appdomain (binder (call transfer)))
+(allow appdomain cameraserver_27_0 (binder (transfer)))
+(allow cameraserver_27_0 appdomain (fd (use)))
+(allow cameraserver_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow cameraserver_27_0 hal_graphics_composer (fd (use)))
+(allow cameraserver_27_0 cameraserver_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_2_27_0 cameraserver_service_27_0 (service_manager (add)))
+(allow cameraserver_27_0 appops_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 audioserver_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 batterystats_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 cameraproxy_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 mediaserver_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 processinfo_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 scheduling_policy_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
+(allow cameraserver_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
+(neverallow cameraserver_27_0 fs_type (file (execute_no_trans)))
+(neverallow cameraserver_27_0 file_type (file (execute_no_trans)))
+(neverallow cameraserver_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow cameraserver_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow cameraserver_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(allow charger_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow charger_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow charger_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow charger_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow charger_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow charger_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow charger_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow charger_27_0 self (capability (sys_tty_config)))
+(allow charger_27_0 self (capability (sys_boot)))
+(allow charger_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow charger_27_0 self (capability2 (block_suspend)))
+(allow charger_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow charger_27_0 sysfs_27_0 (file (write)))
+(allow charger_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow charger_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow charger_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow charger_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow charger_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow charger_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow charger_27_0 proc_sysrq_27_0 (file (ioctl read write getattr lock append map open)))
+(allow charger_27_0 property_socket_27_0 (sock_file (write)))
+(allow charger_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow charger_27_0 system_prop_27_0 (property_service (set)))
+(allow charger_27_0 system_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow clatd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow clatd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow clatd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow clatd_27_0 netd_27_0 (fd (use)))
+(allow clatd_27_0 netd_27_0 (fifo_file (read write)))
+(allow clatd_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
+(allow clatd_27_0 netd_27_0 (netlink_nflog_socket (read write)))
+(allow clatd_27_0 netd_27_0 (netlink_route_socket (read write)))
+(allow clatd_27_0 netd_27_0 (udp_socket (read write)))
+(allow clatd_27_0 netd_27_0 (unix_stream_socket (read write)))
+(allow clatd_27_0 netd_27_0 (unix_dgram_socket (read write)))
+(allow clatd_27_0 self (capability (setgid setuid net_admin net_raw)))
+(allow clatd_27_0 self (capability (ipc_lock)))
+(allow clatd_27_0 self (netlink_route_socket (nlmsg_write)))
+(allow clatd_27_0 self (rawip_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow clatd_27_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow clatd_27_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow clatd_27_0 tun_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow cppreopts_27_0 dalvikcache_data_file_27_0 (dir (write add_name remove_name search)))
+(allow cppreopts_27_0 dalvikcache_data_file_27_0 (file (read write create getattr rename open)))
+(allow cppreopts_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow cppreopts_27_0 system_file_27_0 (dir (read open)))
+(allow cppreopts_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow crash_dump_27_0 base_typeattr_3_27_0 (process (sigchld sigkill sigstop signal ptrace)))
+(dontaudit crash_dump_27_0 self (capability (sys_ptrace)))
+(allow crash_dump_27_0 logd_27_0 (process (sigchld sigkill sigstop signal ptrace)))
+(allow crash_dump_27_0 kmsg_debug_device_27_0 (chr_file (append open)))
+(allow crash_dump_27_0 domain (fd (use)))
+(allow crash_dump_27_0 domain (fifo_file (write append)))
+(allow crash_dump_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow crash_dump_27_0 domain (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 exec_type (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 dalvikcache_data_file_27_0 (dir (getattr search)))
+(allow crash_dump_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow crash_dump_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 vendor_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow crash_dump_27_0 same_process_hal_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow crash_dump_27_0 vendor_file_27_0 (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 vendor_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 same_process_hal_file_27_0 (file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 same_process_hal_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow crash_dump_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
+(allow crash_dump_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
+(allow crash_dump_27_0 system_ndebug_socket_27_0 (sock_file (write)))
+(allow crash_dump_27_0 system_server_27_0 (unix_stream_socket (connectto)))
+(allow crash_dump_27_0 anr_data_file_27_0 (file (getattr append)))
+(allow crash_dump_27_0 tombstone_data_file_27_0 (file (getattr append)))
+(allow crash_dump_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow crash_dump_27_0 logdr_socket_27_0 (sock_file (write)))
+(allow crash_dump_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(neverallow domain crash_dump_exec_27_0 (file (execute_no_trans)))
+(allow dex2oat_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dex2oat_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dex2oat_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 vendor_framework_file_27_0 (dir (getattr search)))
+(allow dex2oat_27_0 vendor_framework_file_27_0 (file (read getattr open)))
+(allow dex2oat_27_0 tmpfs_27_0 (file (read getattr)))
+(allow dex2oat_27_0 dalvikcache_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dex2oat_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 dalvikcache_data_file_27_0 (file (write)))
+(allow dex2oat_27_0 dalvikcache_data_file_27_0 (lnk_file (read)))
+(allow dex2oat_27_0 installd_27_0 (fd (use)))
+(allow dex2oat_27_0 system_file_27_0 (file (lock)))
+(allow dex2oat_27_0 asec_apk_file_27_0 (file (read)))
+(allow dex2oat_27_0 unlabeled_27_0 (file (read)))
+(allow dex2oat_27_0 oemfs_27_0 (file (read)))
+(allow dex2oat_27_0 apk_tmp_file_27_0 (dir (search)))
+(allow dex2oat_27_0 apk_tmp_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 user_profile_data_file_27_0 (file (read getattr lock)))
+(allow dex2oat_27_0 app_data_file_27_0 (file (read write getattr lock)))
+(allow dex2oat_27_0 postinstall_dexopt_27_0 (fd (use)))
+(allow dex2oat_27_0 postinstall_file_27_0 (dir (getattr search)))
+(allow dex2oat_27_0 postinstall_file_27_0 (filesystem (getattr)))
+(allow dex2oat_27_0 postinstall_file_27_0 (lnk_file (read)))
+(allow dex2oat_27_0 ota_data_file_27_0 (dir (ioctl read write getattr lock add_name search open)))
+(allow dex2oat_27_0 ota_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dex2oat_27_0 ota_data_file_27_0 (lnk_file (read create)))
+(allow dex2oat_27_0 ota_data_file_27_0 (file (write create setattr lock append map open)))
+(neverallow dex2oat_27_0 app_data_file_27_0 (file (open)))
+(neverallow dex2oat_27_0 app_data_file_27_0 (lnk_file (open)))
+(neverallow dex2oat_27_0 app_data_file_27_0 (sock_file (open)))
+(neverallow dex2oat_27_0 app_data_file_27_0 (fifo_file (open)))
+(allow dhcp_27_0 cgroup_27_0 (dir (write create add_name)))
+(allow dhcp_27_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
+(allow dhcp_27_0 self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow dhcp_27_0 self (netlink_route_socket (nlmsg_write)))
+(allow dhcp_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dhcp_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dhcp_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dhcp_27_0 proc_net_27_0 (file (write)))
+(allow dhcp_27_0 property_socket_27_0 (sock_file (write)))
+(allow dhcp_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow dhcp_27_0 dhcp_prop_27_0 (property_service (set)))
+(allow dhcp_27_0 dhcp_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dhcp_27_0 property_socket_27_0 (sock_file (write)))
+(allow dhcp_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow dhcp_27_0 pan_result_prop_27_0 (property_service (set)))
+(allow dhcp_27_0 pan_result_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dhcp_27_0 dhcp_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow dhcp_27_0 dhcp_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow dhcp_27_0 netd_27_0 (fd (use)))
+(allow dhcp_27_0 netd_27_0 (fifo_file (ioctl read write getattr lock append map open)))
+(allow dhcp_27_0 netd_27_0 (udp_socket (read write)))
+(allow dhcp_27_0 netd_27_0 (unix_stream_socket (read write)))
+(allow dhcp_27_0 netd_27_0 (unix_dgram_socket (read write)))
+(allow dhcp_27_0 netd_27_0 (netlink_route_socket (read write)))
+(allow dhcp_27_0 netd_27_0 (netlink_nflog_socket (read write)))
+(allow dhcp_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
+(allow display_service_server fwk_display_hwservice_27_0 (hwservice_manager (add find)))
+(allow display_service_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_4_27_0 fwk_display_hwservice_27_0 (hwservice_manager (add)))
+(allowx dnsmasq_27_0 self (ioctl udp_socket (0x6900 0x6902)))
+(allowx dnsmasq_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx dnsmasq_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow dnsmasq_27_0 self (capability (dac_override)))
+(allow dnsmasq_27_0 self (capability (setgid setuid net_bind_service net_admin net_raw)))
+(allow dnsmasq_27_0 dhcp_data_file_27_0 (dir (write lock add_name remove_name search open)))
+(allow dnsmasq_27_0 dhcp_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow dnsmasq_27_0 netd_27_0 (fd (use)))
+(allow dnsmasq_27_0 netd_27_0 (fifo_file (read write)))
+(allow dnsmasq_27_0 netd_27_0 (netlink_kobject_uevent_socket (read write)))
+(allow dnsmasq_27_0 netd_27_0 (netlink_nflog_socket (read write)))
+(allow dnsmasq_27_0 netd_27_0 (netlink_route_socket (read write)))
+(allow dnsmasq_27_0 netd_27_0 (unix_stream_socket (read write)))
+(allow dnsmasq_27_0 netd_27_0 (unix_dgram_socket (read write)))
+(allow dnsmasq_27_0 netd_27_0 (udp_socket (read write)))
+(allow domain init_27_0 (process (sigchld)))
+(allow domain self (process (fork sigchld sigkill sigstop signull signal getsched setsched getsession getpgid setpgid getcap setcap getattr setrlimit)))
+(allow domain self (fd (use)))
+(allow domain proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain proc_net_27_0 (dir (search)))
+(allow domain self (dir (ioctl read getattr lock search open)))
+(allow domain self (file (ioctl read getattr lock map open)))
+(allow domain self (lnk_file (ioctl read getattr lock map open)))
+(allow domain self (file (ioctl read write getattr lock append map open)))
+(allow domain self (fifo_file (ioctl read write getattr lock append map open)))
+(allow domain self (unix_dgram_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown sendto)))
+(allow domain self (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown connectto)))
+(allow domain init_27_0 (fd (use)))
+(allow domain su_27_0 (unix_stream_socket (connectto)))
+(allow domain su_27_0 (fd (use)))
+(allow domain su_27_0 (unix_stream_socket (read write getattr getopt shutdown)))
+(allow base_typeattr_5_27_0 su_27_0 (binder (call transfer)))
+(allow base_typeattr_5_27_0 su_27_0 (fd (use)))
+(allow domain su_27_0 (fifo_file (write getattr)))
+(allow domain su_27_0 (process (sigchld)))
+(allow domain coredump_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow domain coredump_file_27_0 (dir (ioctl read write getattr lock add_name search open)))
+(allow domain rootfs_27_0 (dir (search)))
+(allow domain rootfs_27_0 (lnk_file (read getattr)))
+(allow domain device_27_0 (dir (search)))
+(allow domain dev_type (lnk_file (ioctl read getattr lock map open)))
+(allow domain devpts_27_0 (dir (search)))
+(allow domain socket_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain owntty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain null_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain zero_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain ashmem_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow base_typeattr_6_27_0 binder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow base_typeattr_7_27_0 hwbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain ptmx_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain alarm_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow domain random_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow domain properties_device_27_0 (dir (getattr search)))
+(allow domain properties_serial_27_0 (file (ioctl read getattr lock map open)))
+(allow domain core_property_type (file (ioctl read getattr lock map open)))
+(allow domain log_property_type (file (ioctl read getattr lock map open)))
+(dontaudit domain property_type (file (audit_access)))
+(allow domain property_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow domain init_27_0 (key (search)))
+(allow domain vold_27_0 (key (search)))
+(allow domain logdw_socket_27_0 (sock_file (write)))
+(allow domain logd_27_0 (unix_dgram_socket (sendto)))
+(allow domain pmsg_device_27_0 (chr_file (write lock append map open)))
+(allow domain system_file_27_0 (dir (getattr search)))
+(allow domain system_file_27_0 (file (read getattr map execute open)))
+(allow domain system_file_27_0 (lnk_file (read getattr)))
+(allow domain vendor_hal_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain same_process_hal_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain same_process_hal_file_27_0 (file (read getattr map execute open)))
+(allow domain vndk_sp_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain vndk_sp_file_27_0 (file (read getattr map execute open)))
+(allow domain vendor_configs_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain vendor_configs_file_27_0 (file (read getattr open)))
+(allow domain vendor_file_27_0 (lnk_file (read getattr open)))
+(allow domain vendor_file_27_0 (dir (getattr search)))
+(allow base_typeattr_8_27_0 vendor_file_type (dir (ioctl read getattr lock search open)))
+(allow base_typeattr_8_27_0 vendor_file_type (file (read getattr map execute open)))
+(allow base_typeattr_8_27_0 vendor_file_type (lnk_file (read getattr)))
+(allow domain sysfs_27_0 (lnk_file (read getattr)))
+(allow domain zoneinfo_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain zoneinfo_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow domain zoneinfo_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow domain sysfs_devices_system_cpu_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain sysfs_devices_system_cpu_27_0 (file (ioctl read getattr lock map open)))
+(allow domain sysfs_devices_system_cpu_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow domain sysfs_usb_27_0 (dir (ioctl read getattr lock search open)))
+(allow domain sysfs_usb_27_0 (file (ioctl read getattr lock map open)))
+(allow domain sysfs_usb_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow appdomain system_data_file_27_0 (dir (getattr)))
+(allow coredomain system_data_file_27_0 (dir (getattr)))
+(allow domain system_data_file_27_0 (dir (search)))
+(allow domain proc_27_0 (lnk_file (read getattr)))
+(allow domain proc_cpuinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow domain proc_overcommit_memory_27_0 (file (ioctl read getattr lock map open)))
+(allow domain proc_perf_27_0 (file (ioctl read getattr lock map open)))
+(allow domain selinuxfs_27_0 (dir (search)))
+(allow domain selinuxfs_27_0 (file (getattr)))
+(allow domain sysfs_27_0 (dir (search)))
+(allow domain selinuxfs_27_0 (filesystem (getattr)))
+(allow domain cgroup_27_0 (dir (write search)))
+(allow domain cgroup_27_0 (file (write lock append map open)))
+(allow domain debugfs_27_0 (dir (search)))
+(allow domain debugfs_tracing_27_0 (dir (search)))
+(allow domain debugfs_trace_marker_27_0 (file (write lock append map open)))
+(allow domain fs_type (filesystem (getattr)))
+(allow domain fs_type (dir (getattr)))
+(allowx domain domain (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx domain domain (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx domain domain (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx domain domain (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx domain domain (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx domain domain (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx domain domain (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx domain domain (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx domain domain (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx domain domain (ioctl unix_stream_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
+(allowx domain domain (ioctl unix_dgram_socket (0x5401 0x5411 ((range 0x5413 0x5414)) 0x541b 0x5451)))
+(allowx domain devpts_27_0 (ioctl chr_file (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allow base_typeattr_9_27_0 hwservice_manager_type (hwservice_manager (add find)))
+(allow base_typeattr_9_27_0 vndservice_manager_type (service_manager (add find)))
+(neverallowx domain domain (ioctl socket (0x0)))
+(neverallowx domain domain (ioctl tcp_socket (0x0)))
+(neverallowx domain domain (ioctl udp_socket (0x0)))
+(neverallowx domain domain (ioctl rawip_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_socket (0x0)))
+(neverallowx domain domain (ioctl packet_socket (0x0)))
+(neverallowx domain domain (ioctl key_socket (0x0)))
+(neverallowx domain domain (ioctl unix_stream_socket (0x0)))
+(neverallowx domain domain (ioctl unix_dgram_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_route_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_tcpdiag_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_nflog_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_xfrm_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_selinux_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_audit_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_dnrt_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_kobject_uevent_socket (0x0)))
+(neverallowx domain domain (ioctl appletalk_socket (0x0)))
+(neverallowx domain domain (ioctl tun_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_iscsi_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_fib_lookup_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_connector_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_netfilter_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_generic_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_scsitransport_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_rdma_socket (0x0)))
+(neverallowx domain domain (ioctl netlink_crypto_socket (0x0)))
+(neverallowx domain domain (ioctl sctp_socket (0x0)))
+(neverallowx domain domain (ioctl icmp_socket (0x0)))
+(neverallowx domain domain (ioctl ax25_socket (0x0)))
+(neverallowx domain domain (ioctl ipx_socket (0x0)))
+(neverallowx domain domain (ioctl netrom_socket (0x0)))
+(neverallowx domain domain (ioctl atmpvc_socket (0x0)))
+(neverallowx domain domain (ioctl x25_socket (0x0)))
+(neverallowx domain domain (ioctl rose_socket (0x0)))
+(neverallowx domain domain (ioctl decnet_socket (0x0)))
+(neverallowx domain domain (ioctl atmsvc_socket (0x0)))
+(neverallowx domain domain (ioctl rds_socket (0x0)))
+(neverallowx domain domain (ioctl irda_socket (0x0)))
+(neverallowx domain domain (ioctl pppox_socket (0x0)))
+(neverallowx domain domain (ioctl llc_socket (0x0)))
+(neverallowx domain domain (ioctl can_socket (0x0)))
+(neverallowx domain domain (ioctl tipc_socket (0x0)))
+(neverallowx domain domain (ioctl bluetooth_socket (0x0)))
+(neverallowx domain domain (ioctl iucv_socket (0x0)))
+(neverallowx domain domain (ioctl rxrpc_socket (0x0)))
+(neverallowx domain domain (ioctl isdn_socket (0x0)))
+(neverallowx domain domain (ioctl phonet_socket (0x0)))
+(neverallowx domain domain (ioctl ieee802154_socket (0x0)))
+(neverallowx domain domain (ioctl caif_socket (0x0)))
+(neverallowx domain domain (ioctl alg_socket (0x0)))
+(neverallowx domain domain (ioctl nfc_socket (0x0)))
+(neverallowx domain domain (ioctl vsock_socket (0x0)))
+(neverallowx domain domain (ioctl kcm_socket (0x0)))
+(neverallowx domain domain (ioctl qipcrtr_socket (0x0)))
+(neverallowx domain domain (ioctl smc_socket (0x0)))
+(neverallowx base_typeattr_10_27_0 devpts_27_0 (ioctl chr_file (0x5412)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (file (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (dir (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (lnk_file (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (chr_file (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (blk_file (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (sock_file (create)))
+(neverallow base_typeattr_11_27_0 unlabeled_27_0 (fifo_file (create)))
+(neverallow base_typeattr_12_27_0 self (capability (mknod)))
+(neverallow base_typeattr_13_27_0 self (capability (sys_rawio)))
+(neverallow base_typeattr_10_27_0 self (memprotect (mmap_zero)))
+(neverallow base_typeattr_10_27_0 self (capability2 (mac_override)))
+(neverallow base_typeattr_14_27_0 self (capability2 (mac_admin)))
+(neverallow base_typeattr_10_27_0 kernel_27_0 (security (load_policy)))
+(neverallow base_typeattr_10_27_0 kernel_27_0 (security (setenforce)))
+(neverallow base_typeattr_15_27_0 kernel_27_0 (security (setcheckreqprot)))
+(neverallow base_typeattr_10_27_0 kernel_27_0 (security (setbool)))
+(neverallow base_typeattr_5_27_0 kernel_27_0 (security (setsecparam)))
+(neverallow base_typeattr_16_27_0 hw_random_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_10_27_0 base_typeattr_17_27_0 (file (entrypoint)))
+(neverallow base_typeattr_18_27_0 kmem_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_10_27_0 kmem_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_18_27_0 port_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_10_27_0 port_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_5_27_0 usermodehelper_27_0 (file (write append)))
+(neverallow base_typeattr_19_27_0 sysfs_usermodehelper_27_0 (file (write append)))
+(neverallow base_typeattr_5_27_0 proc_security_27_0 (file (read write append open)))
+(neverallow base_typeattr_10_27_0 init_27_0 (process (ptrace)))
+(neverallow base_typeattr_10_27_0 init_27_0 (binder (impersonate call set_context_mgr transfer)))
+(neverallow base_typeattr_20_27_0 block_device_27_0 (blk_file (read write open)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (chr_file (rename)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (blk_file (rename)))
+(neverallow domain device_27_0 (chr_file (read write open)))
+(neverallow base_typeattr_21_27_0 base_typeattr_22_27_0 (filesystem (mount remount relabelfrom relabelto)))
+(neverallow base_typeattr_23_27_0 base_typeattr_24_27_0 (file (execute)))
+(neverallow base_typeattr_25_27_0 base_typeattr_26_27_0 (file (execute)))
+(neverallow domain cache_file_27_0 (file (execute)))
+(neverallow domain cache_backup_file_27_0 (file (execute)))
+(neverallow domain cache_private_backup_file_27_0 (file (execute)))
+(neverallow domain cache_recovery_file_27_0 (file (execute)))
+(neverallow base_typeattr_27_27_0 base_typeattr_28_27_0 (file (execute execute_no_trans)))
+(neverallow base_typeattr_29_27_0 nativetest_data_file_27_0 (file (execute execute_no_trans)))
+(neverallow base_typeattr_5_27_0 property_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
+(neverallow base_typeattr_5_27_0 property_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
+(neverallow base_typeattr_5_27_0 property_type (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
+(neverallow base_typeattr_5_27_0 properties_device_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
+(neverallow base_typeattr_5_27_0 properties_serial_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
+(neverallow base_typeattr_14_27_0 exec_type (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (dir (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (chr_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (blk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (sock_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 exec_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (dir (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (lnk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (chr_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (blk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (sock_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 vendor_file_type (fifo_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (dir (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (lnk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (chr_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (blk_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (sock_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_14_27_0 system_file_27_0 (fifo_file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_30_27_0 exec_type (file (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (dir (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (lnk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (chr_file (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (blk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (sock_file (relabelto)))
+(neverallow base_typeattr_30_27_0 exec_type (fifo_file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (dir (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (lnk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (chr_file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (blk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (sock_file (relabelto)))
+(neverallow base_typeattr_30_27_0 vendor_file_type (fifo_file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (dir (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (lnk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (chr_file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (blk_file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (sock_file (relabelto)))
+(neverallow base_typeattr_30_27_0 system_file_27_0 (fifo_file (relabelto)))
+(neverallow base_typeattr_10_27_0 exec_type (file (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (dir (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (lnk_file (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (chr_file (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (blk_file (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (sock_file (mounton)))
+(neverallow base_typeattr_10_27_0 exec_type (fifo_file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (dir (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (lnk_file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (chr_file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (blk_file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (sock_file (mounton)))
+(neverallow base_typeattr_5_27_0 vendor_file_type (fifo_file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (dir (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (lnk_file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (chr_file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (blk_file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (sock_file (mounton)))
+(neverallow base_typeattr_5_27_0 system_file_27_0 (fifo_file (mounton)))
+(neverallow base_typeattr_10_27_0 rootfs_27_0 (file (write create setattr relabelto append unlink link rename)))
+(neverallow base_typeattr_10_27_0 base_typeattr_31_27_0 (filesystem (relabelto)))
+(neverallow base_typeattr_14_27_0 contextmount_type (file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (dir (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (lnk_file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (chr_file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (blk_file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (sock_file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_14_27_0 contextmount_type (fifo_file (write create setattr relabelfrom relabelto append unlink link rename)))
+(neverallow base_typeattr_10_27_0 default_android_service_27_0 (service_manager (add)))
+(neverallow base_typeattr_10_27_0 default_android_vndservice_27_0 (service_manager (add find)))
+(neverallow base_typeattr_10_27_0 default_android_hwservice_27_0 (hwservice_manager (add find)))
+(neverallow base_typeattr_10_27_0 hidl_base_hwservice_27_0 (hwservice_manager (find)))
+(neverallow base_typeattr_5_27_0 default_prop_27_0 (property_service (set)))
+(neverallow base_typeattr_5_27_0 mmc_prop_27_0 (property_service (set)))
+(neverallow base_typeattr_32_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_33_27_0 firstboot_prop_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_34_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow base_typeattr_35_27_0 metadata_block_device_27_0 (blk_file (ioctl read write lock append link rename open)))
+(neverallow base_typeattr_36_27_0 system_block_device_27_0 (blk_file (write)))
+(neverallow base_typeattr_37_27_0 recovery_block_device_27_0 (blk_file (write)))
+(neverallow base_typeattr_38_27_0 misc_block_device_27_0 (blk_file (ioctl read write lock relabelfrom append link rename open)))
+(neverallow base_typeattr_39_27_0 base_typeattr_10_27_0 (binder (set_context_mgr)))
+(neverallow servicemanager_27_0 hwbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow servicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow hwservicemanager_27_0 binder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow hwservicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow vndservicemanager_27_0 binder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow vndservicemanager_27_0 hwbinder_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow base_typeattr_40_27_0 binder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(neverallow base_typeattr_40_27_0 service_manager_type (service_manager (find)))
+(neverallow base_typeattr_41_27_0 base_typeattr_42_27_0 (service_manager (find)))
+(neverallow base_typeattr_40_27_0 servicemanager_27_0 (binder (call transfer)))
+(neverallow base_typeattr_43_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(neverallow ueventd_27_0 vndbinder_device_27_0 (chr_file (ioctl read write append)))
+(neverallow base_typeattr_44_27_0 vndservice_manager_type (service_manager (add find list)))
+(neverallow base_typeattr_44_27_0 vndservicemanager_27_0 (binder (impersonate call set_context_mgr transfer)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tcp_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (udp_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rawip_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (packet_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (key_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_stream_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_dgram_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_route_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_tcpdiag_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_nflog_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_xfrm_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_selinux_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_audit_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_dnrt_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_kobject_uevent_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (appletalk_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tun_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_iscsi_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_fib_lookup_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_connector_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_netfilter_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_generic_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_scsitransport_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_rdma_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netlink_crypto_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (sctp_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (icmp_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ax25_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ipx_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (netrom_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (atmpvc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (x25_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rose_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (decnet_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (atmsvc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rds_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (irda_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (pppox_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (llc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (can_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (tipc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (bluetooth_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (iucv_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (rxrpc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (isdn_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (phonet_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (ieee802154_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (caif_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (alg_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (nfc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (vsock_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (kcm_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (qipcrtr_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (smc_socket (connect sendto)))
+(neverallow base_typeattr_45_27_0 base_typeattr_46_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tcp_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (udp_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rawip_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (packet_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (key_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_stream_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_dgram_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_route_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_tcpdiag_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_nflog_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_xfrm_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_selinux_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_audit_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_dnrt_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_kobject_uevent_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (appletalk_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tun_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_iscsi_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_fib_lookup_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_connector_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_netfilter_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_generic_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_scsitransport_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_rdma_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netlink_crypto_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (sctp_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (icmp_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ax25_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ipx_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (netrom_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (atmpvc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (x25_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rose_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (decnet_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (atmsvc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rds_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (irda_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (pppox_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (llc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (can_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (tipc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (bluetooth_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (iucv_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (rxrpc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (isdn_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (phonet_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (ieee802154_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (caif_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (alg_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (nfc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (vsock_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (kcm_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (qipcrtr_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (smc_socket (connect sendto)))
+(neverallow base_typeattr_47_27_0 base_typeattr_48_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (tcp_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (udp_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (rawip_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (packet_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (key_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (unix_stream_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (unix_dgram_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_route_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_tcpdiag_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_nflog_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_xfrm_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_selinux_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_audit_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_dnrt_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_kobject_uevent_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (appletalk_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (tun_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_iscsi_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_fib_lookup_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_connector_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_netfilter_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_generic_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_scsitransport_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_rdma_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netlink_crypto_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (sctp_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (icmp_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (ax25_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (ipx_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (netrom_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (atmpvc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (x25_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (rose_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (decnet_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (atmsvc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (rds_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (irda_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (pppox_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (llc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (can_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (tipc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (bluetooth_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (iucv_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (rxrpc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (isdn_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (phonet_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (ieee802154_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (caif_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (alg_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (nfc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (vsock_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (kcm_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (qipcrtr_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (smc_socket (connect sendto)))
+(neverallow base_typeattr_49_27_0 netd_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_47_27_0 core_data_file_type (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_47_27_0 coredomain_socket (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_47_27_0 unlabeled_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_41_27_0 base_typeattr_50_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_51_27_0 base_typeattr_52_27_0 (sock_file (create setattr lock relabelfrom relabelto map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (dir (read getattr search open)))
+(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_53_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (dir (read getattr search open)))
+(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_54_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_55_27_0 vendor_shell_exec_27_0 (file (execute execute_no_trans)))
+(neverallow base_typeattr_56_27_0 base_typeattr_57_27_0 (file (execute execute_no_trans entrypoint)))
+(neverallow base_typeattr_58_27_0 dalvikcache_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_58_27_0 dalvikcache_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
+(neverallow base_typeattr_59_27_0 zygote_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_60_27_0 zygote_socket_27_0 (sock_file (write)))
+(neverallow base_typeattr_61_27_0 webview_zygote_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_60_27_0 webview_zygote_socket_27_0 (sock_file (write)))
+(neverallow base_typeattr_62_27_0 tombstoned_crash_socket_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_63_27_0 tombstoned_intercept_socket_27_0 (sock_file (write)))
+(neverallow base_typeattr_63_27_0 tombstoned_intercept_socket_27_0 (unix_stream_socket (connectto)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (sem (create destroy getattr setattr read write associate unix_read unix_write)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (msg (send receive)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
+(neverallow base_typeattr_10_27_0 base_typeattr_10_27_0 (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
+(neverallow base_typeattr_10_27_0 dev_type (lnk_file (mounton)))
+(neverallow base_typeattr_10_27_0 dev_type (sock_file (mounton)))
+(neverallow base_typeattr_10_27_0 dev_type (fifo_file (mounton)))
+(neverallow base_typeattr_10_27_0 fs_type (lnk_file (mounton)))
+(neverallow base_typeattr_10_27_0 fs_type (sock_file (mounton)))
+(neverallow base_typeattr_10_27_0 fs_type (fifo_file (mounton)))
+(neverallow base_typeattr_10_27_0 file_type (lnk_file (mounton)))
+(neverallow base_typeattr_10_27_0 file_type (sock_file (mounton)))
+(neverallow base_typeattr_10_27_0 file_type (fifo_file (mounton)))
+(neverallow base_typeattr_64_27_0 su_exec_27_0 (file (execute execute_no_trans)))
+(neverallow base_typeattr_10_27_0 base_typeattr_65_27_0 (file (execmod)))
+(neverallow base_typeattr_10_27_0 self (process (execstack execheap)))
+(neverallow base_typeattr_66_27_0 file_type (file (execmod)))
+(neverallow base_typeattr_5_27_0 proc_27_0 (file (mounton)))
+(neverallow base_typeattr_5_27_0 proc_27_0 (dir (mounton)))
+(neverallow base_typeattr_67_27_0 domain (process (transition dyntransition)))
+(neverallow base_typeattr_68_27_0 system_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow installd_27_0 system_data_file_27_0 (file (write create setattr relabelto append link rename execute quotaon mounton execute_no_trans entrypoint execmod audit_access)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (file (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (dir (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
+(neverallow base_typeattr_69_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (dir (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (lnk_file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (chr_file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (blk_file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (sock_file (create unlink open)))
+(neverallow untrusted_app_all system_app_data_file_27_0 (fifo_file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
+(neverallow ephemeral_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
+(neverallow isolated_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (dir (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (lnk_file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (chr_file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (blk_file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (sock_file (create unlink open)))
+(neverallow priv_app_27_0 system_app_data_file_27_0 (fifo_file (create unlink open)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (file (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (dir (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (lnk_file (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (chr_file (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (blk_file (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (sock_file (create unlink)))
+(neverallow base_typeattr_70_27_0 app_data_file_27_0 (fifo_file (create unlink)))
+(neverallow base_typeattr_71_27_0 shell_27_0 (process (transition dyntransition)))
+(neverallow base_typeattr_72_27_0 base_typeattr_73_27_0 (process (transition dyntransition)))
+(neverallow base_typeattr_74_27_0 app_data_file_27_0 (lnk_file (read)))
+(neverallow base_typeattr_75_27_0 shell_data_file_27_0 (lnk_file (read)))
+(neverallow base_typeattr_76_27_0 shell_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
+(neverallow base_typeattr_77_27_0 shell_data_file_27_0 (dir (search open)))
+(neverallow base_typeattr_78_27_0 shell_data_file_27_0 (file (open)))
+(neverallow base_typeattr_10_27_0 base_typeattr_79_27_0 (service_manager (list)))
+(neverallow base_typeattr_10_27_0 base_typeattr_80_27_0 (hwservice_manager (list)))
+(neverallow base_typeattr_10_27_0 domain (file (execute execute_no_trans entrypoint)))
+(neverallow base_typeattr_81_27_0 debugfs_27_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow base_typeattr_82_27_0 profman_exec_27_0 (file (execute execute_no_trans)))
+(neverallow base_typeattr_10_27_0 base_typeattr_83_27_0 (system (module_load)))
+(neverallow base_typeattr_14_27_0 self (capability (setfcap)))
+(neverallow domain crash_dump_27_0 (process (noatsecure)))
+(neverallow base_typeattr_84_27_0 coredomain_hwservice (hwservice_manager (add)))
+(neverallow base_typeattr_10_27_0 same_process_hwservice (hwservice_manager (add)))
+(allow drmserver_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 drmserver_27_0 (dir (search)))
+(allow servicemanager_27_0 drmserver_27_0 (file (read open)))
+(allow servicemanager_27_0 drmserver_27_0 (process (getattr)))
+(allow drmserver_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 drmserver_27_0 (binder (transfer)))
+(allow drmserver_27_0 system_server_27_0 (fd (use)))
+(allow drmserver_27_0 appdomain (binder (call transfer)))
+(allow appdomain drmserver_27_0 (binder (transfer)))
+(allow drmserver_27_0 appdomain (fd (use)))
+(allow drmserver_27_0 system_server_27_0 (fd (use)))
+(allow drmserver_27_0 mediaserver_27_0 (binder (call transfer)))
+(allow mediaserver_27_0 drmserver_27_0 (binder (transfer)))
+(allow drmserver_27_0 mediaserver_27_0 (fd (use)))
+(allow drmserver_27_0 sdcard_type (dir (search)))
+(allow drmserver_27_0 drm_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow drmserver_27_0 drm_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow drmserver_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow drmserver_27_0 app_data_file_27_0 (file (read write getattr)))
+(allow drmserver_27_0 sdcard_type (file (read write getattr)))
+(allow drmserver_27_0 efs_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow drmserver_27_0 efs_file_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 efs_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 apk_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow drmserver_27_0 drmserver_socket_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow drmserver_27_0 apk_data_file_27_0 (sock_file (unlink)))
+(allow drmserver_27_0 media_rw_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow drmserver_27_0 media_rw_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 media_rw_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 apk_data_file_27_0 (file (read getattr)))
+(allow drmserver_27_0 asec_apk_file_27_0 (file (read getattr)))
+(allow drmserver_27_0 ringtone_file_27_0 (file (read getattr)))
+(allow drmserver_27_0 radio_data_file_27_0 (file (read getattr)))
+(allow drmserver_27_0 oemfs_27_0 (dir (search)))
+(allow drmserver_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 drmserver_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_85_27_0 drmserver_service_27_0 (service_manager (add)))
+(allow drmserver_27_0 permission_service_27_0 (service_manager (find)))
+(allow drmserver_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow drmserver_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow drmserver_27_0 kernel_27_0 (security (compute_av)))
+(allow drmserver_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow drmserver_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow drmserver_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow drmserver_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 dumpstate_27_0 (dir (search)))
+(allow servicemanager_27_0 dumpstate_27_0 (file (read open)))
+(allow servicemanager_27_0 dumpstate_27_0 (process (getattr)))
+(allow dumpstate_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow dumpstate_27_0 self (capability2 (block_suspend)))
+(allow dumpstate_27_0 self (capability (setgid setuid sys_resource)))
+(allow dumpstate_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 domain (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 self (capability (kill net_admin net_raw)))
+(allow dumpstate_27_0 system_file_27_0 (file (execute_no_trans)))
+(allow dumpstate_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dumpstate_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 self (capability (chown dac_override fowner fsetid)))
+(allow dumpstate_27_0 anr_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow dumpstate_27_0 anr_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow dumpstate_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 self (capability2 (syslog)))
+(allow dumpstate_27_0 kernel_27_0 (system (syslog_read)))
+(allow dumpstate_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 domain (process (getattr)))
+(allow dumpstate_27_0 appdomain (process (signal)))
+(allow dumpstate_27_0 system_server_27_0 (process (signal)))
+(allow dumpstate_27_0 hal_audio_server (process (signal)))
+(allow dumpstate_27_0 hal_bluetooth_server (process (signal)))
+(allow dumpstate_27_0 hal_camera_server (process (signal)))
+(allow dumpstate_27_0 hal_graphics_composer_server (process (signal)))
+(allow dumpstate_27_0 hal_sensors_server (process (signal)))
+(allow dumpstate_27_0 hal_vr_server (process (signal)))
+(allow dumpstate_27_0 audioserver_27_0 (process (signal)))
+(allow dumpstate_27_0 cameraserver_27_0 (process (signal)))
+(allow dumpstate_27_0 drmserver_27_0 (process (signal)))
+(allow dumpstate_27_0 inputflinger_27_0 (process (signal)))
+(allow dumpstate_27_0 mediacodec_27_0 (process (signal)))
+(allow dumpstate_27_0 mediadrmserver_27_0 (process (signal)))
+(allow dumpstate_27_0 mediaextractor_27_0 (process (signal)))
+(allow dumpstate_27_0 mediaserver_27_0 (process (signal)))
+(allow dumpstate_27_0 sdcardd_27_0 (process (signal)))
+(allow dumpstate_27_0 surfaceflinger_27_0 (process (signal)))
+(allow dumpstate_27_0 tombstoned_intercept_socket_27_0 (sock_file (write)))
+(allow dumpstate_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
+(allow dumpstate_27_0 sysfs_usb_27_0 (file (write lock append map open)))
+(allow dumpstate_27_0 qtaguid_proc_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 debugfs_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 block_device_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 rootfs_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 selinuxfs_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 tmpfs_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 storage_file_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 cache_file_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 fuse_device_27_0 (chr_file (getattr)))
+(allow dumpstate_27_0 dm_device_27_0 (blk_file (getattr)))
+(allow dumpstate_27_0 cache_block_device_27_0 (blk_file (getattr)))
+(allow dumpstate_27_0 rootfs_27_0 (lnk_file (read getattr)))
+(allow dumpstate_27_0 cache_file_27_0 (lnk_file (read getattr)))
+(allow dumpstate_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain dumpstate_27_0 (binder (transfer)))
+(allow dumpstate_27_0 binderservicedomain (fd (use)))
+(allow dumpstate_27_0 appdomain (binder (call transfer)))
+(allow dumpstate_27_0 netd_27_0 (binder (call transfer)))
+(allow dumpstate_27_0 wificond_27_0 (binder (call transfer)))
+(allow appdomain dumpstate_27_0 (binder (transfer)))
+(allow netd_27_0 dumpstate_27_0 (binder (transfer)))
+(allow wificond_27_0 dumpstate_27_0 (binder (transfer)))
+(allow dumpstate_27_0 appdomain (fd (use)))
+(allow dumpstate_27_0 netd_27_0 (fd (use)))
+(allow dumpstate_27_0 wificond_27_0 (fd (use)))
+(allow dumpstate_27_0 sysfs_vibrator_27_0 (file (ioctl read write getattr lock append map open)))
+(allow dumpstate_27_0 self (capability (sys_ptrace)))
+(allow dumpstate_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow dumpstate_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow dumpstate_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dumpstate_27_0 zygote_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dumpstate_27_0 ashmem_device_27_0 (chr_file (execute)))
+(allow dumpstate_27_0 self (process (execmem)))
+(allow dumpstate_27_0 dalvikcache_data_file_27_0 (dir (getattr search)))
+(allow dumpstate_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map execute open)))
+(allow dumpstate_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 bluetooth_data_file_27_0 (dir (search)))
+(allow dumpstate_27_0 bluetooth_logs_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 bluetooth_logs_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow dumpstate_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow dumpstate_27_0 logdr_socket_27_0 (sock_file (write)))
+(allow dumpstate_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow dumpstate_27_0 logd_socket_27_0 (sock_file (write)))
+(allow dumpstate_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow dumpstate_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 net_data_file_27_0 (dir (search)))
+(allow dumpstate_27_0 net_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
+(allow dumpstate_27_0 tombstone_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 tombstone_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 cache_recovery_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 cache_recovery_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 recovery_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 recovery_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 user_profile_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 user_profile_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 misc_logd_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 misc_logd_file_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 base_typeattr_86_27_0 (service_manager (find)))
+(allow dumpstate_27_0 servicemanager_27_0 (service_manager (list)))
+(allow dumpstate_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
+(allow dumpstate_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow dumpstate_27_0 property_socket_27_0 (sock_file (write)))
+(allow dumpstate_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow dumpstate_27_0 dumpstate_prop_27_0 (property_service (set)))
+(allow dumpstate_27_0 dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 property_socket_27_0 (sock_file (write)))
+(allow dumpstate_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow dumpstate_27_0 dumpstate_options_prop_27_0 (property_service (set)))
+(allow dumpstate_27_0 dumpstate_options_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 media_rw_data_file_27_0 (dir (getattr)))
+(allow dumpstate_27_0 proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 dumpstate_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_87_27_0 dumpstate_service_27_0 (service_manager (add)))
+(allow dumpstate_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow dumpstate_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 sysfs_leds_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 sysfs_leds_27_0 (file (ioctl read getattr lock map open)))
+(allow dumpstate_27_0 sysfs_leds_27_0 (dir (search)))
+(allow dumpstate_27_0 installd_27_0 (binder (call transfer)))
+(allow installd_27_0 dumpstate_27_0 (binder (transfer)))
+(allow dumpstate_27_0 installd_27_0 (fd (use)))
+(allow dumpstate_27_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read)))
+(neverallow dumpstate_27_0 base_typeattr_10_27_0 (process (ptrace)))
+(neverallow base_typeattr_88_27_0 dumpstate_service_27_0 (service_manager (find)))
+(neverallow dumpstate_27_0 sysfs_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(allow e2fs_27_0 block_device_27_0 (blk_file (getattr)))
+(allow e2fs_27_0 block_device_27_0 (dir (search)))
+(allow e2fs_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow e2fs_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow e2fs_27_0 sysfs_fs_ext4_features_27_0 (file (ioctl read getattr lock map open)))
+(allow e2fs_27_0 file_contexts_file_27_0 (file (read getattr open)))
+(dontaudit su_27_0 pdx_display_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_manager_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_manager_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_screenshot_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_screenshot_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_vsync_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_display_vsync_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_performance_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_performance_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_bufferhub_client_endpoint_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 pdx_bufferhub_client_channel_socket_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(allow fs_type self (filesystem (associate)))
+(allow cgroup_27_0 tmpfs_27_0 (filesystem (associate)))
+(allow sysfs_type sysfs_27_0 (filesystem (associate)))
+(allow debugfs_type debugfs_27_0 (filesystem (associate)))
+(allow debugfs_type debugfs_tracing_27_0 (filesystem (associate)))
+(allow file_type labeledfs_27_0 (filesystem (associate)))
+(allow file_type tmpfs_27_0 (filesystem (associate)))
+(allow file_type rootfs_27_0 (filesystem (associate)))
+(allow dev_type tmpfs_27_0 (filesystem (associate)))
+(allow app_fuse_file_27_0 app_fusefs_27_0 (filesystem (associate)))
+(allow postinstall_file_27_0 self (filesystem (associate)))
+(neverallow fs_type file_type (filesystem (associate)))
+(allow fingerprintd_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 fingerprintd_27_0 (dir (search)))
+(allow servicemanager_27_0 fingerprintd_27_0 (file (read open)))
+(allow servicemanager_27_0 fingerprintd_27_0 (process (getattr)))
+(allow fingerprintd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow fingerprintd_27_0 fingerprintd_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_89_27_0 fingerprintd_service_27_0 (service_manager (add)))
+(allow fingerprintd_27_0 fingerprintd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow fingerprintd_27_0 fingerprintd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow keystore_27_0 fingerprintd_27_0 (dir (search)))
+(allow keystore_27_0 fingerprintd_27_0 (file (read open)))
+(allow keystore_27_0 fingerprintd_27_0 (process (getattr)))
+(allow fingerprintd_27_0 keystore_service_27_0 (service_manager (find)))
+(allow fingerprintd_27_0 keystore_27_0 (binder (call transfer)))
+(allow keystore_27_0 fingerprintd_27_0 (binder (transfer)))
+(allow fingerprintd_27_0 keystore_27_0 (fd (use)))
+(allow fingerprintd_27_0 keystore_27_0 (keystore_key (add_auth)))
+(allow fingerprintd_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 fingerprintd_27_0 (binder (transfer)))
+(allow fingerprintd_27_0 system_server_27_0 (fd (use)))
+(allow fingerprintd_27_0 permission_service_27_0 (service_manager (find)))
+(allow fingerprintd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow fingerprintd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow fingerprintd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow fingerprintd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow fingerprintd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow fingerprintd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow fingerprintd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow fsck_27_0 tmpfs_27_0 (chr_file (ioctl read write)))
+(allow fsck_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
+(allow fsck_27_0 vold_27_0 (fd (use)))
+(allow fsck_27_0 vold_27_0 (fifo_file (read write getattr)))
+(allow fsck_27_0 block_device_27_0 (dir (search)))
+(allow fsck_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow fsck_27_0 cache_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow fsck_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow fsck_27_0 dev_type (blk_file (getattr)))
+(allow fsck_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow fsck_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow fsck_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow fsck_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(neverallow fsck_27_0 vold_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 root_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 system_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 recovery_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 boot_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 swap_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_27_0 metadata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow base_typeattr_90_27_0 fsck_27_0 (process (transition)))
+(neverallow base_typeattr_10_27_0 fsck_27_0 (process (dyntransition)))
+(neverallow fsck_27_0 base_typeattr_91_27_0 (file (entrypoint)))
+(allow fsck_untrusted_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
+(allow fsck_untrusted_27_0 vold_27_0 (fd (use)))
+(allow fsck_untrusted_27_0 vold_27_0 (fifo_file (read write getattr)))
+(allow fsck_untrusted_27_0 block_device_27_0 (dir (search)))
+(allow fsck_untrusted_27_0 vold_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow fsck_untrusted_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow fsck_untrusted_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow fsck_untrusted_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow fsck_untrusted_27_0 dev_type (blk_file (getattr)))
+(neverallow fsck_untrusted_27_0 dm_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 root_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 frp_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 system_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 recovery_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 boot_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 userdata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 cache_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 swap_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow fsck_untrusted_27_0 metadata_block_device_27_0 (blk_file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(neverallow base_typeattr_92_27_0 fsck_untrusted_27_0 (process (transition)))
+(neverallow base_typeattr_10_27_0 fsck_untrusted_27_0 (process (dyntransition)))
+(neverallow fsck_untrusted_27_0 base_typeattr_91_27_0 (file (entrypoint)))
+(allow gatekeeperd_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 gatekeeperd_27_0 (dir (search)))
+(allow servicemanager_27_0 gatekeeperd_27_0 (file (read open)))
+(allow servicemanager_27_0 gatekeeperd_27_0 (process (getattr)))
+(allow gatekeeperd_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow gatekeeperd_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow gatekeeperd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow gatekeeperd_27_0 gatekeeper_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_93_27_0 gatekeeper_service_27_0 (service_manager (add)))
+(allow keystore_27_0 gatekeeperd_27_0 (dir (search)))
+(allow keystore_27_0 gatekeeperd_27_0 (file (read open)))
+(allow keystore_27_0 gatekeeperd_27_0 (process (getattr)))
+(allow gatekeeperd_27_0 keystore_service_27_0 (service_manager (find)))
+(allow gatekeeperd_27_0 keystore_27_0 (binder (call transfer)))
+(allow keystore_27_0 gatekeeperd_27_0 (binder (transfer)))
+(allow gatekeeperd_27_0 keystore_27_0 (fd (use)))
+(allow gatekeeperd_27_0 keystore_27_0 (keystore_key (add_auth)))
+(allow gatekeeperd_27_0 system_server_27_0 (binder (call)))
+(allow gatekeeperd_27_0 permission_service_27_0 (service_manager (find)))
+(allow gatekeeperd_27_0 gatekeeper_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow gatekeeperd_27_0 gatekeeper_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow gatekeeperd_27_0 hardware_properties_service_27_0 (service_manager (find)))
+(allow gatekeeperd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow gatekeeperd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow gatekeeperd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_allocator_client hal_allocator_server (binder (call transfer)))
+(allow hal_allocator_server hal_allocator_client (binder (transfer)))
+(allow hal_allocator_client hal_allocator_server (fd (use)))
+(allow hal_allocator_server hidl_allocator_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_allocator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_94_27_0 hidl_allocator_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_allocator_client hidl_allocator_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_allocator_client hidl_memory_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_audio_client hal_audio_server (binder (call transfer)))
+(allow hal_audio_server hal_audio_client (binder (transfer)))
+(allow hal_audio_client hal_audio_server (fd (use)))
+(allow hal_audio_server hal_audio_client (binder (call transfer)))
+(allow hal_audio_client hal_audio_server (binder (transfer)))
+(allow hal_audio_server hal_audio_client (fd (use)))
+(allow hal_audio_server hal_audio_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_audio_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_95_27_0 hal_audio_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_audio_client hal_audio_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_audio ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_audio audiohal_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_audio audiohal_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_audio proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_audio proc_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_audio proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_audio audio_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_audio audio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_audio shell_27_0 (fd (use)))
+(allow hal_audio shell_27_0 (fifo_file (write)))
+(allow hal_audio dumpstate_27_0 (fd (use)))
+(allow hal_audio dumpstate_27_0 (fifo_file (write)))
+(neverallow hal_audio fs_type (file (execute_no_trans)))
+(neverallow hal_audio file_type (file (execute_no_trans)))
+(neverallow hal_audio domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow hal_audio domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow hal_audio domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow base_typeattr_96_27_0 audio_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(allow hal_bluetooth_client hal_bluetooth_server (binder (call transfer)))
+(allow hal_bluetooth_server hal_bluetooth_client (binder (transfer)))
+(allow hal_bluetooth_client hal_bluetooth_server (fd (use)))
+(allow hal_bluetooth_server hal_bluetooth_client (binder (call transfer)))
+(allow hal_bluetooth_client hal_bluetooth_server (binder (transfer)))
+(allow hal_bluetooth_server hal_bluetooth_client (fd (use)))
+(allow hal_bluetooth_server hal_bluetooth_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_bluetooth_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_97_27_0 hal_bluetooth_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_bluetooth_client hal_bluetooth_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_bluetooth sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_bluetooth self (capability2 (block_suspend)))
+(allow hal_bluetooth self (capability (net_admin)))
+(allow hal_bluetooth bluetooth_efs_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_bluetooth bluetooth_efs_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_bluetooth bluetooth_efs_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_bluetooth uhid_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_bluetooth hci_attach_dev_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_bluetooth sysfs_type (dir (ioctl read getattr lock search open)))
+(allow hal_bluetooth sysfs_type (file (ioctl read getattr lock map open)))
+(allow hal_bluetooth sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow hal_bluetooth sysfs_bluetooth_writable_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_bluetooth self (capability2 (wake_alarm)))
+(allow hal_bluetooth property_socket_27_0 (sock_file (write)))
+(allow hal_bluetooth init_27_0 (unix_stream_socket (connectto)))
+(allow hal_bluetooth bluetooth_prop_27_0 (property_service (set)))
+(allow hal_bluetooth bluetooth_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_bluetooth proc_bluetooth_writable_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_bluetooth self (capability (sys_nice)))
+(allow hal_bootctl_client hal_bootctl_server (binder (call transfer)))
+(allow hal_bootctl_server hal_bootctl_client (binder (transfer)))
+(allow hal_bootctl_client hal_bootctl_server (fd (use)))
+(allow hal_bootctl_server hal_bootctl_client (binder (call transfer)))
+(allow hal_bootctl_client hal_bootctl_server (binder (transfer)))
+(allow hal_bootctl_server hal_bootctl_client (fd (use)))
+(allow hal_bootctl_server hal_bootctl_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_bootctl_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_98_27_0 hal_bootctl_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_bootctl_client hal_bootctl_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_broadcastradio_client hal_broadcastradio_server (binder (call transfer)))
+(allow hal_broadcastradio_server hal_broadcastradio_client (binder (transfer)))
+(allow hal_broadcastradio_client hal_broadcastradio_server (fd (use)))
+(allow hal_broadcastradio_server hal_broadcastradio_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_broadcastradio_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_99_27_0 hal_broadcastradio_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_broadcastradio_client hal_broadcastradio_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_camera_client hal_camera_server (binder (call transfer)))
+(allow hal_camera_server hal_camera_client (binder (transfer)))
+(allow hal_camera_client hal_camera_server (fd (use)))
+(allow hal_camera_server hal_camera_client (binder (call transfer)))
+(allow hal_camera_client hal_camera_server (binder (transfer)))
+(allow hal_camera_server hal_camera_client (fd (use)))
+(allow hal_camera_server hal_camera_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_camera_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_100_27_0 hal_camera_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_camera_client hal_camera_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_camera camera_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_camera camera_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_camera video_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_camera video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_camera camera_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_camera ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_camera_client hal_graphics_allocator (fd (use)))
+(allow hal_camera_server hal_graphics_allocator (fd (use)))
+(allow hal_camera base_typeattr_101_27_0 (fd (use)))
+(allow hal_camera surfaceflinger_27_0 (fd (use)))
+(allow hal_camera hal_allocator_server (fd (use)))
+(neverallow hal_camera fs_type (file (execute_no_trans)))
+(neverallow hal_camera file_type (file (execute_no_trans)))
+(neverallow hal_camera domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow hal_camera domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow hal_camera domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow base_typeattr_102_27_0 camera_device_27_0 (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(allow hal_cas_client hal_cas_server (binder (call transfer)))
+(allow hal_cas_server hal_cas_client (binder (transfer)))
+(allow hal_cas_client hal_cas_server (fd (use)))
+(allow hal_cas_server hal_cas_client (binder (call transfer)))
+(allow hal_cas_client hal_cas_server (binder (transfer)))
+(allow hal_cas_server hal_cas_client (fd (use)))
+(allow hal_cas_server hal_cas_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_cas_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_103_27_0 hal_cas_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_cas_client hal_cas_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_cas_server hidl_memory_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_cas serialno_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_cas system_data_file_27_0 (dir (getattr search)))
+(allow hal_cas system_data_file_27_0 (file (read getattr)))
+(allow hal_cas system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_cas cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_cas cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_cas cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_cas cgroup_27_0 (dir (write search)))
+(allow hal_cas cgroup_27_0 (file (write lock append map open)))
+(allow hal_cas ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_cas hal_graphics_allocator (fd (use)))
+(allow hal_cas tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(neverallow hal_cas fs_type (file (execute_no_trans)))
+(neverallow hal_cas file_type (file (execute_no_trans)))
+(neverallowx hal_cas domain (ioctl tcp_socket (0x6900 0x6902)))
+(neverallowx hal_cas domain (ioctl udp_socket (0x6900 0x6902)))
+(neverallowx hal_cas domain (ioctl rawip_socket (0x6900 0x6902)))
+(neverallowx hal_cas domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_cas domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_cas domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_cas domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx hal_cas domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx hal_cas domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow hal_configstore_client hal_configstore_server (binder (call transfer)))
+(allow hal_configstore_server hal_configstore_client (binder (transfer)))
+(allow hal_configstore_client hal_configstore_server (fd (use)))
+(allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (find)))
+(allow hal_configstore_server hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (add find)))
+(allow hal_configstore_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_104_27_0 hal_configstore_ISurfaceFlingerConfigs_27_0 (hwservice_manager (add)))
+(allow hal_configstore_server su_27_0 (fifo_file (append)))
+(allow hal_configstore_server anr_data_file_27_0 (file (append)))
+(allow hal_configstore_server dumpstate_27_0 (fd (use)))
+(allow hal_configstore_server dumpstate_27_0 (fifo_file (write append)))
+(allow hal_configstore_server system_server_27_0 (fifo_file (write append)))
+(allow hal_configstore_server tombstoned_27_0 (unix_stream_socket (connectto)))
+(allow hal_configstore_server tombstoned_27_0 (fd (use)))
+(allow hal_configstore_server tombstoned_crash_socket_27_0 (sock_file (write)))
+(allow hal_configstore_server tombstone_data_file_27_0 (file (append)))
+(neverallow hal_configstore_server fs_type (file (execute_no_trans)))
+(neverallow hal_configstore_server file_type (file (execute_no_trans)))
+(neverallow hal_configstore_server domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow hal_configstore_server domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow hal_configstore_server domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow hal_configstore_server domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(neverallow hal_configstore_server domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(neverallow hal_configstore_server domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(neverallow hal_configstore_server domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
+(neverallow hal_configstore_server domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
+(neverallow hal_configstore_server domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server base_typeattr_105_27_0 (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(neverallow hal_configstore_server base_typeattr_105_27_0 (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(neverallow hal_configstore_server base_typeattr_106_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow hal_configstore_server base_typeattr_106_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow hal_configstore_server base_typeattr_106_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow hal_configstore_server fuse_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow hal_configstore_server sdcardfs_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow hal_configstore_server vfat_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (service_manager (add find list)))
+(neverallow hal_configstore_server self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
+(neverallow hal_configstore_server self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (process (ptrace)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (file (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (dir (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (lnk_file (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (chr_file (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (blk_file (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (sock_file (relabelfrom relabelto)))
+(neverallow hal_configstore_server base_typeattr_10_27_0 (fifo_file (relabelfrom relabelto)))
+(allow hal_contexthub_client hal_contexthub_server (binder (call transfer)))
+(allow hal_contexthub_server hal_contexthub_client (binder (transfer)))
+(allow hal_contexthub_client hal_contexthub_server (fd (use)))
+(allow hal_contexthub_server hal_contexthub_client (binder (call transfer)))
+(allow hal_contexthub_client hal_contexthub_server (binder (transfer)))
+(allow hal_contexthub_server hal_contexthub_client (fd (use)))
+(allow hal_contexthub_server hal_contexthub_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_contexthub_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_107_27_0 hal_contexthub_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_contexthub_client hal_contexthub_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_drm_client hal_drm_server (binder (call transfer)))
+(allow hal_drm_server hal_drm_client (binder (transfer)))
+(allow hal_drm_client hal_drm_server (fd (use)))
+(allow hal_drm_server hal_drm_client (binder (call transfer)))
+(allow hal_drm_client hal_drm_server (binder (transfer)))
+(allow hal_drm_server hal_drm_client (fd (use)))
+(allow hal_drm_server hal_drm_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_drm_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_108_27_0 hal_drm_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_drm_client hal_drm_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_drm hidl_memory_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_drm self (process (execmem)))
+(allow hal_drm serialno_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_drm system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_drm system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_drm system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_drm system_data_file_27_0 (dir (getattr search)))
+(allow hal_drm system_data_file_27_0 (file (read getattr)))
+(allow hal_drm system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_drm cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_drm cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_drm cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_drm cgroup_27_0 (dir (write search)))
+(allow hal_drm cgroup_27_0 (file (write lock append map open)))
+(allow hal_drm ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_drm hal_graphics_allocator (fd (use)))
+(allow hal_drm mediaserver_27_0 (fd (use)))
+(allow hal_drm media_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_drm media_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_drm media_data_file_27_0 (file (read getattr)))
+(allow hal_drm sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_drm tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allowx hal_drm self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx hal_drm self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx hal_drm self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx hal_drm self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx hal_drm self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx hal_drm self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx hal_drm self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx hal_drm self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx hal_drm self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(neverallow hal_drm fs_type (file (execute_no_trans)))
+(neverallow hal_drm file_type (file (execute_no_trans)))
+(neverallowx hal_drm domain (ioctl tcp_socket (0x6900 0x6902)))
+(neverallowx hal_drm domain (ioctl udp_socket (0x6900 0x6902)))
+(neverallowx hal_drm domain (ioctl rawip_socket (0x6900 0x6902)))
+(neverallowx hal_drm domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_drm domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_drm domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx hal_drm domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx hal_drm domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx hal_drm domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow hal_dumpstate_client hal_dumpstate_server (binder (call transfer)))
+(allow hal_dumpstate_server hal_dumpstate_client (binder (transfer)))
+(allow hal_dumpstate_client hal_dumpstate_server (fd (use)))
+(allow hal_dumpstate_server hal_dumpstate_client (binder (call transfer)))
+(allow hal_dumpstate_client hal_dumpstate_server (binder (transfer)))
+(allow hal_dumpstate_server hal_dumpstate_client (fd (use)))
+(allow hal_dumpstate_server hal_dumpstate_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_dumpstate_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_109_27_0 hal_dumpstate_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_dumpstate_client hal_dumpstate_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_dumpstate shell_data_file_27_0 (file (write)))
+(allow hal_dumpstate proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_fingerprint_client hal_fingerprint_server (binder (call transfer)))
+(allow hal_fingerprint_server hal_fingerprint_client (binder (transfer)))
+(allow hal_fingerprint_client hal_fingerprint_server (fd (use)))
+(allow hal_fingerprint_server hal_fingerprint_client (binder (call transfer)))
+(allow hal_fingerprint_client hal_fingerprint_server (binder (transfer)))
+(allow hal_fingerprint_server hal_fingerprint_client (fd (use)))
+(allow hal_fingerprint_server hal_fingerprint_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_fingerprint_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_110_27_0 hal_fingerprint_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_fingerprint_client hal_fingerprint_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_fingerprint fingerprintd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_fingerprint fingerprintd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow hal_fingerprint ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_fingerprint cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_fingerprint cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_fingerprint cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_fingerprint sysfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_fingerprint sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_fingerprint sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_gatekeeper_client hal_gatekeeper_server (binder (call transfer)))
+(allow hal_gatekeeper_server hal_gatekeeper_client (binder (transfer)))
+(allow hal_gatekeeper_client hal_gatekeeper_server (fd (use)))
+(allow hal_gatekeeper_server hal_gatekeeper_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_gatekeeper_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_111_27_0 hal_gatekeeper_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_gatekeeper_client hal_gatekeeper_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_gatekeeper tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_gatekeeper ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_gnss_client hal_gnss_server (binder (call transfer)))
+(allow hal_gnss_server hal_gnss_client (binder (transfer)))
+(allow hal_gnss_client hal_gnss_server (fd (use)))
+(allow hal_gnss_server hal_gnss_client (binder (call transfer)))
+(allow hal_gnss_client hal_gnss_server (binder (transfer)))
+(allow hal_gnss_server hal_gnss_client (fd (use)))
+(allow hal_gnss_server hal_gnss_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_gnss_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_112_27_0 hal_gnss_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_gnss_client hal_gnss_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_graphics_allocator_client hal_graphics_allocator_server (binder (call transfer)))
+(allow hal_graphics_allocator_server hal_graphics_allocator_client (binder (transfer)))
+(allow hal_graphics_allocator_client hal_graphics_allocator_server (fd (use)))
+(allow hal_graphics_allocator_server hal_graphics_allocator_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_graphics_allocator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_113_27_0 hal_graphics_allocator_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_graphics_allocator_client hal_graphics_allocator_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_graphics_allocator_client hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_graphics_allocator gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_graphics_allocator ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_graphics_allocator self (capability (sys_nice)))
+(allow hal_graphics_composer_client hal_graphics_composer_server (binder (call transfer)))
+(allow hal_graphics_composer_server hal_graphics_composer_client (binder (transfer)))
+(allow hal_graphics_composer_client hal_graphics_composer_server (fd (use)))
+(allow hal_graphics_composer_server hal_graphics_composer_client (binder (call transfer)))
+(allow hal_graphics_composer_client hal_graphics_composer_server (binder (transfer)))
+(allow hal_graphics_composer_server hal_graphics_composer_client (fd (use)))
+(allow hal_graphics_composer_server hal_graphics_composer_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_graphics_composer_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_114_27_0 hal_graphics_composer_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_graphics_composer_client hal_graphics_composer_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_graphics_composer_server hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_graphics_composer gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_graphics_composer ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_graphics_composer hal_graphics_allocator (fd (use)))
+(allow hal_graphics_composer graphics_device_27_0 (dir (search)))
+(allow hal_graphics_composer graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_graphics_composer system_server_27_0 (fd (use)))
+(allow hal_graphics_composer bootanim_27_0 (fd (use)))
+(allow hal_graphics_composer appdomain (fd (use)))
+(allow hal_graphics_composer self (capability (sys_nice)))
+(allow hal_health_client hal_health_server (binder (call transfer)))
+(allow hal_health_server hal_health_client (binder (transfer)))
+(allow hal_health_client hal_health_server (fd (use)))
+(allow hal_health_server hal_health_client (binder (call transfer)))
+(allow hal_health_client hal_health_server (binder (transfer)))
+(allow hal_health_server hal_health_client (fd (use)))
+(allow hal_health_server hal_health_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_health_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_115_27_0 hal_health_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_health_client hal_health_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_health system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_health system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_health system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_ir_client hal_ir_server (binder (call transfer)))
+(allow hal_ir_server hal_ir_client (binder (transfer)))
+(allow hal_ir_client hal_ir_server (fd (use)))
+(allow hal_ir_server hal_ir_client (binder (call transfer)))
+(allow hal_ir_client hal_ir_server (binder (transfer)))
+(allow hal_ir_server hal_ir_client (fd (use)))
+(allow hal_ir_server hal_ir_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_ir_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_116_27_0 hal_ir_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_ir_client hal_ir_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_keymaster_client hal_keymaster_server (binder (call transfer)))
+(allow hal_keymaster_server hal_keymaster_client (binder (transfer)))
+(allow hal_keymaster_client hal_keymaster_server (fd (use)))
+(allow hal_keymaster_server hal_keymaster_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_keymaster_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_117_27_0 hal_keymaster_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_keymaster_client hal_keymaster_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_keymaster tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_keymaster ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_light_client hal_light_server (binder (call transfer)))
+(allow hal_light_server hal_light_client (binder (transfer)))
+(allow hal_light_client hal_light_server (fd (use)))
+(allow hal_light_server hal_light_client (binder (call transfer)))
+(allow hal_light_client hal_light_server (binder (transfer)))
+(allow hal_light_server hal_light_client (fd (use)))
+(allow hal_light_server hal_light_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_light_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_118_27_0 hal_light_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_light_client hal_light_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_light sysfs_leds_27_0 (lnk_file (read)))
+(allow hal_light sysfs_leds_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_light sysfs_leds_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_memtrack_client hal_memtrack_server (binder (call transfer)))
+(allow hal_memtrack_server hal_memtrack_client (binder (transfer)))
+(allow hal_memtrack_client hal_memtrack_server (fd (use)))
+(allow hal_memtrack_server hal_memtrack_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_memtrack_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_119_27_0 hal_memtrack_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_memtrack_client hal_memtrack_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (call transfer)))
+(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (transfer)))
+(allow hal_neuralnetworks_client hal_neuralnetworks_server (fd (use)))
+(allow hal_neuralnetworks_server hal_neuralnetworks_client (binder (call transfer)))
+(allow hal_neuralnetworks_client hal_neuralnetworks_server (binder (transfer)))
+(allow hal_neuralnetworks_server hal_neuralnetworks_client (fd (use)))
+(allow hal_neuralnetworks_server hal_neuralnetworks_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_neuralnetworks_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_120_27_0 hal_neuralnetworks_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_neuralnetworks_client hal_neuralnetworks_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_neuralnetworks hidl_memory_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_neuralnetworks hal_allocator (fd (use)))
+(neverallow base_typeattr_121_27_0 self (capability (net_admin net_raw)))
+(neverallow base_typeattr_122_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow base_typeattr_122_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow base_typeattr_122_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow base_typeattr_123_27_0 fs_type (file (execute_no_trans)))
+(neverallow base_typeattr_123_27_0 file_type (file (execute_no_trans)))
+(neverallow base_typeattr_5_27_0 halserverdomain (process (transition)))
+(neverallow base_typeattr_10_27_0 halserverdomain (process (dyntransition)))
+(allow hal_nfc_client hal_nfc_server (binder (call transfer)))
+(allow hal_nfc_server hal_nfc_client (binder (transfer)))
+(allow hal_nfc_client hal_nfc_server (fd (use)))
+(allow hal_nfc_server hal_nfc_client (binder (call transfer)))
+(allow hal_nfc_client hal_nfc_server (binder (transfer)))
+(allow hal_nfc_server hal_nfc_client (fd (use)))
+(allow hal_nfc_server hal_nfc_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_nfc_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_124_27_0 hal_nfc_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_nfc_client hal_nfc_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_nfc property_socket_27_0 (sock_file (write)))
+(allow hal_nfc init_27_0 (unix_stream_socket (connectto)))
+(allow hal_nfc nfc_prop_27_0 (property_service (set)))
+(allow hal_nfc nfc_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_nfc nfc_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_nfc nfc_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_nfc nfc_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_nfc nfc_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_nfc nfc_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_oemlock_client hal_oemlock_server (binder (call transfer)))
+(allow hal_oemlock_server hal_oemlock_client (binder (transfer)))
+(allow hal_oemlock_client hal_oemlock_server (fd (use)))
+(allow hal_oemlock_server hal_oemlock_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_oemlock_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_125_27_0 hal_oemlock_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_oemlock_client hal_oemlock_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_power_client hal_power_server (binder (call transfer)))
+(allow hal_power_server hal_power_client (binder (transfer)))
+(allow hal_power_client hal_power_server (fd (use)))
+(allow hal_power_server hal_power_client (binder (call transfer)))
+(allow hal_power_client hal_power_server (binder (transfer)))
+(allow hal_power_server hal_power_client (fd (use)))
+(allow hal_power_server hal_power_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_power_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_126_27_0 hal_power_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_power_client hal_power_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_sensors_client hal_sensors_server (binder (call transfer)))
+(allow hal_sensors_server hal_sensors_client (binder (transfer)))
+(allow hal_sensors_client hal_sensors_server (fd (use)))
+(allow hal_sensors_server hal_sensors_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_sensors_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_127_27_0 hal_sensors_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_sensors_client hal_sensors_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_sensors base_typeattr_101_27_0 (fd (use)))
+(allow hal_sensors hal_allocator (fd (use)))
+(allow hal_sensors self (capability (sys_nice)))
+(allow hal_telephony_client hal_telephony_server (binder (call transfer)))
+(allow hal_telephony_server hal_telephony_client (binder (transfer)))
+(allow hal_telephony_client hal_telephony_server (fd (use)))
+(allow hal_telephony_server hal_telephony_client (binder (call transfer)))
+(allow hal_telephony_client hal_telephony_server (binder (transfer)))
+(allow hal_telephony_server hal_telephony_client (fd (use)))
+(allow hal_telephony_server hal_telephony_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_telephony_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_128_27_0 hal_telephony_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_telephony_client hal_telephony_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_tetheroffload_client hal_tetheroffload_server (binder (call transfer)))
+(allow hal_tetheroffload_server hal_tetheroffload_client (binder (transfer)))
+(allow hal_tetheroffload_client hal_tetheroffload_server (fd (use)))
+(allow hal_tetheroffload_server hal_tetheroffload_client (binder (call transfer)))
+(allow hal_tetheroffload_client hal_tetheroffload_server (binder (transfer)))
+(allow hal_tetheroffload_server hal_tetheroffload_client (fd (use)))
+(allow hal_tetheroffload_client hal_tetheroffload_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_tetheroffload_server hal_tetheroffload_client (netlink_netfilter_socket (read write getattr setopt)))
+(allow hal_thermal_client hal_thermal_server (binder (call transfer)))
+(allow hal_thermal_server hal_thermal_client (binder (transfer)))
+(allow hal_thermal_client hal_thermal_server (fd (use)))
+(allow hal_thermal_server hal_thermal_client (binder (call transfer)))
+(allow hal_thermal_client hal_thermal_server (binder (transfer)))
+(allow hal_thermal_server hal_thermal_client (fd (use)))
+(allow hal_thermal_server hal_thermal_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_thermal_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_129_27_0 hal_thermal_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_thermal_client hal_thermal_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_tv_cec_client hal_tv_cec_server (binder (call transfer)))
+(allow hal_tv_cec_server hal_tv_cec_client (binder (transfer)))
+(allow hal_tv_cec_client hal_tv_cec_server (fd (use)))
+(allow hal_tv_cec_server hal_tv_cec_client (binder (call transfer)))
+(allow hal_tv_cec_client hal_tv_cec_server (binder (transfer)))
+(allow hal_tv_cec_server hal_tv_cec_client (fd (use)))
+(allow hal_tv_cec_server hal_tv_cec_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_tv_cec_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_130_27_0 hal_tv_cec_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_tv_cec_client hal_tv_cec_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_tv_input_client hal_tv_input_server (binder (call transfer)))
+(allow hal_tv_input_server hal_tv_input_client (binder (transfer)))
+(allow hal_tv_input_client hal_tv_input_server (fd (use)))
+(allow hal_tv_input_server hal_tv_input_client (binder (call transfer)))
+(allow hal_tv_input_client hal_tv_input_server (binder (transfer)))
+(allow hal_tv_input_server hal_tv_input_client (fd (use)))
+(allow hal_tv_input_server hal_tv_input_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_tv_input_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_131_27_0 hal_tv_input_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_tv_input_client hal_tv_input_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_usb_client hal_usb_server (binder (call transfer)))
+(allow hal_usb_server hal_usb_client (binder (transfer)))
+(allow hal_usb_client hal_usb_server (fd (use)))
+(allow hal_usb_server hal_usb_client (binder (call transfer)))
+(allow hal_usb_client hal_usb_server (binder (transfer)))
+(allow hal_usb_server hal_usb_client (fd (use)))
+(allow hal_usb_server hal_usb_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_usb_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_132_27_0 hal_usb_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_usb_client hal_usb_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_usb self (netlink_kobject_uevent_socket (create)))
+(allow hal_usb self (netlink_kobject_uevent_socket (setopt)))
+(allow hal_usb self (netlink_kobject_uevent_socket (bind)))
+(allow hal_usb self (netlink_kobject_uevent_socket (read)))
+(allow hal_usb sysfs_27_0 (dir (open)))
+(allow hal_usb sysfs_27_0 (dir (read)))
+(allow hal_usb sysfs_27_0 (file (read)))
+(allow hal_usb sysfs_27_0 (file (open)))
+(allow hal_usb sysfs_27_0 (file (write)))
+(allow hal_usb sysfs_27_0 (file (getattr)))
+(allow hal_vibrator_client hal_vibrator_server (binder (call transfer)))
+(allow hal_vibrator_server hal_vibrator_client (binder (transfer)))
+(allow hal_vibrator_client hal_vibrator_server (fd (use)))
+(allow hal_vibrator_server hal_vibrator_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_vibrator_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_133_27_0 hal_vibrator_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_vibrator_client hal_vibrator_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_vibrator sysfs_vibrator_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_vr_client hal_vr_server (binder (call transfer)))
+(allow hal_vr_server hal_vr_client (binder (transfer)))
+(allow hal_vr_client hal_vr_server (fd (use)))
+(allow hal_vr_server hal_vr_client (binder (call transfer)))
+(allow hal_vr_client hal_vr_server (binder (transfer)))
+(allow hal_vr_server hal_vr_client (fd (use)))
+(allow hal_vr_server hal_vr_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_vr_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_134_27_0 hal_vr_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_vr_client hal_vr_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_weaver_client hal_weaver_server (binder (call transfer)))
+(allow hal_weaver_server hal_weaver_client (binder (transfer)))
+(allow hal_weaver_client hal_weaver_server (fd (use)))
+(allow hal_weaver_server hal_weaver_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_weaver_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_135_27_0 hal_weaver_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_weaver_client hal_weaver_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_wifi_client hal_wifi_server (binder (call transfer)))
+(allow hal_wifi_server hal_wifi_client (binder (transfer)))
+(allow hal_wifi_client hal_wifi_server (fd (use)))
+(allow hal_wifi_server hal_wifi_client (binder (call transfer)))
+(allow hal_wifi_client hal_wifi_server (binder (transfer)))
+(allow hal_wifi_server hal_wifi_client (fd (use)))
+(allow hal_wifi_server hal_wifi_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_wifi_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_136_27_0 hal_wifi_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_wifi_client hal_wifi_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_wifi proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_wifi proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_wifi proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi sysfs_type (dir (ioctl read getattr lock search open)))
+(allow hal_wifi sysfs_type (file (ioctl read getattr lock map open)))
+(allow hal_wifi sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi property_socket_27_0 (sock_file (write)))
+(allow hal_wifi init_27_0 (unix_stream_socket (connectto)))
+(allow hal_wifi wifi_prop_27_0 (property_service (set)))
+(allow hal_wifi wifi_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_wifi self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allowx hal_wifi self (ioctl udp_socket (0x8914)))
+(allow hal_wifi self (capability (net_admin net_raw)))
+(allow hal_wifi self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hal_wifi self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hal_wifi sysfs_wlan_fwpath_27_0 (file (write lock append map open)))
+(allow hal_wifi proc_modules_27_0 (file (read getattr open)))
+(allow hal_wifi_offload_client hal_wifi_offload_server (binder (call transfer)))
+(allow hal_wifi_offload_server hal_wifi_offload_client (binder (transfer)))
+(allow hal_wifi_offload_client hal_wifi_offload_server (fd (use)))
+(allow hal_wifi_offload_server hal_wifi_offload_client (binder (call transfer)))
+(allow hal_wifi_offload_client hal_wifi_offload_server (binder (transfer)))
+(allow hal_wifi_offload_server hal_wifi_offload_client (fd (use)))
+(allow hal_wifi_offload_server hal_wifi_offload_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_wifi_offload_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_137_27_0 hal_wifi_offload_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_wifi_offload_client hal_wifi_offload_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_wifi_offload proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_wifi_offload proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_wifi_offload proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi_offload sysfs_type (dir (ioctl read getattr lock search open)))
+(allow hal_wifi_offload sysfs_type (file (ioctl read getattr lock map open)))
+(allow hal_wifi_offload sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (call transfer)))
+(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (transfer)))
+(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (fd (use)))
+(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (binder (call transfer)))
+(allow hal_wifi_supplicant_client hal_wifi_supplicant_server (binder (transfer)))
+(allow hal_wifi_supplicant_server hal_wifi_supplicant_client (fd (use)))
+(allow hal_wifi_supplicant_server hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (add find)))
+(allow hal_wifi_supplicant_server hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_138_27_0 hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (add)))
+(allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice_27_0 (hwservice_manager (find)))
+(allowx hal_wifi_supplicant self (ioctl udp_socket (0x6900 0x6902)))
+(allowx hal_wifi_supplicant self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx hal_wifi_supplicant self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow hal_wifi_supplicant sysfs_type (dir (ioctl read getattr lock search open)))
+(allow hal_wifi_supplicant sysfs_type (file (ioctl read getattr lock map open)))
+(allow hal_wifi_supplicant sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi_supplicant proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_wifi_supplicant proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_wifi_supplicant proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hal_wifi_supplicant kernel_27_0 (system (module_request)))
+(allow hal_wifi_supplicant self (capability (setgid setuid net_admin net_raw)))
+(allow hal_wifi_supplicant cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_wifi_supplicant self (netlink_route_socket (nlmsg_write)))
+(allow hal_wifi_supplicant self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hal_wifi_supplicant self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hal_wifi_supplicant self (packet_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx hal_wifi_supplicant self (ioctl packet_socket (0x6900 0x6902)))
+(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8906 0x8907)) ((range 0x890b 0x890d)) ((range 0x8910 0x8927)) 0x8929 ((range 0x8930 0x8939)) ((range 0x8940 0x8943)) ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx hal_wifi_supplicant self (ioctl packet_socket (((range 0x8b00 0x8b02)) ((range 0x8b04 0x8b1d)) ((range 0x8b20 0x8b2d)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow hal_wifi_supplicant wifi_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_wifi_supplicant wifi_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_wifi_supplicant wpa_socket_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hal_wifi_supplicant wpa_socket_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow hal_wifi_supplicant wpa_socket_27_0 (sock_file (write)))
+(allow hal_wifi_supplicant su_27_0 (unix_dgram_socket (sendto)))
+(neverallow hal_wifi_supplicant_server sdcard_type (dir (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(neverallow hal_wifi_supplicant_server sdcard_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(allow healthd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow healthd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 self (capability (sys_tty_config)))
+(allow healthd_27_0 self (capability (sys_boot)))
+(allow healthd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow healthd_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow healthd_27_0 self (capability2 (block_suspend)))
+(allow healthd_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 healthd_27_0 (dir (search)))
+(allow servicemanager_27_0 healthd_27_0 (file (read open)))
+(allow servicemanager_27_0 healthd_27_0 (process (getattr)))
+(allow healthd_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 healthd_27_0 (binder (transfer)))
+(allow healthd_27_0 system_server_27_0 (fd (use)))
+(allow healthd_27_0 sysfs_27_0 (file (write)))
+(allow healthd_27_0 sysfs_usb_27_0 (file (write)))
+(allow healthd_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 pstorefs_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow healthd_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow healthd_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow healthd_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow healthd_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow healthd_27_0 ashmem_device_27_0 (chr_file (execute)))
+(allow healthd_27_0 self (process (execmem)))
+(allow healthd_27_0 proc_sysrq_27_0 (file (ioctl read write getattr lock append map open)))
+(allow healthd_27_0 batteryproperties_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_139_27_0 batteryproperties_service_27_0 (service_manager (add)))
+(allow healthd_27_0 property_socket_27_0 (sock_file (write)))
+(allow healthd_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow healthd_27_0 system_prop_27_0 (property_service (set)))
+(allow healthd_27_0 system_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hwservicemanager_27_0 self (binder (set_context_mgr)))
+(allow hwservicemanager_27_0 property_socket_27_0 (sock_file (write)))
+(allow hwservicemanager_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow hwservicemanager_27_0 hwservicemanager_prop_27_0 (property_service (set)))
+(allow hwservicemanager_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow hwservicemanager_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hwservicemanager_27_0 hwservice_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hwservicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow hwservicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow hwservicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hwservicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow hwservicemanager_27_0 kernel_27_0 (security (compute_av)))
+(allow hwservicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow idmap_27_0 installd_27_0 (fd (use)))
+(allow idmap_27_0 resourcecache_data_file_27_0 (file (read write getattr)))
+(allow idmap_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow idmap_27_0 apk_data_file_27_0 (dir (search)))
+(allow idmap_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow idmap_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
+(allow idmap_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow idmap_27_0 vendor_overlay_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow idmap_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
+(allow idmap_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 tmpfs_27_0 (chr_file (ioctl read write create getattr setattr lock append map unlink open)))
+(allow init_27_0 tmpfs_27_0 (chr_file (relabelfrom)))
+(allow init_27_0 kmsg_device_27_0 (chr_file (write relabelto)))
+(allow init_27_0 kmsg_debug_device_27_0 (chr_file (write relabelto)))
+(allow init_27_0 properties_device_27_0 (dir (relabelto)))
+(allow init_27_0 properties_serial_27_0 (file (write relabelto)))
+(allow init_27_0 property_type (file (ioctl read write create getattr setattr lock relabelto append map unlink rename open)))
+(allow init_27_0 device_27_0 (file (relabelfrom)))
+(allow init_27_0 runtime_event_log_tags_file_27_0 (file (write setattr relabelto open)))
+(allow init_27_0 device_27_0 (dir (relabelto)))
+(allow init_27_0 socket_device_27_0 (dir (relabelto)))
+(allow init_27_0 random_device_27_0 (chr_file (relabelto)))
+(allow init_27_0 tmpfs_27_0 (chr_file (relabelfrom)))
+(allow init_27_0 tmpfs_27_0 (blk_file (relabelfrom)))
+(allow init_27_0 tmpfs_27_0 (blk_file (getattr)))
+(allow init_27_0 block_device_27_0 (dir (relabelto)))
+(allow init_27_0 block_device_27_0 (lnk_file (relabelto)))
+(allow init_27_0 block_device_27_0 (blk_file (relabelto)))
+(allow init_27_0 dm_device_27_0 (chr_file (relabelto)))
+(allow init_27_0 dm_device_27_0 (blk_file (relabelto)))
+(allow init_27_0 kernel_27_0 (fd (use)))
+(allow init_27_0 tmpfs_27_0 (lnk_file (read getattr relabelfrom)))
+(allow init_27_0 system_block_device_27_0 (lnk_file (relabelto)))
+(allow init_27_0 system_block_device_27_0 (blk_file (relabelto)))
+(allow init_27_0 self (capability (sys_resource)))
+(allow init_27_0 tmpfs_27_0 (file (unlink)))
+(allow init_27_0 devpts_27_0 (chr_file (read write open)))
+(allow init_27_0 fscklogs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 tmpfs_27_0 (chr_file (write)))
+(allow init_27_0 console_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 self (capability (sys_admin)))
+(allow init_27_0 rootfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 rootfs_27_0 (dir (mounton)))
+(allow init_27_0 cgroup_27_0 (dir (mounton)))
+(allow init_27_0 system_file_27_0 (dir (mounton)))
+(allow init_27_0 vendor_file_27_0 (dir (mounton)))
+(allow init_27_0 system_data_file_27_0 (dir (mounton)))
+(allow init_27_0 storage_file_27_0 (dir (mounton)))
+(allow init_27_0 postinstall_mnt_dir_27_0 (dir (mounton)))
+(allow init_27_0 cache_file_27_0 (dir (mounton)))
+(allow init_27_0 device_27_0 (dir (mounton)))
+(allow init_27_0 rootfs_27_0 (lnk_file (create unlink)))
+(allow init_27_0 sysfs_27_0 (dir (mounton)))
+(allow init_27_0 tmpfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 tmpfs_27_0 (dir (mounton)))
+(allow init_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow init_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 cpuctl_device_27_0 (dir (create mounton)))
+(allow init_27_0 configfs_27_0 (dir (mounton)))
+(allow init_27_0 configfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 configfs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 configfs_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 tmpfs_27_0 (dir (relabelfrom)))
+(allow init_27_0 self (capability (dac_override)))
+(allow init_27_0 self (capability (sys_time)))
+(allow init_27_0 self (capability (sys_rawio mknod)))
+(allow init_27_0 dev_type (blk_file (ioctl read getattr lock map open)))
+(allow init_27_0 fs_type (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
+(allow init_27_0 unlabeled_27_0 (filesystem (mount remount unmount getattr relabelfrom associate quotamod quotaget)))
+(allow init_27_0 contextmount_type (filesystem (relabelto)))
+(allow init_27_0 contextmount_type (dir (ioctl read getattr lock search open)))
+(allow init_27_0 contextmount_type (file (ioctl read getattr lock map open)))
+(allow init_27_0 contextmount_type (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 contextmount_type (sock_file (ioctl read getattr lock map open)))
+(allow init_27_0 contextmount_type (fifo_file (ioctl read getattr lock map open)))
+(allow init_27_0 rootfs_27_0 (file (relabelfrom)))
+(allow init_27_0 rootfs_27_0 (dir (relabelfrom)))
+(allow init_27_0 self (capability (chown fowner fsetid)))
+(allow init_27_0 base_typeattr_140_27_0 (dir (ioctl read create getattr setattr search open)))
+(allow init_27_0 base_typeattr_141_27_0 (dir (write relabelfrom add_name remove_name rmdir)))
+(allow init_27_0 base_typeattr_142_27_0 (file (read write create getattr setattr relabelfrom unlink open)))
+(allow init_27_0 base_typeattr_141_27_0 (sock_file (read create getattr setattr relabelfrom unlink open)))
+(allow init_27_0 base_typeattr_141_27_0 (fifo_file (read create getattr setattr relabelfrom unlink open)))
+(allow init_27_0 base_typeattr_141_27_0 (lnk_file (create getattr setattr relabelfrom unlink)))
+(allow init_27_0 cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 base_typeattr_143_27_0 (file (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (dir (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (lnk_file (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (chr_file (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (blk_file (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (sock_file (relabelto)))
+(allow init_27_0 base_typeattr_143_27_0 (fifo_file (relabelto)))
+(allow init_27_0 sysfs_27_0 (file (getattr relabelfrom)))
+(allow init_27_0 sysfs_27_0 (dir (getattr relabelfrom)))
+(allow init_27_0 sysfs_27_0 (lnk_file (getattr relabelfrom)))
+(allow init_27_0 debugfs_27_0 (file (getattr relabelfrom)))
+(allow init_27_0 debugfs_27_0 (dir (getattr relabelfrom)))
+(allow init_27_0 debugfs_27_0 (lnk_file (getattr relabelfrom)))
+(allow init_27_0 debugfs_tracing_27_0 (file (getattr relabelfrom)))
+(allow init_27_0 debugfs_tracing_27_0 (dir (getattr relabelfrom)))
+(allow init_27_0 debugfs_tracing_27_0 (lnk_file (getattr relabelfrom)))
+(allow init_27_0 sysfs_type (file (getattr relabelto)))
+(allow init_27_0 sysfs_type (dir (getattr relabelto)))
+(allow init_27_0 sysfs_type (lnk_file (getattr relabelto)))
+(allow init_27_0 debugfs_type (file (getattr relabelto)))
+(allow init_27_0 debugfs_type (dir (getattr relabelto)))
+(allow init_27_0 debugfs_type (lnk_file (getattr relabelto)))
+(allow init_27_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 dev_type (lnk_file (create)))
+(allow init_27_0 debugfs_tracing_27_0 (file (write lock append map open)))
+(allow init_27_0 debugfs_tracing_instances_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 debugfs_tracing_instances_27_0 (file (write lock append map open)))
+(allow init_27_0 debugfs_wifi_tracing_27_0 (file (write lock append map open)))
+(allow init_27_0 base_typeattr_144_27_0 (file (read setattr open)))
+(allow init_27_0 base_typeattr_144_27_0 (dir (read setattr search open)))
+(allow init_27_0 base_typeattr_145_27_0 (chr_file (read open)))
+(auditallow init_27_0 base_typeattr_146_27_0 (chr_file (read open)))
+(allow init_27_0 base_typeattr_147_27_0 (chr_file (setattr)))
+(allow init_27_0 unlabeled_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 unlabeled_27_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
+(allow init_27_0 unlabeled_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
+(allow init_27_0 unlabeled_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
+(allow init_27_0 unlabeled_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom append map unlink rename open)))
+(allow init_27_0 kernel_27_0 (system (syslog_mod)))
+(allow init_27_0 self (capability2 (syslog)))
+(allow init_27_0 usermodehelper_27_0 (file (ioctl read write getattr lock append map open)))
+(allow init_27_0 sysfs_usermodehelper_27_0 (file (ioctl read write getattr lock append map open)))
+(allow init_27_0 proc_security_27_0 (file (ioctl read write getattr lock append map open)))
+(allow init_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow init_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 proc_27_0 (file (write lock append map open)))
+(allow init_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow init_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 proc_net_27_0 (file (write lock append map open)))
+(allow init_27_0 self (capability (net_admin)))
+(allow init_27_0 proc_sysrq_27_0 (file (write lock append map open)))
+(allow init_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 self (capability (sys_boot)))
+(allow init_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow init_27_0 sysfs_type (lnk_file (read)))
+(allow init_27_0 sysfs_type (file (ioctl read write getattr lock append map open)))
+(allow init_27_0 misc_logd_file_27_0 (dir (read write create getattr setattr add_name search open)))
+(allow init_27_0 misc_logd_file_27_0 (file (write create getattr setattr open)))
+(allow init_27_0 self (capability (kill)))
+(allow init_27_0 domain (process (sigkill signal getpgid)))
+(allow init_27_0 keystore_data_file_27_0 (dir (read create getattr setattr search open)))
+(allow init_27_0 keystore_data_file_27_0 (file (getattr)))
+(allow init_27_0 vold_data_file_27_0 (dir (read create getattr setattr search open)))
+(allow init_27_0 vold_data_file_27_0 (file (getattr)))
+(allow init_27_0 shell_data_file_27_0 (dir (read create getattr setattr search open)))
+(allow init_27_0 shell_data_file_27_0 (file (getattr)))
+(allow init_27_0 self (capability (setgid setuid setpcap)))
+(allow init_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow init_27_0 domain (file (ioctl read getattr lock map open)))
+(allow init_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 self (process (setexec setfscreate setsockcreate)))
+(allow init_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 sepolicy_file_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow init_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow init_27_0 kernel_27_0 (security (compute_av)))
+(allow init_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow init_27_0 kernel_27_0 (security (compute_create)))
+(allow init_27_0 domain (unix_stream_socket (create bind setopt)))
+(allow init_27_0 domain (unix_dgram_socket (create bind setopt)))
+(allow init_27_0 property_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 property_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 property_type (property_service (set)))
+(allow init_27_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_relay)))
+(allow init_27_0 self (capability (audit_write)))
+(allow init_27_0 self (udp_socket (ioctl create)))
+(allowx init_27_0 self (ioctl udp_socket (0x8914)))
+(allow init_27_0 self (capability (net_raw)))
+(allow init_27_0 kernel_27_0 (process (setsched)))
+(allow init_27_0 swap_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 hw_random_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow init_27_0 device_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 self (capability (sys_tty_config)))
+(allow init_27_0 keychord_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 dm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 metadata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow init_27_0 pstorefs_27_0 (dir (search)))
+(allow init_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 kernel_27_0 (system (syslog_read)))
+(allow init_27_0 init_27_0 (key (write search setattr)))
+(allow init_27_0 unencrypted_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow init_27_0 proc_overcommit_memory_27_0 (file (write)))
+(allow init_27_0 vold_socket_27_0 (sock_file (write)))
+(allow init_27_0 vold_27_0 (unix_stream_socket (connectto)))
+(allow init_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
+(allow init_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow init_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 vendor_file_type (dir (ioctl read getattr lock search open)))
+(allow init_27_0 vendor_file_type (file (ioctl read getattr lock map open)))
+(allow init_27_0 vendor_file_type (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow init_27_0 system_data_file_27_0 (file (read getattr)))
+(allow init_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 vendor_shell_exec_27_0 (file (execute)))
+(neverallow domain init_27_0 (process (dyntransition)))
+(neverallow base_typeattr_15_27_0 init_27_0 (process (transition)))
+(neverallow init_27_0 base_typeattr_148_27_0 (file (entrypoint)))
+(neverallow init_27_0 shell_data_file_27_0 (lnk_file (read)))
+(neverallow init_27_0 app_data_file_27_0 (lnk_file (read)))
+(neverallow init_27_0 fs_type (file (execute_no_trans)))
+(neverallow init_27_0 file_type (file (execute_no_trans)))
+(neverallow init_27_0 service_manager_type (service_manager (add find)))
+(neverallow init_27_0 servicemanager_27_0 (service_manager (list)))
+(neverallow init_27_0 shell_data_file_27_0 (dir (write add_name remove_name)))
+(allow inputflinger_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 inputflinger_27_0 (dir (search)))
+(allow servicemanager_27_0 inputflinger_27_0 (file (read open)))
+(allow servicemanager_27_0 inputflinger_27_0 (process (getattr)))
+(allow inputflinger_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 inputflinger_27_0 (binder (transfer)))
+(allow inputflinger_27_0 system_server_27_0 (fd (use)))
+(allow inputflinger_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow inputflinger_27_0 self (capability2 (block_suspend)))
+(allow inputflinger_27_0 inputflinger_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_149_27_0 inputflinger_service_27_0 (service_manager (add)))
+(allow inputflinger_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow inputflinger_27_0 input_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow inputflinger_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow inputflinger_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow inputflinger_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow install_recovery_27_0 self (capability (dac_override)))
+(allow install_recovery_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow install_recovery_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow install_recovery_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow install_recovery_27_0 block_device_27_0 (dir (search)))
+(allow install_recovery_27_0 boot_block_device_27_0 (blk_file (ioctl read getattr lock map open)))
+(allow install_recovery_27_0 recovery_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow install_recovery_27_0 cache_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow install_recovery_27_0 cache_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow install_recovery_27_0 proc_drop_caches_27_0 (file (write lock append map open)))
+(allow installd_27_0 self (capability (chown dac_override fowner fsetid setgid setuid sys_admin)))
+(allow installd_27_0 dalvikcache_data_file_27_0 (dir (relabelto)))
+(allow installd_27_0 dalvikcache_data_file_27_0 (file (relabelto link)))
+(allow installd_27_0 apk_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 apk_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom append map unlink link rename open)))
+(allow installd_27_0 apk_data_file_27_0 (lnk_file (ioctl read create getattr lock map unlink open)))
+(allow installd_27_0 asec_apk_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 apk_tmp_file_27_0 (file (ioctl read getattr lock map unlink open)))
+(allow installd_27_0 apk_tmp_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 oemfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 cgroup_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 cgroup_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 mnt_expand_file_27_0 (dir (getattr search)))
+(allow installd_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow installd_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow installd_27_0 kernel_27_0 (security (check_context)))
+(allow installd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow installd_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow installd_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow installd_27_0 vendor_overlay_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 vendor_overlay_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 vendor_overlay_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow installd_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 asec_image_file_27_0 (dir (search)))
+(allow installd_27_0 asec_image_file_27_0 (file (getattr)))
+(allow installd_27_0 system_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 system_data_file_27_0 (lnk_file (create setattr unlink)))
+(allow installd_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 media_rw_data_file_27_0 (file (getattr unlink)))
+(allow installd_27_0 system_data_file_27_0 (dir (relabelfrom)))
+(allow installd_27_0 media_rw_data_file_27_0 (dir (relabelto)))
+(allow installd_27_0 tmpfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow installd_27_0 storage_file_27_0 (dir (search)))
+(allow installd_27_0 sdcardfs_27_0 (dir (read write getattr remove_name search rmdir open)))
+(allow installd_27_0 sdcardfs_27_0 (file (getattr unlink)))
+(allow installd_27_0 misc_user_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 misc_user_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 keychain_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 keychain_data_file_27_0 (file (ioctl read getattr lock map unlink open)))
+(allow installd_27_0 install_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 dalvikcache_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 dalvikcache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 dalvikcache_data_file_27_0 (lnk_file (getattr)))
+(allow installd_27_0 resourcecache_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow installd_27_0 resourcecache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 unlabeled_27_0 (dir (ioctl read write getattr lock relabelfrom add_name remove_name search rmdir open)))
+(allow installd_27_0 unlabeled_27_0 (file (getattr setattr relabelfrom unlink rename)))
+(allow installd_27_0 unlabeled_27_0 (lnk_file (getattr setattr relabelfrom unlink rename)))
+(allow installd_27_0 unlabeled_27_0 (sock_file (getattr setattr relabelfrom unlink rename)))
+(allow installd_27_0 unlabeled_27_0 (fifo_file (getattr setattr relabelfrom unlink rename)))
+(allow installd_27_0 unlabeled_27_0 (file (ioctl read getattr lock map open)))
+(allow installd_27_0 system_data_file_27_0 (file (getattr relabelfrom unlink)))
+(allow installd_27_0 system_data_file_27_0 (lnk_file (getattr relabelfrom unlink)))
+(allow installd_27_0 system_data_file_27_0 (sock_file (getattr relabelfrom unlink)))
+(allow installd_27_0 system_data_file_27_0 (fifo_file (getattr relabelfrom unlink)))
+(allow installd_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 bluetooth_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 nfc_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 radio_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 app_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 system_app_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 shell_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 shell_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 shell_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 bluetooth_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 bluetooth_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 bluetooth_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 bluetooth_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 nfc_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 nfc_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 nfc_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 nfc_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 radio_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 radio_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 radio_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 radio_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 app_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 app_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 app_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 app_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 system_app_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 system_app_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 system_app_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 system_app_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink rename open)))
+(allow installd_27_0 user_profile_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow installd_27_0 user_profile_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow installd_27_0 user_profile_data_file_27_0 (dir (rmdir)))
+(allow installd_27_0 user_profile_data_file_27_0 (file (unlink)))
+(allow installd_27_0 profman_dump_data_file_27_0 (dir (write add_name search)))
+(allow installd_27_0 profman_dump_data_file_27_0 (file (write create setattr open)))
+(allow installd_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow installd_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow installd_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 installd_27_0 (dir (search)))
+(allow servicemanager_27_0 installd_27_0 (file (read open)))
+(allow servicemanager_27_0 installd_27_0 (process (getattr)))
+(allow installd_27_0 installd_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_150_27_0 installd_service_27_0 (service_manager (add)))
+(allow installd_27_0 dumpstate_27_0 (fifo_file (write getattr)))
+(allow installd_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 installd_27_0 (binder (transfer)))
+(allow installd_27_0 system_server_27_0 (fd (use)))
+(allow installd_27_0 permission_service_27_0 (service_manager (find)))
+(allow installd_27_0 block_device_27_0 (dir (search)))
+(allow installd_27_0 labeledfs_27_0 (filesystem (quotamod quotaget)))
+(allow installd_27_0 preloads_data_file_27_0 (file (ioctl read getattr lock map unlink open)))
+(allow installd_27_0 preloads_data_file_27_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
+(allow installd_27_0 preloads_media_file_27_0 (file (ioctl read getattr lock map unlink open)))
+(allow installd_27_0 preloads_media_file_27_0 (dir (ioctl read write getattr lock remove_name search rmdir open)))
+(neverallow base_typeattr_151_27_0 installd_service_27_0 (service_manager (find)))
+(neverallow base_typeattr_63_27_0 installd_27_0 (binder (call)))
+(neverallow installd_27_0 base_typeattr_152_27_0 (binder (call)))
+(allow kernel_27_0 self (capability (sys_nice)))
+(allow kernel_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow kernel_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow kernel_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow kernel_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow kernel_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow kernel_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow kernel_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow kernel_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow kernel_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow kernel_27_0 rootfs_27_0 (file (relabelfrom)))
+(allow kernel_27_0 init_exec_27_0 (file (relabelto)))
+(allow kernel_27_0 init_27_0 (process (share)))
+(allow kernel_27_0 unlabeled_27_0 (dir (search)))
+(allow kernel_27_0 usbfs_27_0 (filesystem (mount)))
+(allow kernel_27_0 usbfs_27_0 (dir (search)))
+(dontaudit kernel_27_0 self (security (setenforce)))
+(allow kernel_27_0 self (capability (sys_resource)))
+(allow kernel_27_0 self (capability (sys_boot)))
+(allow kernel_27_0 proc_sysrq_27_0 (file (write lock append map open)))
+(allow kernel_27_0 tmpfs_27_0 (chr_file (write)))
+(allow kernel_27_0 selinuxfs_27_0 (file (write)))
+(allow kernel_27_0 self (security (setcheckreqprot)))
+(allow kernel_27_0 sdcard_type (file (read write)))
+(allow kernel_27_0 mediaprovider_27_0 (fd (use)))
+(allow kernel_27_0 vold_27_0 (fd (use)))
+(allow kernel_27_0 app_data_file_27_0 (file (read)))
+(allow kernel_27_0 asec_image_file_27_0 (file (read)))
+(allow kernel_27_0 update_engine_data_file_27_0 (file (read)))
+(allow kernel_27_0 nativetest_data_file_27_0 (file (read)))
+(allow kernel_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow kernel_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow kernel_27_0 vold_data_file_27_0 (file (read)))
+(neverallow base_typeattr_10_27_0 kernel_27_0 (process (transition dyntransition)))
+(neverallow kernel_27_0 base_typeattr_10_27_0 (file (execute_no_trans entrypoint)))
+(neverallow kernel_27_0 self (capability (dac_override dac_read_search)))
+(allow keystore_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 keystore_27_0 (dir (search)))
+(allow servicemanager_27_0 keystore_27_0 (file (read open)))
+(allow servicemanager_27_0 keystore_27_0 (process (getattr)))
+(allow keystore_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 keystore_27_0 (binder (transfer)))
+(allow keystore_27_0 system_server_27_0 (fd (use)))
+(allow keystore_27_0 keystore_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow keystore_27_0 keystore_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow keystore_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow keystore_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow keystore_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow keystore_27_0 keystore_exec_27_0 (file (getattr)))
+(allow keystore_27_0 keystore_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_153_27_0 keystore_service_27_0 (service_manager (add)))
+(allow keystore_27_0 sec_key_att_app_id_provider_service_27_0 (service_manager (find)))
+(allow keystore_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow keystore_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow keystore_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow keystore_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow keystore_27_0 kernel_27_0 (security (compute_av)))
+(allow keystore_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow keystore_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow keystore_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow keystore_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
+(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_153_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_154_27_0 keystore_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_10_27_0 keystore_27_0 (process (ptrace)))
+(allow lmkd_27_0 self (capability (dac_override kill sys_resource)))
+(allow lmkd_27_0 self (capability (ipc_lock)))
+(allow lmkd_27_0 appdomain (dir (ioctl read getattr lock search open)))
+(allow lmkd_27_0 appdomain (file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 appdomain (lnk_file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 appdomain (file (write)))
+(allow lmkd_27_0 system_server_27_0 (dir (ioctl read getattr lock search open)))
+(allow lmkd_27_0 system_server_27_0 (file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 system_server_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 system_server_27_0 (file (write)))
+(allow lmkd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow lmkd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 sysfs_lowmemorykiller_27_0 (file (write lock append map open)))
+(allow lmkd_27_0 appdomain (process (sigkill)))
+(allow lmkd_27_0 cgroup_27_0 (dir (remove_name rmdir)))
+(allow lmkd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow lmkd_27_0 self (capability (sys_nice)))
+(allow lmkd_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_10_27_0 lmkd_27_0 (process (noatsecure)))
+(allow logd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_meminfo_27_0 (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_meminfo_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 self (capability (setgid setuid setpcap sys_nice audit_control)))
+(allow logd_27_0 self (capability2 (syslog)))
+(allow logd_27_0 self (netlink_audit_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_write)))
+(allow logd_27_0 kernel_27_0 (system (syslog_read)))
+(allow logd_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
+(allow logd_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 pstorefs_27_0 (dir (search)))
+(allow logd_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 misc_logd_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 misc_logd_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow logd_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow logd_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow logd_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow logd_27_0 domain (file (ioctl read getattr lock map open)))
+(allow logd_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow logd_27_0 kernel_27_0 (system (syslog_mod)))
+(allow logd_27_0 logd_socket_27_0 (sock_file (write)))
+(allow logd_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow logd_27_0 runtime_event_log_tags_file_27_0 (file (ioctl read getattr lock map open)))
+(allow runtime_event_log_tags_file_27_0 tmpfs_27_0 (filesystem (associate)))
+(dontaudit domain runtime_event_log_tags_file_27_0 (file (read open)))
+(neverallow logd_27_0 dev_type (blk_file (read write)))
+(neverallow logd_27_0 domain (process (ptrace)))
+(neverallow base_typeattr_155_27_0 logd_27_0 (process (ptrace)))
+(neverallow logd_27_0 system_file_27_0 (file (write)))
+(neverallow logd_27_0 system_file_27_0 (dir (write)))
+(neverallow logd_27_0 system_file_27_0 (lnk_file (write)))
+(neverallow logd_27_0 system_file_27_0 (chr_file (write)))
+(neverallow logd_27_0 system_file_27_0 (blk_file (write)))
+(neverallow logd_27_0 system_file_27_0 (sock_file (write)))
+(neverallow logd_27_0 system_file_27_0 (fifo_file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (dir (write)))
+(neverallow logd_27_0 system_data_file_27_0 (lnk_file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (chr_file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (blk_file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (sock_file (write)))
+(neverallow logd_27_0 system_data_file_27_0 (fifo_file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (dir (write)))
+(neverallow logd_27_0 app_data_file_27_0 (lnk_file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (chr_file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (blk_file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (sock_file (write)))
+(neverallow logd_27_0 app_data_file_27_0 (fifo_file (write)))
+(neverallow base_typeattr_5_27_0 logd_27_0 (process (transition)))
+(neverallow base_typeattr_10_27_0 logd_27_0 (process (dyntransition)))
+(neverallow base_typeattr_156_27_0 runtime_event_log_tags_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow logpersist_27_0 dev_type (blk_file (read write)))
+(neverallow logpersist_27_0 domain (process (ptrace)))
+(neverallow logpersist_27_0 system_data_file_27_0 (file (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (dir (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (lnk_file (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (chr_file (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (blk_file (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (sock_file (write)))
+(neverallow logpersist_27_0 system_data_file_27_0 (fifo_file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (dir (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (lnk_file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (chr_file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (blk_file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (sock_file (write)))
+(neverallow logpersist_27_0 app_data_file_27_0 (fifo_file (write)))
+(neverallow base_typeattr_10_27_0 logpersist_27_0 (process (dyntransition)))
+(allow mediacodec_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow mediacodec_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediacodec_27_0 vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 mediacodec_27_0 (dir (search)))
+(allow vndservicemanager_27_0 mediacodec_27_0 (file (read open)))
+(allow vndservicemanager_27_0 mediacodec_27_0 (process (getattr)))
+(allow mediacodec_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain mediacodec_27_0 (binder (transfer)))
+(allow mediacodec_27_0 binderservicedomain (fd (use)))
+(allow mediacodec_27_0 appdomain (binder (call transfer)))
+(allow appdomain mediacodec_27_0 (binder (transfer)))
+(allow mediacodec_27_0 appdomain (fd (use)))
+(allow mediacodec_27_0 hal_graphics_composer (fd (use)))
+(allow mediacodec_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediacodec_27_0 video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediacodec_27_0 video_device_27_0 (dir (search)))
+(allow mediacodec_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediacodec_27_0 hal_camera (fd (use)))
+(allow mediacodec_27_0 su_27_0 (fifo_file (append)))
+(allow mediacodec_27_0 anr_data_file_27_0 (file (append)))
+(allow mediacodec_27_0 dumpstate_27_0 (fd (use)))
+(allow mediacodec_27_0 dumpstate_27_0 (fifo_file (write append)))
+(allow mediacodec_27_0 system_server_27_0 (fifo_file (write append)))
+(allow mediacodec_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
+(allow mediacodec_27_0 tombstoned_27_0 (fd (use)))
+(allow mediacodec_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
+(allow mediacodec_27_0 tombstone_data_file_27_0 (file (append)))
+(allow mediacodec_27_0 hal_omx_hwservice_27_0 (hwservice_manager (add find)))
+(allow mediacodec_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_157_27_0 hal_omx_hwservice_27_0 (hwservice_manager (add)))
+(allow mediacodec_27_0 bufferhubd_27_0 (fd (use)))
+(neverallow mediacodec_27_0 fs_type (file (execute_no_trans)))
+(neverallow mediacodec_27_0 file_type (file (execute_no_trans)))
+(neverallow mediacodec_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow mediacodec_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow mediacodec_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(allow mediadrmserver_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 mediadrmserver_27_0 (dir (search)))
+(allow servicemanager_27_0 mediadrmserver_27_0 (file (read open)))
+(allow servicemanager_27_0 mediadrmserver_27_0 (process (getattr)))
+(allow mediadrmserver_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain mediadrmserver_27_0 (binder (transfer)))
+(allow mediadrmserver_27_0 binderservicedomain (fd (use)))
+(allow mediadrmserver_27_0 appdomain (binder (call transfer)))
+(allow appdomain mediadrmserver_27_0 (binder (transfer)))
+(allow mediadrmserver_27_0 appdomain (fd (use)))
+(allow mediadrmserver_27_0 mediadrmserver_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_158_27_0 mediadrmserver_service_27_0 (service_manager (add)))
+(allow mediadrmserver_27_0 mediaserver_service_27_0 (service_manager (find)))
+(allow mediadrmserver_27_0 mediametrics_service_27_0 (service_manager (find)))
+(allow mediadrmserver_27_0 processinfo_service_27_0 (service_manager (find)))
+(allow mediadrmserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
+(allow mediadrmserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediadrmserver_27_0 mediacodec_27_0 (binder (call transfer)))
+(allow mediacodec_27_0 mediadrmserver_27_0 (binder (transfer)))
+(allow mediadrmserver_27_0 mediacodec_27_0 (fd (use)))
+(neverallow mediadrmserver_27_0 fs_type (file (execute_no_trans)))
+(neverallow mediadrmserver_27_0 file_type (file (execute_no_trans)))
+(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
+(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
+(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
+(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediadrmserver_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx mediadrmserver_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx mediadrmserver_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow mediaextractor_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 mediaextractor_27_0 (dir (search)))
+(allow servicemanager_27_0 mediaextractor_27_0 (file (read open)))
+(allow servicemanager_27_0 mediaextractor_27_0 (process (getattr)))
+(allow mediaextractor_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain mediaextractor_27_0 (binder (transfer)))
+(allow mediaextractor_27_0 binderservicedomain (fd (use)))
+(allow mediaextractor_27_0 appdomain (binder (call transfer)))
+(allow appdomain mediaextractor_27_0 (binder (transfer)))
+(allow mediaextractor_27_0 appdomain (fd (use)))
+(allow mediaextractor_27_0 mediaextractor_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_159_27_0 mediaextractor_service_27_0 (service_manager (add)))
+(allow mediaextractor_27_0 mediametrics_service_27_0 (service_manager (find)))
+(allow mediaextractor_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
+(allow mediaextractor_27_0 system_server_27_0 (fd (use)))
+(allow mediaextractor_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediaextractor_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaextractor_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow mediaextractor_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaextractor_27_0 su_27_0 (fifo_file (append)))
+(allow mediaextractor_27_0 anr_data_file_27_0 (file (append)))
+(allow mediaextractor_27_0 dumpstate_27_0 (fd (use)))
+(allow mediaextractor_27_0 dumpstate_27_0 (fifo_file (write append)))
+(allow mediaextractor_27_0 system_server_27_0 (fifo_file (write append)))
+(allow mediaextractor_27_0 tombstoned_27_0 (unix_stream_socket (connectto)))
+(allow mediaextractor_27_0 tombstoned_27_0 (fd (use)))
+(allow mediaextractor_27_0 tombstoned_crash_socket_27_0 (sock_file (write)))
+(allow mediaextractor_27_0 tombstone_data_file_27_0 (file (append)))
+(allow mediaextractor_27_0 media_rw_data_file_27_0 (file (read getattr)))
+(allow mediaextractor_27_0 app_data_file_27_0 (file (read getattr)))
+(allow mediaextractor_27_0 apk_data_file_27_0 (file (read getattr)))
+(allow mediaextractor_27_0 asec_apk_file_27_0 (file (read getattr)))
+(allow mediaextractor_27_0 ringtone_file_27_0 (file (read getattr)))
+(neverallow mediaextractor_27_0 fs_type (file (execute_no_trans)))
+(neverallow mediaextractor_27_0 file_type (file (execute_no_trans)))
+(neverallow mediaextractor_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow mediaextractor_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow mediaextractor_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(allow mediametrics_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 mediametrics_27_0 (dir (search)))
+(allow servicemanager_27_0 mediametrics_27_0 (file (read open)))
+(allow servicemanager_27_0 mediametrics_27_0 (process (getattr)))
+(allow mediametrics_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain mediametrics_27_0 (binder (transfer)))
+(allow mediametrics_27_0 binderservicedomain (fd (use)))
+(allow mediametrics_27_0 mediametrics_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_160_27_0 mediametrics_service_27_0 (service_manager (add)))
+(allow mediametrics_27_0 system_server_27_0 (fd (use)))
+(allow mediametrics_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediametrics_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow mediametrics_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow mediametrics_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow mediametrics_27_0 app_data_file_27_0 (file (write)))
+(allow mediametrics_27_0 package_native_service_27_0 (service_manager (find)))
+(neverallow mediametrics_27_0 fs_type (file (execute_no_trans)))
+(neverallow mediametrics_27_0 file_type (file (execute_no_trans)))
+(neverallow mediametrics_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(neverallow mediametrics_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(neverallow mediametrics_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(allow mediaserver_27_0 sdcard_type (dir (ioctl read getattr lock search open)))
+(allow mediaserver_27_0 sdcard_type (file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 sdcard_type (lnk_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediaserver_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 proc_27_0 (lnk_file (getattr)))
+(allow mediaserver_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediaserver_27_0 self (process (ptrace)))
+(allow mediaserver_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 mediaserver_27_0 (dir (search)))
+(allow servicemanager_27_0 mediaserver_27_0 (file (read open)))
+(allow servicemanager_27_0 mediaserver_27_0 (process (getattr)))
+(allow mediaserver_27_0 binderservicedomain (binder (call transfer)))
+(allow binderservicedomain mediaserver_27_0 (binder (transfer)))
+(allow mediaserver_27_0 binderservicedomain (fd (use)))
+(allow mediaserver_27_0 appdomain (binder (call transfer)))
+(allow appdomain mediaserver_27_0 (binder (transfer)))
+(allow mediaserver_27_0 appdomain (fd (use)))
+(allow mediaserver_27_0 media_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow mediaserver_27_0 media_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow mediaserver_27_0 app_data_file_27_0 (dir (search)))
+(allow mediaserver_27_0 app_data_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow mediaserver_27_0 sdcard_type (file (write)))
+(allow mediaserver_27_0 gpu_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediaserver_27_0 video_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediaserver_27_0 video_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediaserver_27_0 property_socket_27_0 (sock_file (write)))
+(allow mediaserver_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow mediaserver_27_0 audio_prop_27_0 (property_service (set)))
+(allow mediaserver_27_0 audio_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 apk_data_file_27_0 (file (read getattr)))
+(allow mediaserver_27_0 asec_apk_file_27_0 (file (read getattr)))
+(allow mediaserver_27_0 ringtone_file_27_0 (file (read getattr)))
+(allow mediaserver_27_0 radio_data_file_27_0 (file (read getattr)))
+(allow mediaserver_27_0 appdomain (fifo_file (read write getattr)))
+(allow mediaserver_27_0 rpmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow mediaserver_27_0 system_server_27_0 (fifo_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 media_rw_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow mediaserver_27_0 media_rw_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 media_rw_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 app_fuse_file_27_0 (file (read getattr)))
+(allow mediaserver_27_0 qtaguid_proc_27_0 (file (ioctl read write getattr lock append map open)))
+(allow mediaserver_27_0 qtaguid_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 drmserver_socket_27_0 (sock_file (write)))
+(allow mediaserver_27_0 drmserver_27_0 (unix_stream_socket (connectto)))
+(allow mediaserver_27_0 bluetooth_socket_27_0 (sock_file (write)))
+(allow mediaserver_27_0 bluetooth_27_0 (unix_stream_socket (connectto)))
+(allow mediaserver_27_0 mediaserver_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_161_27_0 mediaserver_service_27_0 (service_manager (add)))
+(allow mediaserver_27_0 activity_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 appops_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 audioserver_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 cameraserver_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 batterystats_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 drmserver_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 mediaextractor_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 mediacodec_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 mediametrics_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 media_session_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 permission_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 power_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 processinfo_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 scheduling_policy_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 surfaceflinger_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 mediadrmserver_service_27_0 (service_manager (find)))
+(allow mediaserver_27_0 hidl_token_hwservice_27_0 (hwservice_manager (find)))
+(allow mediaserver_27_0 oemfs_27_0 (dir (search)))
+(allow mediaserver_27_0 oemfs_27_0 (file (ioctl read getattr lock map open)))
+(allow drmserver_27_0 mediaserver_27_0 (dir (search)))
+(allow drmserver_27_0 mediaserver_27_0 (file (read open)))
+(allow drmserver_27_0 mediaserver_27_0 (process (getattr)))
+(allow mediaserver_27_0 drmserver_27_0 (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
+(allowx mediaserver_27_0 self (ioctl tcp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx mediaserver_27_0 self (ioctl udp_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx mediaserver_27_0 self (ioctl rawip_socket (((range 0x5401 0x5403)) 0x540b ((range 0x540e 0x5411)) ((range 0x5413 0x5414)) 0x5451)))
+(allowx mediaserver_27_0 self (ioctl tcp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx mediaserver_27_0 self (ioctl udp_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx mediaserver_27_0 self (ioctl rawip_socket (((range 0x8906 0x8907)) 0x8910 ((range 0x8912 0x8913)) 0x8915 0x8917 0x8919 0x891b 0x8921 0x8933 0x8938 0x8942)))
+(allowx mediaserver_27_0 self (ioctl tcp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx mediaserver_27_0 self (ioctl udp_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allowx mediaserver_27_0 self (ioctl rawip_socket (0x8b01 0x8b05 0x8b07 0x8b09 0x8b0b 0x8b0d 0x8b0f ((range 0x8b11 0x8b13)) 0x8b21 0x8b23 0x8b25 0x8b27 0x8b29 0x8b2d)))
+(allow mediaserver_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow mediaserver_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow mediaserver_27_0 preloads_media_file_27_0 (file (ioctl read getattr)))
+(allow mediaserver_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow mediaserver_27_0 hal_graphics_allocator (fd (use)))
+(allow mediaserver_27_0 hal_graphics_composer (fd (use)))
+(allow mediaserver_27_0 hal_camera (fd (use)))
+(allow mediaserver_27_0 system_server_27_0 (fd (use)))
+(allow mediaserver_27_0 mediacodec_27_0 (binder (call transfer)))
+(allow mediacodec_27_0 mediaserver_27_0 (binder (transfer)))
+(allow mediaserver_27_0 mediacodec_27_0 (fd (use)))
+(neverallow mediaserver_27_0 fs_type (file (execute_no_trans)))
+(neverallow mediaserver_27_0 file_type (file (execute_no_trans)))
+(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
+(neverallowx mediaserver_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
+(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
+(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediaserver_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx mediaserver_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx mediaserver_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx mediaserver_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow modprobe_27_0 proc_modules_27_0 (file (ioctl read getattr lock map open)))
+(allow modprobe_27_0 self (capability (sys_module)))
+(allow modprobe_27_0 kernel_27_0 (key (search)))
+(allow modprobe_27_0 system_file_27_0 (system (module_load)))
+(allow modprobe_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow modprobe_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow modprobe_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow mtp_27_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow mtp_27_0 self (capability (net_raw)))
+(allow mtp_27_0 ppp_27_0 (process (signal)))
+(allow mtp_27_0 vpn_data_file_27_0 (dir (search)))
+(allowx netd_27_0 self (ioctl udp_socket (0x6900 0x6902)))
+(allowx netd_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx netd_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow netd_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow netd_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow netd_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow netd_27_0 system_server_27_0 (fd (use)))
+(allow netd_27_0 self (capability (kill net_admin net_raw)))
+(dontaudit netd_27_0 self (capability (fsetid)))
+(allow netd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow netd_27_0 self (netlink_route_socket (nlmsg_write)))
+(allow netd_27_0 self (netlink_nflog_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow netd_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow netd_27_0 self (netlink_tcpdiag_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
+(allow netd_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow netd_27_0 self (netlink_netfilter_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow netd_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow netd_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
+(allow netd_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow netd_27_0 system_file_27_0 (file (lock)))
+(allow netd_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow netd_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow netd_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow netd_27_0 proc_net_27_0 (file (ioctl read write getattr lock append map open)))
+(allow netd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow netd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow netd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow netd_27_0 sysfs_27_0 (file (write)))
+(allow netd_27_0 sysfs_usb_27_0 (file (write)))
+(allow netd_27_0 self (capability (chown dac_override)))
+(allow netd_27_0 net_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow netd_27_0 net_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow netd_27_0 self (capability (fowner)))
+(allow netd_27_0 system_file_27_0 (file (lock)))
+(allow netd_27_0 dnsmasq_27_0 (process (signal)))
+(allow netd_27_0 clatd_27_0 (process (signal)))
+(allow netd_27_0 property_socket_27_0 (sock_file (write)))
+(allow netd_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow netd_27_0 ctl_mdnsd_prop_27_0 (property_service (set)))
+(allow netd_27_0 ctl_mdnsd_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow netd_27_0 property_socket_27_0 (sock_file (write)))
+(allow netd_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow netd_27_0 netd_stable_secret_prop_27_0 (property_service (set)))
+(allow netd_27_0 netd_stable_secret_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow netd_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 netd_27_0 (dir (search)))
+(allow servicemanager_27_0 netd_27_0 (file (read open)))
+(allow servicemanager_27_0 netd_27_0 (process (getattr)))
+(allow netd_27_0 netd_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_162_27_0 netd_service_27_0 (service_manager (add)))
+(allow netd_27_0 dumpstate_27_0 (fifo_file (write getattr)))
+(allow netd_27_0 system_server_27_0 (binder (call)))
+(allow netd_27_0 permission_service_27_0 (service_manager (find)))
+(allow netd_27_0 netd_listener_service_27_0 (service_manager (find)))
+(allow netd_27_0 netdomain (tcp_socket (read write getattr setattr getopt setopt)))
+(allow netd_27_0 netdomain (udp_socket (read write getattr setattr getopt setopt)))
+(allow netd_27_0 netdomain (rawip_socket (read write getattr setattr getopt setopt)))
+(allow netd_27_0 netdomain (tun_socket (read write getattr setattr getopt setopt)))
+(allow netd_27_0 netdomain (fd (use)))
+(allow netd_27_0 self (netlink_xfrm_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown nlmsg_read nlmsg_write)))
+(allow netd_27_0 system_net_netd_hwservice_27_0 (hwservice_manager (add find)))
+(allow netd_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_162_27_0 system_net_netd_hwservice_27_0 (hwservice_manager (add)))
+(allow netd_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 netd_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 netd_27_0 (dir (search)))
+(allow hwservicemanager_27_0 netd_27_0 (file (read open)))
+(allow hwservicemanager_27_0 netd_27_0 (process (getattr)))
+(allow netd_27_0 hwservicemanager_prop_27_0 (file (ioctl read getattr lock map open)))
+(neverallow netd_27_0 dev_type (blk_file (read write)))
+(neverallow netd_27_0 domain (process (ptrace)))
+(neverallow netd_27_0 system_file_27_0 (file (write)))
+(neverallow netd_27_0 system_file_27_0 (dir (write)))
+(neverallow netd_27_0 system_file_27_0 (lnk_file (write)))
+(neverallow netd_27_0 system_file_27_0 (chr_file (write)))
+(neverallow netd_27_0 system_file_27_0 (blk_file (write)))
+(neverallow netd_27_0 system_file_27_0 (sock_file (write)))
+(neverallow netd_27_0 system_file_27_0 (fifo_file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (dir (write)))
+(neverallow netd_27_0 system_data_file_27_0 (lnk_file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (chr_file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (blk_file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (sock_file (write)))
+(neverallow netd_27_0 system_data_file_27_0 (fifo_file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (dir (write)))
+(neverallow netd_27_0 app_data_file_27_0 (lnk_file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (chr_file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (blk_file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (sock_file (write)))
+(neverallow netd_27_0 app_data_file_27_0 (fifo_file (write)))
+(neverallow base_typeattr_163_27_0 netd_service_27_0 (service_manager (find)))
+(neverallow appdomain netd_27_0 (binder (call)))
+(neverallow netd_27_0 base_typeattr_164_27_0 (binder (call)))
+(neverallow base_typeattr_165_27_0 netd_stable_secret_prop_27_0 (file (ioctl read getattr lock map open)))
+(neverallow base_typeattr_165_27_0 netd_stable_secret_prop_27_0 (property_service (set)))
+(neverallow domain netutils_wrapper_exec_27_0 (file (execute_no_trans)))
+(allow otapreopt_chroot_27_0 postinstall_file_27_0 (dir (mounton search)))
+(allow otapreopt_chroot_27_0 self (capability (sys_chroot sys_admin)))
+(allow otapreopt_chroot_27_0 block_device_27_0 (dir (search)))
+(allow otapreopt_chroot_27_0 labeledfs_27_0 (filesystem (mount)))
+(dontaudit otapreopt_chroot_27_0 kernel_27_0 (process (setsched)))
+(allow otapreopt_chroot_27_0 postinstall_27_0 (fd (use)))
+(allow otapreopt_chroot_27_0 update_engine_27_0 (fd (use)))
+(allow otapreopt_chroot_27_0 update_engine_27_0 (fifo_file (write)))
+(allow otapreopt_slot_27_0 ota_data_file_27_0 (dir (ioctl read write getattr lock rename add_name remove_name reparent search rmdir open)))
+(allow otapreopt_slot_27_0 ota_data_file_27_0 (file (getattr)))
+(allow otapreopt_slot_27_0 ota_data_file_27_0 (lnk_file (getattr)))
+(allow otapreopt_slot_27_0 ota_data_file_27_0 (lnk_file (read)))
+(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (dir (read write getattr add_name remove_name search rmdir open)))
+(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (file (getattr unlink)))
+(allow otapreopt_slot_27_0 dalvikcache_data_file_27_0 (lnk_file (read getattr unlink)))
+(allow otapreopt_slot_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow otapreopt_slot_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow performanced_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 performanced_27_0 (dir (search)))
+(allow servicemanager_27_0 performanced_27_0 (file (read open)))
+(allow servicemanager_27_0 performanced_27_0 (process (getattr)))
+(allow performanced_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 performanced_27_0 (binder (transfer)))
+(allow performanced_27_0 system_server_27_0 (fd (use)))
+(allow performanced_27_0 permission_service_27_0 (service_manager (find)))
+(allow init_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (create bind)))
+(allow performanced_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (read write getattr setattr lock append listen accept getopt setopt shutdown)))
+(allow performanced_27_0 self (process (setsockcreate)))
+(allow performanced_27_0 pdx_performance_client_channel_socket_type (unix_stream_socket (ioctl read write create getattr setattr lock append bind connect listen accept getopt setopt shutdown)))
+(neverallow base_typeattr_166_27_0 pdx_performance_client_endpoint_socket_type (unix_stream_socket (listen accept)))
+(allow performanced_27_0 self (capability (setgid setuid sys_nice)))
+(allow performanced_27_0 appdomain (dir (ioctl read getattr lock search open)))
+(allow performanced_27_0 bufferhubd_27_0 (dir (ioctl read getattr lock search open)))
+(allow performanced_27_0 kernel_27_0 (dir (ioctl read getattr lock search open)))
+(allow performanced_27_0 surfaceflinger_27_0 (dir (ioctl read getattr lock search open)))
+(allow performanced_27_0 appdomain (file (ioctl read getattr lock map open)))
+(allow performanced_27_0 appdomain (lnk_file (ioctl read getattr lock map open)))
+(allow performanced_27_0 bufferhubd_27_0 (file (ioctl read getattr lock map open)))
+(allow performanced_27_0 bufferhubd_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow performanced_27_0 kernel_27_0 (file (ioctl read getattr lock map open)))
+(allow performanced_27_0 kernel_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow performanced_27_0 surfaceflinger_27_0 (file (ioctl read getattr lock map open)))
+(allow performanced_27_0 surfaceflinger_27_0 (lnk_file (ioctl read getattr lock map open)))
+(dontaudit performanced_27_0 domain (dir (read)))
+(allow performanced_27_0 appdomain (process (setsched)))
+(allow performanced_27_0 bufferhubd_27_0 (process (setsched)))
+(allow performanced_27_0 kernel_27_0 (process (setsched)))
+(allow performanced_27_0 surfaceflinger_27_0 (process (setsched)))
+(allow performanced_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow performanced_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow performanced_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 sysfs_devices_system_cpu_27_0 (file (ioctl read write getattr lock append map open)))
+(allow perfprofd_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow perfprofd_27_0 app_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 app_data_file_27_0 (dir (search)))
+(allow perfprofd_27_0 self (capability (dac_override)))
+(allow perfprofd_27_0 perfprofd_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow perfprofd_27_0 perfprofd_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow perfprofd_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow perfprofd_27_0 logdr_socket_27_0 (sock_file (write)))
+(allow perfprofd_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow perfprofd_27_0 logdw_socket_27_0 (sock_file (write)))
+(allow perfprofd_27_0 logd_27_0 (unix_dgram_socket (sendto)))
+(allow perfprofd_27_0 pmsg_device_27_0 (chr_file (write lock append map open)))
+(allow perfprofd_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow perfprofd_27_0 self (capability2 (block_suspend)))
+(allow perfprofd_27_0 self (capability (sys_admin)))
+(allow perfprofd_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow perfprofd_27_0 domain (file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 self (capability (sys_ptrace sys_resource)))
+(neverallow perfprofd_27_0 domain (process (ptrace)))
+(allow perfprofd_27_0 exec_type (file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 debugfs_tracing_27_0 (file (ioctl read getattr lock map open)))
+(allow perfprofd_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow perfprofd_27_0 self (capability (ipc_lock)))
+(allow postinstall_27_0 update_engine_common (fd (use)))
+(allow postinstall_27_0 update_engine_common (fifo_file (ioctl read write getattr lock append map open)))
+(allow postinstall_27_0 postinstall_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow postinstall_27_0 postinstall_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_27_0 postinstall_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow postinstall_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow postinstall_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow postinstall_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 postinstall_27_0 (dir (search)))
+(allow servicemanager_27_0 postinstall_27_0 (file (read open)))
+(allow servicemanager_27_0 postinstall_27_0 (process (getattr)))
+(allow postinstall_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 postinstall_27_0 (binder (transfer)))
+(allow postinstall_27_0 system_server_27_0 (fd (use)))
+(allow postinstall_27_0 otadexopt_service_27_0 (service_manager (find)))
+(neverallow base_typeattr_36_27_0 postinstall_27_0 (process (transition dyntransition)))
+(allow postinstall_dexopt_27_0 self (capability (chown dac_override fowner setgid setuid)))
+(allow postinstall_dexopt_27_0 postinstall_file_27_0 (filesystem (getattr)))
+(allow postinstall_dexopt_27_0 postinstall_file_27_0 (dir (getattr search)))
+(allow postinstall_dexopt_27_0 postinstall_file_27_0 (lnk_file (read)))
+(allow postinstall_dexopt_27_0 proc_27_0 (file (read getattr open)))
+(allow postinstall_dexopt_27_0 tmpfs_27_0 (file (read)))
+(allow postinstall_dexopt_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_dexopt_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 vendor_app_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 user_profile_data_file_27_0 (dir (getattr search)))
+(allow postinstall_dexopt_27_0 user_profile_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 ota_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow postinstall_dexopt_27_0 ota_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow postinstall_dexopt_27_0 ota_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (dir (relabelto)))
+(allow postinstall_dexopt_27_0 dalvikcache_data_file_27_0 (file (relabelto link)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow postinstall_dexopt_27_0 kernel_27_0 (security (check_context)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow postinstall_dexopt_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow postinstall_dexopt_27_0 kernel_27_0 (security (compute_av)))
+(allow postinstall_dexopt_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow postinstall_dexopt_27_0 postinstall_27_0 (process (sigchld)))
+(allow postinstall_dexopt_27_0 otapreopt_chroot_27_0 (fd (use)))
+(allow postinstall_dexopt_27_0 cpuctl_device_27_0 (dir (search)))
+(allow ppp_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow ppp_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow ppp_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow ppp_27_0 mtp_27_0 (socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
+(allowx ppp_27_0 self (ioctl udp_socket (0x6900 0x6902)))
+(allowx ppp_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx ppp_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allowx ppp_27_0 mtp_27_0 (ioctl socket (((range 0x7436 0x7441)) ((range 0x7446 0x7447)) ((range 0x744b 0x745a)) ((range 0x7480 0x7488)))))
+(allow ppp_27_0 mtp_27_0 (unix_dgram_socket (ioctl read write getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow ppp_27_0 ppp_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow ppp_27_0 self (capability (net_admin)))
+(allow ppp_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow ppp_27_0 vpn_data_file_27_0 (dir (write lock add_name remove_name search open)))
+(allow ppp_27_0 vpn_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow ppp_27_0 mtp_27_0 (fd (use)))
+(allow preopt2cachename_27_0 cppreopts_27_0 (fd (use)))
+(allow preopt2cachename_27_0 cppreopts_27_0 (fifo_file (read write getattr)))
+(allow preopt2cachename_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow profman_27_0 user_profile_data_file_27_0 (file (read write getattr lock)))
+(allow profman_27_0 asec_apk_file_27_0 (file (read)))
+(allow profman_27_0 apk_data_file_27_0 (file (read)))
+(allow profman_27_0 oemfs_27_0 (file (read)))
+(allow profman_27_0 tmpfs_27_0 (file (read)))
+(allow profman_27_0 profman_dump_data_file_27_0 (file (write)))
+(allow profman_27_0 installd_27_0 (fd (use)))
+(allow profman_27_0 app_data_file_27_0 (file (read write getattr lock)))
+(neverallow profman_27_0 app_data_file_27_0 (file (open)))
+(neverallow profman_27_0 app_data_file_27_0 (lnk_file (open)))
+(neverallow profman_27_0 app_data_file_27_0 (sock_file (open)))
+(neverallow profman_27_0 app_data_file_27_0 (fifo_file (open)))
+(allow property_type tmpfs_27_0 (filesystem (associate)))
+(neverallow base_typeattr_10_27_0 base_typeattr_167_27_0 (file (ioctl read write create setattr lock relabelfrom append unlink link rename open)))
+(allowx racoon_27_0 self (ioctl udp_socket (0x8914 0x8916 0x891c)))
+(allow racoon_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 racoon_27_0 (dir (search)))
+(allow servicemanager_27_0 racoon_27_0 (file (read open)))
+(allow servicemanager_27_0 racoon_27_0 (process (getattr)))
+(allow racoon_27_0 tun_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow racoon_27_0 cgroup_27_0 (dir (create add_name)))
+(allow racoon_27_0 kernel_27_0 (system (module_request)))
+(allow racoon_27_0 self (key_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow racoon_27_0 self (tun_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow racoon_27_0 self (capability (net_bind_service net_admin net_raw)))
+(allow racoon_27_0 system_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow racoon_27_0 vpn_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow racoon_27_0 vpn_data_file_27_0 (dir (write lock add_name remove_name search open)))
+(allow keystore_27_0 racoon_27_0 (dir (search)))
+(allow keystore_27_0 racoon_27_0 (file (read open)))
+(allow keystore_27_0 racoon_27_0 (process (getattr)))
+(allow racoon_27_0 keystore_service_27_0 (service_manager (find)))
+(allow racoon_27_0 keystore_27_0 (binder (call transfer)))
+(allow keystore_27_0 racoon_27_0 (binder (transfer)))
+(allow racoon_27_0 keystore_27_0 (fd (use)))
+(allow racoon_27_0 keystore_27_0 (keystore_key (get sign verify)))
+(allow radio_27_0 radio_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow radio_27_0 radio_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow radio_27_0 radio_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow radio_27_0 radio_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow radio_27_0 radio_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow radio_27_0 alarm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow radio_27_0 net_data_file_27_0 (dir (search)))
+(allow radio_27_0 net_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow radio_27_0 property_socket_27_0 (sock_file (write)))
+(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow radio_27_0 radio_prop_27_0 (property_service (set)))
+(allow radio_27_0 radio_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow radio_27_0 property_socket_27_0 (sock_file (write)))
+(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow radio_27_0 net_radio_prop_27_0 (property_service (set)))
+(allow radio_27_0 net_radio_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow radio_27_0 property_socket_27_0 (sock_file (write)))
+(allow radio_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow radio_27_0 ctl_rildaemon_prop_27_0 (property_service (set)))
+(allow radio_27_0 ctl_rildaemon_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow radio_27_0 radio_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_168_27_0 radio_service_27_0 (service_manager (add)))
+(allow radio_27_0 audioserver_service_27_0 (service_manager (find)))
+(allow radio_27_0 cameraserver_service_27_0 (service_manager (find)))
+(allow radio_27_0 drmserver_service_27_0 (service_manager (find)))
+(allow radio_27_0 mediaserver_service_27_0 (service_manager (find)))
+(allow radio_27_0 nfc_service_27_0 (service_manager (find)))
+(allow radio_27_0 surfaceflinger_service_27_0 (service_manager (find)))
+(allow radio_27_0 app_api_service (service_manager (find)))
+(allow radio_27_0 system_api_service (service_manager (find)))
+(allow radio_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 radio_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 radio_27_0 (dir (search)))
+(allow hwservicemanager_27_0 radio_27_0 (file (read open)))
+(allow hwservicemanager_27_0 radio_27_0 (process (getattr)))
+(neverallow recovery_27_0 base_typeattr_169_27_0 (file (write create setattr relabelfrom append unlink link rename execute execute_no_trans)))
+(neverallow recovery_27_0 base_typeattr_169_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
+(allow recovery_persist_27_0 pstorefs_27_0 (dir (search)))
+(allow recovery_persist_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow recovery_persist_27_0 recovery_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow recovery_persist_27_0 recovery_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(neverallow recovery_persist_27_0 dev_type (blk_file (read write)))
+(neverallow recovery_persist_27_0 domain (process (ptrace)))
+(neverallow recovery_persist_27_0 system_file_27_0 (file (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (dir (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (lnk_file (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (chr_file (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (blk_file (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (sock_file (write)))
+(neverallow recovery_persist_27_0 system_file_27_0 (fifo_file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (dir (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (lnk_file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (chr_file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (blk_file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (sock_file (write)))
+(neverallow recovery_persist_27_0 system_data_file_27_0 (fifo_file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (dir (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (lnk_file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (chr_file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (blk_file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (sock_file (write)))
+(neverallow recovery_persist_27_0 app_data_file_27_0 (fifo_file (write)))
+(allow recovery_refresh_27_0 pstorefs_27_0 (dir (search)))
+(allow recovery_refresh_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(neverallow recovery_refresh_27_0 dev_type (blk_file (read write)))
+(neverallow recovery_refresh_27_0 domain (process (ptrace)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (file (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (dir (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (lnk_file (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (chr_file (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (blk_file (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (sock_file (write)))
+(neverallow recovery_refresh_27_0 system_file_27_0 (fifo_file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (dir (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (lnk_file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (chr_file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (blk_file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (sock_file (write)))
+(neverallow recovery_refresh_27_0 system_data_file_27_0 (fifo_file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (dir (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (lnk_file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (chr_file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (blk_file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (sock_file (write)))
+(neverallow recovery_refresh_27_0 app_data_file_27_0 (fifo_file (write)))
+(allowx rild_27_0 self (ioctl udp_socket (0x6900 0x6902)))
+(allowx rild_27_0 self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx rild_27_0 self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow rild_27_0 self (netlink_route_socket (nlmsg_write)))
+(allow rild_27_0 kernel_27_0 (system (module_request)))
+(allow rild_27_0 self (capability (setgid setuid setpcap net_admin net_raw)))
+(allow rild_27_0 alarm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow rild_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow rild_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 radio_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow rild_27_0 radio_device_27_0 (blk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 mtd_device_27_0 (dir (search)))
+(allow rild_27_0 efs_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow rild_27_0 efs_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow rild_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow rild_27_0 bluetooth_efs_file_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 bluetooth_efs_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 sdcard_type (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 property_socket_27_0 (sock_file (write)))
+(allow rild_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow rild_27_0 radio_prop_27_0 (property_service (set)))
+(allow rild_27_0 radio_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow rild_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow rild_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow rild_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow rild_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow rild_27_0 self (capability2 (block_suspend)))
+(allow rild_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow rild_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow rild_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow rild_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow rild_27_0 self (socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow runas_27_0 adbd_27_0 (fd (use)))
+(allow runas_27_0 adbd_27_0 (process (sigchld)))
+(allow runas_27_0 adbd_27_0 (unix_stream_socket (read write)))
+(allow runas_27_0 shell_27_0 (fd (use)))
+(allow runas_27_0 shell_27_0 (fifo_file (read write)))
+(allow runas_27_0 shell_27_0 (unix_stream_socket (read write)))
+(allow runas_27_0 devpts_27_0 (chr_file (ioctl read write)))
+(allow runas_27_0 shell_data_file_27_0 (file (read write)))
+(allow runas_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
+(dontaudit runas_27_0 self (capability (dac_override)))
+(allow runas_27_0 app_data_file_27_0 (dir (getattr search)))
+(allow runas_27_0 self (capability (setgid setuid)))
+(allow runas_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow runas_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow runas_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow runas_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow runas_27_0 kernel_27_0 (security (check_context)))
+(allow runas_27_0 self (process (setcurrent)))
+(allow runas_27_0 base_typeattr_170_27_0 (process (dyntransition)))
+(allow runas_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(neverallow runas_27_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
+(neverallow runas_27_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
+(allow sdcardd_27_0 cgroup_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow sdcardd_27_0 fuse_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow sdcardd_27_0 rootfs_27_0 (dir (mounton)))
+(allow sdcardd_27_0 sdcardfs_27_0 (filesystem (remount)))
+(allow sdcardd_27_0 tmpfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow sdcardd_27_0 mnt_media_rw_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow sdcardd_27_0 storage_file_27_0 (dir (search)))
+(allow sdcardd_27_0 storage_stub_file_27_0 (dir (mounton search)))
+(allow sdcardd_27_0 sdcard_type (filesystem (mount unmount)))
+(allow sdcardd_27_0 self (capability (dac_override setgid setuid sys_admin sys_resource)))
+(allow sdcardd_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow sdcardd_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow sdcardd_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow sdcardd_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow sdcardd_27_0 system_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow sdcardd_27_0 install_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow sdcardd_27_0 vold_27_0 (fd (use)))
+(allow sdcardd_27_0 vold_27_0 (fifo_file (read write getattr)))
+(allow sdcardd_27_0 mnt_expand_file_27_0 (dir (search)))
+(allow sdcardd_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(neverallow init_27_0 sdcardd_exec_27_0 (file (execute)))
+(neverallow init_27_0 sdcardd_27_0 (process (transition dyntransition)))
+(allow servicemanager_27_0 self (binder (set_context_mgr)))
+(allow servicemanager_27_0 base_typeattr_171_27_0 (binder (transfer)))
+(allow servicemanager_27_0 service_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow servicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow servicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow servicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow servicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow servicemanager_27_0 kernel_27_0 (security (compute_av)))
+(allow servicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow sgdisk_27_0 block_device_27_0 (dir (search)))
+(allow sgdisk_27_0 vold_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow sgdisk_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
+(allow sgdisk_27_0 vold_27_0 (fd (use)))
+(allow sgdisk_27_0 vold_27_0 (fifo_file (read write getattr)))
+(allow sgdisk_27_0 self (capability (sys_admin)))
+(neverallow base_typeattr_92_27_0 sgdisk_27_0 (process (transition)))
+(neverallow base_typeattr_10_27_0 sgdisk_27_0 (process (dyntransition)))
+(neverallow sgdisk_27_0 base_typeattr_172_27_0 (file (entrypoint)))
+(allow shared_relro_27_0 shared_relro_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow shared_relro_27_0 shared_relro_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow shared_relro_27_0 webviewupdate_service_27_0 (service_manager (find)))
+(allow shell_27_0 logcat_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 logdr_socket_27_0 (sock_file (write)))
+(allow shell_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 logd_socket_27_0 (sock_file (write)))
+(allow shell_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 pstorefs_27_0 (dir (search)))
+(allow shell_27_0 pstorefs_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 anr_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 anr_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 shell_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow shell_27_0 shell_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow shell_27_0 shell_data_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 shell_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow shell_27_0 profman_dump_data_file_27_0 (dir (write getattr remove_name search)))
+(allow shell_27_0 profman_dump_data_file_27_0 (file (getattr unlink)))
+(allow shell_27_0 nativetest_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 nativetest_data_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 dumpstate_socket_27_0 (sock_file (write)))
+(allow shell_27_0 dumpstate_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow shell_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow shell_27_0 console_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow shell_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 input_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow shell_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow shell_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
+(allow shell_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 tzdatacheck_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 zygote_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow shell_27_0 apk_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 apk_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 apk_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 shell_prop_27_0 (property_service (set)))
+(allow shell_27_0 shell_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 ctl_bugreport_prop_27_0 (property_service (set)))
+(allow shell_27_0 ctl_bugreport_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 ctl_dumpstate_prop_27_0 (property_service (set)))
+(allow shell_27_0 ctl_dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 dumpstate_prop_27_0 (property_service (set)))
+(allow shell_27_0 dumpstate_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 debug_prop_27_0 (property_service (set)))
+(allow shell_27_0 debug_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 powerctl_prop_27_0 (property_service (set)))
+(allow shell_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 log_tag_prop_27_0 (property_service (set)))
+(allow shell_27_0 log_tag_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 wifi_log_prop_27_0 (property_service (set)))
+(allow shell_27_0 wifi_log_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 log_prop_27_0 (property_service (set)))
+(allow shell_27_0 log_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 logpersistd_logging_prop_27_0 (property_service (set)))
+(allow shell_27_0 logpersistd_logging_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 boottrace_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow shell_27_0 boottrace_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow shell_27_0 property_socket_27_0 (sock_file (write)))
+(allow shell_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow shell_27_0 persist_debug_prop_27_0 (property_service (set)))
+(allow shell_27_0 persist_debug_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 serialno_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 device_logging_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 servicemanager_27_0 (service_manager (list)))
+(allow shell_27_0 base_typeattr_173_27_0 (service_manager (find)))
+(allow shell_27_0 dumpstate_27_0 (binder (call)))
+(allow shell_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 shell_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 shell_27_0 (dir (search)))
+(allow hwservicemanager_27_0 shell_27_0 (file (read open)))
+(allow hwservicemanager_27_0 shell_27_0 (process (getattr)))
+(allow shell_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
+(allow shell_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_interrupts_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_stat_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_timer_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 proc_zoneinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 cgroup_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 cgroup_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 cgroup_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow shell_27_0 domain (dir (read getattr search open)))
+(allow shell_27_0 domain (file (read getattr open)))
+(allow shell_27_0 domain (lnk_file (read getattr open)))
+(allow shell_27_0 labeledfs_27_0 (filesystem (getattr)))
+(allow shell_27_0 proc_27_0 (filesystem (getattr)))
+(allow shell_27_0 device_27_0 (dir (getattr)))
+(allow shell_27_0 domain (process (getattr)))
+(allow shell_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 bootchart_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow shell_27_0 bootchart_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow shell_27_0 self (process (ptrace)))
+(allow shell_27_0 sysfs_batteryinfo_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 sysfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 ion_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow shell_27_0 dev_type (dir (ioctl read getattr lock search open)))
+(allow shell_27_0 dev_type (chr_file (getattr)))
+(allow shell_27_0 proc_27_0 (lnk_file (getattr)))
+(allow shell_27_0 dev_type (blk_file (getattr)))
+(allow shell_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 property_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 seapp_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 service_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow shell_27_0 sepolicy_file_27_0 (file (ioctl read getattr lock map open)))
+(neverallow shell_27_0 file_type (file (link)))
+(neverallowx shell_27_0 domain (ioctl tcp_socket (0x6900 0x6902)))
+(neverallowx shell_27_0 domain (ioctl udp_socket (0x6900 0x6902)))
+(neverallowx shell_27_0 domain (ioctl rawip_socket (0x6900 0x6902)))
+(neverallowx shell_27_0 domain (ioctl tcp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx shell_27_0 domain (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx shell_27_0 domain (ioctl rawip_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(neverallowx shell_27_0 domain (ioctl tcp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx shell_27_0 domain (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallowx shell_27_0 domain (ioctl rawip_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(neverallow shell_27_0 hw_random_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow shell_27_0 kmem_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow shell_27_0 port_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow shell_27_0 fuse_device_27_0 (chr_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow shell_27_0 dev_type (blk_file (ioctl read write create setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(allow slideshow_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow slideshow_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow slideshow_27_0 self (capability2 (block_suspend)))
+(allow slideshow_27_0 device_27_0 (dir (ioctl read getattr lock search open)))
+(allow slideshow_27_0 self (capability (sys_tty_config)))
+(allow slideshow_27_0 graphics_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow slideshow_27_0 graphics_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow slideshow_27_0 input_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow slideshow_27_0 input_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow slideshow_27_0 tty_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow su_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow su_27_0 vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 su_27_0 (dir (search)))
+(allow vndservicemanager_27_0 su_27_0 (file (read open)))
+(allow vndservicemanager_27_0 su_27_0 (process (getattr)))
+(dontaudit su_27_0 self (capability (chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap)))
+(dontaudit su_27_0 self (capability2 (mac_override mac_admin syslog wake_alarm block_suspend audit_read)))
+(dontaudit su_27_0 kernel_27_0 (security (compute_av compute_create compute_member check_context load_policy compute_relabel compute_user setenforce setbool setsecparam setcheckreqprot read_policy validate_trans)))
+(dontaudit su_27_0 kernel_27_0 (system (ipc_info syslog_read syslog_mod syslog_console module_request module_load)))
+(dontaudit su_27_0 self (memprotect (mmap_zero)))
+(dontaudit su_27_0 domain (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
+(dontaudit su_27_0 domain (fd (use)))
+(dontaudit su_27_0 domain (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(dontaudit su_27_0 domain (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 domain (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 domain (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 domain (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(dontaudit su_27_0 domain (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 domain (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 domain (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 domain (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 domain (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 domain (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 domain (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
+(dontaudit su_27_0 domain (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
+(dontaudit su_27_0 domain (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 domain (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 domain (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 domain (sem (create destroy getattr setattr read write associate unix_read unix_write)))
+(dontaudit su_27_0 domain (msgq (create destroy getattr setattr read write associate unix_read unix_write enqueue)))
+(dontaudit su_27_0 domain (shm (create destroy getattr setattr read write associate unix_read unix_write lock)))
+(dontaudit su_27_0 domain (ipc (create destroy getattr setattr read write associate unix_read unix_write)))
+(dontaudit su_27_0 domain (key (view read write search link setattr create)))
+(dontaudit su_27_0 fs_type (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
+(dontaudit su_27_0 dev_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 dev_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(dontaudit su_27_0 dev_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 dev_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 dev_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 dev_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 dev_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 fs_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 fs_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(dontaudit su_27_0 fs_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 fs_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 fs_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 fs_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 fs_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 file_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 file_type (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(dontaudit su_27_0 file_type (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 file_type (chr_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 file_type (blk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 file_type (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 file_type (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(dontaudit su_27_0 node_type (node (recvfrom sendto)))
+(dontaudit su_27_0 node_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(dontaudit su_27_0 node_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 node_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 netif_type (netif (ingress egress)))
+(dontaudit su_27_0 port_type (socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(dontaudit su_27_0 port_type (udp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 port_type (rawip_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 port_type (netlink_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (packet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (key_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (unix_stream_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind connectto)))
+(dontaudit su_27_0 port_type (unix_dgram_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_route_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 port_type (netlink_tcpdiag_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 port_type (netlink_nflog_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_xfrm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write)))
+(dontaudit su_27_0 port_type (netlink_selinux_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_audit_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind nlmsg_read nlmsg_write nlmsg_relay nlmsg_readpriv nlmsg_tty_audit)))
+(dontaudit su_27_0 port_type (netlink_dnrt_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_kobject_uevent_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (appletalk_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (tun_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind attach_queue)))
+(dontaudit su_27_0 port_type (netlink_iscsi_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_fib_lookup_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_connector_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_netfilter_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_generic_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_scsitransport_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_rdma_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netlink_crypto_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (sctp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 port_type (icmp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind)))
+(dontaudit su_27_0 port_type (ax25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (ipx_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (netrom_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (atmpvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (x25_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (rose_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (decnet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (atmsvc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (rds_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (irda_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (pppox_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (llc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (can_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (tipc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (bluetooth_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (iucv_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (rxrpc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (isdn_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (phonet_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (ieee802154_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (caif_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (alg_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (nfc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (vsock_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (kcm_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (qipcrtr_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (smc_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(dontaudit su_27_0 port_type (tcp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(dontaudit su_27_0 port_type (dccp_socket (ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind node_bind name_connect)))
+(dontaudit su_27_0 domain (peer (recv)))
+(dontaudit su_27_0 domain (binder (impersonate call set_context_mgr transfer)))
+(dontaudit su_27_0 property_type (property_service (set)))
+(dontaudit su_27_0 property_type (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(dontaudit su_27_0 service_manager_type (service_manager (add find list)))
+(dontaudit su_27_0 hwservice_manager_type (hwservice_manager (add find list)))
+(dontaudit su_27_0 vndservice_manager_type (service_manager (add find list)))
+(dontaudit su_27_0 servicemanager_27_0 (service_manager (list)))
+(dontaudit su_27_0 hwservicemanager_27_0 (hwservice_manager (list)))
+(dontaudit su_27_0 vndservicemanager_27_0 (service_manager (list)))
+(dontaudit su_27_0 keystore_27_0 (keystore_key (get_state get insert delete exist list reset password lock unlock is_empty sign verify grant duplicate clear_uid add_auth user_changed gen_unique_id)))
+(dontaudit su_27_0 domain (drmservice (consumeRights setPlaybackStatus openDecryptSession closeDecryptSession initializeDecryptUnit decrypt finalizeDecryptUnit pread)))
+(dontaudit su_27_0 unlabeled_27_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
+(dontaudit su_27_0 postinstall_file_27_0 (filesystem (mount remount unmount getattr relabelfrom relabelto associate quotamod quotaget)))
+(allow thermalserviced_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 thermalserviced_27_0 (dir (search)))
+(allow servicemanager_27_0 thermalserviced_27_0 (file (read open)))
+(allow servicemanager_27_0 thermalserviced_27_0 (process (getattr)))
+(allow thermalserviced_27_0 thermal_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_174_27_0 thermal_service_27_0 (service_manager (add)))
+(allow thermalserviced_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 thermalserviced_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 thermalserviced_27_0 (dir (search)))
+(allow hwservicemanager_27_0 thermalserviced_27_0 (file (read open)))
+(allow hwservicemanager_27_0 thermalserviced_27_0 (process (getattr)))
+(allow thermalserviced_27_0 thermalcallback_hwservice_27_0 (hwservice_manager (add find)))
+(allow thermalserviced_27_0 hidl_base_hwservice_27_0 (hwservice_manager (add)))
+(neverallow base_typeattr_174_27_0 thermalcallback_hwservice_27_0 (hwservice_manager (add)))
+(allow tombstoned_27_0 domain (fd (use)))
+(allow tombstoned_27_0 domain (fifo_file (write)))
+(allow tombstoned_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow tombstoned_27_0 domain (file (ioctl read getattr lock map open)))
+(allow tombstoned_27_0 tombstone_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow tombstoned_27_0 tombstone_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow tombstoned_27_0 anr_data_file_27_0 (file (write append)))
+(auditallow tombstoned_27_0 anr_data_file_27_0 (file (write append)))
+(allow tombstoned_27_0 anr_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow tombstoned_27_0 anr_data_file_27_0 (file (create getattr open)))
+(allow toolbox_27_0 tmpfs_27_0 (chr_file (ioctl read write)))
+(allow toolbox_27_0 devpts_27_0 (chr_file (ioctl read write getattr)))
+(allow toolbox_27_0 block_device_27_0 (dir (search)))
+(allow toolbox_27_0 swap_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(neverallow base_typeattr_5_27_0 toolbox_27_0 (process (transition)))
+(neverallow base_typeattr_10_27_0 toolbox_27_0 (process (dyntransition)))
+(neverallow toolbox_27_0 base_typeattr_175_27_0 (file (entrypoint)))
+(allow tzdatacheck_27_0 zoneinfo_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow tzdatacheck_27_0 zoneinfo_data_file_27_0 (file (unlink)))
+(neverallow base_typeattr_176_27_0 zoneinfo_data_file_27_0 (file (write create setattr relabelfrom append unlink link rename)))
+(neverallow base_typeattr_176_27_0 zoneinfo_data_file_27_0 (dir (write create setattr relabelfrom link rename add_name remove_name reparent rmdir)))
+(allow ueventd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow ueventd_27_0 self (capability (chown dac_override fowner fsetid setgid net_admin sys_rawio mknod)))
+(allow ueventd_27_0 device_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow ueventd_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow ueventd_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 sysfs_type (file (write lock append map open)))
+(allow ueventd_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow ueventd_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 sysfs_type (file (setattr relabelfrom relabelto)))
+(allow ueventd_27_0 sysfs_type (lnk_file (setattr relabelfrom relabelto)))
+(allow ueventd_27_0 sysfs_type (dir (setattr relabelfrom relabelto)))
+(allow ueventd_27_0 tmpfs_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow ueventd_27_0 dev_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow ueventd_27_0 dev_type (lnk_file (create unlink)))
+(allow ueventd_27_0 dev_type (chr_file (create getattr setattr unlink)))
+(allow ueventd_27_0 dev_type (blk_file (create getattr setattr relabelfrom relabelto unlink)))
+(allow ueventd_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow ueventd_27_0 efs_file_27_0 (dir (search)))
+(allow ueventd_27_0 efs_file_27_0 (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow ueventd_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 base_typeattr_177_27_0 (dir (ioctl read getattr lock search open)))
+(allow ueventd_27_0 base_typeattr_177_27_0 (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 base_typeattr_177_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow ueventd_27_0 self (process (setfscreate)))
+(neverallow ueventd_27_0 property_socket_27_0 (sock_file (write)))
+(neverallow ueventd_27_0 init_27_0 (unix_stream_socket (connectto)))
+(neverallow ueventd_27_0 property_type (property_service (set)))
+(neverallow ueventd_27_0 dev_type (blk_file (ioctl read write lock append map link rename execute quotaon mounton open audit_access execmod)))
+(neverallow ueventd_27_0 kmem_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow ueventd_27_0 port_device_27_0 (chr_file (ioctl read write lock relabelfrom append map link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(allow uncrypt_27_0 self (capability (dac_override)))
+(allow uncrypt_27_0 app_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow uncrypt_27_0 app_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 app_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 shell_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow uncrypt_27_0 shell_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 shell_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 cache_file_27_0 (dir (search)))
+(allow uncrypt_27_0 cache_recovery_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow uncrypt_27_0 cache_recovery_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow uncrypt_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow uncrypt_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 uncrypt_socket_27_0 (sock_file (write)))
+(allow uncrypt_27_0 uncrypt_27_0 (unix_stream_socket (connectto)))
+(allow uncrypt_27_0 property_socket_27_0 (sock_file (write)))
+(allow uncrypt_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow uncrypt_27_0 powerctl_prop_27_0 (property_service (set)))
+(allow uncrypt_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 self (capability (sys_rawio)))
+(allow uncrypt_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
+(allow uncrypt_27_0 block_device_27_0 (dir (ioctl read getattr lock search open)))
+(allow uncrypt_27_0 userdata_block_device_27_0 (blk_file (write lock append map open)))
+(allow uncrypt_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow uncrypt_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow uncrypt_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow update_engine_27_0 qtaguid_proc_27_0 (file (ioctl read write getattr lock append map open)))
+(allow update_engine_27_0 qtaguid_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow update_engine_27_0 self (process (setsched)))
+(allow update_engine_27_0 self (capability (fowner sys_admin)))
+(allow update_engine_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
+(allow update_engine_27_0 update_engine_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow update_engine_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow update_engine_27_0 self (capability2 (block_suspend)))
+(dontaudit update_engine_27_0 kernel_27_0 (process (setsched)))
+(allow update_engine_27_0 update_engine_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow update_engine_27_0 update_engine_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(dontaudit update_engine_27_0 kernel_27_0 (system (module_request)))
+(allow update_engine_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 update_engine_27_0 (dir (search)))
+(allow servicemanager_27_0 update_engine_27_0 (file (read open)))
+(allow servicemanager_27_0 update_engine_27_0 (process (getattr)))
+(allow update_engine_27_0 update_engine_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_178_27_0 update_engine_service_27_0 (service_manager (add)))
+(allow update_engine_27_0 priv_app_27_0 (binder (call transfer)))
+(allow priv_app_27_0 update_engine_27_0 (binder (transfer)))
+(allow update_engine_27_0 priv_app_27_0 (fd (use)))
+(allow update_engine_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
+(allow update_engine_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow update_engine_common block_device_27_0 (dir (search)))
+(allow update_engine_common boot_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow update_engine_common system_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow update_engine_common misc_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow update_engine_common rootfs_27_0 (dir (getattr)))
+(allow update_engine_common rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow update_engine_common postinstall_mnt_dir_27_0 (dir (getattr mounton search)))
+(allow update_engine_common postinstall_file_27_0 (filesystem (mount unmount relabelfrom relabelto)))
+(allow update_engine_common labeledfs_27_0 (filesystem (relabelfrom)))
+(allow update_engine_common postinstall_file_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow update_engine_common postinstall_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow update_engine_common postinstall_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow update_engine_common cache_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow update_engine_common cache_file_27_0 (file (ioctl read getattr lock map open)))
+(allow update_engine_common cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow update_engine_common shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow update_engine_common postinstall_27_0 (process (sigkill sigstop signal)))
+(allow update_engine_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow update_engine_27_0 proc_misc_27_0 (file (ioctl read getattr lock map open)))
+(allow update_engine_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow update_verifier_27_0 block_device_27_0 (dir (search)))
+(allow update_verifier_27_0 ota_package_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow update_verifier_27_0 ota_package_file_27_0 (file (ioctl read getattr lock map open)))
+(allow update_verifier_27_0 dm_device_27_0 (blk_file (ioctl read getattr lock map open)))
+(allow update_verifier_27_0 property_socket_27_0 (sock_file (write)))
+(allow update_verifier_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow update_verifier_27_0 powerctl_prop_27_0 (property_service (set)))
+(allow update_verifier_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow vdc_27_0 vold_socket_27_0 (sock_file (write)))
+(allow vdc_27_0 vold_27_0 (unix_stream_socket (connectto)))
+(allow vdc_27_0 dumpstate_27_0 (fd (use)))
+(allow vdc_27_0 dumpstate_27_0 (unix_stream_socket (read write getattr)))
+(allow vdc_27_0 shell_data_file_27_0 (file (write getattr)))
+(allow vdc_27_0 dumpstate_27_0 (unix_dgram_socket (read write)))
+(allow vdc_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vdc_27_0 kmsg_device_27_0 (chr_file (write lock append map open)))
+(neverallow base_typeattr_179_27_0 vendor_toolbox_exec_27_0 (file (execute execute_no_trans entrypoint)))
+(allow virtual_touchpad_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 virtual_touchpad_27_0 (dir (search)))
+(allow servicemanager_27_0 virtual_touchpad_27_0 (file (read open)))
+(allow servicemanager_27_0 virtual_touchpad_27_0 (process (getattr)))
+(allow virtual_touchpad_27_0 virtual_touchpad_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_180_27_0 virtual_touchpad_service_27_0 (service_manager (add)))
+(allow virtual_touchpad_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 virtual_touchpad_27_0 (binder (transfer)))
+(allow virtual_touchpad_27_0 system_server_27_0 (fd (use)))
+(allow virtual_touchpad_27_0 uhid_device_27_0 (chr_file (ioctl write lock append map open)))
+(allow virtual_touchpad_27_0 permission_service_27_0 (service_manager (find)))
+(allow vold_27_0 cache_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 cache_file_27_0 (file (read getattr)))
+(allow vold_27_0 cache_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 proc_27_0 (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 proc_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 proc_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow vold_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 sysfs_27_0 (file (write lock append map open)))
+(allow vold_27_0 sysfs_usb_27_0 (file (write lock append map open)))
+(allow vold_27_0 sysfs_zram_uevent_27_0 (file (write lock append map open)))
+(allow vold_27_0 rootfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 rootfs_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 rootfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 proc_meminfo_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 file_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 self (process (setexec)))
+(allow vold_27_0 shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow vold_27_0 e2fs_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow vold_27_0 self (process (setfscreate)))
+(allow vold_27_0 system_file_27_0 (file (getattr map execute execute_no_trans)))
+(allow vold_27_0 block_device_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 device_27_0 (dir (write)))
+(allow vold_27_0 devpts_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 rootfs_27_0 (dir (mounton)))
+(allow vold_27_0 sdcard_type (dir (mounton)))
+(allow vold_27_0 sdcard_type (filesystem (mount remount unmount)))
+(allow vold_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 sdcard_type (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 mnt_media_rw_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 storage_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 sdcard_type (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 mnt_media_rw_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 storage_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 media_rw_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 media_rw_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 mnt_media_rw_stub_file_27_0 (dir (create getattr setattr mounton rmdir)))
+(allow vold_27_0 storage_stub_file_27_0 (dir (create getattr setattr mounton rmdir)))
+(allow vold_27_0 mnt_user_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 mnt_user_file_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 mnt_expand_file_27_0 (dir (ioctl read write create getattr setattr lock rename mounton add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 apk_data_file_27_0 (dir (create getattr setattr)))
+(allow vold_27_0 shell_data_file_27_0 (dir (create getattr setattr)))
+(allow vold_27_0 tmpfs_27_0 (filesystem (mount unmount)))
+(allow vold_27_0 tmpfs_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 tmpfs_27_0 (dir (mounton)))
+(allow vold_27_0 self (capability (chown dac_override fowner fsetid net_admin sys_admin mknod)))
+(allow vold_27_0 self (netlink_kobject_uevent_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow vold_27_0 app_data_file_27_0 (dir (search)))
+(allow vold_27_0 app_data_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 loop_control_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 loop_device_27_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
+(allow vold_27_0 vold_device_27_0 (blk_file (ioctl read write create getattr setattr lock append map unlink open)))
+(allow vold_27_0 dm_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 dm_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 domain (dir (ioctl read getattr lock search open)))
+(allow vold_27_0 domain (file (ioctl read getattr lock map open)))
+(allow vold_27_0 domain (lnk_file (ioctl read getattr lock map open)))
+(allow vold_27_0 domain (process (sigkill signal)))
+(allow vold_27_0 self (capability (kill sys_ptrace)))
+(allow vold_27_0 sysfs_27_0 (file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 fsck_exec_27_0 (file (ioctl read getattr lock map execute open)))
+(allow vold_27_0 fscklogs_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow vold_27_0 fscklogs_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 labeledfs_27_0 (filesystem (mount unmount)))
+(allow vold_27_0 efs_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 system_data_file_27_0 (dir (ioctl read write create getattr setattr lock mounton add_name remove_name search rmdir open)))
+(allow vold_27_0 kernel_27_0 (process (setsched)))
+(allow vold_27_0 property_socket_27_0 (sock_file (write)))
+(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow vold_27_0 vold_prop_27_0 (property_service (set)))
+(allow vold_27_0 vold_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 property_socket_27_0 (sock_file (write)))
+(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow vold_27_0 powerctl_prop_27_0 (property_service (set)))
+(allow vold_27_0 powerctl_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 property_socket_27_0 (sock_file (write)))
+(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow vold_27_0 ctl_fuse_prop_27_0 (property_service (set)))
+(allow vold_27_0 ctl_fuse_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 property_socket_27_0 (sock_file (write)))
+(allow vold_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow vold_27_0 restorecon_prop_27_0 (property_service (set)))
+(allow vold_27_0 restorecon_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow vold_27_0 asec_image_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 asec_image_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow vold_27_0 asec_apk_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto rename mounton add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 asec_public_file_27_0 (dir (setattr relabelto)))
+(allow vold_27_0 asec_apk_file_27_0 (file (ioctl read getattr setattr lock relabelfrom relabelto map open)))
+(allow vold_27_0 asec_public_file_27_0 (file (setattr relabelto)))
+(allow vold_27_0 unlabeled_27_0 (dir (ioctl read getattr setattr lock relabelfrom search open)))
+(allow vold_27_0 unlabeled_27_0 (file (ioctl read getattr setattr lock relabelfrom map open)))
+(allow vold_27_0 sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 self (capability2 (block_suspend)))
+(allow vold_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 vold_27_0 (dir (search)))
+(allow servicemanager_27_0 vold_27_0 (file (read open)))
+(allow servicemanager_27_0 vold_27_0 (process (getattr)))
+(allow vold_27_0 healthd_27_0 (binder (call transfer)))
+(allow healthd_27_0 vold_27_0 (binder (transfer)))
+(allow vold_27_0 healthd_27_0 (fd (use)))
+(allow vold_27_0 userdata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 metadata_block_device_27_0 (blk_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 unencrypted_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 unencrypted_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 proc_drop_caches_27_0 (file (write lock append map open)))
+(allow vold_27_0 vold_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 vold_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow vold_27_0 init_27_0 (key (write search setattr)))
+(allow vold_27_0 vold_27_0 (key (write search setattr)))
+(allow vold_27_0 self (capability (sys_nice)))
+(allow vold_27_0 self (capability (sys_chroot)))
+(allow vold_27_0 storage_file_27_0 (dir (mounton)))
+(allow vold_27_0 fuse_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vold_27_0 fuse_27_0 (filesystem (relabelfrom)))
+(allow vold_27_0 app_fusefs_27_0 (filesystem (relabelfrom relabelto)))
+(allow vold_27_0 app_fusefs_27_0 (filesystem (mount unmount)))
+(allow vold_27_0 toolbox_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow vold_27_0 user_profile_data_file_27_0 (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow vold_27_0 misc_block_device_27_0 (blk_file (write lock append map open)))
+(neverallow base_typeattr_92_27_0 vold_data_file_27_0 (dir (write lock relabelfrom append map unlink link rename execute quotaon mounton add_name remove_name reparent rmdir audit_access execmod)))
+(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (lnk_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (sock_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_181_27_0 vold_data_file_27_0 (fifo_file (ioctl read write create setattr lock relabelfrom append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_90_27_0 vold_data_file_27_0 (dir (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton add_name remove_name reparent search rmdir open audit_access execmod)))
+(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton execute_no_trans entrypoint execmod open audit_access)))
+(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (lnk_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (sock_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_182_27_0 vold_data_file_27_0 (fifo_file (ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute quotaon mounton open audit_access execmod)))
+(neverallow base_typeattr_90_27_0 restorecon_prop_27_0 (property_service (set)))
+(neverallow vold_27_0 fsck_exec_27_0 (file (execute_no_trans)))
+(allow vr_hwc_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 vr_hwc_27_0 (dir (search)))
+(allow servicemanager_27_0 vr_hwc_27_0 (file (read open)))
+(allow servicemanager_27_0 vr_hwc_27_0 (process (getattr)))
+(allow vr_hwc_27_0 surfaceflinger_27_0 (binder (call transfer)))
+(allow surfaceflinger_27_0 vr_hwc_27_0 (binder (transfer)))
+(allow vr_hwc_27_0 surfaceflinger_27_0 (fd (use)))
+(allow vr_hwc_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 vr_hwc_27_0 (binder (transfer)))
+(allow vr_hwc_27_0 system_server_27_0 (fd (use)))
+(allow vr_hwc_27_0 vr_hwc_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_183_27_0 vr_hwc_service_27_0 (service_manager (add)))
+(allow vr_hwc_27_0 hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 vr_hwc_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 vr_hwc_27_0 (dir (search)))
+(allow hwservicemanager_27_0 vr_hwc_27_0 (file (read open)))
+(allow hwservicemanager_27_0 vr_hwc_27_0 (process (getattr)))
+(allow vr_hwc_27_0 system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow vr_hwc_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow vr_hwc_27_0 pdx_display_client_endpoint_dir_type (dir (ioctl read getattr lock search open)))
+(allow vr_hwc_27_0 pdx_display_client_endpoint_socket_type (sock_file (ioctl read write getattr lock append map open)))
+(allow vr_hwc_27_0 pdx_display_client_endpoint_socket_type (unix_stream_socket (read write shutdown connectto)))
+(allow vr_hwc_27_0 pdx_display_client_channel_socket_type (unix_stream_socket (read write getattr setattr lock append getopt setopt shutdown)))
+(allow vr_hwc_27_0 pdx_display_client_server_type (fd (use)))
+(allow pdx_display_client_server_type vr_hwc_27_0 (fd (use)))
+(allow vr_hwc_27_0 permission_service_27_0 (service_manager (find)))
+(allow watchdogd_27_0 watchdog_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow watchdogd_27_0 kmsg_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow wificond_27_0 servicemanager_27_0 (binder (call transfer)))
+(allow servicemanager_27_0 wificond_27_0 (dir (search)))
+(allow servicemanager_27_0 wificond_27_0 (file (read open)))
+(allow servicemanager_27_0 wificond_27_0 (process (getattr)))
+(allow wificond_27_0 system_server_27_0 (binder (call transfer)))
+(allow system_server_27_0 wificond_27_0 (binder (transfer)))
+(allow wificond_27_0 system_server_27_0 (fd (use)))
+(allow wificond_27_0 wificond_service_27_0 (service_manager (add find)))
+(neverallow base_typeattr_184_27_0 wificond_service_27_0 (service_manager (add)))
+(allow wificond_27_0 property_socket_27_0 (sock_file (write)))
+(allow wificond_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow wificond_27_0 wifi_prop_27_0 (property_service (set)))
+(allow wificond_27_0 wifi_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow wificond_27_0 property_socket_27_0 (sock_file (write)))
+(allow wificond_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow wificond_27_0 ctl_default_prop_27_0 (property_service (set)))
+(allow wificond_27_0 ctl_default_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow wificond_27_0 self (udp_socket (ioctl read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allowx wificond_27_0 self (ioctl udp_socket (0x8914)))
+(allow wificond_27_0 self (capability (net_admin net_raw)))
+(allow wificond_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow wificond_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow wificond_27_0 proc_net_27_0 (dir (ioctl read getattr lock search open)))
+(allow wificond_27_0 proc_net_27_0 (file (ioctl read getattr lock map open)))
+(allow wificond_27_0 proc_net_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow wificond_27_0 wifi_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow wificond_27_0 wifi_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow wificond_27_0 permission_service_27_0 (service_manager (find)))
+(allow wificond_27_0 dumpstate_27_0 (fd (use)))
+(allow wificond_27_0 dumpstate_27_0 (fifo_file (write)))
+(allow init_27_0 hal_audio_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_audio_default (process (transition)))
+(allow hal_audio_default hal_audio_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_audio_default (process (noatsecure)))
+(allow init_27_0 hal_audio_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_audio_default_exec process hal_audio_default)
+(typetransition hal_audio_default tmpfs_27_0 file hal_audio_default_tmpfs)
+(allow hal_audio_default hal_audio_default_tmpfs (file (read write getattr)))
+(allow hal_audio_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_bluetooth_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_bluetooth_default (process (transition)))
+(allow hal_bluetooth_default hal_bluetooth_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_bluetooth_default (process (noatsecure)))
+(allow init_27_0 hal_bluetooth_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_bluetooth_default_exec process hal_bluetooth_default)
+(typetransition hal_bluetooth_default tmpfs_27_0 file hal_bluetooth_default_tmpfs)
+(allow hal_bluetooth_default hal_bluetooth_default_tmpfs (file (read write getattr)))
+(allow hal_bluetooth_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_bootctl_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_bootctl_default (process (transition)))
+(allow hal_bootctl_default hal_bootctl_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_bootctl_default (process (noatsecure)))
+(allow init_27_0 hal_bootctl_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_bootctl_default_exec process hal_bootctl_default)
+(typetransition hal_bootctl_default tmpfs_27_0 file hal_bootctl_default_tmpfs)
+(allow hal_bootctl_default hal_bootctl_default_tmpfs (file (read write getattr)))
+(allow hal_bootctl_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_broadcastradio_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_broadcastradio_default (process (transition)))
+(allow hal_broadcastradio_default hal_broadcastradio_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_broadcastradio_default (process (noatsecure)))
+(allow init_27_0 hal_broadcastradio_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_broadcastradio_default_exec process hal_broadcastradio_default)
+(typetransition hal_broadcastradio_default tmpfs_27_0 file hal_broadcastradio_default_tmpfs)
+(allow hal_broadcastradio_default hal_broadcastradio_default_tmpfs (file (read write getattr)))
+(allow hal_broadcastradio_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_camera_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_camera_default (process (transition)))
+(allow hal_camera_default hal_camera_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_camera_default (process (noatsecure)))
+(allow init_27_0 hal_camera_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_camera_default_exec process hal_camera_default)
+(typetransition hal_camera_default tmpfs_27_0 file hal_camera_default_tmpfs)
+(allow hal_camera_default hal_camera_default_tmpfs (file (read write getattr)))
+(allow hal_camera_default tmpfs_27_0 (dir (getattr search)))
+(allow hal_camera_default fwk_sensor_hwservice_27_0 (hwservice_manager (find)))
+(allow init_27_0 hal_cas_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_cas_default (process (transition)))
+(allow hal_cas_default hal_cas_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_cas_default (process (noatsecure)))
+(allow init_27_0 hal_cas_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_cas_default_exec process hal_cas_default)
+(typetransition hal_cas_default tmpfs_27_0 file hal_cas_default_tmpfs)
+(allow hal_cas_default hal_cas_default_tmpfs (file (read write getattr)))
+(allow hal_cas_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_configstore_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_configstore_default (process (transition)))
+(allow hal_configstore_default hal_configstore_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_configstore_default (process (noatsecure)))
+(allow init_27_0 hal_configstore_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_configstore_default_exec process hal_configstore_default)
+(typetransition hal_configstore_default tmpfs_27_0 file hal_configstore_default_tmpfs)
+(allow hal_configstore_default hal_configstore_default_tmpfs (file (read write getattr)))
+(allow hal_configstore_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_contexthub_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_contexthub_default (process (transition)))
+(allow hal_contexthub_default hal_contexthub_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_contexthub_default (process (noatsecure)))
+(allow init_27_0 hal_contexthub_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_contexthub_default_exec process hal_contexthub_default)
+(typetransition hal_contexthub_default tmpfs_27_0 file hal_contexthub_default_tmpfs)
+(allow hal_contexthub_default hal_contexthub_default_tmpfs (file (read write getattr)))
+(allow hal_contexthub_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_drm_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_drm_default (process (transition)))
+(allow hal_drm_default hal_drm_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_drm_default (process (noatsecure)))
+(allow init_27_0 hal_drm_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_drm_default_exec process hal_drm_default)
+(typetransition hal_drm_default tmpfs_27_0 file hal_drm_default_tmpfs)
+(allow hal_drm_default hal_drm_default_tmpfs (file (read write getattr)))
+(allow hal_drm_default tmpfs_27_0 (dir (getattr search)))
+(allow hal_drm_default mediacodec_27_0 (fd (use)))
+(allow hal_drm_default base_typeattr_101_27_0 (fd (use)))
+(allow init_27_0 hal_dumpstate_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_dumpstate_default (process (transition)))
+(allow hal_dumpstate_default hal_dumpstate_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_dumpstate_default (process (noatsecure)))
+(allow init_27_0 hal_dumpstate_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_dumpstate_default_exec process hal_dumpstate_default)
+(typetransition hal_dumpstate_default tmpfs_27_0 file hal_dumpstate_default_tmpfs)
+(allow hal_dumpstate_default hal_dumpstate_default_tmpfs (file (read write getattr)))
+(allow hal_dumpstate_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_fingerprint_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_fingerprint_default (process (transition)))
+(allow hal_fingerprint_default hal_fingerprint_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_fingerprint_default (process (noatsecure)))
+(allow init_27_0 hal_fingerprint_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_fingerprint_default_exec process hal_fingerprint_default)
+(typetransition hal_fingerprint_default tmpfs_27_0 file hal_fingerprint_default_tmpfs)
+(allow hal_fingerprint_default hal_fingerprint_default_tmpfs (file (read write getattr)))
+(allow hal_fingerprint_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_gatekeeper_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_gatekeeper_default (process (transition)))
+(allow hal_gatekeeper_default hal_gatekeeper_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_gatekeeper_default (process (noatsecure)))
+(allow init_27_0 hal_gatekeeper_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_gatekeeper_default_exec process hal_gatekeeper_default)
+(typetransition hal_gatekeeper_default tmpfs_27_0 file hal_gatekeeper_default_tmpfs)
+(allow hal_gatekeeper_default hal_gatekeeper_default_tmpfs (file (read write getattr)))
+(allow hal_gatekeeper_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_gnss_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_gnss_default (process (transition)))
+(allow hal_gnss_default hal_gnss_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_gnss_default (process (noatsecure)))
+(allow init_27_0 hal_gnss_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_gnss_default_exec process hal_gnss_default)
+(typetransition hal_gnss_default tmpfs_27_0 file hal_gnss_default_tmpfs)
+(allow hal_gnss_default hal_gnss_default_tmpfs (file (read write getattr)))
+(allow hal_gnss_default tmpfs_27_0 (dir (getattr search)))
+(allow hal_gnss system_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hal_gnss system_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hal_gnss system_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 hal_graphics_allocator_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_graphics_allocator_default (process (transition)))
+(allow hal_graphics_allocator_default hal_graphics_allocator_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_graphics_allocator_default (process (noatsecure)))
+(allow init_27_0 hal_graphics_allocator_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_graphics_allocator_default_exec process hal_graphics_allocator_default)
+(typetransition hal_graphics_allocator_default tmpfs_27_0 file hal_graphics_allocator_default_tmpfs)
+(allow hal_graphics_allocator_default hal_graphics_allocator_default_tmpfs (file (read write getattr)))
+(allow hal_graphics_allocator_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_graphics_composer_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_graphics_composer_default (process (transition)))
+(allow hal_graphics_composer_default hal_graphics_composer_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_graphics_composer_default (process (noatsecure)))
+(allow init_27_0 hal_graphics_composer_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_graphics_composer_default_exec process hal_graphics_composer_default)
+(typetransition hal_graphics_composer_default tmpfs_27_0 file hal_graphics_composer_default_tmpfs)
+(allow hal_graphics_composer_default hal_graphics_composer_default_tmpfs (file (read write getattr)))
+(allow hal_graphics_composer_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_health_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_health_default (process (transition)))
+(allow hal_health_default hal_health_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_health_default (process (noatsecure)))
+(allow init_27_0 hal_health_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_health_default_exec process hal_health_default)
+(typetransition hal_health_default tmpfs_27_0 file hal_health_default_tmpfs)
+(allow hal_health_default hal_health_default_tmpfs (file (read write getattr)))
+(allow hal_health_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_ir_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_ir_default (process (transition)))
+(allow hal_ir_default hal_ir_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_ir_default (process (noatsecure)))
+(allow init_27_0 hal_ir_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_ir_default_exec process hal_ir_default)
+(typetransition hal_ir_default tmpfs_27_0 file hal_ir_default_tmpfs)
+(allow hal_ir_default hal_ir_default_tmpfs (file (read write getattr)))
+(allow hal_ir_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_keymaster_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_keymaster_default (process (transition)))
+(allow hal_keymaster_default hal_keymaster_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_keymaster_default (process (noatsecure)))
+(allow init_27_0 hal_keymaster_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_keymaster_default_exec process hal_keymaster_default)
+(typetransition hal_keymaster_default tmpfs_27_0 file hal_keymaster_default_tmpfs)
+(allow hal_keymaster_default hal_keymaster_default_tmpfs (file (read write getattr)))
+(allow hal_keymaster_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_light_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_light_default (process (transition)))
+(allow hal_light_default hal_light_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_light_default (process (noatsecure)))
+(allow init_27_0 hal_light_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_light_default_exec process hal_light_default)
+(typetransition hal_light_default tmpfs_27_0 file hal_light_default_tmpfs)
+(allow hal_light_default hal_light_default_tmpfs (file (read write getattr)))
+(allow hal_light_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_memtrack_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_memtrack_default (process (transition)))
+(allow hal_memtrack_default hal_memtrack_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_memtrack_default (process (noatsecure)))
+(allow init_27_0 hal_memtrack_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_memtrack_default_exec process hal_memtrack_default)
+(typetransition hal_memtrack_default tmpfs_27_0 file hal_memtrack_default_tmpfs)
+(allow hal_memtrack_default hal_memtrack_default_tmpfs (file (read write getattr)))
+(allow hal_memtrack_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_nfc_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_nfc_default (process (transition)))
+(allow hal_nfc_default hal_nfc_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_nfc_default (process (noatsecure)))
+(allow init_27_0 hal_nfc_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_nfc_default_exec process hal_nfc_default)
+(typetransition hal_nfc_default tmpfs_27_0 file hal_nfc_default_tmpfs)
+(allow hal_nfc_default hal_nfc_default_tmpfs (file (read write getattr)))
+(allow hal_nfc_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 mediacodec_exec_27_0 (file (read getattr map execute open)))
+(allow init_27_0 mediacodec_27_0 (process (transition)))
+(allow mediacodec_27_0 mediacodec_exec_27_0 (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 mediacodec_27_0 (process (noatsecure)))
+(allow init_27_0 mediacodec_27_0 (process (siginh rlimitinh)))
+(typetransition init_27_0 mediacodec_exec_27_0 process mediacodec)
+(typetransition mediacodec_27_0 tmpfs_27_0 file mediacodec_tmpfs)
+(allow mediacodec_27_0 mediacodec_tmpfs (file (read write getattr)))
+(allow mediacodec_27_0 tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_power_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_power_default (process (transition)))
+(allow hal_power_default hal_power_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_power_default (process (noatsecure)))
+(allow init_27_0 hal_power_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_power_default_exec process hal_power_default)
+(typetransition hal_power_default tmpfs_27_0 file hal_power_default_tmpfs)
+(allow hal_power_default hal_power_default_tmpfs (file (read write getattr)))
+(allow hal_power_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_sensors_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_sensors_default (process (transition)))
+(allow hal_sensors_default hal_sensors_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_sensors_default (process (noatsecure)))
+(allow init_27_0 hal_sensors_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_sensors_default_exec process hal_sensors_default)
+(typetransition hal_sensors_default tmpfs_27_0 file hal_sensors_default_tmpfs)
+(allow hal_sensors_default hal_sensors_default_tmpfs (file (read write getattr)))
+(allow hal_sensors_default tmpfs_27_0 (dir (getattr search)))
+(allow hal_sensors_default fwk_scheduler_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_sensors_default hal_graphics_allocator_default (fd (use)))
+(allow hal_sensors_default ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow hal_sensors_default sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hal_sensors_default self (capability2 (block_suspend)))
+(allow init_27_0 hal_tetheroffload_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_tetheroffload_default (process (transition)))
+(allow hal_tetheroffload_default hal_tetheroffload_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_tetheroffload_default (process (noatsecure)))
+(allow init_27_0 hal_tetheroffload_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_tetheroffload_default_exec process hal_tetheroffload_default)
+(typetransition hal_tetheroffload_default tmpfs_27_0 file hal_tetheroffload_default_tmpfs)
+(allow hal_tetheroffload_default hal_tetheroffload_default_tmpfs (file (read write getattr)))
+(allow hal_tetheroffload_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_thermal_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_thermal_default (process (transition)))
+(allow hal_thermal_default hal_thermal_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_thermal_default (process (noatsecure)))
+(allow init_27_0 hal_thermal_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_thermal_default_exec process hal_thermal_default)
+(typetransition hal_thermal_default tmpfs_27_0 file hal_thermal_default_tmpfs)
+(allow hal_thermal_default hal_thermal_default_tmpfs (file (read write getattr)))
+(allow hal_thermal_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_tv_cec_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_tv_cec_default (process (transition)))
+(allow hal_tv_cec_default hal_tv_cec_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_tv_cec_default (process (noatsecure)))
+(allow init_27_0 hal_tv_cec_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_tv_cec_default_exec process hal_tv_cec_default)
+(typetransition hal_tv_cec_default tmpfs_27_0 file hal_tv_cec_default_tmpfs)
+(allow hal_tv_cec_default hal_tv_cec_default_tmpfs (file (read write getattr)))
+(allow hal_tv_cec_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_tv_input_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_tv_input_default (process (transition)))
+(allow hal_tv_input_default hal_tv_input_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_tv_input_default (process (noatsecure)))
+(allow init_27_0 hal_tv_input_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_tv_input_default_exec process hal_tv_input_default)
+(typetransition hal_tv_input_default tmpfs_27_0 file hal_tv_input_default_tmpfs)
+(allow hal_tv_input_default hal_tv_input_default_tmpfs (file (read write getattr)))
+(allow hal_tv_input_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_usb_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_usb_default (process (transition)))
+(allow hal_usb_default hal_usb_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_usb_default (process (noatsecure)))
+(allow init_27_0 hal_usb_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_usb_default_exec process hal_usb_default)
+(typetransition hal_usb_default tmpfs_27_0 file hal_usb_default_tmpfs)
+(allow hal_usb_default hal_usb_default_tmpfs (file (read write getattr)))
+(allow hal_usb_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_vibrator_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_vibrator_default (process (transition)))
+(allow hal_vibrator_default hal_vibrator_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_vibrator_default (process (noatsecure)))
+(allow init_27_0 hal_vibrator_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_vibrator_default_exec process hal_vibrator_default)
+(typetransition hal_vibrator_default tmpfs_27_0 file hal_vibrator_default_tmpfs)
+(allow hal_vibrator_default hal_vibrator_default_tmpfs (file (read write getattr)))
+(allow hal_vibrator_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_vr_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_vr_default (process (transition)))
+(allow hal_vr_default hal_vr_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_vr_default (process (noatsecure)))
+(allow init_27_0 hal_vr_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_vr_default_exec process hal_vr_default)
+(typetransition hal_vr_default tmpfs_27_0 file hal_vr_default_tmpfs)
+(allow hal_vr_default hal_vr_default_tmpfs (file (read write getattr)))
+(allow hal_vr_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_wifi_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_wifi_default (process (transition)))
+(allow hal_wifi_default hal_wifi_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_wifi_default (process (noatsecure)))
+(allow init_27_0 hal_wifi_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_wifi_default_exec process hal_wifi_default)
+(typetransition hal_wifi_default tmpfs_27_0 file hal_wifi_default_tmpfs)
+(allow hal_wifi_default hal_wifi_default_tmpfs (file (read write getattr)))
+(allow hal_wifi_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_wifi_offload_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_wifi_offload_default (process (transition)))
+(allow hal_wifi_offload_default hal_wifi_offload_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_wifi_offload_default (process (noatsecure)))
+(allow init_27_0 hal_wifi_offload_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_wifi_offload_default_exec process hal_wifi_offload_default)
+(typetransition hal_wifi_offload_default tmpfs_27_0 file hal_wifi_offload_default_tmpfs)
+(allow hal_wifi_offload_default hal_wifi_offload_default_tmpfs (file (read write getattr)))
+(allow hal_wifi_offload_default tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 hal_wifi_supplicant_default_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_wifi_supplicant_default (process (transition)))
+(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_wifi_supplicant_default (process (noatsecure)))
+(allow init_27_0 hal_wifi_supplicant_default (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_wifi_supplicant_default_exec process hal_wifi_supplicant_default)
+(typetransition hal_wifi_supplicant_default tmpfs_27_0 file hal_wifi_supplicant_default_tmpfs)
+(allow hal_wifi_supplicant_default hal_wifi_supplicant_default_tmpfs (file (read write getattr)))
+(allow hal_wifi_supplicant_default tmpfs_27_0 (dir (getattr search)))
+(allow hal_wifi_supplicant_default hwservicemanager_27_0 (binder (call transfer)))
+(allow hwservicemanager_27_0 hal_wifi_supplicant_default (binder (call transfer)))
+(allow hwservicemanager_27_0 hal_wifi_supplicant_default (dir (search)))
+(allow hwservicemanager_27_0 hal_wifi_supplicant_default (file (read open)))
+(allow hwservicemanager_27_0 hal_wifi_supplicant_default (process (getattr)))
+(allow hal_wifi_supplicant_default system_wifi_keystore_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_wifi_supplicant_default wifi_keystore_service_server (binder (call transfer)))
+(allow wifi_keystore_service_server hal_wifi_supplicant_default (binder (transfer)))
+(allow hal_wifi_supplicant_default wifi_keystore_service_server (fd (use)))
+(allow init_27_0 hostapd_exec (file (read getattr map execute open)))
+(allow init_27_0 hostapd (process (transition)))
+(allow hostapd hostapd_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hostapd (process (noatsecure)))
+(allow init_27_0 hostapd (process (siginh rlimitinh)))
+(typetransition init_27_0 hostapd_exec process hostapd)
+(typetransition hostapd tmpfs_27_0 file hostapd_tmpfs)
+(allow hostapd hostapd_tmpfs (file (read write getattr)))
+(allow hostapd tmpfs_27_0 (dir (getattr search)))
+(allow hostapd self (capability (net_admin net_raw)))
+(allow hostapd sysfs_27_0 (file (ioctl read getattr lock map open)))
+(allow hostapd sysfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hostapd proc_net_27_0 (file (read getattr open)))
+(allowx hostapd self (ioctl udp_socket (0x6900 0x6902)))
+(allowx hostapd self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx hostapd self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow hostapd self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hostapd self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hostapd self (packet_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow hostapd self (netlink_route_socket (nlmsg_write)))
+(allow hostapd wifi_data_file_27_0 (file (ioctl read write getattr lock append map open)))
+(allow hostapd wifi_data_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow hostapd wifi_data_file_27_0 (file (ioctl read getattr lock map open)))
+(allow hostapd wifi_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow hostapd hostapd_socket (dir (ioctl read write create getattr setattr lock rename add_name remove_name reparent search rmdir open)))
+(allow hostapd hostapd_socket (sock_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow init_27_0 rild_exec (file (read getattr map execute open)))
+(allow init_27_0 rild_27_0 (process (transition)))
+(allow rild_27_0 rild_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 rild_27_0 (process (noatsecure)))
+(allow init_27_0 rild_27_0 (process (siginh rlimitinh)))
+(typetransition init_27_0 rild_exec process rild)
+(typetransition rild_27_0 tmpfs_27_0 file rild_tmpfs)
+(allow rild_27_0 rild_tmpfs (file (read write getattr)))
+(allow rild_27_0 tmpfs_27_0 (dir (getattr search)))
+(allow init_27_0 tee_exec (file (read getattr map execute open)))
+(allow init_27_0 tee_27_0 (process (transition)))
+(allow tee_27_0 tee_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 tee_27_0 (process (noatsecure)))
+(allow init_27_0 tee_27_0 (process (siginh rlimitinh)))
+(typetransition init_27_0 tee_exec process tee)
+(typetransition tee_27_0 tmpfs_27_0 file tee_tmpfs)
+(allow tee_27_0 tee_tmpfs (file (read write getattr)))
+(allow tee_27_0 tmpfs_27_0 (dir (getattr search)))
+(allow tee_27_0 self (capability (dac_override)))
+(allow tee_27_0 tee_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow tee_27_0 tee_data_file_27_0 (dir (ioctl read write getattr lock add_name remove_name search open)))
+(allow tee_27_0 tee_data_file_27_0 (file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(allow tee_27_0 self (netlink_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow tee_27_0 self (netlink_generic_socket (read write create getattr setattr lock append bind connect getopt setopt shutdown)))
+(allow tee_27_0 ion_device_27_0 (chr_file (ioctl read getattr lock map open)))
+(allow tee_27_0 sysfs_type (dir (ioctl read getattr lock search open)))
+(allow tee_27_0 sysfs_type (file (ioctl read getattr lock map open)))
+(allow tee_27_0 sysfs_type (lnk_file (ioctl read getattr lock map open)))
+(allow tee_27_0 system_data_file_27_0 (file (read getattr)))
+(allow tee_27_0 system_data_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 vendor_toolbox_exec_27_0 (file (read getattr map execute open)))
+(allow init_27_0 vendor_modprobe (process (transition)))
+(allow vendor_modprobe vendor_toolbox_exec_27_0 (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 vendor_modprobe (process (noatsecure)))
+(allow init_27_0 vendor_modprobe (process (siginh rlimitinh)))
+(allow vendor_modprobe proc_modules_27_0 (file (ioctl read getattr lock map open)))
+(allow vendor_modprobe self (capability (sys_module)))
+(allow vendor_modprobe kernel_27_0 (key (search)))
+(allow vendor_modprobe vendor_file_27_0 (system (module_load)))
+(allow vendor_modprobe vendor_file_27_0 (dir (ioctl read getattr lock search open)))
+(allow vendor_modprobe vendor_file_27_0 (file (ioctl read getattr lock map open)))
+(allow vendor_modprobe vendor_file_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow init_27_0 vndservicemanager_exec (file (read getattr map execute open)))
+(allow init_27_0 vndservicemanager_27_0 (process (transition)))
+(allow vndservicemanager_27_0 vndservicemanager_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 vndservicemanager_27_0 (process (noatsecure)))
+(allow init_27_0 vndservicemanager_27_0 (process (siginh rlimitinh)))
+(typetransition init_27_0 vndservicemanager_exec process vndservicemanager)
+(typetransition vndservicemanager_27_0 tmpfs_27_0 file vndservicemanager_tmpfs)
+(allow vndservicemanager_27_0 vndservicemanager_tmpfs (file (read write getattr)))
+(allow vndservicemanager_27_0 tmpfs_27_0 (dir (getattr search)))
+(allow vndservicemanager_27_0 self (binder (set_context_mgr)))
+(allow vndservicemanager_27_0 base_typeattr_185_27_0 (binder (transfer)))
+(allow vndservicemanager_27_0 vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow vndservicemanager_27_0 vndservice_contexts_file_27_0 (file (ioctl read getattr lock map open)))
+(allow vndservicemanager_27_0 selinuxfs_27_0 (dir (ioctl read getattr lock search open)))
+(allow vndservicemanager_27_0 selinuxfs_27_0 (file (ioctl read getattr lock map open)))
+(allow vndservicemanager_27_0 selinuxfs_27_0 (lnk_file (ioctl read getattr lock map open)))
+(allow vndservicemanager_27_0 selinuxfs_27_0 (file (write lock append map open)))
+(allow vndservicemanager_27_0 kernel_27_0 (security (compute_av)))
+(allow vndservicemanager_27_0 self (netlink_selinux_socket (read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind)))
+(allow adbd_27_0 property_socket_27_0 (sock_file (write)))
+(allow adbd_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow adbd_27_0 ctl_mdnsd_prop_27_0 (property_service (set)))
+(allow adbd_27_0 ctl_mdnsd_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow audioserver_27_0 bootanim_27_0 (binder (call)))
+(allow bootanim_27_0 self (process (execmem)))
+(allow bootanim_27_0 ashmem_device_27_0 (chr_file (execute)))
+(dontaudit bootanim_27_0 system_data_file_27_0 (dir (read)))
+(allow bootanim_27_0 property_socket_27_0 (sock_file (write)))
+(allow bootanim_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow bootanim_27_0 qemu_prop (property_service (set)))
+(allow bootanim_27_0 qemu_prop (file (ioctl read getattr lock map open)))
+(allow cameraserver_27_0 system_file_27_0 (dir (read open)))
+(allow cameraserver_27_0 hal_allocator (fd (use)))
+(allow domain sysfs_writable (dir (search)))
+(allow domain sysfs_writable (file (ioctl read write getattr lock append map open)))
+(allow domain qemu_device (chr_file (ioctl read write getattr lock append map open)))
+(allow domain qemu_prop (file (ioctl read getattr lock map open)))
+(allow init_27_0 goldfish_setup_exec (file (read getattr map execute open)))
+(allow init_27_0 goldfish_setup (process (transition)))
+(allow goldfish_setup goldfish_setup_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 goldfish_setup (process (noatsecure)))
+(allow init_27_0 goldfish_setup (process (siginh rlimitinh)))
+(typetransition init_27_0 goldfish_setup_exec process goldfish_setup)
+(typetransition goldfish_setup tmpfs_27_0 file goldfish_setup_tmpfs)
+(allow goldfish_setup goldfish_setup_tmpfs (file (read write getattr)))
+(allow goldfish_setup tmpfs_27_0 (dir (getattr search)))
+(allow goldfish_setup self (capability (net_admin net_raw)))
+(allow goldfish_setup self (udp_socket (ioctl create)))
+(allow goldfish_setup vendor_toolbox_exec_27_0 (file (execute_no_trans)))
+(allowx goldfish_setup self (ioctl udp_socket (0x6900 0x6902)))
+(allowx goldfish_setup self (ioctl udp_socket (((range 0x890b 0x890d)) 0x8911 0x8914 0x8916 0x8918 0x891a ((range 0x891c 0x8920)) ((range 0x8922 0x8927)) 0x8929 ((range 0x8930 0x8932)) ((range 0x8934 0x8937)) 0x8939 ((range 0x8940 0x8941)) 0x8943 ((range 0x8946 0x894b)) ((range 0x8953 0x8955)) ((range 0x8960 0x8962)) ((range 0x8970 0x8971)) ((range 0x8980 0x8983)) ((range 0x8990 0x8995)) ((range 0x89a0 0x89a3)) 0x89b0 ((range 0x89e0 0x89ff)))))
+(allowx goldfish_setup self (ioctl udp_socket (0x8b00 0x8b02 0x8b04 0x8b06 0x8b08 0x8b0a 0x8b0c 0x8b0e 0x8b10 ((range 0x8b14 0x8b1d)) 0x8b20 0x8b22 0x8b24 0x8b26 0x8b28 ((range 0x8b2a 0x8b2c)) ((range 0x8b30 0x8b36)) ((range 0x8be0 0x8bff)))))
+(allow goldfish_setup sysfs_wake_lock_27_0 (file (ioctl read write getattr lock append map open)))
+(allow goldfish_setup self (capability2 (block_suspend)))
+(allow goldfish_setup vendor_shell_exec_27_0 (file (ioctl read getattr lock map execute execute_no_trans open)))
+(allow hal_camera_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_camera_default vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 hal_camera_default (dir (search)))
+(allow vndservicemanager_27_0 hal_camera_default (file (read open)))
+(allow vndservicemanager_27_0 hal_camera_default (process (getattr)))
+(allow hal_camera_default hal_graphics_mapper_hwservice_27_0 (hwservice_manager (find)))
+(allow hal_cas_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_cas_default vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 hal_cas_default (dir (search)))
+(allow vndservicemanager_27_0 hal_cas_default (file (read open)))
+(allow vndservicemanager_27_0 hal_cas_default (process (getattr)))
+(allow hal_drm_default vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_drm_default vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 hal_drm_default (dir (search)))
+(allow vndservicemanager_27_0 hal_drm_default (file (read open)))
+(allow vndservicemanager_27_0 hal_drm_default (process (getattr)))
+(allow init_27_0 hal_drm_widevine_exec (file (read getattr map execute open)))
+(allow init_27_0 hal_drm_widevine (process (transition)))
+(allow hal_drm_widevine hal_drm_widevine_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 hal_drm_widevine (process (noatsecure)))
+(allow init_27_0 hal_drm_widevine (process (siginh rlimitinh)))
+(typetransition init_27_0 hal_drm_widevine_exec process hal_drm_widevine)
+(typetransition hal_drm_widevine tmpfs_27_0 file hal_drm_widevine_tmpfs)
+(allow hal_drm_widevine hal_drm_widevine_tmpfs (file (read write getattr)))
+(allow hal_drm_widevine tmpfs_27_0 (dir (getattr search)))
+(allow hal_drm mediacodec_27_0 (fd (use)))
+(allow hal_drm base_typeattr_101_27_0 (fd (use)))
+(allow hal_drm_widevine vndbinder_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow hal_drm_widevine vndservicemanager_27_0 (binder (call transfer)))
+(allow vndservicemanager_27_0 hal_drm_widevine (dir (search)))
+(allow vndservicemanager_27_0 hal_drm_widevine (file (read open)))
+(allow vndservicemanager_27_0 hal_drm_widevine (process (getattr)))
+(allow hal_gnss_default vndbinder_device_27_0 (chr_file (ioctl read write open)))
+(allow hal_graphics_composer_default vndbinder_device_27_0 (chr_file (ioctl read write open)))
+(allow init_27_0 tmpfs_27_0 (lnk_file (ioctl read write create getattr setattr lock append map unlink rename open)))
+(dontaudit init_27_0 kernel_27_0 (system (module_request)))
+(allow init_27_0 logcat_exec_27_0 (file (read getattr map execute open)))
+(allow init_27_0 logpersist_27_0 (process (transition)))
+(allow logpersist_27_0 logcat_exec_27_0 (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 logpersist_27_0 (process (noatsecure)))
+(allow init_27_0 logpersist_27_0 (process (siginh rlimitinh)))
+(typetransition init_27_0 logcat_exec_27_0 process logpersist)
+(allow logpersist_27_0 logdr_socket_27_0 (sock_file (write)))
+(allow logpersist_27_0 logd_27_0 (unix_stream_socket (connectto)))
+(allow logpersist_27_0 serial_device_27_0 (chr_file (write open)))
+(allow logpersist_27_0 qemu_cmdline (file (ioctl read getattr lock map open)))
+(allow mediacodec_27_0 system_file_27_0 (dir (read open)))
+(dontaudit netd_27_0 self (capability (sys_module)))
+(dontaudit netd_27_0 kernel_27_0 (system (module_request)))
+(dontaudit priv_app_27_0 firstboot_prop_27_0 (file (getattr open)))
+(dontaudit priv_app_27_0 device_27_0 (dir (read open)))
+(dontaudit priv_app_27_0 proc_interrupts_27_0 (file (read getattr open)))
+(dontaudit priv_app_27_0 proc_modules_27_0 (file (read getattr open)))
+(allow init_27_0 qemu_props_exec (file (read getattr map execute open)))
+(allow init_27_0 qemu_props (process (transition)))
+(allow qemu_props qemu_props_exec (file (read getattr map execute entrypoint open)))
+(dontaudit init_27_0 qemu_props (process (noatsecure)))
+(allow init_27_0 qemu_props (process (siginh rlimitinh)))
+(typetransition init_27_0 qemu_props_exec process qemu_props)
+(typetransition qemu_props tmpfs_27_0 file qemu_props_tmpfs)
+(allow qemu_props qemu_props_tmpfs (file (read write getattr)))
+(allow qemu_props tmpfs_27_0 (dir (getattr search)))
+(allow qemu_props property_socket_27_0 (sock_file (write)))
+(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
+(allow qemu_props qemu_prop (property_service (set)))
+(allow qemu_props qemu_prop (file (ioctl read getattr lock map open)))
+(allow qemu_props property_socket_27_0 (sock_file (write)))
+(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
+(allow qemu_props dalvik_prop_27_0 (property_service (set)))
+(allow qemu_props dalvik_prop_27_0 (file (ioctl read getattr lock map open)))
+(allow qemu_props property_socket_27_0 (sock_file (write)))
+(allow qemu_props init_27_0 (unix_stream_socket (connectto)))
+(allow qemu_props qemu_cmdline (property_service (set)))
+(allow qemu_props qemu_cmdline (file (ioctl read getattr lock map open)))
+(allow shell_27_0 serial_device_27_0 (chr_file (ioctl read write getattr lock append map open)))
+(allow surfaceflinger_27_0 self (process (execmem)))
+(allow surfaceflinger_27_0 ashmem_device_27_0 (chr_file (execute)))
+(allow surfaceflinger_27_0 property_socket_27_0 (sock_file (write)))
+(allow surfaceflinger_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow surfaceflinger_27_0 qemu_prop (property_service (set)))
+(allow surfaceflinger_27_0 qemu_prop (file (ioctl read getattr lock map open)))
+(allow system_server_27_0 opengles_prop (file (ioctl read getattr lock map open)))
+(allow system_server_27_0 radio_noril_prop (file (ioctl read getattr lock map open)))
+(dontaudit vold_27_0 kernel_27_0 (system (module_request)))
+(allow zygote_27_0 property_socket_27_0 (sock_file (write)))
+(allow zygote_27_0 init_27_0 (unix_stream_socket (connectto)))
+(allow zygote_27_0 qemu_prop (property_service (set)))
+(allow zygote_27_0 qemu_prop (file (ioctl read getattr lock map open)))
+(dontaudit webview_zygote_27_0 mnt_expand_file_27_0 (dir (getattr)))
+(typetransition hal_wifi_supplicant_default wifi_data_file_27_0 dir "sockets" wpa_socket)
+(typeattribute base_typeattr_185_27_0)
+(typeattributeset base_typeattr_185_27_0 ((and (domain) ((not (coredomain init_27_0))))))
+(typeattribute base_typeattr_184_27_0)
+(typeattributeset base_typeattr_184_27_0 ((and (domain) ((not (wificond_27_0))))))
+(typeattribute base_typeattr_183_27_0)
+(typeattributeset base_typeattr_183_27_0 ((and (domain) ((not (vr_hwc_27_0))))))
+(typeattribute base_typeattr_182_27_0)
+(typeattributeset base_typeattr_182_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 vold_27_0))))))
+(typeattribute base_typeattr_181_27_0)
+(typeattributeset base_typeattr_181_27_0 ((and (domain) ((not (kernel_27_0 vold_27_0))))))
+(typeattribute base_typeattr_180_27_0)
+(typeattributeset base_typeattr_180_27_0 ((and (domain) ((not (virtual_touchpad_27_0))))))
+(typeattribute base_typeattr_179_27_0)
+(typeattributeset base_typeattr_179_27_0 ((and (coredomain) ((not (init_27_0 modprobe_27_0))))))
+(typeattribute base_typeattr_178_27_0)
+(typeattributeset base_typeattr_178_27_0 ((and (domain) ((not (update_engine_27_0))))))
+(typeattribute base_typeattr_177_27_0)
+(typeattributeset base_typeattr_177_27_0 ((and (vendor_file_type) ((not (vendor_app_file_27_0 vendor_overlay_file_27_0))))))
+(typeattribute base_typeattr_176_27_0)
+(typeattributeset base_typeattr_176_27_0 ((and (domain) ((not (init_27_0 system_server_27_0 tzdatacheck_27_0))))))
+(typeattribute base_typeattr_175_27_0)
+(typeattributeset base_typeattr_175_27_0 ((and (fs_type file_type) ((not (toolbox_exec_27_0))))))
+(typeattribute base_typeattr_174_27_0)
+(typeattributeset base_typeattr_174_27_0 ((and (domain) ((not (thermalserviced_27_0))))))
+(typeattribute base_typeattr_173_27_0)
+(typeattributeset base_typeattr_173_27_0 ((and (service_manager_type) ((not (gatekeeper_service_27_0 incident_service_27_0 installd_service_27_0 netd_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0))))))
+(typeattribute base_typeattr_172_27_0)
+(typeattributeset base_typeattr_172_27_0 ((and (fs_type file_type) ((not (sgdisk_exec_27_0))))))
+(typeattribute base_typeattr_171_27_0)
+(typeattributeset base_typeattr_171_27_0 ((and (domain) ((not (hwservicemanager_27_0 init_27_0 vndservicemanager_27_0))))))
+(typeattribute base_typeattr_170_27_0)
+(typeattributeset base_typeattr_170_27_0 ((and (appdomain) ((not (system_app_27_0))))))
+(typeattribute base_typeattr_169_27_0)
+(typeattributeset base_typeattr_169_27_0 ((and (data_file_type) ((not (cache_file_27_0 cache_recovery_file_27_0))))))
+(typeattribute base_typeattr_168_27_0)
+(typeattributeset base_typeattr_168_27_0 ((and (domain) ((not (radio_27_0))))))
+(typeattribute base_typeattr_167_27_0)
+(typeattributeset base_typeattr_167_27_0 ((and (core_property_type) ((not (audio_prop_27_0 config_prop_27_0 cppreopt_prop_27_0 dalvik_prop_27_0 debuggerd_prop_27_0 debug_prop_27_0 default_prop_27_0 dhcp_prop_27_0 dumpstate_prop_27_0 ffs_prop_27_0 fingerprint_prop_27_0 logd_prop_27_0 net_radio_prop_27_0 nfc_prop_27_0 pan_result_prop_27_0 persist_debug_prop_27_0 powerctl_prop_27_0 radio_prop_27_0 restorecon_prop_27_0 shell_prop_27_0 system_prop_27_0 system_radio_prop_27_0 vold_prop_27_0))))))
+(typeattribute base_typeattr_166_27_0)
+(typeattributeset base_typeattr_166_27_0 ((and (domain) ((not (performanced_27_0))))))
+(typeattribute base_typeattr_165_27_0)
+(typeattributeset base_typeattr_165_27_0 ((and (domain) ((not (init_27_0 netd_27_0))))))
+(typeattribute base_typeattr_164_27_0)
+(typeattributeset base_typeattr_164_27_0 ((and (appdomain) ((not (su_27_0))))))
+(typeattribute base_typeattr_163_27_0)
+(typeattributeset base_typeattr_163_27_0 ((and (domain) ((not (dumpstate_27_0 netd_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_162_27_0)
+(typeattributeset base_typeattr_162_27_0 ((and (domain) ((not (netd_27_0))))))
+(typeattribute base_typeattr_161_27_0)
+(typeattributeset base_typeattr_161_27_0 ((and (domain) ((not (mediaserver_27_0))))))
+(typeattribute base_typeattr_160_27_0)
+(typeattributeset base_typeattr_160_27_0 ((and (domain) ((not (mediametrics_27_0))))))
+(typeattribute base_typeattr_159_27_0)
+(typeattributeset base_typeattr_159_27_0 ((and (domain) ((not (mediaextractor_27_0))))))
+(typeattribute base_typeattr_158_27_0)
+(typeattributeset base_typeattr_158_27_0 ((and (domain) ((not (mediadrmserver_27_0))))))
+(typeattribute base_typeattr_157_27_0)
+(typeattributeset base_typeattr_157_27_0 ((and (domain) ((not (mediacodec_27_0))))))
+(typeattribute base_typeattr_156_27_0)
+(typeattributeset base_typeattr_156_27_0 ((and (domain) ((not (init_27_0 logd_27_0))))))
+(typeattribute base_typeattr_155_27_0)
+(typeattributeset base_typeattr_155_27_0 ((and (domain) ((not (crash_dump_27_0))))))
+(typeattribute base_typeattr_154_27_0)
+(typeattributeset base_typeattr_154_27_0 ((and (domain) ((not (init_27_0 keystore_27_0))))))
+(typeattribute base_typeattr_153_27_0)
+(typeattributeset base_typeattr_153_27_0 ((and (domain) ((not (keystore_27_0))))))
+(typeattribute base_typeattr_152_27_0)
+(typeattributeset base_typeattr_152_27_0 ((and (domain) ((not (servicemanager_27_0 su_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_151_27_0)
+(typeattributeset base_typeattr_151_27_0 ((and (domain) ((not (dumpstate_27_0 installd_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_150_27_0)
+(typeattributeset base_typeattr_150_27_0 ((and (domain) ((not (installd_27_0))))))
+(typeattribute base_typeattr_149_27_0)
+(typeattributeset base_typeattr_149_27_0 ((and (domain) ((not (inputflinger_27_0))))))
+(typeattribute base_typeattr_148_27_0)
+(typeattributeset base_typeattr_148_27_0 ((and (fs_type file_type) ((not (init_exec_27_0))))))
+(typeattribute base_typeattr_147_27_0)
+(typeattributeset base_typeattr_147_27_0 ((and (dev_type) ((not (kmem_device_27_0 port_device_27_0))))))
+(typeattribute base_typeattr_146_27_0)
+(typeattributeset base_typeattr_146_27_0 ((and (dev_type) ((not (device_27_0 alarm_device_27_0 ashmem_device_27_0 binder_device_27_0 hwbinder_device_27_0 dm_device_27_0 keychord_device_27_0 console_device_27_0 hw_random_device_27_0 kmem_device_27_0 port_device_27_0 ptmx_device_27_0 kmsg_device_27_0 null_device_27_0 random_device_27_0 owntty_device_27_0 zero_device_27_0 devpts_27_0))))))
+(typeattribute base_typeattr_145_27_0)
+(typeattributeset base_typeattr_145_27_0 ((and (dev_type) ((not (device_27_0 vndbinder_device_27_0 kmem_device_27_0 port_device_27_0))))))
+(typeattribute base_typeattr_144_27_0)
+(typeattributeset base_typeattr_144_27_0 ((and (fs_type) ((not (contextmount_type sdcard_type rootfs_27_0))))))
+(typeattribute base_typeattr_143_27_0)
+(typeattributeset base_typeattr_143_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0))))))
+(typeattribute base_typeattr_142_27_0)
+(typeattributeset base_typeattr_142_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 runtime_event_log_tags_file_27_0 shell_data_file_27_0 keystore_data_file_27_0 vold_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
+(typeattribute base_typeattr_141_27_0)
+(typeattributeset base_typeattr_141_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 shell_data_file_27_0 keystore_data_file_27_0 vold_data_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
+(typeattribute base_typeattr_140_27_0)
+(typeattributeset base_typeattr_140_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 app_data_file_27_0 system_app_data_file_27_0 misc_logd_file_27_0))))))
+(typeattribute base_typeattr_139_27_0)
+(typeattributeset base_typeattr_139_27_0 ((and (domain) ((not (healthd_27_0))))))
+(typeattribute base_typeattr_138_27_0)
+(typeattributeset base_typeattr_138_27_0 ((and (domain) ((not (hal_wifi_supplicant_server))))))
+(typeattribute base_typeattr_137_27_0)
+(typeattributeset base_typeattr_137_27_0 ((and (domain) ((not (hal_wifi_offload_server))))))
+(typeattribute base_typeattr_136_27_0)
+(typeattributeset base_typeattr_136_27_0 ((and (domain) ((not (hal_wifi_server))))))
+(typeattribute base_typeattr_135_27_0)
+(typeattributeset base_typeattr_135_27_0 ((and (domain) ((not (hal_weaver_server))))))
+(typeattribute base_typeattr_134_27_0)
+(typeattributeset base_typeattr_134_27_0 ((and (domain) ((not (hal_vr_server))))))
+(typeattribute base_typeattr_133_27_0)
+(typeattributeset base_typeattr_133_27_0 ((and (domain) ((not (hal_vibrator_server))))))
+(typeattribute base_typeattr_132_27_0)
+(typeattributeset base_typeattr_132_27_0 ((and (domain) ((not (hal_usb_server))))))
+(typeattribute base_typeattr_131_27_0)
+(typeattributeset base_typeattr_131_27_0 ((and (domain) ((not (hal_tv_input_server))))))
+(typeattribute base_typeattr_130_27_0)
+(typeattributeset base_typeattr_130_27_0 ((and (domain) ((not (hal_tv_cec_server))))))
+(typeattribute base_typeattr_129_27_0)
+(typeattributeset base_typeattr_129_27_0 ((and (domain) ((not (hal_thermal_server))))))
+(typeattribute base_typeattr_128_27_0)
+(typeattributeset base_typeattr_128_27_0 ((and (domain) ((not (hal_telephony_server))))))
+(typeattribute base_typeattr_127_27_0)
+(typeattributeset base_typeattr_127_27_0 ((and (domain) ((not (hal_sensors_server))))))
+(typeattribute base_typeattr_126_27_0)
+(typeattributeset base_typeattr_126_27_0 ((and (domain) ((not (hal_power_server))))))
+(typeattribute base_typeattr_125_27_0)
+(typeattributeset base_typeattr_125_27_0 ((and (domain) ((not (hal_oemlock_server))))))
+(typeattribute base_typeattr_124_27_0)
+(typeattributeset base_typeattr_124_27_0 ((and (domain) ((not (hal_nfc_server))))))
+(typeattribute base_typeattr_123_27_0)
+(typeattributeset base_typeattr_123_27_0 ((and (halserverdomain) ((not (hal_dumpstate_server rild_27_0))))))
+(typeattribute base_typeattr_122_27_0)
+(typeattributeset base_typeattr_122_27_0 ((and (halserverdomain) ((not (hal_tetheroffload_server hal_wifi_server hal_wifi_supplicant_server rild_27_0))))))
+(typeattribute base_typeattr_121_27_0)
+(typeattributeset base_typeattr_121_27_0 ((and (halserverdomain) ((not (hal_bluetooth_server hal_wifi_server hal_wifi_supplicant_server rild_27_0))))))
+(typeattribute base_typeattr_120_27_0)
+(typeattributeset base_typeattr_120_27_0 ((and (domain) ((not (hal_neuralnetworks_server))))))
+(typeattribute base_typeattr_119_27_0)
+(typeattributeset base_typeattr_119_27_0 ((and (domain) ((not (hal_memtrack_server))))))
+(typeattribute base_typeattr_118_27_0)
+(typeattributeset base_typeattr_118_27_0 ((and (domain) ((not (hal_light_server))))))
+(typeattribute base_typeattr_117_27_0)
+(typeattributeset base_typeattr_117_27_0 ((and (domain) ((not (hal_keymaster_server))))))
+(typeattribute base_typeattr_116_27_0)
+(typeattributeset base_typeattr_116_27_0 ((and (domain) ((not (hal_ir_server))))))
+(typeattribute base_typeattr_115_27_0)
+(typeattributeset base_typeattr_115_27_0 ((and (domain) ((not (hal_health_server))))))
+(typeattribute base_typeattr_114_27_0)
+(typeattributeset base_typeattr_114_27_0 ((and (domain) ((not (hal_graphics_composer_server))))))
+(typeattribute base_typeattr_113_27_0)
+(typeattributeset base_typeattr_113_27_0 ((and (domain) ((not (hal_graphics_allocator_server))))))
+(typeattribute base_typeattr_112_27_0)
+(typeattributeset base_typeattr_112_27_0 ((and (domain) ((not (hal_gnss_server))))))
+(typeattribute base_typeattr_111_27_0)
+(typeattributeset base_typeattr_111_27_0 ((and (domain) ((not (hal_gatekeeper_server))))))
+(typeattribute base_typeattr_110_27_0)
+(typeattributeset base_typeattr_110_27_0 ((and (domain) ((not (hal_fingerprint_server))))))
+(typeattribute base_typeattr_109_27_0)
+(typeattributeset base_typeattr_109_27_0 ((and (domain) ((not (hal_dumpstate_server))))))
+(typeattribute base_typeattr_108_27_0)
+(typeattributeset base_typeattr_108_27_0 ((and (domain) ((not (hal_drm_server))))))
+(typeattribute base_typeattr_107_27_0)
+(typeattributeset base_typeattr_107_27_0 ((and (domain) ((not (hal_contexthub_server))))))
+(typeattribute base_typeattr_106_27_0)
+(typeattributeset base_typeattr_106_27_0 ((and (data_file_type) ((not (anr_data_file_27_0 tombstone_data_file_27_0 zoneinfo_data_file_27_0))))))
+(typeattribute base_typeattr_105_27_0)
+(typeattributeset base_typeattr_105_27_0 ((and (domain) ((not (hal_configstore_server logd_27_0 su_27_0 tombstoned_27_0))))))
+(typeattribute base_typeattr_104_27_0)
+(typeattributeset base_typeattr_104_27_0 ((and (domain) ((not (hal_configstore_server))))))
+(typeattribute base_typeattr_103_27_0)
+(typeattributeset base_typeattr_103_27_0 ((and (domain) ((not (hal_cas_server))))))
+(typeattribute base_typeattr_102_27_0)
+(typeattributeset base_typeattr_102_27_0 ((and (halserverdomain) ((not (hal_camera_server))))))
+(typeattribute base_typeattr_101_27_0)
+(typeattributeset base_typeattr_101_27_0 ((and (appdomain) ((not (isolated_app_27_0))))))
+(typeattribute base_typeattr_100_27_0)
+(typeattributeset base_typeattr_100_27_0 ((and (domain) ((not (hal_camera_server))))))
+(typeattribute base_typeattr_99_27_0)
+(typeattributeset base_typeattr_99_27_0 ((and (domain) ((not (hal_broadcastradio_server))))))
+(typeattribute base_typeattr_98_27_0)
+(typeattributeset base_typeattr_98_27_0 ((and (domain) ((not (hal_bootctl_server))))))
+(typeattribute base_typeattr_97_27_0)
+(typeattributeset base_typeattr_97_27_0 ((and (domain) ((not (hal_bluetooth_server))))))
+(typeattribute base_typeattr_96_27_0)
+(typeattributeset base_typeattr_96_27_0 ((and (halserverdomain) ((not (hal_audio_server))))))
+(typeattribute base_typeattr_95_27_0)
+(typeattributeset base_typeattr_95_27_0 ((and (domain) ((not (hal_audio_server))))))
+(typeattribute base_typeattr_94_27_0)
+(typeattributeset base_typeattr_94_27_0 ((and (domain) ((not (hal_allocator_server))))))
+(typeattribute base_typeattr_93_27_0)
+(typeattributeset base_typeattr_93_27_0 ((and (domain) ((not (gatekeeperd_27_0))))))
+(typeattribute base_typeattr_92_27_0)
+(typeattributeset base_typeattr_92_27_0 ((and (domain) ((not (vold_27_0))))))
+(typeattribute base_typeattr_91_27_0)
+(typeattributeset base_typeattr_91_27_0 ((and (fs_type file_type) ((not (fsck_exec_27_0))))))
+(typeattribute base_typeattr_90_27_0)
+(typeattributeset base_typeattr_90_27_0 ((and (domain) ((not (init_27_0 vold_27_0))))))
+(typeattribute base_typeattr_89_27_0)
+(typeattributeset base_typeattr_89_27_0 ((and (domain) ((not (fingerprintd_27_0))))))
+(typeattribute base_typeattr_88_27_0)
+(typeattributeset base_typeattr_88_27_0 ((and (domain) ((not (dumpstate_27_0 shell_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_87_27_0)
+(typeattributeset base_typeattr_87_27_0 ((and (domain) ((not (dumpstate_27_0))))))
+(typeattribute base_typeattr_86_27_0)
+(typeattributeset base_typeattr_86_27_0 ((and (service_manager_type) ((not (dumpstate_service_27_0 gatekeeper_service_27_0 incident_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0))))))
+(typeattribute base_typeattr_85_27_0)
+(typeattributeset base_typeattr_85_27_0 ((and (domain) ((not (drmserver_27_0))))))
+(typeattribute base_typeattr_84_27_0)
+(typeattributeset base_typeattr_84_27_0 ((not (coredomain))))
+(typeattribute base_typeattr_83_27_0)
+(typeattributeset base_typeattr_83_27_0 ((not (rootfs_27_0 system_file_27_0 vendor_file_27_0))))
+(typeattribute base_typeattr_82_27_0)
+(typeattributeset base_typeattr_82_27_0 ((and (domain) ((not (installd_27_0 profman_27_0))))))
+(typeattribute base_typeattr_81_27_0)
+(typeattributeset base_typeattr_81_27_0 ((and (domain) ((not (dumpstate_27_0 init_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_80_27_0)
+(typeattributeset base_typeattr_80_27_0 ((not (hwservicemanager_27_0))))
+(typeattribute base_typeattr_79_27_0)
+(typeattributeset base_typeattr_79_27_0 ((not (servicemanager_27_0 vndservicemanager_27_0))))
+(typeattribute base_typeattr_78_27_0)
+(typeattributeset base_typeattr_78_27_0 ((and (domain) ((not (appdomain adbd_27_0 dumpstate_27_0 installd_27_0 uncrypt_27_0))))))
+(typeattribute base_typeattr_77_27_0)
+(typeattributeset base_typeattr_77_27_0 ((and (domain) ((not (appdomain adbd_27_0 dumpstate_27_0 init_27_0 installd_27_0 system_server_27_0 uncrypt_27_0))))))
+(typeattribute base_typeattr_76_27_0)
+(typeattributeset base_typeattr_76_27_0 ((and (domain) ((not (adbd_27_0 dumpstate_27_0 init_27_0 installd_27_0 shell_27_0 vold_27_0))))))
+(typeattribute base_typeattr_75_27_0)
+(typeattributeset base_typeattr_75_27_0 ((and (domain) ((not (installd_27_0 shell_27_0 uncrypt_27_0))))))
+(typeattribute base_typeattr_74_27_0)
+(typeattributeset base_typeattr_74_27_0 ((and (domain) ((not (appdomain installd_27_0 uncrypt_27_0))))))
+(typeattribute base_typeattr_73_27_0)
+(typeattributeset base_typeattr_73_27_0 ((and (appdomain) ((not (shell_27_0 su_27_0))))))
+(typeattribute base_typeattr_72_27_0)
+(typeattributeset base_typeattr_72_27_0 ((and (domain) ((not (runas_27_0 webview_zygote_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_71_27_0)
+(typeattributeset base_typeattr_71_27_0 ((and (domain) ((not (adbd_27_0 init_27_0 runas_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_70_27_0)
+(typeattributeset base_typeattr_70_27_0 ((and (domain) ((not (appdomain installd_27_0))))))
+(typeattribute base_typeattr_69_27_0)
+(typeattributeset base_typeattr_69_27_0 ((and (domain) ((not (appdomain installd_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_68_27_0)
+(typeattributeset base_typeattr_68_27_0 ((and (domain) ((not (init_27_0 installd_27_0 system_app_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_67_27_0)
+(typeattributeset base_typeattr_67_27_0 ((not (domain))))
+(typeattribute base_typeattr_66_27_0)
+(typeattributeset base_typeattr_66_27_0 ((and (domain) ((not (untrusted_app_all))))))
+(typeattribute base_typeattr_65_27_0)
+(typeattributeset base_typeattr_65_27_0 ((and (file_type) ((not (apk_data_file_27_0 app_data_file_27_0 asec_public_file_27_0))))))
+(typeattribute base_typeattr_64_27_0)
+(typeattributeset base_typeattr_64_27_0 ((and (domain) ((not (dumpstate_27_0 shell_27_0 su_27_0))))))
+(typeattribute base_typeattr_63_27_0)
+(typeattributeset base_typeattr_63_27_0 ((and (domain) ((not (dumpstate_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_62_27_0)
+(typeattributeset base_typeattr_62_27_0 ((and (domain) ((not (crash_dump_27_0 dumpstate_27_0 mediacodec_27_0 mediaextractor_27_0 system_server_27_0 tombstoned_27_0))))))
+(typeattribute base_typeattr_61_27_0)
+(typeattributeset base_typeattr_61_27_0 ((and (domain) ((not (system_server_27_0 webview_zygote_27_0))))))
+(typeattribute base_typeattr_60_27_0)
+(typeattributeset base_typeattr_60_27_0 ((and (domain) ((not (system_server_27_0))))))
+(typeattribute base_typeattr_59_27_0)
+(typeattributeset base_typeattr_59_27_0 ((and (domain) ((not (system_server_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_58_27_0)
+(typeattributeset base_typeattr_58_27_0 ((and (domain) ((not (cppreopts_27_0 dex2oat_27_0 init_27_0 installd_27_0 otapreopt_slot_27_0 postinstall_dexopt_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_57_27_0)
+(typeattributeset base_typeattr_57_27_0 ((and (exec_type) ((not (vendor_file_type crash_dump_exec_27_0 netutils_wrapper_exec_27_0))))))
+(typeattribute base_typeattr_56_27_0)
+(typeattributeset base_typeattr_56_27_0 ((and (domain) ((not (appdomain coredomain vendor_executes_system_violators rild_27_0))))))
+(typeattribute base_typeattr_55_27_0)
+(typeattributeset base_typeattr_55_27_0 ((and (coredomain) ((not (init_27_0))))))
+(typeattribute base_typeattr_54_27_0)
+(typeattributeset base_typeattr_54_27_0 ((and (coredomain) ((not (appdomain idmap_27_0 init_27_0 installd_27_0 system_server_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_53_27_0)
+(typeattributeset base_typeattr_53_27_0 ((and (coredomain) ((not (appdomain dex2oat_27_0 idmap_27_0 init_27_0 installd_27_0 postinstall_dexopt_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_52_27_0)
+(typeattributeset base_typeattr_52_27_0 ((and (dev_type file_type) ((not (core_data_file_type coredomain_socket unlabeled_27_0))))))
+(typeattribute base_typeattr_51_27_0)
+(typeattributeset base_typeattr_51_27_0 ((and (coredomain) ((not (socket_between_core_and_vendor_violators init_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_50_27_0)
+(typeattributeset base_typeattr_50_27_0 ((and (core_data_file_type coredomain_socket unlabeled_27_0) ((not (pdx_endpoint_socket_type pdx_channel_socket_type app_data_file_27_0))))))
+(typeattribute base_typeattr_49_27_0)
+(typeattributeset base_typeattr_49_27_0 ((and (domain) ((not (netdomain coredomain socket_between_core_and_vendor_violators))))))
+(typeattribute base_typeattr_48_27_0)
+(typeattributeset base_typeattr_48_27_0 ((and (coredomain) ((not (incidentd_27_0 init_27_0 logd_27_0 mdnsd_27_0 netd_27_0 su_27_0 tombstoned_27_0))))))
+(typeattribute base_typeattr_47_27_0)
+(typeattributeset base_typeattr_47_27_0 ((and (domain) ((not (appdomain coredomain socket_between_core_and_vendor_violators))))))
+(typeattribute base_typeattr_46_27_0)
+(typeattributeset base_typeattr_46_27_0 ((and (domain) ((not (coredomain socket_between_core_and_vendor_violators))))))
+(typeattribute base_typeattr_45_27_0)
+(typeattributeset base_typeattr_45_27_0 ((and (coredomain) ((not (adbd_27_0 init_27_0))))))
+(typeattribute base_typeattr_44_27_0)
+(typeattributeset base_typeattr_44_27_0 ((and (coredomain) ((not (shell_27_0 su_27_0))))))
+(typeattribute base_typeattr_43_27_0)
+(typeattributeset base_typeattr_43_27_0 ((and (coredomain) ((not (shell_27_0 su_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_42_27_0)
+(typeattributeset base_typeattr_42_27_0 ((and (service_manager_type) ((not (app_api_service ephemeral_app_api_service audioserver_service_27_0 cameraserver_service_27_0 drmserver_service_27_0 keystore_service_27_0 mediaserver_service_27_0 mediametrics_service_27_0 mediaextractor_service_27_0 mediadrmserver_service_27_0 nfc_service_27_0 radio_service_27_0 surfaceflinger_service_27_0 virtual_touchpad_service_27_0 vr_hwc_service_27_0 vr_manager_service_27_0))))))
+(typeattribute base_typeattr_41_27_0)
+(typeattributeset base_typeattr_41_27_0 ((and (appdomain) ((not (coredomain))))))
+(typeattribute base_typeattr_40_27_0)
+(typeattributeset base_typeattr_40_27_0 ((and (domain) ((not (appdomain coredomain binder_in_vendor_violators))))))
+(typeattribute base_typeattr_39_27_0)
+(typeattributeset base_typeattr_39_27_0 ((and (domain) ((not (hwservicemanager_27_0 servicemanager_27_0 vndservicemanager_27_0))))))
+(typeattribute base_typeattr_38_27_0)
+(typeattributeset base_typeattr_38_27_0 ((and (domain) ((not (domain hal_bootctl init_27_0 recovery_27_0 ueventd_27_0 uncrypt_27_0 update_engine_27_0 vold_27_0))))))
+(typeattribute base_typeattr_37_27_0)
+(typeattributeset base_typeattr_37_27_0 ((and (domain) ((not (install_recovery_27_0 recovery_27_0))))))
+(typeattribute base_typeattr_36_27_0)
+(typeattributeset base_typeattr_36_27_0 ((and (domain) ((not (recovery_27_0 update_engine_27_0))))))
+(typeattribute base_typeattr_35_27_0)
+(typeattributeset base_typeattr_35_27_0 ((and (domain) ((not (init_27_0 recovery_27_0 vold_27_0))))))
+(typeattribute base_typeattr_34_27_0)
+(typeattributeset base_typeattr_34_27_0 ((and (domain) ((not (init_27_0 recovery_27_0 shell_27_0 system_server_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_33_27_0)
+(typeattributeset base_typeattr_33_27_0 ((and (domain) ((not (init_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_32_27_0)
+(typeattributeset base_typeattr_32_27_0 ((and (domain) ((not (hal_drm hal_cas adbd_27_0 dumpstate_27_0 init_27_0 mediadrmserver_27_0 recovery_27_0 shell_27_0 system_server_27_0))))))
+(typeattribute base_typeattr_31_27_0)
+(typeattributeset base_typeattr_31_27_0 ((and (fs_type) ((not (contextmount_type))))))
+(typeattribute base_typeattr_30_27_0)
+(typeattributeset base_typeattr_30_27_0 ((and (domain) ((not (kernel_27_0 recovery_27_0))))))
+(typeattribute base_typeattr_29_27_0)
+(typeattributeset base_typeattr_29_27_0 ((and (domain) ((not (shell_27_0))))))
+(typeattribute base_typeattr_28_27_0)
+(typeattributeset base_typeattr_28_27_0 ((and (data_file_type) ((not (system_data_file_27_0 apk_data_file_27_0 dalvikcache_data_file_27_0))))))
+(typeattribute base_typeattr_27_27_0)
+(typeattributeset base_typeattr_27_27_0 ((and (domain) ((not (appdomain))))))
+(typeattribute base_typeattr_26_27_0)
+(typeattributeset base_typeattr_26_27_0 ((and (fs_type) ((not (rootfs_27_0))))))
+(typeattribute base_typeattr_25_27_0)
+(typeattributeset base_typeattr_25_27_0 ((and (domain) ((not (appdomain recovery_27_0))))))
+(typeattribute base_typeattr_24_27_0)
+(typeattributeset base_typeattr_24_27_0 ((and (file_type) ((not (exec_type vendor_file_type system_file_27_0 postinstall_file_27_0))))))
+(typeattribute base_typeattr_23_27_0)
+(typeattributeset base_typeattr_23_27_0 ((and (domain) ((not (appdomain dumpstate_27_0 shell_27_0 su_27_0 webview_zygote_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_22_27_0)
+(typeattributeset base_typeattr_22_27_0 ((and (fs_type) ((not (sdcard_type))))))
+(typeattribute base_typeattr_21_27_0)
+(typeattributeset base_typeattr_21_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 otapreopt_chroot_27_0 recovery_27_0 update_engine_27_0 vold_27_0 zygote_27_0))))))
+(typeattribute base_typeattr_20_27_0)
+(typeattributeset base_typeattr_20_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 recovery_27_0))))))
+(typeattribute base_typeattr_19_27_0)
+(typeattributeset base_typeattr_19_27_0 ((and (domain) ((not (init_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_18_27_0)
+(typeattributeset base_typeattr_18_27_0 ((and (domain) ((not (shell_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_17_27_0)
+(typeattributeset base_typeattr_17_27_0 ((and (file_type) ((not (exec_type postinstall_file_27_0))))))
+(typeattribute base_typeattr_16_27_0)
+(typeattributeset base_typeattr_16_27_0 ((and (domain) ((not (init_27_0 shell_27_0 system_server_27_0 ueventd_27_0))))))
+(typeattribute base_typeattr_15_27_0)
+(typeattributeset base_typeattr_15_27_0 ((and (domain) ((not (kernel_27_0))))))
+(typeattribute base_typeattr_14_27_0)
+(typeattributeset base_typeattr_14_27_0 ((and (domain) ((not (recovery_27_0))))))
+(typeattribute base_typeattr_13_27_0)
+(typeattributeset base_typeattr_13_27_0 ((and (domain) ((not (domain healthd_27_0 init_27_0 kernel_27_0 recovery_27_0 tee_27_0 ueventd_27_0 uncrypt_27_0))))))
+(typeattribute base_typeattr_12_27_0)
+(typeattributeset base_typeattr_12_27_0 ((and (domain) ((not (init_27_0 kernel_27_0 ueventd_27_0 vold_27_0))))))
+(typeattribute base_typeattr_11_27_0)
+(typeattributeset base_typeattr_11_27_0 ((and (domain) ((not (init_27_0 recovery_27_0))))))
+(typeattribute base_typeattr_10_27_0)
+(typeattributeset base_typeattr_10_27_0 ((all)))
+(typeattribute base_typeattr_9_27_0)
+(typeattributeset base_typeattr_9_27_0 ((and (domain) ((not (domain))))))
+(typeattribute base_typeattr_8_27_0)
+(typeattributeset base_typeattr_8_27_0 ((and (domain) ((not (coredomain))))))
+(typeattribute base_typeattr_7_27_0)
+(typeattributeset base_typeattr_7_27_0 ((and (domain) ((not (isolated_app_27_0 servicemanager_27_0 vndservicemanager_27_0))))))
+(typeattribute base_typeattr_6_27_0)
+(typeattributeset base_typeattr_6_27_0 ((and (appdomain coredomain binder_in_vendor_violators) ((not (hwservicemanager_27_0))))))
+(typeattribute base_typeattr_5_27_0)
+(typeattributeset base_typeattr_5_27_0 ((and (domain) ((not (init_27_0))))))
+(typeattribute base_typeattr_4_27_0)
+(typeattributeset base_typeattr_4_27_0 ((and (domain) ((not (display_service_server))))))
+(typeattribute base_typeattr_3_27_0)
+(typeattributeset base_typeattr_3_27_0 ((and (domain) ((not (crash_dump_27_0 init_27_0 keystore_27_0 logd_27_0))))))
+(typeattribute base_typeattr_2_27_0)
+(typeattributeset base_typeattr_2_27_0 ((and (domain) ((not (cameraserver_27_0))))))
+(typeattribute base_typeattr_1_27_0)
+(typeattributeset base_typeattr_1_27_0 ((and (domain) ((not (bufferhubd_27_0))))))
diff --git a/prebuilts/api/27.0/private/access_vectors b/prebuilts/api/27.0/private/access_vectors
new file mode 100644
index 0000000..14e1712
--- /dev/null
+++ b/prebuilts/api/27.0/private/access_vectors
@@ -0,0 +1,717 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
diff --git a/prebuilts/api/27.0/private/adbd.te b/prebuilts/api/27.0/private/adbd.te
new file mode 100644
index 0000000..47a6cbd
--- /dev/null
+++ b/prebuilts/api/27.0/private/adbd.te
@@ -0,0 +1,143 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:capability setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
new file mode 100644
index 0000000..9251ed9
--- /dev/null
+++ b/prebuilts/api/27.0/private/app.te
@@ -0,0 +1,542 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain ashmem_device:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow appdomain qtaguid_proc:file rw_file_perms;
+# read /proc/net/xt_qtguid/stats
+r_dir_file({ appdomain -ephemeral_app}, proc_net)
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow appdomain qtaguid_device:chr_file r_file_perms;
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
+
+# Access OBBs (vfat images) mounted by vold (b/17633509)
+# File write access allowed for FDs returned through Storage Access Framework
+allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability *;
+neverallow { appdomain -bluetooth } self:capability2 *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow appdomain
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain vold_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Write access to /proc/pid entries for any non-app domain.
+neverallow appdomain { domain -appdomain }:file write;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow appdomain { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/private/app_neverallows.te b/prebuilts/api/27.0/private/app_neverallows.te
new file mode 100644
index 0000000..a3d7d49
--- /dev/null
+++ b/prebuilts/api/27.0/private/app_neverallows.te
@@ -0,0 +1,230 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_all
+ untrusted_v2_app
+}')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps debugfs_type:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+ fs_type
+ -fuse # sdcard
+ -sdcardfs # sdcard
+ -vfat
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, many
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ -same_process_hwservice
+ -coredomain_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
+ -hal_graphics_allocator_hwservice
+ -hal_omx_hwservice
+ -hal_cas_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_neuralnetworks_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_offload_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+ system_net_netd_hwservice
+ thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -hal_cas_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -untrusted_app_visible_halserver
+ }:binder { call transfer };
+')
diff --git a/prebuilts/api/27.0/private/asan_extract.te b/prebuilts/api/27.0/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/prebuilts/api/27.0/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/prebuilts/api/27.0/private/atrace.te b/prebuilts/api/27.0/private/atrace.te
new file mode 100644
index 0000000..5de9f99
--- /dev/null
+++ b/prebuilts/api/27.0/private/atrace.te
@@ -0,0 +1,27 @@
+# Domain for atrace process spawned by boottrace service.
+
+type atrace_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+ type atrace, domain, coredomain, domain_deprecated;
+
+ init_daemon_domain(atrace)
+
+ # boottrace services uses /data/misc/boottrace/categories
+ allow atrace boottrace_data_file:dir search;
+ allow atrace boottrace_data_file:file r_file_perms;
+
+ # Allow atrace to access tracefs.
+ allow atrace debugfs_tracing:dir r_dir_perms;
+ allow atrace debugfs_tracing:file rw_file_perms;
+ allow atrace debugfs_tracing_debug:file rw_file_perms;
+ allow atrace debugfs_trace_marker:file getattr;
+
+ # atrace sets debug.atrace.* properties
+ set_prop(atrace, debug_prop)
+
+ # atrace pokes all the binder-enabled processes at startup.
+ binder_use(atrace)
+ allow atrace healthd:binder call;
+ allow atrace surfaceflinger:binder call;
+')
diff --git a/private/attributes b/prebuilts/api/27.0/private/attributes
similarity index 100%
rename from private/attributes
rename to prebuilts/api/27.0/private/attributes
diff --git a/prebuilts/api/27.0/private/audioserver.te b/prebuilts/api/27.0/private/audioserver.te
new file mode 100644
index 0000000..9119daa
--- /dev/null
+++ b/prebuilts/api/27.0/private/audioserver.te
@@ -0,0 +1,66 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type;
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/private/binder_in_vendor_violators.te b/prebuilts/api/27.0/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/prebuilts/api/27.0/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/private/binderservicedomain.te b/prebuilts/api/27.0/private/binderservicedomain.te
new file mode 100644
index 0000000..0891ee5
--- /dev/null
+++ b/prebuilts/api/27.0/private/binderservicedomain.te
@@ -0,0 +1,22 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/27.0/private/blkid.te b/prebuilts/api/27.0/private/blkid.te
new file mode 100644
index 0000000..090912b
--- /dev/null
+++ b/prebuilts/api/27.0/private/blkid.te
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/private/blkid_untrusted.te b/prebuilts/api/27.0/private/blkid_untrusted.te
new file mode 100644
index 0000000..1256771
--- /dev/null
+++ b/prebuilts/api/27.0/private/blkid_untrusted.te
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/private/bluetooth.te b/prebuilts/api/27.0/private/bluetooth.te
new file mode 100644
index 0000000..451d27a
--- /dev/null
+++ b/prebuilts/api/27.0/private/bluetooth.te
@@ -0,0 +1,76 @@
+# bluetooth app
+
+typeattribute bluetooth coredomain;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:capability net_admin;
+allow bluetooth self:capability2 wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth surfaceflinger_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:capability sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/27.0/private/bluetoothdomain.te b/prebuilts/api/27.0/private/bluetoothdomain.te
new file mode 100644
index 0000000..fe4f0e6
--- /dev/null
+++ b/prebuilts/api/27.0/private/bluetoothdomain.te
@@ -0,0 +1,2 @@
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/27.0/private/bootanim.te b/prebuilts/api/27.0/private/bootanim.te
new file mode 100644
index 0000000..8c9f6c7
--- /dev/null
+++ b/prebuilts/api/27.0/private/bootanim.te
@@ -0,0 +1,3 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
diff --git a/prebuilts/api/27.0/private/bootstat.te b/prebuilts/api/27.0/private/bootstat.te
new file mode 100644
index 0000000..806144c
--- /dev/null
+++ b/prebuilts/api/27.0/private/bootstat.te
@@ -0,0 +1,3 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
diff --git a/prebuilts/api/27.0/private/bufferhubd.te b/prebuilts/api/27.0/private/bufferhubd.te
new file mode 100644
index 0000000..012eb20
--- /dev/null
+++ b/prebuilts/api/27.0/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/27.0/private/cameraserver.te b/prebuilts/api/27.0/private/cameraserver.te
new file mode 100644
index 0000000..c16c132
--- /dev/null
+++ b/prebuilts/api/27.0/private/cameraserver.te
@@ -0,0 +1,3 @@
+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/27.0/private/charger.te b/prebuilts/api/27.0/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/prebuilts/api/27.0/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/prebuilts/api/27.0/private/clatd.te b/prebuilts/api/27.0/private/clatd.te
new file mode 100644
index 0000000..c09398d
--- /dev/null
+++ b/prebuilts/api/27.0/private/clatd.te
@@ -0,0 +1,2 @@
+typeattribute clatd coredomain;
+typeattribute clatd domain_deprecated;
diff --git a/prebuilts/api/27.0/private/compat/26.0/26.0.cil b/prebuilts/api/27.0/private/compat/26.0/26.0.cil
new file mode 100644
index 0000000..40bec84
--- /dev/null
+++ b/prebuilts/api/27.0/private/compat/26.0/26.0.cil
@@ -0,0 +1,708 @@
+;; private attributes removed from public types
+(typeattributeset domain_deprecated (bluetooth_26_0))
+
+;; attributes removed from current policy
+(typeattribute hal_wifi_keystore)
+(typeattribute hal_wifi_keystore_client)
+(typeattribute hal_wifi_keystore_server)
+
+;; types removed from current policy
+(type asan_reboot_prop)
+(type log_device)
+(type mediacasserver_service)
+(type tracing_shell_writable)
+(type tracing_shell_writable_debug)
+
+(typeattributeset accessibility_service_26_0 (accessibility_service))
+(typeattributeset account_service_26_0 (account_service))
+(typeattributeset activity_service_26_0 (activity_service))
+(typeattributeset adbd_26_0 (adbd))
+(typeattributeset adb_data_file_26_0 (adb_data_file))
+(typeattributeset adbd_socket_26_0 (adbd_socket))
+(typeattributeset adb_keys_file_26_0 (adb_keys_file))
+(typeattributeset alarm_device_26_0 (alarm_device))
+(typeattributeset alarm_service_26_0 (alarm_service))
+(typeattributeset anr_data_file_26_0 (anr_data_file))
+(typeattributeset apk_data_file_26_0 (apk_data_file))
+(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
+(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_fuse_file_26_0 (app_fuse_file))
+(typeattributeset app_fusefs_26_0 (app_fusefs))
+(typeattributeset appops_service_26_0 (appops_service))
+(typeattributeset appwidget_service_26_0 (appwidget_service))
+(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
+(typeattributeset asec_apk_file_26_0 (asec_apk_file))
+(typeattributeset asec_image_file_26_0 (asec_image_file))
+(typeattributeset asec_public_file_26_0 (asec_public_file))
+(typeattributeset ashmem_device_26_0 (ashmem_device))
+(typeattributeset assetatlas_service_26_0 (assetatlas_service))
+(typeattributeset audio_data_file_26_0 (audio_data_file))
+(typeattributeset audio_device_26_0 (audio_device))
+(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
+(typeattributeset audio_prop_26_0 (audio_prop))
+(typeattributeset audio_seq_device_26_0 (audio_seq_device))
+(typeattributeset audioserver_26_0 (audioserver))
+(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
+(typeattributeset audioserver_service_26_0 (audioserver_service))
+(typeattributeset audio_service_26_0 (audio_service))
+(typeattributeset audio_timer_device_26_0 (audio_timer_device))
+(typeattributeset autofill_service_26_0 (autofill_service))
+(typeattributeset backup_data_file_26_0 (backup_data_file))
+(typeattributeset backup_service_26_0 (backup_service))
+(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
+(typeattributeset battery_service_26_0 (battery_service))
+(typeattributeset batterystats_service_26_0 (batterystats_service))
+(typeattributeset binder_device_26_0 (binder_device))
+(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
+(typeattributeset blkid_26_0 (blkid))
+(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
+(typeattributeset block_device_26_0 (block_device))
+(typeattributeset bluetooth_26_0 (bluetooth))
+(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_26_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
+(typeattributeset bootanim_26_0 (bootanim))
+(typeattributeset bootanim_exec_26_0 (bootanim_exec))
+(typeattributeset boot_block_device_26_0 (boot_block_device))
+(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
+(typeattributeset bootstat_26_0 (bootstat))
+(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_26_0 (bootstat_exec))
+(typeattributeset boottime_prop_26_0 (boottime_prop))
+(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
+(typeattributeset bufferhubd_26_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_26_0 (cache_backup_file))
+(typeattributeset cache_block_device_26_0 (cache_block_device))
+(typeattributeset cache_file_26_0 (cache_file))
+(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
+(typeattributeset camera_data_file_26_0 (camera_data_file))
+(typeattributeset camera_device_26_0 (camera_device))
+(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
+(typeattributeset cameraserver_26_0 (cameraserver))
+(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_26_0 (cameraserver_service))
+(typeattributeset cgroup_26_0 (cgroup))
+(typeattributeset charger_26_0 (charger))
+(typeattributeset clatd_26_0 (clatd))
+(typeattributeset clatd_exec_26_0 (clatd_exec))
+(typeattributeset clipboard_service_26_0 (clipboard_service))
+(typeattributeset commontime_management_service_26_0 (commontime_management_service))
+(typeattributeset companion_device_service_26_0 (companion_device_service))
+(typeattributeset configfs_26_0 (configfs))
+(typeattributeset config_prop_26_0 (config_prop))
+(typeattributeset connectivity_service_26_0 (connectivity_service))
+(typeattributeset connmetrics_service_26_0 (connmetrics_service))
+(typeattributeset console_device_26_0 (console_device))
+(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
+(typeattributeset content_service_26_0 (content_service))
+(typeattributeset contexthub_service_26_0 (contexthub_service))
+(typeattributeset coredump_file_26_0 (coredump_file))
+(typeattributeset country_detector_service_26_0 (country_detector_service))
+(typeattributeset coverage_service_26_0 (coverage_service))
+(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
+(typeattributeset cppreopts_26_0 (cppreopts))
+(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_26_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
+(typeattributeset crash_dump_26_0 (crash_dump))
+(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
+(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
+(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
+(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_26_0 (dalvik_prop))
+(typeattributeset dbinfo_service_26_0 (dbinfo_service))
+(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
+(typeattributeset debug_prop_26_0 (debug_prop))
+(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
+(typeattributeset default_android_service_26_0 (default_android_service))
+(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
+(typeattributeset default_prop_26_0 (default_prop))
+(typeattributeset device_26_0 (device))
+(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_26_0 (deviceidle_service))
+(typeattributeset device_logging_prop_26_0 (device_logging_prop))
+(typeattributeset device_policy_service_26_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
+(typeattributeset devpts_26_0 (devpts))
+(typeattributeset dex2oat_26_0 (dex2oat))
+(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
+(typeattributeset dhcp_26_0 (dhcp))
+(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_26_0 (dhcp_exec))
+(typeattributeset dhcp_prop_26_0 (dhcp_prop))
+(typeattributeset diskstats_service_26_0 (diskstats_service))
+(typeattributeset display_service_26_0 (display_service))
+(typeattributeset dm_device_26_0 (dm_device))
+(typeattributeset dnsmasq_26_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_26_0 (DockObserver_service))
+(typeattributeset dreams_service_26_0 (dreams_service))
+(typeattributeset drm_data_file_26_0 (drm_data_file))
+(typeattributeset drmserver_26_0 (drmserver))
+(typeattributeset drmserver_exec_26_0 (drmserver_exec))
+(typeattributeset drmserver_service_26_0 (drmserver_service))
+(typeattributeset drmserver_socket_26_0 (drmserver_socket))
+(typeattributeset dropbox_service_26_0 (dropbox_service))
+(typeattributeset dumpstate_26_0 (dumpstate))
+(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_26_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
+(typeattributeset efs_file_26_0 (efs_file))
+(typeattributeset ephemeral_app_26_0 (ephemeral_app))
+(typeattributeset ethernet_service_26_0 (ethernet_service))
+(typeattributeset ffs_prop_26_0 (ffs_prop))
+(typeattributeset file_contexts_file_26_0 (file_contexts_file))
+(typeattributeset fingerprintd_26_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_26_0 (fingerprint_service))
+(typeattributeset firstboot_prop_26_0 (firstboot_prop))
+(typeattributeset font_service_26_0 (font_service))
+(typeattributeset frp_block_device_26_0 (frp_block_device))
+(typeattributeset fsck_26_0 (fsck))
+(typeattributeset fsck_exec_26_0 (fsck_exec))
+(typeattributeset fscklogs_26_0 (fscklogs))
+(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
+(typeattributeset full_device_26_0 (full_device))
+(typeattributeset functionfs_26_0 (functionfs))
+(typeattributeset fuse_26_0 (fuse))
+(typeattributeset fuse_device_26_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_26_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
+(typeattributeset gps_control_26_0 (gps_control))
+(typeattributeset gpu_device_26_0 (gpu_device))
+(typeattributeset gpu_service_26_0 (gpu_service))
+(typeattributeset graphics_device_26_0 (graphics_device))
+(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
+(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
+(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
+(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
+(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
+(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
+(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
+(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
+(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
+(typeattributeset hardware_service_26_0 (hardware_service))
+(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
+(typeattributeset healthd_26_0 (healthd))
+(typeattributeset healthd_exec_26_0 (healthd_exec))
+(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_26_0 (hwbinder_device))
+(typeattributeset hw_random_device_26_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_26_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_26_0 (i2c_device))
+(typeattributeset icon_file_26_0 (icon_file))
+(typeattributeset idmap_26_0 (idmap))
+(typeattributeset idmap_exec_26_0 (idmap_exec))
+(typeattributeset iio_device_26_0 (iio_device))
+(typeattributeset imms_service_26_0 (imms_service))
+(typeattributeset incident_26_0 (incident))
+(typeattributeset incidentd_26_0 (incidentd))
+(typeattributeset incident_data_file_26_0 (incident_data_file))
+(typeattributeset incident_service_26_0 (incident_service))
+(typeattributeset init_26_0 (init))
+(typeattributeset init_exec_26_0 (init_exec))
+(typeattributeset inotify_26_0 (inotify))
+(typeattributeset input_device_26_0 (input_device))
+(typeattributeset inputflinger_26_0 (inputflinger))
+(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_26_0 (inputflinger_service))
+(typeattributeset input_method_service_26_0 (input_method_service))
+(typeattributeset input_service_26_0 (input_service))
+(typeattributeset installd_26_0 (installd))
+(typeattributeset install_data_file_26_0 (install_data_file))
+(typeattributeset installd_exec_26_0 (installd_exec))
+(typeattributeset installd_service_26_0 (installd_service))
+(typeattributeset install_recovery_26_0 (install_recovery))
+(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
+(typeattributeset ion_device_26_0 (ion_device))
+(typeattributeset IProxyService_service_26_0 (IProxyService_service))
+(typeattributeset ipsec_service_26_0 (ipsec_service))
+(typeattributeset isolated_app_26_0 (isolated_app))
+(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
+(typeattributeset kernel_26_0 (kernel))
+(typeattributeset keychain_data_file_26_0 (keychain_data_file))
+(typeattributeset keychord_device_26_0 (keychord_device))
+(typeattributeset keystore_26_0 (keystore))
+(typeattributeset keystore_data_file_26_0 (keystore_data_file))
+(typeattributeset keystore_exec_26_0 (keystore_exec))
+(typeattributeset keystore_service_26_0 (keystore_service))
+(typeattributeset kmem_device_26_0 (kmem_device))
+(typeattributeset kmsg_device_26_0 (kmsg_device))
+(typeattributeset labeledfs_26_0 (labeledfs))
+(typeattributeset launcherapps_service_26_0 (launcherapps_service))
+(typeattributeset lmkd_26_0 (lmkd))
+(typeattributeset lmkd_exec_26_0 (lmkd_exec))
+(typeattributeset lmkd_socket_26_0 (lmkd_socket))
+(typeattributeset location_service_26_0 (location_service))
+(typeattributeset lock_settings_service_26_0 (lock_settings_service))
+(typeattributeset logcat_exec_26_0 (logcat_exec))
+(typeattributeset logd_26_0 (logd))
+(typeattributeset log_device_26_0 (log_device))
+(typeattributeset logd_exec_26_0 (logd_exec))
+(typeattributeset logd_prop_26_0 (logd_prop))
+(typeattributeset logdr_socket_26_0 (logdr_socket))
+(typeattributeset logd_socket_26_0 (logd_socket))
+(typeattributeset logdw_socket_26_0 (logdw_socket))
+(typeattributeset logpersist_26_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_26_0 (log_prop))
+(typeattributeset log_tag_prop_26_0 (log_tag_prop))
+(typeattributeset loop_control_device_26_0 (loop_control_device))
+(typeattributeset loop_device_26_0 (loop_device))
+(typeattributeset mac_perms_file_26_0 (mac_perms_file))
+(typeattributeset mdnsd_26_0 (mdnsd))
+(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
+(typeattributeset mdns_socket_26_0 (mdns_socket))
+(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset mediacodec_26_0 (mediacodec))
+(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_26_0 (mediacodec_service))
+(typeattributeset media_data_file_26_0 (media_data_file))
+(typeattributeset mediadrmserver_26_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_26_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
+(typeattributeset mediametrics_26_0 (mediametrics))
+(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_26_0 (mediametrics_service))
+(typeattributeset media_projection_service_26_0 (media_projection_service))
+(typeattributeset media_router_service_26_0 (media_router_service))
+(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
+(typeattributeset mediaserver_26_0 (mediaserver))
+(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_26_0 (mediaserver_service))
+(typeattributeset media_session_service_26_0 (media_session_service))
+(typeattributeset meminfo_service_26_0 (meminfo_service))
+(typeattributeset metadata_block_device_26_0 (metadata_block_device))
+(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
+(typeattributeset midi_service_26_0 (midi_service))
+(typeattributeset misc_block_device_26_0 (misc_block_device))
+(typeattributeset misc_logd_file_26_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
+(typeattributeset mmc_prop_26_0 (mmc_prop))
+(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_26_0 (mnt_user_file))
+(typeattributeset modprobe_26_0 (modprobe))
+(typeattributeset mount_service_26_0 (mount_service))
+(typeattributeset mqueue_26_0 (mqueue))
+(typeattributeset mtd_device_26_0 (mtd_device))
+(typeattributeset mtp_26_0 (mtp))
+(typeattributeset mtp_device_26_0 (mtp_device))
+(typeattributeset mtpd_socket_26_0 (mtpd_socket))
+(typeattributeset mtp_exec_26_0 (mtp_exec))
+(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
+(typeattributeset netd_26_0 (netd))
+(typeattributeset net_data_file_26_0 (net_data_file))
+(typeattributeset netd_exec_26_0 (netd_exec))
+(typeattributeset netd_listener_service_26_0 (netd_listener_service))
+(typeattributeset net_dns_prop_26_0 (net_dns_prop))
+(typeattributeset netd_service_26_0 (netd_service))
+(typeattributeset netd_socket_26_0 (netd_socket))
+(typeattributeset netif_26_0 (netif))
+(typeattributeset netpolicy_service_26_0 (netpolicy_service))
+(typeattributeset net_radio_prop_26_0 (net_radio_prop))
+(typeattributeset netstats_service_26_0 (netstats_service))
+(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_26_0 (network_management_service))
+(typeattributeset network_score_service_26_0 (network_score_service))
+(typeattributeset network_time_update_service_26_0 (network_time_update_service))
+(typeattributeset nfc_26_0 (nfc))
+(typeattributeset nfc_data_file_26_0 (nfc_data_file))
+(typeattributeset nfc_device_26_0 (nfc_device))
+(typeattributeset nfc_prop_26_0 (nfc_prop))
+(typeattributeset nfc_service_26_0 (nfc_service))
+(typeattributeset node_26_0 (node))
+(typeattributeset notification_service_26_0 (notification_service))
+(typeattributeset null_device_26_0 (null_device))
+(typeattributeset oemfs_26_0 (oemfs))
+(typeattributeset oem_lock_service_26_0 (oem_lock_service))
+(typeattributeset ota_data_file_26_0 (ota_data_file))
+(typeattributeset otadexopt_service_26_0 (otadexopt_service))
+(typeattributeset ota_package_file_26_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_26_0 (overlay_prop))
+(typeattributeset overlay_service_26_0 (overlay_service))
+(typeattributeset owntty_device_26_0 (owntty_device))
+(typeattributeset package_service_26_0 (package_service))
+(typeattributeset pan_result_prop_26_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
+(typeattributeset performanced_26_0 (performanced))
+(typeattributeset performanced_exec_26_0 (performanced_exec))
+(typeattributeset perfprofd_26_0 (perfprofd))
+(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
+(typeattributeset permission_service_26_0 (permission_service))
+(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_26_0 (pinner_service))
+(typeattributeset pipefs_26_0 (pipefs))
+(typeattributeset platform_app_26_0 (platform_app))
+(typeattributeset pmsg_device_26_0 (pmsg_device))
+(typeattributeset port_26_0 (port))
+(typeattributeset port_device_26_0 (port_device))
+(typeattributeset postinstall_26_0 (postinstall))
+(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_26_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_26_0 (powerctl_prop))
+(typeattributeset power_service_26_0 (power_service))
+(typeattributeset ppp_26_0 (ppp))
+(typeattributeset ppp_device_26_0 (ppp_device))
+(typeattributeset ppp_exec_26_0 (ppp_exec))
+(typeattributeset preloads_data_file_26_0 (preloads_data_file))
+(typeattributeset preloads_media_file_26_0 (preloads_media_file))
+(typeattributeset preopt2cachename_26_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
+(typeattributeset print_service_26_0 (print_service))
+(typeattributeset priv_app_26_0 (mediaprovider priv_app))
+(typeattributeset proc_26_0 (proc proc_uid_time_in_state))
+(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
+(typeattributeset processinfo_service_26_0 (processinfo_service))
+(typeattributeset proc_interrupts_26_0 (proc_interrupts))
+(typeattributeset proc_iomem_26_0 (proc_iomem))
+(typeattributeset proc_meminfo_26_0 (proc_meminfo))
+(typeattributeset proc_misc_26_0 (proc_misc))
+(typeattributeset proc_modules_26_0 (proc_modules))
+(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_26_0 (proc_perf))
+(typeattributeset proc_security_26_0 (proc_security))
+(typeattributeset proc_stat_26_0 (proc_stat))
+(typeattributeset procstats_service_26_0 (procstats_service))
+(typeattributeset proc_sysrq_26_0 (proc_sysrq))
+(typeattributeset proc_timer_26_0 (proc_timer))
+(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
+(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
+(typeattributeset profman_26_0 (profman))
+(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
+(typeattributeset profman_exec_26_0 (profman_exec))
+(typeattributeset properties_device_26_0 (properties_device))
+(typeattributeset properties_serial_26_0 (properties_serial))
+(typeattributeset property_contexts_file_26_0 (property_contexts_file))
+(typeattributeset property_data_file_26_0 (property_data_file))
+(typeattributeset property_socket_26_0 (property_socket))
+(typeattributeset pstorefs_26_0 (pstorefs))
+(typeattributeset ptmx_device_26_0 (ptmx_device))
+(typeattributeset qtaguid_device_26_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset racoon_26_0 (racoon))
+(typeattributeset racoon_exec_26_0 (racoon_exec))
+(typeattributeset racoon_socket_26_0 (racoon_socket))
+(typeattributeset radio_26_0 (radio))
+(typeattributeset radio_data_file_26_0 (radio_data_file))
+(typeattributeset radio_device_26_0 (radio_device))
+(typeattributeset radio_prop_26_0 (radio_prop))
+(typeattributeset radio_service_26_0 (radio_service))
+(typeattributeset ram_device_26_0 (ram_device))
+(typeattributeset random_device_26_0 (random_device))
+(typeattributeset reboot_data_file_26_0 (reboot_data_file))
+(typeattributeset recovery_26_0 (recovery))
+(typeattributeset recovery_block_device_26_0 (recovery_block_device))
+(typeattributeset recovery_data_file_26_0 (recovery_data_file))
+(typeattributeset recovery_persist_26_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_26_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_26_0 (recovery_service))
+(typeattributeset registry_service_26_0 (registry_service))
+(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_26_0 (restorecon_prop))
+(typeattributeset restrictions_service_26_0 (restrictions_service))
+(typeattributeset rild_26_0 (rild))
+(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
+(typeattributeset rild_socket_26_0 (rild_socket))
+(typeattributeset ringtone_file_26_0 (ringtone_file))
+(typeattributeset root_block_device_26_0 (root_block_device))
+(typeattributeset rootfs_26_0 (rootfs))
+(typeattributeset rpmsg_device_26_0 (rpmsg_device))
+(typeattributeset rtc_device_26_0 (rtc_device))
+(typeattributeset rttmanager_service_26_0 (rttmanager_service))
+(typeattributeset runas_26_0 (runas))
+(typeattributeset runas_exec_26_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_26_0 (safemode_prop))
+(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
+(typeattributeset sdcardd_26_0 (sdcardd))
+(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
+(typeattributeset sdcardfs_26_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
+(typeattributeset search_service_26_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_26_0 (selinuxfs))
+(typeattributeset sensors_device_26_0 (sensors_device))
+(typeattributeset sensorservice_service_26_0 (sensorservice_service))
+(typeattributeset sepolicy_file_26_0 (sepolicy_file))
+(typeattributeset serial_device_26_0 (serial_device))
+(typeattributeset serialno_prop_26_0 (serialno_prop))
+(typeattributeset serial_service_26_0 (serial_service))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
+(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
+(typeattributeset servicemanager_26_0 (servicemanager))
+(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
+(typeattributeset settings_service_26_0 (settings_service))
+(typeattributeset sgdisk_26_0 (sgdisk))
+(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
+(typeattributeset shared_relro_26_0 (shared_relro))
+(typeattributeset shared_relro_file_26_0 (shared_relro_file))
+(typeattributeset shell_26_0 (shell))
+(typeattributeset shell_data_file_26_0 (shell_data_file))
+(typeattributeset shell_exec_26_0 (shell_exec))
+(typeattributeset shell_prop_26_0 (shell_prop))
+(typeattributeset shm_26_0 (shm))
+(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_26_0 (shortcut_service))
+(typeattributeset slideshow_26_0 (slideshow))
+(typeattributeset socket_device_26_0 (socket_device))
+(typeattributeset sockfs_26_0 (sockfs))
+(typeattributeset statusbar_service_26_0 (statusbar_service))
+(typeattributeset storaged_service_26_0 (storaged_service))
+(typeattributeset storage_file_26_0 (storage_file))
+(typeattributeset storagestats_service_26_0 (storagestats_service))
+(typeattributeset storage_stub_file_26_0 (storage_stub_file))
+(typeattributeset su_26_0 (su))
+(typeattributeset su_exec_26_0 (su_exec))
+(typeattributeset surfaceflinger_26_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_26_0 (swap_block_device))
+(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_26_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_26_0 (sysfs_uio))
+(typeattributeset sysfs_usb_26_0 (sysfs_usb))
+(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_26_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
+(typeattributeset system_app_26_0 (system_app))
+(typeattributeset system_app_data_file_26_0 (system_app_data_file))
+(typeattributeset system_app_service_26_0 (system_app_service))
+(typeattributeset system_block_device_26_0 (system_block_device))
+(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_file_26_0 (system_file))
+(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
+(typeattributeset system_prop_26_0 (system_prop))
+(typeattributeset system_radio_prop_26_0 (system_radio_prop))
+(typeattributeset system_server_26_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
+(typeattributeset task_service_26_0 (task_service))
+(typeattributeset tee_26_0 (tee))
+(typeattributeset tee_data_file_26_0 (tee_data_file))
+(typeattributeset tee_device_26_0 (tee_device))
+(typeattributeset telecom_service_26_0 (telecom_service))
+(typeattributeset textclassification_service_26_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
+(typeattributeset textservices_service_26_0 (textservices_service))
+(typeattributeset tmpfs_26_0 (tmpfs))
+(typeattributeset tombstoned_26_0 (tombstoned))
+(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
+(typeattributeset toolbox_26_0 (toolbox))
+(typeattributeset toolbox_exec_26_0 (toolbox_exec))
+(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
+(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
+(typeattributeset trust_service_26_0 (trust_service))
+(typeattributeset tty_device_26_0 (tty_device))
+(typeattributeset tun_device_26_0 (tun_device))
+(typeattributeset tv_input_service_26_0 (tv_input_service))
+(typeattributeset tzdatacheck_26_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
+(typeattributeset ueventd_26_0 (ueventd))
+(typeattributeset uhid_device_26_0 (uhid_device))
+(typeattributeset uimode_service_26_0 (uimode_service))
+(typeattributeset uio_device_26_0 (uio_device))
+(typeattributeset uncrypt_26_0 (uncrypt))
+(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
+(typeattributeset unlabeled_26_0 (unlabeled))
+(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
+(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
+(typeattributeset update_engine_26_0 (update_engine))
+(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_26_0 (update_engine_exec))
+(typeattributeset update_engine_service_26_0 (update_engine_service))
+(typeattributeset updatelock_service_26_0 (updatelock_service))
+(typeattributeset update_verifier_26_0 (update_verifier))
+(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
+(typeattributeset usagestats_service_26_0 (usagestats_service))
+(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
+(typeattributeset usb_device_26_0 (usb_device))
+(typeattributeset usbfs_26_0 (usbfs))
+(typeattributeset usb_service_26_0 (usb_service))
+(typeattributeset userdata_block_device_26_0 (userdata_block_device))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
+(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
+(typeattributeset user_service_26_0 (user_service))
+(typeattributeset vcs_device_26_0 (vcs_device))
+(typeattributeset vdc_26_0 (vdc))
+(typeattributeset vdc_exec_26_0 (vdc_exec))
+(typeattributeset vendor_app_file_26_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
+(typeattributeset vendor_file_26_0 (vendor_file))
+(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
+(typeattributeset vfat_26_0 (vfat))
+(typeattributeset vibrator_service_26_0 (vibrator_service))
+(typeattributeset video_device_26_0 (video_device))
+(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_26_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_26_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
+(typeattributeset vold_26_0 (vold))
+(typeattributeset vold_data_file_26_0 (vold_data_file))
+(typeattributeset vold_device_26_0 (vold_device))
+(typeattributeset vold_exec_26_0 (vold_exec))
+(typeattributeset vold_prop_26_0 (vold_prop))
+(typeattributeset vold_socket_26_0 (vold_socket))
+(typeattributeset vpn_data_file_26_0 (vpn_data_file))
+(typeattributeset vr_hwc_26_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_26_0 (vr_manager_service))
+(typeattributeset wallpaper_file_26_0 (wallpaper_file))
+(typeattributeset wallpaper_service_26_0 (wallpaper_service))
+(typeattributeset watchdogd_26_0 (watchdogd))
+(typeattributeset watchdog_device_26_0 (watchdog_device))
+(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
+(typeattributeset webview_zygote_26_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_26_0 (wifiaware_service))
+(typeattributeset wificond_26_0 (wificond))
+(typeattributeset wificond_exec_26_0 (wificond_exec))
+(typeattributeset wificond_service_26_0 (wificond_service))
+(typeattributeset wifi_data_file_26_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_26_0 (wifip2p_service))
+(typeattributeset wifi_prop_26_0 (wifi_prop))
+(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
+(typeattributeset wifi_service_26_0 (wifi_service))
+(typeattributeset window_service_26_0 (window_service))
+(typeattributeset wpa_socket_26_0 (wpa_socket))
+(typeattributeset zero_device_26_0 (zero_device))
+(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
+(typeattributeset zygote_26_0 (zygote))
+(typeattributeset zygote_exec_26_0 (zygote_exec))
+(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil
new file mode 100644
index 0000000..9e1eb97
--- /dev/null
+++ b/prebuilts/api/27.0/private/compat/26.0/26.0.ignore.cil
@@ -0,0 +1,34 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( adbd_exec
+ broadcastradio_service
+ e2fs
+ e2fs_exec
+ hal_broadcastradio_hwservice
+ hal_cas_hwservice
+ hal_neuralnetworks_hwservice
+ hal_tetheroffload_hwservice
+ hal_wifi_offload_hwservice
+ kmsg_debug_device
+ mediaprovider_tmpfs
+ netd_stable_secret_prop
+ package_native_service
+ sysfs_fs_ext4_features
+ system_net_netd_hwservice
+ thermal_service
+ thermalcallback_hwservice
+ thermalserviced
+ thermalserviced_exec
+ thermalserviced_tmpfs
+ timezone_service
+ tombstoned_java_trace_socket))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+ ( adbd_tmpfs ))
diff --git a/prebuilts/api/27.0/private/cppreopts.te b/prebuilts/api/27.0/private/cppreopts.te
new file mode 100644
index 0000000..34f0d66
--- /dev/null
+++ b/prebuilts/api/27.0/private/cppreopts.te
@@ -0,0 +1,6 @@
+typeattribute cppreopts coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/27.0/private/crash_dump.te b/prebuilts/api/27.0/private/crash_dump.te
new file mode 100644
index 0000000..fb73f08
--- /dev/null
+++ b/prebuilts/api/27.0/private/crash_dump.te
@@ -0,0 +1 @@
+typeattribute crash_dump coredomain;
diff --git a/prebuilts/api/27.0/private/dex2oat.te b/prebuilts/api/27.0/private/dex2oat.te
new file mode 100644
index 0000000..89c3970
--- /dev/null
+++ b/prebuilts/api/27.0/private/dex2oat.te
@@ -0,0 +1,2 @@
+typeattribute dex2oat coredomain;
+typeattribute dex2oat domain_deprecated;
diff --git a/prebuilts/api/27.0/private/dexoptanalyzer.te b/prebuilts/api/27.0/private/dexoptanalyzer.te
new file mode 100644
index 0000000..1c23f57
--- /dev/null
+++ b/prebuilts/api/27.0/private/dexoptanalyzer.te
@@ -0,0 +1,30 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file r_file_perms;
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/27.0/private/dhcp.te b/prebuilts/api/27.0/private/dhcp.te
new file mode 100644
index 0000000..6a6a139
--- /dev/null
+++ b/prebuilts/api/27.0/private/dhcp.te
@@ -0,0 +1,5 @@
+typeattribute dhcp coredomain;
+typeattribute dhcp domain_deprecated;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/27.0/private/dnsmasq.te b/prebuilts/api/27.0/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/prebuilts/api/27.0/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
new file mode 100644
index 0000000..d37a0bd
--- /dev/null
+++ b/prebuilts/api/27.0/private/domain.te
@@ -0,0 +1,18 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+ domain
+ -vold
+ -dumpstate
+ -storaged
+ -system_server
+ userdebug_or_eng(`-perfprofd')
+} self:capability sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
diff --git a/private/domain_deprecated.te b/prebuilts/api/27.0/private/domain_deprecated.te
similarity index 100%
rename from private/domain_deprecated.te
rename to prebuilts/api/27.0/private/domain_deprecated.te
diff --git a/prebuilts/api/27.0/private/drmserver.te b/prebuilts/api/27.0/private/drmserver.te
new file mode 100644
index 0000000..afe4f0a
--- /dev/null
+++ b/prebuilts/api/27.0/private/drmserver.te
@@ -0,0 +1,7 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/27.0/private/dumpstate.te b/prebuilts/api/27.0/private/dumpstate.te
new file mode 100644
index 0000000..0fe2adf
--- /dev/null
+++ b/prebuilts/api/27.0/private/dumpstate.te
@@ -0,0 +1,26 @@
+typeattribute dumpstate coredomain;
+typeattribute dumpstate domain_deprecated;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
diff --git a/prebuilts/api/27.0/private/ephemeral_app.te b/prebuilts/api/27.0/private/ephemeral_app.te
new file mode 100644
index 0000000..872892b
--- /dev/null
+++ b/prebuilts/api/27.0/private/ephemeral_app.te
@@ -0,0 +1,70 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+neverallow ephemeral_app app_data_file:file execute_no_trans;
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/private/file.te b/prebuilts/api/27.0/private/file.te
new file mode 100644
index 0000000..da5f9ad
--- /dev/null
+++ b/prebuilts/api/27.0/private/file.te
@@ -0,0 +1,7 @@
+# Compatibility with type names used in vanilla Android 4.3 and 4.4.
+typealias audio_data_file alias audio_firmware_file;
+typealias app_data_file alias platform_app_data_file;
+typealias app_data_file alias download_file;
+
+# /proc/config.gz
+type config_gz, fs_type;
diff --git a/prebuilts/api/27.0/private/file_contexts b/prebuilts/api/27.0/private/file_contexts
new file mode 100644
index 0000000..5369758
--- /dev/null
+++ b/prebuilts/api/27.0/private/file_contexts
@@ -0,0 +1,470 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/adb_keys u:object_r:adb_keys_file:s0
+/build\.prop u:object_r:rootfs:s0
+/default\.prop u:object_r:rootfs:s0
+/fstab\..* u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+/res(/.*)? u:object_r:rootfs:s0
+/selinux_version u:object_r:rootfs:s0
+/ueventd\..* u:object_r:rootfs:s0
+/verity_key u:object_r:rootfs:s0
+
+# Executables
+/charger u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
+/sbin(/.*)? u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/acct u:object_r:cgroup:s0
+/config u:object_r:rootfs:s0
+/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/proc u:object_r:rootfs:s0
+/root u:object_r:rootfs:s0
+/sys u:object_r:sysfs:s0
+
+# Symlinks
+/bugreports u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+/sdcard u:object_r:rootfs:s0
+
+# SELinux policy files
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/akm8973.* u:object_r:sensors_device:s0
+/dev/accelerometer u:object_r:sensors_device:s0
+/dev/adf[0-9]* u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/alarm u:object_r:alarm_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
+/dev/cam u:object_r:camera_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)? u:object_r:cgroup:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
+/dev/full u:object_r:full_device:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
+/dev/input(/.*)? u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
+/dev/ion u:object_r:ion_device:s0
+/dev/keychord u:object_r:keychord_device:s0
+/dev/kmem u:object_r:kmem_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/mem u:object_r:kmem_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtd(/.*)? u:object_r:mtd_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/port u:object_r:port_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:gpu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/cryptd u:object_r:vold_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
+/dev/socket/vold u:object_r:vold_socket:s0
+/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/tegra.* u:object_r:video_device:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/watchdog u:object_r:watchdog_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/make_f2fs -- u:object_r:fsck_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat u:object_r:bootstat_exec:s0
+/system/bin/app_process32 u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/dhcpcd u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
+/system/bin/mtpd u:object_r:mtp_exec:s0
+/system/bin/pppd u:object_r:ppp_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
+/system/bin/healthd u:object_r:healthd_exec:s0
+/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/profman u:object_r:profman_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/bspatch u:object_r:update_engine_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
+/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
+/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
+/system/bin/adbd u:object_r:adbd_exec:s0
+
+#############################
+# Vendor files
+#
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+# TODO: b/36790901 move this to /vendor/etc
+/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
+/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+#############################
+# OEM and ODM files
+#
+/odm(/.*)? u:object_r:system_file:s0
+/oem(/.*)? u:object_r:oemfs:s0
+
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data(/.*)? u:object_r:system_data_file:s0
+/data/.layout_version u:object_r:install_data_file:s0
+/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
+/data/backup(/.*)? u:object_r:backup_data_file:s0
+/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
+/data/adb(/.*)? u:object_r:adb_data_file:s0
+/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
+/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
+/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+
+# Misc data
+/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
+/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
+/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
+/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
+/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
+/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
+/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
+/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
+/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
+/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
+/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
+/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
+/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
+/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
+#############################
+# efs files
+#
+/efs(/.*)? u:object_r:efs_file:s0
+
+#############################
+# Cache files
+#
+/cache(/.*)? u:object_r:cache_file:s0
+/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+/data/cache(/.*)? u:object_r:cache_file:s0
+/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+#############################
+# asec containers
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)? u:object_r:storage_file:s0
+/storage(/.*)? u:object_r:storage_file:s0
diff --git a/prebuilts/api/27.0/private/file_contexts_asan b/prebuilts/api/27.0/private/file_contexts_asan
new file mode 100644
index 0000000..0401ffe
--- /dev/null
+++ b/prebuilts/api/27.0/private/file_contexts_asan
@@ -0,0 +1,9 @@
+/data/asan/system/lib(/.*)? u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/27.0/private/fingerprintd.te b/prebuilts/api/27.0/private/fingerprintd.te
new file mode 100644
index 0000000..0c1dfaa
--- /dev/null
+++ b/prebuilts/api/27.0/private/fingerprintd.te
@@ -0,0 +1,4 @@
+typeattribute fingerprintd coredomain;
+typeattribute fingerprintd domain_deprecated;
+
+init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/27.0/private/fs_use b/prebuilts/api/27.0/private/fs_use
new file mode 100644
index 0000000..4bd1112
--- /dev/null
+++ b/prebuilts/api/27.0/private/fs_use
@@ -0,0 +1,23 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/27.0/private/fsck.te b/prebuilts/api/27.0/private/fsck.te
new file mode 100644
index 0000000..e846797
--- /dev/null
+++ b/prebuilts/api/27.0/private/fsck.te
@@ -0,0 +1,4 @@
+typeattribute fsck coredomain;
+typeattribute fsck domain_deprecated;
+
+init_daemon_domain(fsck)
diff --git a/prebuilts/api/27.0/private/fsck_untrusted.te b/prebuilts/api/27.0/private/fsck_untrusted.te
new file mode 100644
index 0000000..2a1a39f
--- /dev/null
+++ b/prebuilts/api/27.0/private/fsck_untrusted.te
@@ -0,0 +1,2 @@
+typeattribute fsck_untrusted coredomain;
+typeattribute fsck_untrusted domain_deprecated;
diff --git a/prebuilts/api/27.0/private/gatekeeperd.te b/prebuilts/api/27.0/private/gatekeeperd.te
new file mode 100644
index 0000000..5e4d0a2
--- /dev/null
+++ b/prebuilts/api/27.0/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
new file mode 100644
index 0000000..e77a39b
--- /dev/null
+++ b/prebuilts/api/27.0/private/genfs_contexts
@@ -0,0 +1,122 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+
+genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+
+genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon tracefs / u:object_r:debugfs_tracing:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
diff --git a/prebuilts/api/27.0/private/hal_allocator_default.te b/prebuilts/api/27.0/private/hal_allocator_default.te
new file mode 100644
index 0000000..49ef178
--- /dev/null
+++ b/prebuilts/api/27.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/27.0/private/halclientdomain.te b/prebuilts/api/27.0/private/halclientdomain.te
new file mode 100644
index 0000000..9dcd3ee
--- /dev/null
+++ b/prebuilts/api/27.0/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/private/halserverdomain.te b/prebuilts/api/27.0/private/halserverdomain.te
new file mode 100644
index 0000000..f36e0e7
--- /dev/null
+++ b/prebuilts/api/27.0/private/halserverdomain.te
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/27.0/private/healthd.te b/prebuilts/api/27.0/private/healthd.te
new file mode 100644
index 0000000..0693a3a
--- /dev/null
+++ b/prebuilts/api/27.0/private/healthd.te
@@ -0,0 +1,6 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow callback to storaged batteryproperties listener
+binder_call(healthd, storaged)
diff --git a/prebuilts/api/27.0/private/hwservice_contexts b/prebuilts/api/27.0/private/hwservice_contexts
new file mode 100644
index 0000000..e304495
--- /dev/null
+++ b/prebuilts/api/27.0/private/hwservice_contexts
@@ -0,0 +1,57 @@
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/27.0/private/hwservicemanager.te b/prebuilts/api/27.0/private/hwservicemanager.te
new file mode 100644
index 0000000..a43eb02
--- /dev/null
+++ b/prebuilts/api/27.0/private/hwservicemanager.te
@@ -0,0 +1,6 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
diff --git a/prebuilts/api/27.0/private/idmap.te b/prebuilts/api/27.0/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/prebuilts/api/27.0/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/prebuilts/api/27.0/private/incident.te b/prebuilts/api/27.0/private/incident.te
new file mode 100644
index 0000000..b910dde
--- /dev/null
+++ b/prebuilts/api/27.0/private/incident.te
@@ -0,0 +1,25 @@
+typeattribute incident coredomain;
+
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
new file mode 100644
index 0000000..efd23bd
--- /dev/null
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -0,0 +1,110 @@
+typeattribute incidentd coredomain;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+# TODO allow incidentd self:capability { setuid setgid sys_resource };
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+allow incidentd self:capability {
+ # Send signals to processes
+ kill
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Get process attributes
+# TODO allow incidentd domain:process getattr;
+
+# Signal java processes to dump their stack and get the results
+# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
+# TODO allow incidentd anr_data_file:dir rw_dir_perms;
+# TODO allow incidentd anr_data_file:file create_file_perms;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediacodec
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+# TODO allow incidentd self:capability sys_ptrace;
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+# TODO read_logd(incidentd)
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/27.0/private/init.te b/prebuilts/api/27.0/private/init.te
new file mode 100644
index 0000000..5c23f66
--- /dev/null
+++ b/prebuilts/api/27.0/private/init.te
@@ -0,0 +1,26 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, charger)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, e2fs_exec, e2fs)
+recovery_only(`
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logpersist)
+')
+
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit init sysfs:dir write;
diff --git a/prebuilts/api/27.0/private/initial_sid_contexts b/prebuilts/api/27.0/private/initial_sid_contexts
new file mode 100644
index 0000000..9819051
--- /dev/null
+++ b/prebuilts/api/27.0/private/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/27.0/private/initial_sids b/prebuilts/api/27.0/private/initial_sids
new file mode 100644
index 0000000..91ac816
--- /dev/null
+++ b/prebuilts/api/27.0/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/prebuilts/api/27.0/private/inputflinger.te b/prebuilts/api/27.0/private/inputflinger.te
new file mode 100644
index 0000000..9696b49
--- /dev/null
+++ b/prebuilts/api/27.0/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/27.0/private/install_recovery.te b/prebuilts/api/27.0/private/install_recovery.te
new file mode 100644
index 0000000..b79d683
--- /dev/null
+++ b/prebuilts/api/27.0/private/install_recovery.te
@@ -0,0 +1,3 @@
+typeattribute install_recovery coredomain;
+
+init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/27.0/private/installd.te b/prebuilts/api/27.0/private/installd.te
new file mode 100644
index 0000000..d726e7d
--- /dev/null
+++ b/prebuilts/api/27.0/private/installd.te
@@ -0,0 +1,19 @@
+typeattribute installd coredomain;
+typeattribute installd domain_deprecated;
+
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
new file mode 100644
index 0000000..37935c3
--- /dev/null
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -0,0 +1,108 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# TODO: consider removing write/append. We want to limit isolated_apps
+# ability to mutate files of any type.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote_socket:sock_file write;
diff --git a/prebuilts/api/27.0/private/kernel.te b/prebuilts/api/27.0/private/kernel.te
new file mode 100644
index 0000000..a4e6ebe
--- /dev/null
+++ b/prebuilts/api/27.0/private/kernel.te
@@ -0,0 +1,3 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/27.0/private/keys.conf b/prebuilts/api/27.0/private/keys.conf
new file mode 100644
index 0000000..7a307b5
--- /dev/null
+++ b/prebuilts/api/27.0/private/keys.conf
@@ -0,0 +1,25 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/prebuilts/api/27.0/private/keystore.te b/prebuilts/api/27.0/private/keystore.te
new file mode 100644
index 0000000..1e56338
--- /dev/null
+++ b/prebuilts/api/27.0/private/keystore.te
@@ -0,0 +1,11 @@
+typeattribute keystore coredomain;
+typeattribute keystore domain_deprecated;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
diff --git a/prebuilts/api/27.0/private/lmkd.te b/prebuilts/api/27.0/private/lmkd.te
new file mode 100644
index 0000000..a07ce87
--- /dev/null
+++ b/prebuilts/api/27.0/private/lmkd.te
@@ -0,0 +1,3 @@
+typeattribute lmkd coredomain;
+
+init_daemon_domain(lmkd)
diff --git a/prebuilts/api/27.0/private/logd.te b/prebuilts/api/27.0/private/logd.te
new file mode 100644
index 0000000..4338e40
--- /dev/null
+++ b/prebuilts/api/27.0/private/logd.te
@@ -0,0 +1,39 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd {
+ file_type
+ -logd_tmpfs
+ -runtime_event_log_tags_file
+ userdebug_or_eng(`-coredump_file -misc_logd_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -appdomain # covered below
+ -bootstat
+ -dumpstate
+ -init
+ -logd
+ userdebug_or_eng(`-logpersist')
+ -servicemanager
+ -system_server
+ -surfaceflinger
+ -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+ appdomain
+ -bluetooth
+ -platform_app
+ -priv_app
+ -radio
+ -shell
+ userdebug_or_eng(`-su')
+ -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/private/logpersist.te b/prebuilts/api/27.0/private/logpersist.te
new file mode 100644
index 0000000..70e3198
--- /dev/null
+++ b/prebuilts/api/27.0/private/logpersist.te
@@ -0,0 +1,24 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+ r_dir_file(logpersist, cgroup)
+
+ allow logpersist misc_logd_file:file create_file_perms;
+ allow logpersist misc_logd_file:dir rw_dir_perms;
+
+ allow logpersist self:capability sys_nice;
+ allow logpersist pstorefs:dir search;
+ allow logpersist pstorefs:file r_file_perms;
+
+ control_logd(logpersist)
+ unix_socket_connect(logpersist, logdr, logd)
+ read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/27.0/private/mac_permissions.xml b/prebuilts/api/27.0/private/mac_permissions.xml
new file mode 100644
index 0000000..1fcd2a4
--- /dev/null
+++ b/prebuilts/api/27.0/private/mac_permissions.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+</policy>
diff --git a/prebuilts/api/27.0/private/mdnsd.te b/prebuilts/api/27.0/private/mdnsd.te
new file mode 100644
index 0000000..96259e2
--- /dev/null
+++ b/prebuilts/api/27.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/27.0/private/mediadrmserver.te b/prebuilts/api/27.0/private/mediadrmserver.te
new file mode 100644
index 0000000..4e511a8
--- /dev/null
+++ b/prebuilts/api/27.0/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/prebuilts/api/27.0/private/mediaextractor.te b/prebuilts/api/27.0/private/mediaextractor.te
new file mode 100644
index 0000000..c1a8521
--- /dev/null
+++ b/prebuilts/api/27.0/private/mediaextractor.te
@@ -0,0 +1,3 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/27.0/private/mediametrics.te b/prebuilts/api/27.0/private/mediametrics.te
new file mode 100644
index 0000000..f8b2fa5
--- /dev/null
+++ b/prebuilts/api/27.0/private/mediametrics.te
@@ -0,0 +1,3 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/27.0/private/mediaprovider.te b/prebuilts/api/27.0/private/mediaprovider.te
new file mode 100644
index 0000000..63f56c8
--- /dev/null
+++ b/prebuilts/api/27.0/private/mediaprovider.te
@@ -0,0 +1,35 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+allow mediaprovider surfaceflinger_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
diff --git a/prebuilts/api/27.0/private/mediaserver.te b/prebuilts/api/27.0/private/mediaserver.te
new file mode 100644
index 0000000..a9b85be
--- /dev/null
+++ b/prebuilts/api/27.0/private/mediaserver.te
@@ -0,0 +1,10 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/private/mls b/prebuilts/api/27.0/private/mls
new file mode 100644
index 0000000..a561de1
--- /dev/null
+++ b/prebuilts/api/27.0/private/mls
@@ -0,0 +1,100 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must be equivalent to object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/27.0/private/mls_decl b/prebuilts/api/27.0/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/prebuilts/api/27.0/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/27.0/private/mls_macros b/prebuilts/api/27.0/private/mls_macros
new file mode 100644
index 0000000..83e0542
--- /dev/null
+++ b/prebuilts/api/27.0/private/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/27.0/private/modprobe.te b/prebuilts/api/27.0/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/prebuilts/api/27.0/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/prebuilts/api/27.0/private/mtp.te b/prebuilts/api/27.0/private/mtp.te
new file mode 100644
index 0000000..3cfda0b
--- /dev/null
+++ b/prebuilts/api/27.0/private/mtp.te
@@ -0,0 +1,4 @@
+typeattribute mtp coredomain;
+typeattribute mtp domain_deprecated;
+
+init_daemon_domain(mtp)
diff --git a/prebuilts/api/27.0/private/net.te b/prebuilts/api/27.0/private/net.te
new file mode 100644
index 0000000..f16daf9
--- /dev/null
+++ b/prebuilts/api/27.0/private/net.te
@@ -0,0 +1,24 @@
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/27.0/private/netd.te b/prebuilts/api/27.0/private/netd.te
new file mode 100644
index 0000000..3a824af
--- /dev/null
+++ b/prebuilts/api/27.0/private/netd.te
@@ -0,0 +1,10 @@
+typeattribute netd coredomain;
+typeattribute netd domain_deprecated;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
diff --git a/prebuilts/api/27.0/private/netutils_wrapper.te b/prebuilts/api/27.0/private/netutils_wrapper.te
new file mode 100644
index 0000000..f7fe32a
--- /dev/null
+++ b/prebuilts/api/27.0/private/netutils_wrapper.te
@@ -0,0 +1,28 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:capability net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:capability net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
diff --git a/prebuilts/api/27.0/private/nfc.te b/prebuilts/api/27.0/private/nfc.te
new file mode 100644
index 0000000..b41558c
--- /dev/null
+++ b/prebuilts/api/27.0/private/nfc.te
@@ -0,0 +1,34 @@
+# nfc subsystem
+typeattribute nfc coredomain;
+app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc surfaceflinger_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
+
+set_prop(nfc, nfc_prop);
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/27.0/private/otapreopt_chroot.te b/prebuilts/api/27.0/private/otapreopt_chroot.te
new file mode 100644
index 0000000..1f69931
--- /dev/null
+++ b/prebuilts/api/27.0/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+typeattribute otapreopt_chroot coredomain;
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/27.0/private/otapreopt_slot.te b/prebuilts/api/27.0/private/otapreopt_slot.te
new file mode 100644
index 0000000..98b93d4
--- /dev/null
+++ b/prebuilts/api/27.0/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+typeattribute otapreopt_slot coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/27.0/private/performanced.te b/prebuilts/api/27.0/private/performanced.te
new file mode 100644
index 0000000..792826e
--- /dev/null
+++ b/prebuilts/api/27.0/private/performanced.te
@@ -0,0 +1,3 @@
+typeattribute performanced coredomain;
+
+init_daemon_domain(performanced)
diff --git a/prebuilts/api/27.0/private/perfprofd.te b/prebuilts/api/27.0/private/perfprofd.te
new file mode 100644
index 0000000..a655f1d
--- /dev/null
+++ b/prebuilts/api/27.0/private/perfprofd.te
@@ -0,0 +1,5 @@
+userdebug_or_eng(`
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd domain_deprecated;
+ init_daemon_domain(perfprofd)
+')
diff --git a/prebuilts/api/27.0/private/platform_app.te b/prebuilts/api/27.0/private/platform_app.te
new file mode 100644
index 0000000..2aa7dc9
--- /dev/null
+++ b/prebuilts/api/27.0/private/platform_app.te
@@ -0,0 +1,73 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app coredomain;
+typeattribute platform_app domain_deprecated;
+
+app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app vfat:dir create_dir_perms;
+allow platform_app vfat:file create_file_perms;
+
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/27.0/private/policy_capabilities b/prebuilts/api/27.0/private/policy_capabilities
new file mode 100644
index 0000000..ab55c15
--- /dev/null
+++ b/prebuilts/api/27.0/private/policy_capabilities
@@ -0,0 +1,13 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
diff --git a/prebuilts/api/27.0/private/port_contexts b/prebuilts/api/27.0/private/port_contexts
new file mode 100644
index 0000000..b473c0c
--- /dev/null
+++ b/prebuilts/api/27.0/private/port_contexts
@@ -0,0 +1,3 @@
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/prebuilts/api/27.0/private/postinstall.te b/prebuilts/api/27.0/private/postinstall.te
new file mode 100644
index 0000000..363e362
--- /dev/null
+++ b/prebuilts/api/27.0/private/postinstall.te
@@ -0,0 +1,3 @@
+typeattribute postinstall coredomain;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/27.0/private/postinstall_dexopt.te b/prebuilts/api/27.0/private/postinstall_dexopt.te
new file mode 100644
index 0000000..ff5fe87
--- /dev/null
+++ b/prebuilts/api/27.0/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+typeattribute postinstall_dexopt coredomain;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/27.0/private/ppp.te b/prebuilts/api/27.0/private/ppp.te
new file mode 100644
index 0000000..9b301f4
--- /dev/null
+++ b/prebuilts/api/27.0/private/ppp.te
@@ -0,0 +1,4 @@
+typeattribute ppp coredomain;
+typeattribute ppp domain_deprecated;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/27.0/private/preopt2cachename.te b/prebuilts/api/27.0/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/prebuilts/api/27.0/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/27.0/private/priv_app.te b/prebuilts/api/27.0/private/priv_app.te
new file mode 100644
index 0000000..60fb411
--- /dev/null
+++ b/prebuilts/api/27.0/private/priv_app.te
@@ -0,0 +1,159 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+typeattribute priv_app coredomain;
+app_domain(priv_app)
+
+# Access the network.
+net_domain(priv_app)
+# Access bluetooth.
+bluetooth_domain(priv_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
+
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file execute;
+
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
+allow priv_app drmserver_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
+allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
+allow priv_app radio_service:service_manager find;
+allow priv_app surfaceflinger_service:service_manager find;
+allow priv_app app_api_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+
+# Write to /cache.
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
+# Access to /data/media.
+allow priv_app media_rw_data_file:dir create_dir_perms;
+allow priv_app media_rw_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow priv_app shell_data_file:file r_file_perms;
+allow priv_app shell_data_file:dir r_dir_perms;
+
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# b/18504118: Allow reads from /data/anr/traces.txt
+allow priv_app anr_data_file:file r_file_perms;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow priv_app perfprofd_data_file:file r_file_perms;
+ allow priv_app perfprofd_data_file:dir r_dir_perms;
+')
+
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
+# /sys and /proc access
+r_dir_file(priv_app, sysfs_type)
+r_dir_file(priv_app, proc)
+r_dir_file(priv_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
+read_runtime_log_tags(priv_app)
+
+# suppress denials when safetynet scans /system
+dontaudit priv_app exec_type:file getattr;
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow priv_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow priv_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow priv_app debugfs:file read;
+
+# Do not allow privileged apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow priv_app service_manager_type:service_manager add;
+
+# Do not allow privileged apps to connect to the property service
+# or set properties. b/10243159
+neverallow priv_app property_socket:sock_file write;
+neverallow priv_app init:unix_stream_socket connectto;
+neverallow priv_app property_type:property_service set;
+
+# Do not allow priv_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and priv_app is allowed fork permission to itself.
+neverallow priv_app mlstrustedsubject:process fork;
+
+# Do not allow priv_app to hard link to any files.
+# In particular, if priv_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure priv_app never has this
+# capability.
+neverallow priv_app file_type:file link;
diff --git a/prebuilts/api/27.0/private/profman.te b/prebuilts/api/27.0/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/prebuilts/api/27.0/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/prebuilts/api/27.0/private/property_contexts b/prebuilts/api/27.0/private/property_contexts
new file mode 100644
index 0000000..8eb2f28
--- /dev/null
+++ b/prebuilts/api/27.0/private/property_contexts
@@ -0,0 +1,114 @@
+##########################
+# property service keys
+#
+#
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
+ril. u:object_r:radio_prop:s0
+ro.ril. u:object_r:radio_prop:s0
+gsm. u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+ro.runtime. u:object_r:system_prop:s0
+ro.runtime.firstboot u:object_r:firstboot_prop:s0
+hw. u:object_r:system_prop:s0
+ro.hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.powerctl u:object_r:powerctl_prop:s0
+sys.usb.ffs. u:object_r:ffs_prop:s0
+service. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
+dhcp.bt-pan.result u:object_r:pan_result_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+
+debug. u:object_r:debug_prop:s0
+debug.db. u:object_r:debuggerd_prop:s0
+dumpstate. u:object_r:dumpstate_prop:s0
+dumpstate.options u:object_r:dumpstate_options_prop:s0
+log. u:object_r:log_prop:s0
+log.tag u:object_r:log_tag_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+security.perf_harden u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.debug. u:object_r:persist_debug_prop:s0
+persist.logd. u:object_r:logd_prop:s0
+persist.logd.security u:object_r:device_logging_prop:s0
+persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+persist.log.tag u:object_r:log_tag_prop:s0
+persist.mmc. u:object_r:mmc_prop:s0
+persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+ro.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+persist.security. u:object_r:system_prop:s0
+persist.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
+
+# Boolean property set by system server upon boot indicating
+# if device owner is provisioned.
+ro.device_owner u:object_r:device_logging_prop:s0
+
+# selinux non-persistent properties
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+ro.crypto. u:object_r:vold_prop:s0
+
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+ro.build.fingerprint u:object_r:fingerprint_prop:s0
+
+ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
+
+# ctl properties
+ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl.bugreport u:object_r:ctl_bugreport_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+# NFC properties
+nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+ro.config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0
+ro.dalvik. u:object_r:dalvik_prop:s0
+
+# Shared between system server and wificond
+wlan. u:object_r:wifi_prop:s0
+
+# hwservicemanager properties
+hwservicemanager. u:object_r:hwservicemanager_prop:s0
diff --git a/prebuilts/api/27.0/private/racoon.te b/prebuilts/api/27.0/private/racoon.te
new file mode 100644
index 0000000..42ea7c9
--- /dev/null
+++ b/prebuilts/api/27.0/private/racoon.te
@@ -0,0 +1,3 @@
+typeattribute racoon coredomain;
+
+init_daemon_domain(racoon)
diff --git a/prebuilts/api/27.0/private/radio.te b/prebuilts/api/27.0/private/radio.te
new file mode 100644
index 0000000..83b5b41
--- /dev/null
+++ b/prebuilts/api/27.0/private/radio.te
@@ -0,0 +1,6 @@
+typeattribute radio coredomain;
+typeattribute radio domain_deprecated;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
diff --git a/prebuilts/api/27.0/private/recovery.te b/prebuilts/api/27.0/private/recovery.te
new file mode 100644
index 0000000..b7b2847
--- /dev/null
+++ b/prebuilts/api/27.0/private/recovery.te
@@ -0,0 +1,2 @@
+typeattribute recovery coredomain;
+typeattribute recovery domain_deprecated;
diff --git a/prebuilts/api/27.0/private/recovery_persist.te b/prebuilts/api/27.0/private/recovery_persist.te
new file mode 100644
index 0000000..1fdd758
--- /dev/null
+++ b/prebuilts/api/27.0/private/recovery_persist.te
@@ -0,0 +1,7 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/27.0/private/recovery_refresh.te b/prebuilts/api/27.0/private/recovery_refresh.te
new file mode 100644
index 0000000..327098d
--- /dev/null
+++ b/prebuilts/api/27.0/private/recovery_refresh.te
@@ -0,0 +1,7 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/27.0/private/roles_decl b/prebuilts/api/27.0/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/prebuilts/api/27.0/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/prebuilts/api/27.0/private/runas.te b/prebuilts/api/27.0/private/runas.te
new file mode 100644
index 0000000..73a91ff
--- /dev/null
+++ b/prebuilts/api/27.0/private/runas.te
@@ -0,0 +1,5 @@
+typeattribute runas coredomain;
+typeattribute runas domain_deprecated;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/27.0/private/sdcardd.te b/prebuilts/api/27.0/private/sdcardd.te
new file mode 100644
index 0000000..ac6bb4e
--- /dev/null
+++ b/prebuilts/api/27.0/private/sdcardd.te
@@ -0,0 +1,4 @@
+typeattribute sdcardd coredomain;
+typeattribute sdcardd domain_deprecated;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/27.0/private/seapp_contexts b/prebuilts/api/27.0/private/seapp_contexts
new file mode 100644
index 0000000..a97fc70
--- /dev/null
+++ b/prebuilts/api/27.0/private/seapp_contexts
@@ -0,0 +1,110 @@
+# Input selectors:
+# isSystemServer (boolean)
+# isEphemeralApp (boolean)
+# isV2App (boolean)
+# isOwner (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# path (string)
+# isPrivApp (boolean)
+# minTargetSdkVersion (unsigned integer)
+# isSystemServer=true can only be used once.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isV2App=true will match apps in the v2 app sandbox.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# user=_app will match any regular app UID.
+# user=_isolated will match any isolated service UID.
+# isPrivApp=true will only match for applications preinstalled in
+# /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+# greater than or equal to the specified value. If unspecified,
+# it has a default value of 0.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+#
+# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+# (3) Specified isV2App= before unspecified isV2App= boolean.
+# (4) Specified isOwner= before unspecified isOwner= boolean.
+# (5) Specified user= string before unspecified user= string.
+# (6) Fixed user= string before user= prefix (i.e. ending in *).
+# (7) Longer user= prefix before shorter user= prefix.
+# (8) Specified seinfo= string before unspecified seinfo= string.
+# ':' character is reserved and may not be used.
+# (9) Specified name= string before unspecified name= string.
+# (10) Specified path= string before unspecified path= string.
+# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFrom (string; one of none, all, app, or user)
+# level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks can be added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# anything with a non-known uid with a specified name should have a specified seinfo
+neverallow user=_app name=.* seinfo=""
+neverallow user=_app name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
+user=shell seinfo=platform domain=shell type=shell_data_file
+user=_isolated domain=isolated_app levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/27.0/private/security_classes b/prebuilts/api/27.0/private/security_classes
new file mode 100644
index 0000000..2cfc768
--- /dev/null
+++ b/prebuilts/api/27.0/private/security_classes
@@ -0,0 +1,145 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Keystore Key
+class keystore_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/prebuilts/api/27.0/private/service_contexts b/prebuilts/api/27.0/private/service_contexts
new file mode 100644
index 0000000..a82243f
--- /dev/null
+++ b/prebuilts/api/27.0/private/service_contexts
@@ -0,0 +1,174 @@
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+alarm u:object_r:alarm_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+audio u:object_r:audio_service:s0
+autofill u:object_r:autofill_service:s0
+backup u:object_r:backup_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
+bluetooth u:object_r:bluetooth_service:s0
+broadcastradio u:object_r:broadcastradio_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+commontime_management u:object_r:commontime_management_service:s0
+common_time.clock u:object_r:mediaserver_service:s0
+common_time.config u:object_r:mediaserver_service:s0
+companiondevice u:object_r:companion_device_service:s0
+connectivity u:object_r:connectivity_service:s0
+connmetrics u:object_r:connmetrics_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+contexthub u:object_r:contexthub_service:s0
+country_detector u:object_r:country_detector_service:s0
+coverage u:object_r:coverage_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_policy u:object_r:device_policy_service:s0
+device_identifiers u:object_r:device_identifiers_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
+display.qservice u:object_r:surfaceflinger_service:s0
+display u:object_r:display_service:s0
+netd_listener u:object_r:netd_listener_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
+econtroller u:object_r:radio_service:s0
+ethernet u:object_r:ethernet_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
+hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
+incident u:object_r:incident_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
+iphonesubinfo_msim u:object_r:radio_service:s0
+iphonesubinfo2 u:object_r:radio_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+ims u:object_r:radio_service:s0
+imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
+isms_msim u:object_r:radio_service:s0
+isms2 u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+isub u:object_r:radio_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+location u:object_r:location_service:s0
+lock_settings u:object_r:lock_settings_service:s0
+media.aaudio u:object_r:audioserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
+media.log u:object_r:audioserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media.metrics u:object_r:mediametrics_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.codec u:object_r:mediacodec_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+netd u:object_r:netd_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
+otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
+package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
+permission u:object_r:permission_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
+phone_msim u:object_r:radio_service:s0
+phone1 u:object_r:radio_service:s0
+phone2 u:object_r:radio_service:s0
+phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
+radio.phonesubinfo u:object_r:radio_service:s0
+radio.phone u:object_r:radio_service:s0
+radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
+restrictions u:object_r:restrictions_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
+settings u:object_r:settings_service:s0
+shortcut u:object_r:shortcut_service:s0
+simphonebook_msim u:object_r:radio_service:s0
+simphonebook2 u:object_r:radio_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
+statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
+storagestats u:object_r:storagestats_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+textclassification u:object_r:textclassification_service:s0
+textservices u:object_r:textservices_service:s0
+timezone u:object_r:timezone_service:s0
+thermalservice u:object_r:thermal_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+vibrator u:object_r:vibrator_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
+vrmanager u:object_r:vr_manager_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+wificond u:object_r:wificond_service:s0
+wifiaware u:object_r:wifiaware_service:s0
+window u:object_r:window_service:s0
+* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/27.0/private/servicemanager.te b/prebuilts/api/27.0/private/servicemanager.te
new file mode 100644
index 0000000..9f675a2
--- /dev/null
+++ b/prebuilts/api/27.0/private/servicemanager.te
@@ -0,0 +1,5 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/27.0/private/sgdisk.te b/prebuilts/api/27.0/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/prebuilts/api/27.0/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/27.0/private/shared_relro.te b/prebuilts/api/27.0/private/shared_relro.te
new file mode 100644
index 0000000..8d06294
--- /dev/null
+++ b/prebuilts/api/27.0/private/shared_relro.te
@@ -0,0 +1,6 @@
+typeattribute shared_relro coredomain;
+typeattribute shared_relro domain_deprecated;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/prebuilts/api/27.0/private/shell.te b/prebuilts/api/27.0/private/shell.te
new file mode 100644
index 0000000..5299532
--- /dev/null
+++ b/prebuilts/api/27.0/private/shell.te
@@ -0,0 +1,28 @@
+typeattribute shell coredomain;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+userdebug_or_eng(`
+ allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
diff --git a/prebuilts/api/27.0/private/slideshow.te b/prebuilts/api/27.0/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/prebuilts/api/27.0/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/prebuilts/api/27.0/private/storaged.te b/prebuilts/api/27.0/private/storaged.te
new file mode 100644
index 0000000..20377e0
--- /dev/null
+++ b/prebuilts/api/27.0/private/storaged.te
@@ -0,0 +1,57 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, sysfs_type)
+r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+# use batteryproperties service
+allow storaged batteryproperties_service:service_manager find;
+binder_call(storaged, healthd)
+
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:capability dac_override;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/27.0/private/su.te b/prebuilts/api/27.0/private/su.te
new file mode 100644
index 0000000..d42bf61
--- /dev/null
+++ b/prebuilts/api/27.0/private/su.te
@@ -0,0 +1,20 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+# su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+')
diff --git a/prebuilts/api/27.0/private/surfaceflinger.te b/prebuilts/api/27.0/private/surfaceflinger.te
new file mode 100644
index 0000000..b33035e
--- /dev/null
+++ b/prebuilts/api/27.0/private/surfaceflinger.te
@@ -0,0 +1,109 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_configstore)
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, sysfs_type)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
diff --git a/prebuilts/api/27.0/private/system_app.te b/prebuilts/api/27.0/private/system_app.te
new file mode 100644
index 0000000..4741479
--- /dev/null
+++ b/prebuilts/api/27.0/private/system_app.te
@@ -0,0 +1,95 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain;
+typeattribute system_app domain_deprecated;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+# /sys access
+r_dir_file(system_app, sysfs_type)
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
new file mode 100644
index 0000000..40c5382
--- /dev/null
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -0,0 +1,771 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server domain_deprecated;
+typeattribute system_server mlstrustedsubject;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+allow system_server zygote_tmpfs:file read;
+
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file r_file_perms;
+
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Read and delete last_reboot_reason file
+allow system_server reboot_data_file:file { rename r_file_perms unlink };
+allow system_server reboot_data_file:dir { write search open remove_name };
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:capability {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+wakelock_use(system_server)
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:capability2 wake_alarm;
+
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { getpgid sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
+allow system_server cameraserver:file w_file_perms;
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Read /proc/uid_cputime/show_uid_stat.
+allow system_server proc_uid_cputime_showstat:file r_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Read /proc/uid_time_in_state.
+allow system_server proc_uid_time_in_state:file r_file_perms;
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Read /proc/stat for CPU usage statistics
+allow system_server proc_stat:file r_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, vold, vold)
+unix_socket_connect(system_server, webview_zygote, webview_zygote)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, netd)
+binder_call(system_server, wificond)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_configstore)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_offload)
+hal_client_domain(system_server, hal_wifi_supplicant)
+
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ mediametrics
+ sdcardd
+ surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+# XXX Label sysfs files with a specific type?
+allow system_server sysfs:file rw_file_perms;
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_devices_system_cpu:file w_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_app_file)
+
+# Access /vendor/app
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server wificond_service:service_manager find;
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc)
+r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, rootfs)
+r_dir_file(system_server, sysfs_type)
+
+### Rules needed when Light HAL runs inside system_server process.
+### These rules should eventually be granted only when needed.
+allow system_server sysfs_leds:lnk_file read;
+allow system_server sysfs_leds:file rw_file_perms;
+allow system_server sysfs_leds:dir r_dir_perms;
+###
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data except for /data/dalvik-cache files.
+neverallow system_server {
+ data_file_type
+ -dalvikcache_data_file #mapping with PROT_EXEC
+}:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+# This neverallow can be removed after b/34951864 is fixed.
+neverallow system_server system_server:capability sys_resource;
diff --git a/prebuilts/api/27.0/private/technical_debt.cil b/prebuilts/api/27.0/private/technical_debt.cil
new file mode 100644
index 0000000..974f328
--- /dev/null
+++ b/prebuilts/api/27.0/private/technical_debt.cil
@@ -0,0 +1,33 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
diff --git a/prebuilts/api/27.0/private/thermalserviced.te b/prebuilts/api/27.0/private/thermalserviced.te
new file mode 100644
index 0000000..1a09e20
--- /dev/null
+++ b/prebuilts/api/27.0/private/thermalserviced.te
@@ -0,0 +1,4 @@
+typeattribute thermalserviced coredomain;
+
+init_daemon_domain(thermalserviced)
+
diff --git a/prebuilts/api/27.0/private/tombstoned.te b/prebuilts/api/27.0/private/tombstoned.te
new file mode 100644
index 0000000..305f9d0
--- /dev/null
+++ b/prebuilts/api/27.0/private/tombstoned.te
@@ -0,0 +1,3 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/27.0/private/toolbox.te b/prebuilts/api/27.0/private/toolbox.te
new file mode 100644
index 0000000..a2b958d
--- /dev/null
+++ b/prebuilts/api/27.0/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/prebuilts/api/27.0/private/tzdatacheck.te b/prebuilts/api/27.0/private/tzdatacheck.te
new file mode 100644
index 0000000..502735c
--- /dev/null
+++ b/prebuilts/api/27.0/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/27.0/private/ueventd.te b/prebuilts/api/27.0/private/ueventd.te
new file mode 100644
index 0000000..0df587f
--- /dev/null
+++ b/prebuilts/api/27.0/private/ueventd.te
@@ -0,0 +1,4 @@
+typeattribute ueventd coredomain;
+typeattribute ueventd domain_deprecated;
+
+tmpfs_domain(ueventd)
diff --git a/prebuilts/api/27.0/private/uncrypt.te b/prebuilts/api/27.0/private/uncrypt.te
new file mode 100644
index 0000000..fde686b
--- /dev/null
+++ b/prebuilts/api/27.0/private/uncrypt.te
@@ -0,0 +1,4 @@
+typeattribute uncrypt coredomain;
+typeattribute uncrypt domain_deprecated;
+
+init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/27.0/private/untrusted_app.te b/prebuilts/api/27.0/private/untrusted_app.te
new file mode 100644
index 0000000..93a73f1
--- /dev/null
+++ b/prebuilts/api/27.0/private/untrusted_app.te
@@ -0,0 +1,37 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+ accept append bind create getopt ioctl listen lock name_bind
+ relabelfrom relabelto setattr setopt shutdown };
diff --git a/prebuilts/api/27.0/private/untrusted_app_25.te b/prebuilts/api/27.0/private/untrusted_app_25.te
new file mode 100644
index 0000000..3fa79ef
--- /dev/null
+++ b/prebuilts/api/27.0/private/untrusted_app_25.te
@@ -0,0 +1,46 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_25)
+
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/27.0/private/untrusted_app_all.te b/prebuilts/api/27.0/private/untrusted_app_all.te
new file mode 100644
index 0000000..cce589e
--- /dev/null
+++ b/prebuilts/api/27.0/private/untrusted_app_all.te
@@ -0,0 +1,108 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
+
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediacodec_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all surfaceflinger_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow untrusted_app_all perfprofd_data_file:file r_file_perms;
+ allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
+')
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
diff --git a/prebuilts/api/27.0/private/untrusted_v2_app.te b/prebuilts/api/27.0/private/untrusted_v2_app.te
new file mode 100644
index 0000000..7ed3881
--- /dev/null
+++ b/prebuilts/api/27.0/private/untrusted_v2_app.te
@@ -0,0 +1,42 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+typeattribute untrusted_v2_app coredomain;
+
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+allow untrusted_v2_app surfaceflinger_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
diff --git a/prebuilts/api/27.0/private/update_engine.te b/prebuilts/api/27.0/private/update_engine.te
new file mode 100644
index 0000000..f460272
--- /dev/null
+++ b/prebuilts/api/27.0/private/update_engine.te
@@ -0,0 +1,4 @@
+typeattribute update_engine coredomain;
+typeattribute update_engine domain_deprecated;
+
+init_daemon_domain(update_engine);
diff --git a/prebuilts/api/27.0/private/update_engine_common.te b/prebuilts/api/27.0/private/update_engine_common.te
new file mode 100644
index 0000000..a7fb584
--- /dev/null
+++ b/prebuilts/api/27.0/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/27.0/private/update_verifier.te b/prebuilts/api/27.0/private/update_verifier.te
new file mode 100644
index 0000000..1b934d9
--- /dev/null
+++ b/prebuilts/api/27.0/private/update_verifier.te
@@ -0,0 +1,3 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/27.0/private/users b/prebuilts/api/27.0/private/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/prebuilts/api/27.0/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/27.0/private/vdc.te b/prebuilts/api/27.0/private/vdc.te
new file mode 100644
index 0000000..bc7409e
--- /dev/null
+++ b/prebuilts/api/27.0/private/vdc.te
@@ -0,0 +1,3 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
diff --git a/prebuilts/api/27.0/private/virtual_touchpad.te b/prebuilts/api/27.0/private/virtual_touchpad.te
new file mode 100644
index 0000000..e735172
--- /dev/null
+++ b/prebuilts/api/27.0/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/27.0/private/vold.te b/prebuilts/api/27.0/private/vold.te
new file mode 100644
index 0000000..f2416f8
--- /dev/null
+++ b/prebuilts/api/27.0/private/vold.te
@@ -0,0 +1,20 @@
+typeattribute vold coredomain;
+typeattribute vold domain_deprecated;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/27.0/private/vr_hwc.te b/prebuilts/api/27.0/private/vr_hwc.te
new file mode 100644
index 0000000..053c03d
--- /dev/null
+++ b/prebuilts/api/27.0/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/27.0/private/watchdogd.te b/prebuilts/api/27.0/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/prebuilts/api/27.0/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/27.0/private/webview_zygote.te b/prebuilts/api/27.0/private/webview_zygote.te
new file mode 100644
index 0000000..3c5403b
--- /dev/null
+++ b/prebuilts/api/27.0/private/webview_zygote.te
@@ -0,0 +1,120 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# When init launches the WebView zygote's executable, transition the
+# resulting process into webview_zygote domain.
+init_daemon_domain(webview_zygote)
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:capability { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:capability setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for init to exec() us.
+neverallow { domain -init } webview_zygote:process transition;
+neverallow * webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/private/wificond.te b/prebuilts/api/27.0/private/wificond.te
new file mode 100644
index 0000000..cc76447
--- /dev/null
+++ b/prebuilts/api/27.0/private/wificond.te
@@ -0,0 +1,4 @@
+typeattribute wificond coredomain;
+
+init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/27.0/private/zygote.te b/prebuilts/api/27.0/private/zygote.te
new file mode 100644
index 0000000..daabbc0
--- /dev/null
+++ b/prebuilts/api/27.0/private/zygote.te
@@ -0,0 +1,134 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote domain_deprecated;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:capability { dac_override setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:capability setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# When WITH_DEXPREOPT is true, the zygote does not load executable content from
+# /data/dalvik-cache.
+allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote self:capability sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:lnk_file create_file_perms;
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server.
+neverallow zygote ~{ appdomain system_server }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote bluetooth_prop:file create_file_perms;
diff --git a/prebuilts/api/27.0/public/adbd.te b/prebuilts/api/27.0/public/adbd.te
new file mode 100644
index 0000000..95854c0
--- /dev/null
+++ b/prebuilts/api/27.0/public/adbd.te
@@ -0,0 +1,4 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type;
diff --git a/prebuilts/api/27.0/public/asan_extract.te b/prebuilts/api/27.0/public/asan_extract.te
new file mode 100644
index 0000000..15c5a09
--- /dev/null
+++ b/prebuilts/api/27.0/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
+')
diff --git a/prebuilts/api/27.0/public/attributes b/prebuilts/api/27.0/public/attributes
new file mode 100644
index 0000000..fa8a6a6
--- /dev/null
+++ b/prebuilts/api/27.0/public/attributes
@@ -0,0 +1,430 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types use for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps.
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+expandattribute untrusted_app_visible_hwservice false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver;
+expandattribute untrusted_app_visible_halserver false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# HALs
+attribute hal_allocator;
+expandattribute hal_allocator true;
+attribute hal_allocator_client;
+expandattribute hal_allocator_client true;
+attribute hal_allocator_server;
+expandattribute hal_allocator_server false;
+attribute hal_audio;
+expandattribute hal_audio false;
+attribute hal_audio_client;
+expandattribute hal_audio_client true;
+attribute hal_audio_server;
+expandattribute hal_audio_server false;
+attribute hal_bluetooth;
+expandattribute hal_bluetooth true;
+attribute hal_bluetooth_client;
+expandattribute hal_bluetooth_client true;
+attribute hal_bluetooth_server;
+expandattribute hal_bluetooth_server false;
+attribute hal_bootctl;
+expandattribute hal_bootctl false;
+attribute hal_bootctl_client;
+expandattribute hal_bootctl_client true;
+attribute hal_bootctl_server;
+expandattribute hal_bootctl_server false;
+attribute hal_broadcastradio;
+expandattribute hal_broadcastradio true;
+attribute hal_broadcastradio_client;
+expandattribute hal_broadcastradio_client true;
+attribute hal_broadcastradio_server;
+expandattribute hal_broadcastradio_server false;
+attribute hal_camera;
+expandattribute hal_camera false;
+attribute hal_camera_client;
+expandattribute hal_camera_client true;
+attribute hal_camera_server;
+expandattribute hal_camera_server false;
+attribute hal_configstore;
+expandattribute hal_configstore true;
+attribute hal_configstore_client;
+expandattribute hal_configstore_client true;
+attribute hal_configstore_server;
+expandattribute hal_configstore_server false;
+attribute hal_contexthub;
+expandattribute hal_contexthub true;
+attribute hal_contexthub_client;
+expandattribute hal_contexthub_client true;
+attribute hal_contexthub_server;
+expandattribute hal_contexthub_server false;
+attribute hal_drm;
+expandattribute hal_drm false;
+attribute hal_drm_client;
+expandattribute hal_drm_client true;
+attribute hal_drm_server;
+expandattribute hal_drm_server false;
+attribute hal_cas;
+expandattribute hal_cas false;
+attribute hal_cas_client;
+expandattribute hal_cas_client true;
+attribute hal_cas_server;
+expandattribute hal_cas_server false;
+attribute hal_dumpstate;
+expandattribute hal_dumpstate true;
+attribute hal_dumpstate_client;
+expandattribute hal_dumpstate_client true;
+attribute hal_dumpstate_server;
+expandattribute hal_dumpstate_server false;
+attribute hal_fingerprint;
+expandattribute hal_fingerprint true;
+attribute hal_fingerprint_client;
+expandattribute hal_fingerprint_client true;
+attribute hal_fingerprint_server;
+expandattribute hal_fingerprint_server false;
+attribute hal_gatekeeper;
+expandattribute hal_gatekeeper true;
+attribute hal_gatekeeper_client;
+expandattribute hal_gatekeeper_client true;
+attribute hal_gatekeeper_server;
+expandattribute hal_gatekeeper_server false;
+attribute hal_gnss;
+expandattribute hal_gnss true;
+attribute hal_gnss_client;
+expandattribute hal_gnss_client true;
+attribute hal_gnss_server;
+expandattribute hal_gnss_server false;
+attribute hal_graphics_allocator;
+expandattribute hal_graphics_allocator true;
+attribute hal_graphics_allocator_client;
+expandattribute hal_graphics_allocator_client true;
+attribute hal_graphics_allocator_server;
+expandattribute hal_graphics_allocator_server false;
+attribute hal_graphics_composer;
+expandattribute hal_graphics_composer true;
+attribute hal_graphics_composer_client;
+expandattribute hal_graphics_composer_client true;
+attribute hal_graphics_composer_server;
+expandattribute hal_graphics_composer_server false;
+attribute hal_health;
+expandattribute hal_health true;
+attribute hal_health_client;
+expandattribute hal_health_client true;
+attribute hal_health_server;
+expandattribute hal_health_server false;
+attribute hal_ir;
+expandattribute hal_ir true;
+attribute hal_ir_client;
+expandattribute hal_ir_client true;
+attribute hal_ir_server;
+expandattribute hal_ir_server false;
+attribute hal_keymaster;
+expandattribute hal_keymaster true;
+attribute hal_keymaster_client;
+expandattribute hal_keymaster_client true;
+attribute hal_keymaster_server;
+expandattribute hal_keymaster_server false;
+attribute hal_light;
+expandattribute hal_light true;
+attribute hal_light_client;
+expandattribute hal_light_client true;
+attribute hal_light_server;
+expandattribute hal_light_server false;
+attribute hal_memtrack;
+expandattribute hal_memtrack true;
+attribute hal_memtrack_client;
+expandattribute hal_memtrack_client true;
+attribute hal_memtrack_server;
+expandattribute hal_memtrack_server false;
+attribute hal_neuralnetworks;
+expandattribute hal_neuralnetworks true;
+attribute hal_neuralnetworks_client;
+expandattribute hal_neuralnetworks_client true;
+attribute hal_neuralnetworks_server;
+expandattribute hal_neuralnetworks_server false;
+attribute hal_nfc;
+expandattribute hal_nfc true;
+attribute hal_nfc_client;
+expandattribute hal_nfc_client true;
+attribute hal_nfc_server;
+expandattribute hal_nfc_server false;
+attribute hal_oemlock;
+expandattribute hal_oemlock true;
+attribute hal_oemlock_client;
+expandattribute hal_oemlock_client true;
+attribute hal_oemlock_server;
+expandattribute hal_oemlock_server false;
+attribute hal_power;
+expandattribute hal_power true;
+attribute hal_power_client;
+expandattribute hal_power_client true;
+attribute hal_power_server;
+expandattribute hal_power_server false;
+attribute hal_sensors;
+expandattribute hal_sensors true;
+attribute hal_sensors_client;
+expandattribute hal_sensors_client true;
+attribute hal_sensors_server;
+expandattribute hal_sensors_server false;
+attribute hal_telephony;
+expandattribute hal_telephony true;
+attribute hal_telephony_client;
+expandattribute hal_telephony_client true;
+attribute hal_telephony_server;
+expandattribute hal_telephony_server false;
+attribute hal_tetheroffload;
+expandattribute hal_tetheroffload true;
+attribute hal_tetheroffload_client;
+expandattribute hal_tetheroffload_client true;
+attribute hal_tetheroffload_server;
+expandattribute hal_tetheroffload_server false;
+attribute hal_thermal;
+expandattribute hal_thermal true;
+attribute hal_thermal_client;
+expandattribute hal_thermal_client true;
+attribute hal_thermal_server;
+expandattribute hal_thermal_server false;
+attribute hal_tv_cec;
+expandattribute hal_tv_cec true;
+attribute hal_tv_cec_client;
+expandattribute hal_tv_cec_client true;
+attribute hal_tv_cec_server;
+expandattribute hal_tv_cec_server false;
+attribute hal_tv_input;
+expandattribute hal_tv_input true;
+attribute hal_tv_input_client;
+expandattribute hal_tv_input_client true;
+attribute hal_tv_input_server;
+expandattribute hal_tv_input_server false;
+attribute hal_usb;
+expandattribute hal_usb true;
+attribute hal_usb_client;
+expandattribute hal_usb_client true;
+attribute hal_usb_server;
+expandattribute hal_usb_server false;
+attribute hal_vibrator;
+expandattribute hal_vibrator true;
+attribute hal_vibrator_client;
+expandattribute hal_vibrator_client true;
+attribute hal_vibrator_server;
+expandattribute hal_vibrator_server false;
+attribute hal_vr;
+expandattribute hal_vr true;
+attribute hal_vr_client;
+expandattribute hal_vr_client true;
+attribute hal_vr_server;
+expandattribute hal_vr_server false;
+attribute hal_weaver;
+expandattribute hal_weaver true;
+attribute hal_weaver_client;
+expandattribute hal_weaver_client true;
+attribute hal_weaver_server;
+expandattribute hal_weaver_server false;
+attribute hal_wifi;
+expandattribute hal_wifi true;
+attribute hal_wifi_client;
+expandattribute hal_wifi_client true;
+attribute hal_wifi_server;
+expandattribute hal_wifi_server false;
+attribute hal_wifi_offload;
+expandattribute hal_wifi_offload true;
+attribute hal_wifi_offload_client;
+expandattribute hal_wifi_offload_client true;
+attribute hal_wifi_offload_server;
+expandattribute hal_wifi_offload_server false;
+attribute hal_wifi_supplicant;
+expandattribute hal_wifi_supplicant true;
+attribute hal_wifi_supplicant_client;
+expandattribute hal_wifi_supplicant_client true;
+attribute hal_wifi_supplicant_server;
+expandattribute hal_wifi_supplicant_server false;
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute display_service_server;
+attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/27.0/public/audioserver.te b/prebuilts/api/27.0/public/audioserver.te
new file mode 100644
index 0000000..9a72858
--- /dev/null
+++ b/prebuilts/api/27.0/public/audioserver.te
@@ -0,0 +1,2 @@
+# audioserver - audio services daemon
+type audioserver, domain;
diff --git a/prebuilts/api/27.0/public/blkid.te b/prebuilts/api/27.0/public/blkid.te
new file mode 100644
index 0000000..dabe014
--- /dev/null
+++ b/prebuilts/api/27.0/public/blkid.te
@@ -0,0 +1,2 @@
+# blkid called from vold
+type blkid, domain;
diff --git a/prebuilts/api/27.0/public/blkid_untrusted.te b/prebuilts/api/27.0/public/blkid_untrusted.te
new file mode 100644
index 0000000..4be4c0c
--- /dev/null
+++ b/prebuilts/api/27.0/public/blkid_untrusted.te
@@ -0,0 +1,2 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
diff --git a/prebuilts/api/27.0/public/bluetooth.te b/prebuilts/api/27.0/public/bluetooth.te
new file mode 100644
index 0000000..9b3442a
--- /dev/null
+++ b/prebuilts/api/27.0/public/bluetooth.te
@@ -0,0 +1,2 @@
+# bluetooth subsystem
+type bluetooth, domain;
diff --git a/prebuilts/api/27.0/public/bootanim.te b/prebuilts/api/27.0/public/bootanim.te
new file mode 100644
index 0000000..1a265f9
--- /dev/null
+++ b/prebuilts/api/27.0/public/bootanim.te
@@ -0,0 +1,41 @@
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, exec_type, file_type;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+r_dir_file(bootanim, proc)
+allow bootanim proc_meminfo:file r_file_perms;
+r_dir_file(bootanim, sysfs)
+r_dir_file(bootanim, cgroup)
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/bootstat.te b/prebuilts/api/27.0/public/bootstat.te
new file mode 100644
index 0000000..f5c7268
--- /dev/null
+++ b/prebuilts/api/27.0/public/bootstat.te
@@ -0,0 +1,15 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, exec_type, file_type;
+
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+# Read access to pseudo filesystems (for /proc/uptime).
+r_dir_file(bootstat, proc)
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
diff --git a/prebuilts/api/27.0/public/bufferhubd.te b/prebuilts/api/27.0/public/bufferhubd.te
new file mode 100644
index 0000000..274c271
--- /dev/null
+++ b/prebuilts/api/27.0/public/bufferhubd.te
@@ -0,0 +1,20 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/27.0/public/cameraserver.te b/prebuilts/api/27.0/public/cameraserver.te
new file mode 100644
index 0000000..0dd4a80
--- /dev/null
+++ b/prebuilts/api/27.0/public/cameraserver.te
@@ -0,0 +1,49 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, exec_type, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/charger.te b/prebuilts/api/27.0/public/charger.te
new file mode 100644
index 0000000..4b20d1d
--- /dev/null
+++ b/prebuilts/api/27.0/public/charger.te
@@ -0,0 +1,41 @@
+# charger seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type charger, domain;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, sysfs_type)
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+
+allow charger self:capability { sys_tty_config };
+allow charger self:capability sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Write to /sys/power/state
+# TODO: Split into a separate type?
+allow charger sysfs:file write;
+
+allow charger sysfs_batteryinfo:file r_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
diff --git a/prebuilts/api/27.0/public/clatd.te b/prebuilts/api/27.0/public/clatd.te
new file mode 100644
index 0000000..212b76e
--- /dev/null
+++ b/prebuilts/api/27.0/public/clatd.te
@@ -0,0 +1,33 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net)
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:capability { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:capability ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/cppreopts.te b/prebuilts/api/27.0/public/cppreopts.te
new file mode 100644
index 0000000..8cbf801
--- /dev/null
+++ b/prebuilts/api/27.0/public/cppreopts.te
@@ -0,0 +1,22 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/27.0/public/crash_dump.te b/prebuilts/api/27.0/public/crash_dump.te
new file mode 100644
index 0000000..c101b34
--- /dev/null
+++ b/prebuilts/api/27.0/public/crash_dump.te
@@ -0,0 +1,63 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+allow crash_dump {
+ domain
+ -init
+ -crash_dump
+ -keystore
+ -logd
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:capability { sys_ptrace };
+
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Write to the IPC pipe inherited from crashing processes.
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { write append };
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/device.te b/prebuilts/api/27.0/public/device.te
new file mode 100644
index 0000000..475948d
--- /dev/null
+++ b/prebuilts/api/27.0/public/device.te
@@ -0,0 +1,103 @@
+# Device types
+type device, dev_type, fs_type;
+type alarm_device, dev_type, mlstrustedobject;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type audio_timer_device, dev_type;
+type audio_seq_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type fscklogs, dev_type;
+type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type port_device, dev_type;
+type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type i2c_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
+# boot block device.
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;
diff --git a/prebuilts/api/27.0/public/dex2oat.te b/prebuilts/api/27.0/public/dex2oat.te
new file mode 100644
index 0000000..47f3bcb
--- /dev/null
+++ b/prebuilts/api/27.0/public/dex2oat.te
@@ -0,0 +1,66 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
+
+allow dex2oat tmpfs:file { read getattr };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat app_data_file:file { getattr read write lock };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file read;
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/27.0/public/dhcp.te b/prebuilts/api/27.0/public/dhcp.te
new file mode 100644
index 0000000..2b54b7f
--- /dev/null
+++ b/prebuilts/api/27.0/public/dhcp.te
@@ -0,0 +1,30 @@
+type dhcp, domain;
+type dhcp_exec, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/27.0/public/display_service_server.te b/prebuilts/api/27.0/public/display_service_server.te
new file mode 100644
index 0000000..c5839fa
--- /dev/null
+++ b/prebuilts/api/27.0/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/27.0/public/dnsmasq.te b/prebuilts/api/27.0/public/dnsmasq.te
new file mode 100644
index 0000000..ccac69a
--- /dev/null
+++ b/prebuilts/api/27.0/public/dnsmasq.te
@@ -0,0 +1,25 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:capability dac_override;
+
+allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
new file mode 100644
index 0000000..f5c72cc
--- /dev/null
+++ b/prebuilts/api/27.0/public/domain.te
@@ -0,0 +1,1021 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+ # Same as adbd rules above, except allow su to do the same thing
+ allow domain su:unix_stream_socket connectto;
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+ allow { domain -init } su:binder { call transfer };
+ allow { domain -init } su:fd use;
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
+')
+
+# Root fs.
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+get_prop(domain, core_property_type)
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# System file accesses.
+allow domain system_file:dir { search getattr };
+allow domain system_file:file { execute read open getattr map };
+allow domain system_file:lnk_file { getattr read };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+ # Allow all domains to be able to follow /system/vendor symlink
+ allow domain vendor_file:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
+ allow domain vendor_file:dir { getattr search };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
+r_dir_file(domain, zoneinfo_data_file)
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# files under /data.
+not_full_treble(`allow domain system_data_file:dir getattr;')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to a whitelist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this whitelist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default whitelist for unix sockets.
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
+###
+### neverallow rules
+###
+
+# All socket ioctls must be restricted to a whitelist.
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init or recovery to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these whitelisted domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:capability mknod;
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+} self:capability sys_rawio;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:capability2 mac_override;
+
+# Only recovery needs mac_admin to set contexts not defined in current policy.
+neverallow { domain -recovery } self:capability2 mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+ domain
+ -init
+ -shell # For CTS and is restricted to getattr in shell.te
+ -system_server
+ -ueventd
+} hw_random_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow {
+ domain
+ -shell # For CTS and is restricted to getattr in shell.te
+ -ueventd # Further restricted in ueventd.te
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+ domain
+ -shell # Shell user should not have any abilities outside of getattr
+ -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init } proc_security:file { append open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few whitelisted domains.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -dumpstate
+ -shell
+ userdebug_or_eng(`-su')
+ -webview_zygote
+ -zygote
+} {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Only recovery should be doing writes to /system & /vendor
+neverallow {
+ domain
+ -recovery
+ with_asan(`-asan_extract')
+} {
+ system_file
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow { domain -recovery } contextmount_type:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init } default_prop:property_service set;
+neverallow { domain -init } mmc_prop:property_service set;
+
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -hal_drm
+ -hal_cas
+ -init
+ -mediadrmserver
+ -recovery
+ -shell
+ -system_server
+} serialno_prop:file r_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -system_server
+ -shell # Shell is further restricted in shell.te
+ -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
+ { append link rename write open read ioctl lock };
+
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -hal_bootctl
+ -init
+ -uncrypt
+ -update_engine
+ -vold
+ -recovery
+ -ueventd
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } binder_device:chr_file rw_file_perms;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -keystore_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -surfaceflinger_service
+ -virtual_touchpad_service
+ -vr_hwc_service
+ -vr_manager_service
+ }:service_manager find;
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } servicemanager:binder { call transfer };
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -socket_between_core_and_vendor_violators
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -pdx_endpoint_socket_type # used by VR layer
+ -pdx_channel_socket_type # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:{ file lnk_file } r_file_perms;
+
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -zygote
+ } vendor_overlay_file:dir { getattr open read search };
+
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -zygote
+ } vendor_overlay_file:{ file lnk_file } r_file_perms;
+
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ } vendor_shell_exec:file { execute execute_no_trans };
+
+ # Do not allow vendor components to execute files from system
+ # except for the ones whitelist here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -rild
+ -vendor_executes_system_violators
+ } {
+ exec_type
+ -vendor_file_type
+ -crash_dump_exec
+ -netutils_wrapper_exec
+ }:file { entrypoint execute execute_no_trans };
+')
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+ -dumpstate
+ -system_server
+
+ # Processes that can't exec crash_dump
+ -mediacodec
+ -mediaextractor
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+ file_type
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+neverallow { domain -untrusted_app_all } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+
+# Services should respect app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -webview_zygote -zygote } {
+ appdomain -shell userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -uncrypt # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-whitelisted domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:file open;
+
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time or
+# during upgrade by recovery.
+neverallow {
+ domain
+ -recovery
+} self:capability setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
diff --git a/prebuilts/api/27.0/public/drmserver.te b/prebuilts/api/27.0/public/drmserver.te
new file mode 100644
index 0000000..f752c13
--- /dev/null
+++ b/prebuilts/api/27.0/public/drmserver.te
@@ -0,0 +1,58 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr };
+allow drmserver asec_apk_file:file { read getattr };
+allow drmserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/27.0/public/dumpstate.te b/prebuilts/api/27.0/public/dumpstate.te
new file mode 100644
index 0000000..f6d6a0a
--- /dev/null
+++ b/prebuilts/api/27.0/public/dumpstate.te
@@ -0,0 +1,250 @@
+# dumpstate
+type dumpstate, domain, mlstrustedsubject;
+type dumpstate_exec, exec_type, file_type;
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:capability { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:capability {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Read dmesg
+allow dumpstate self:capability2 syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumpstate/utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ sdcardd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# TODO: added to match above sysfs rule. Remove me?
+allow dumpstate sysfs_usb:file w_file_perms;
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain netd wificond })
+
+hal_client_domain(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+# For passthrough mode:
+allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:capability sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate proc_meminfo:file r_file_perms;
+allow dumpstate proc_net:file r_file_perms;
+r_dir_file(dumpstate, proc)
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+userdebug_or_eng(`
+ allow dumpstate misc_logd_file:dir r_dir_perms;
+ allow dumpstate misc_logd_file:file r_file_perms;
+')
+
+allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Read device's serial number from system properties
+get_prop(dumpstate, serialno_prop)
+
+# Read state of logging-related properties
+get_prop(dumpstate, device_logging_prop)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# read default labeled files in /sys
+r_dir_file(dumpstate, sysfs)
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+# Allow dumpstate to read backlight details
+allow dumpstate sysfs_leds:lnk_file r_file_perms;
+allow dumpstate sysfs_leds:file r_file_perms;
+allow dumpstate sysfs_leds:dir search;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate and shell can find the dumpstate service
+neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
+
+# Dumpstate should not be writing to any generically labeled sysfs files.
+# Create a specific label for the file type
+neverallow dumpstate sysfs:file no_w_file_perms;
diff --git a/prebuilts/api/27.0/public/e2fs.te b/prebuilts/api/27.0/public/e2fs.te
new file mode 100644
index 0000000..30a815a
--- /dev/null
+++ b/prebuilts/api/27.0/public/e2fs.te
@@ -0,0 +1,15 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, exec_type, file_type;
+
+allow e2fs block_device:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+
+# access /proc/filesystems
+allow e2fs proc:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access sselinux context files
+allow e2fs file_contexts_file:file { getattr open read };
diff --git a/prebuilts/api/27.0/public/ephemeral_app.te b/prebuilts/api/27.0/public/ephemeral_app.te
new file mode 100644
index 0000000..dc39a22
--- /dev/null
+++ b/prebuilts/api/27.0/public/ephemeral_app.te
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/prebuilts/api/27.0/public/file.te b/prebuilts/api/27.0/public/file.te
new file mode 100644
index 0000000..bcdc461
--- /dev/null
+++ b/prebuilts/api/27.0/public/file.te
@@ -0,0 +1,347 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type;
+type proc_drop_caches, fs_type;
+type proc_overcommit_memory, fs_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type qtaguid_proc, fs_type, mlstrustedobject;
+type proc_bluetooth_writable, fs_type;
+type proc_cpuinfo, fs_type;
+type proc_interrupts, fs_type;
+type proc_iomem, fs_type;
+type proc_meminfo, fs_type;
+type proc_misc, fs_type;
+type proc_modules, fs_type;
+type proc_net, fs_type;
+type proc_perf, fs_type;
+type proc_stat, fs_type;
+type proc_sysrq, fs_type;
+type proc_timer, fs_type;
+type proc_tty_drivers, fs_type;
+type proc_uid_cputime_showstat, fs_type;
+type proc_uid_cputime_removeuid, fs_type;
+type proc_uid_io_stats, fs_type;
+type proc_uid_procstat_set, fs_type;
+type proc_uid_time_in_state, fs_type;
+type proc_zoneinfo, fs_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type cgroup, fs_type, mlstrustedobject;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type configfs, fs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, debugfs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type;
+type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, exec_type, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type reboot_data_file, file_type, data_file_type, core_data_file_type;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, data_file_type, mlstrustedobject;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, data_file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type, data_file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type, data_file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type, data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
+# property_contexts file
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/27.0/public/fingerprintd.te b/prebuilts/api/27.0/public/fingerprintd.te
new file mode 100644
index 0000000..5dd18a3
--- /dev/null
+++ b/prebuilts/api/27.0/public/fingerprintd.te
@@ -0,0 +1,28 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+r_dir_file(fingerprintd, cgroup)
+r_dir_file(fingerprintd, sysfs_type)
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/fsck.te b/prebuilts/api/27.0/public/fsck.te
new file mode 100644
index 0000000..b682a87
--- /dev/null
+++ b/prebuilts/api/27.0/public/fsck.te
@@ -0,0 +1,55 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+r_dir_file(fsck, proc)
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/fsck_untrusted.te b/prebuilts/api/27.0/public/fsck_untrusted.te
new file mode 100644
index 0000000..e2aceb8
--- /dev/null
+++ b/prebuilts/api/27.0/public/fsck_untrusted.te
@@ -0,0 +1,49 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+r_dir_file(fsck_untrusted, proc)
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/gatekeeperd.te b/prebuilts/api/27.0/public/gatekeeperd.te
new file mode 100644
index 0000000..2fc3627
--- /dev/null
+++ b/prebuilts/api/27.0/public/gatekeeperd.te
@@ -0,0 +1,39 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/27.0/public/global_macros b/prebuilts/api/27.0/public/global_macros
new file mode 100644
index 0000000..bcfb686
--- /dev/null
+++ b/prebuilts/api/27.0/public/global_macros
@@ -0,0 +1,48 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/27.0/public/hal_allocator.te b/prebuilts/api/27.0/public/hal_allocator.te
new file mode 100644
index 0000000..646cebd
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_audio.te b/prebuilts/api/27.0/public/hal_audio.te
new file mode 100644
index 0000000..33330bf
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_audio.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+userdebug_or_eng(`
+ # used for pcm capture for debug.
+ allow hal_audio audiohal_data_file:dir create_dir_perms;
+ allow hal_audio audiohal_data_file:file create_file_perms;
+')
+
+r_dir_file(hal_audio, proc)
+allow hal_audio audio_device:dir r_dir_perms;
+allow hal_audio audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access.
+# Disallow network sockets.
+neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
diff --git a/prebuilts/api/27.0/public/hal_bluetooth.te b/prebuilts/api/27.0/public/hal_bluetooth.te
new file mode 100644
index 0000000..2394e2e
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_bluetooth.te
@@ -0,0 +1,30 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:capability net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:capability2 wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_bootctl.te b/prebuilts/api/27.0/public/hal_bootctl.te
new file mode 100644
index 0000000..8b240b1
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_bootctl.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_broadcastradio.te b/prebuilts/api/27.0/public/hal_broadcastradio.te
new file mode 100644
index 0000000..24d4908
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+
+add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
+allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_camera.te b/prebuilts/api/27.0/public/hal_camera.te
new file mode 100644
index 0000000..413a057
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_camera.te
@@ -0,0 +1,36 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/27.0/public/hal_cas.te b/prebuilts/api/27.0/public/hal_cas.te
new file mode 100644
index 0000000..fd5d63b
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_cas.te
@@ -0,0 +1,37 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:dir { search getattr };
+allow hal_cas system_data_file:file { getattr read };
+allow hal_cas system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/hal_configstore.te b/prebuilts/api/27.0/public/hal_configstore.te
new file mode 100644
index 0000000..d5f2ef6
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_configstore.te
@@ -0,0 +1,64 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+ -tombstoned
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -anr_data_file # for crash dump collection
+ -tombstone_data_file # for crash dump collection
+ -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/27.0/public/hal_contexthub.te b/prebuilts/api/27.0/public/hal_contexthub.te
new file mode 100644
index 0000000..f11bfc8
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_contexthub.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_drm.te b/prebuilts/api/27.0/public/hal_drm.te
new file mode 100644
index 0000000..5a6bf5c
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_drm.te
@@ -0,0 +1,60 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:dir { search getattr };
+allow hal_drm system_data_file:file { getattr read };
+allow hal_drm system_data_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+# Allow access to app_data and media_data_files
+allow hal_drm media_data_file:dir create_dir_perms;
+allow hal_drm media_data_file:file create_file_perms;
+allow hal_drm media_data_file:file { getattr read };
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/hal_dumpstate.te b/prebuilts/api/27.0/public/hal_dumpstate.te
new file mode 100644
index 0000000..2853567
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_dumpstate.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_fingerprint.te b/prebuilts/api/27.0/public/hal_fingerprint.te
new file mode 100644
index 0000000..bef9f55
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_fingerprint.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
diff --git a/prebuilts/api/27.0/public/hal_gatekeeper.te b/prebuilts/api/27.0/public/hal_gatekeeper.te
new file mode 100644
index 0000000..123acf5
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_gatekeeper.te
@@ -0,0 +1,8 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_gnss.te b/prebuilts/api/27.0/public/hal_gnss.te
new file mode 100644
index 0000000..b59cd1d
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_gnss.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_graphics_allocator.te b/prebuilts/api/27.0/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..f56e8f6
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_graphics_allocator.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_graphics_composer.te b/prebuilts/api/27.0/public/hal_graphics_composer.te
new file mode 100644
index 0000000..287037c
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_graphics_composer.te
@@ -0,0 +1,26 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_health.te b/prebuilts/api/27.0/public/hal_health.te
new file mode 100644
index 0000000..c19c5f1
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_health.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_health, system_file)
diff --git a/prebuilts/api/27.0/public/hal_ir.te b/prebuilts/api/27.0/public/hal_ir.te
new file mode 100644
index 0000000..b1bfdd8
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_ir.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_keymaster.te b/prebuilts/api/27.0/public/hal_keymaster.te
new file mode 100644
index 0000000..dc5f6d0
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_keymaster.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_light.te b/prebuilts/api/27.0/public/hal_light.te
new file mode 100644
index 0000000..5b93dd1
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_light.te
@@ -0,0 +1,10 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/hal_memtrack.te b/prebuilts/api/27.0/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_neuralnetworks.te b/prebuilts/api/27.0/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..c697ac2
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_neuralnetworks.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/prebuilts/api/27.0/public/hal_neverallows.te b/prebuilts/api/27.0/public/hal_neverallows.te
new file mode 100644
index 0000000..036e1d2
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_neverallows.te
@@ -0,0 +1,52 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+ halserverdomain
+ -hal_bluetooth_server
+ -hal_wifi_server
+ -hal_wifi_supplicant_server
+ -rild
+} self:capability { net_admin net_raw };
+
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
+neverallow {
+ halserverdomain
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_supplicant_server
+ -rild
+} domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+# the platform.
+# 3) The platform cannot reason about defense in depth if there are
+# monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+ halserverdomain
+ -hal_dumpstate_server
+ -rild
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/27.0/public/hal_nfc.te b/prebuilts/api/27.0/public/hal_nfc.te
new file mode 100644
index 0000000..a027c48
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_nfc.te
@@ -0,0 +1,16 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow hal_nfc nfc_data_file:dir create_dir_perms;
+allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_oemlock.te b/prebuilts/api/27.0/public/hal_oemlock.te
new file mode 100644
index 0000000..3fb5a18
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_oemlock.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_power.te b/prebuilts/api/27.0/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_sensors.te b/prebuilts/api/27.0/public/hal_sensors.te
new file mode 100644
index 0000000..068c93b
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_sensors.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:capability sys_nice;
diff --git a/prebuilts/api/27.0/public/hal_telephony.te b/prebuilts/api/27.0/public/hal_telephony.te
new file mode 100644
index 0000000..41cfd4b
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_telephony.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
diff --git a/prebuilts/api/27.0/public/hal_tetheroffload.te b/prebuilts/api/27.0/public/hal_tetheroffload.te
new file mode 100644
index 0000000..48d67a2
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_tetheroffload.te
@@ -0,0 +1,8 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/27.0/public/hal_thermal.te b/prebuilts/api/27.0/public/hal_thermal.te
new file mode 100644
index 0000000..b1764f1
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_thermal.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_tv_cec.te b/prebuilts/api/27.0/public/hal_tv_cec.te
new file mode 100644
index 0000000..7719cae
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_tv_cec.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_tv_input.te b/prebuilts/api/27.0/public/hal_tv_input.te
new file mode 100644
index 0000000..31a0067
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_tv_input.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_usb.te b/prebuilts/api/27.0/public/hal_usb.te
new file mode 100644
index 0000000..9cfd516
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
diff --git a/prebuilts/api/27.0/public/hal_vibrator.te b/prebuilts/api/27.0/public/hal_vibrator.te
new file mode 100644
index 0000000..c8612d7
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_vibrator.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/hal_vr.te b/prebuilts/api/27.0/public/hal_vr.te
new file mode 100644
index 0000000..3cb392d
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_vr.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_weaver.te b/prebuilts/api/27.0/public/hal_weaver.te
new file mode 100644
index 0000000..b80ba29
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_weaver.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/27.0/public/hal_wifi.te b/prebuilts/api/27.0/public/hal_wifi.te
new file mode 100644
index 0000000..a01805d
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_wifi.te
@@ -0,0 +1,25 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi, wifi_prop)
+
+# allow hal wifi set interfaces up and down
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
+
+allow hal_wifi self:capability { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
diff --git a/prebuilts/api/27.0/public/hal_wifi_offload.te b/prebuilts/api/27.0/public/hal_wifi_offload.te
new file mode 100644
index 0000000..dc0cf5a
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_wifi_offload.te
@@ -0,0 +1,9 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..0f2540e
--- /dev/null
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -0,0 +1,41 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
+
+# Create a socket for receiving info from wpa
+allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
+allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
+
+# Allow wpa_cli to work. wpa_cli creates a socket in
+# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
+userdebug_or_eng(`
+ unix_socket_send(hal_wifi_supplicant, wpa, su)
+')
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/27.0/public/healthd.te b/prebuilts/api/27.0/public/healthd.te
new file mode 100644
index 0000000..c0a7bec
--- /dev/null
+++ b/prebuilts/api/27.0/public/healthd.te
@@ -0,0 +1,63 @@
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(healthd, sysfs_type)
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
+
+# Read access to system files for passthrough HALs in
+# /{system,vendor,odm}/lib[64]/hw/
+r_dir_file(healthd, system_file)
+
+allow healthd self:capability { sys_tty_config };
+allow healthd self:capability sys_boot;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(healthd)
+
+binder_use(healthd)
+binder_service(healthd)
+binder_call(healthd, system_server)
+hal_client_domain(healthd, hal_health)
+
+# Write to state file.
+# TODO: Split into a separate type?
+allow healthd sysfs:file write;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
+allow healthd sysfs_batteryinfo:file r_file_perms;
+
+r_dir_file(healthd, sysfs_type)
+
+###
+### healthd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
+allow healthd graphics_device:dir r_dir_perms;
+allow healthd graphics_device:chr_file rw_file_perms;
+allow healthd input_device:dir r_dir_perms;
+allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
+allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
+allow healthd proc_sysrq:file rw_file_perms;
+
+add_service(healthd, batteryproperties_service)
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
diff --git a/prebuilts/api/27.0/public/hwservice.te b/prebuilts/api/27.0/public/hwservice.te
new file mode 100644
index 0000000..97b9b8d
--- /dev/null
+++ b/prebuilts/api/27.0/public/hwservice.te
@@ -0,0 +1,52 @@
+type default_android_hwservice, hwservice_manager_type;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_broadcastradio_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/prebuilts/api/27.0/public/hwservicemanager.te b/prebuilts/api/27.0/public/hwservicemanager.te
new file mode 100644
index 0000000..1ffd2a6
--- /dev/null
+++ b/prebuilts/api/27.0/public/hwservicemanager.te
@@ -0,0 +1,22 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+set_prop(hwservicemanager, hwservicemanager_prop)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/27.0/public/idmap.te b/prebuilts/api/27.0/public/idmap.te
new file mode 100644
index 0000000..1c32f8f
--- /dev/null
+++ b/prebuilts/api/27.0/public/idmap.te
@@ -0,0 +1,17 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/27.0/public/incident.te b/prebuilts/api/27.0/public/incident.te
new file mode 100644
index 0000000..ce57bf6
--- /dev/null
+++ b/prebuilts/api/27.0/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/prebuilts/api/27.0/public/incidentd.te b/prebuilts/api/27.0/public/incidentd.te
new file mode 100644
index 0000000..b03249c
--- /dev/null
+++ b/prebuilts/api/27.0/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/prebuilts/api/27.0/public/init.te b/prebuilts/api/27.0/public/init.te
new file mode 100644
index 0000000..e6162a9
--- /dev/null
+++ b/prebuilts/api/27.0/public/init.te
@@ -0,0 +1,434 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { write relabelto };
+')
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/random, /dev/urandom
+allow init random_device:chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init system_block_device:{ blk_file lnk_file } relabelto;
+
+# setrlimit
+allow init self:capability sys_resource;
+
+# Remove /dev/.booting, created before initial policy load or restorecon /dev.
+allow init tmpfs:file unlink;
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:capability sys_admin;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+r_dir_file(init, cgroup)
+allow init cpuctl_device:dir { create mounton };
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:capability dac_override;
+
+# Set system clock.
+allow init self:capability sys_time;
+
+allow init self:capability { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init fs_type:filesystem ~relabelto;
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:capability { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -runtime_event_log_tags_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
+auditallow init {
+ dev_type
+ -alarm_device
+ -ashmem_device
+ -binder_device
+ -console_device
+ -device
+ -devpts
+ -dm_device
+ -hwbinder_device
+ -hw_random_device
+ -keychord_device
+ -kmem_device
+ -kmsg_device
+ -null_device
+ -owntty_device
+ -port_device
+ -ptmx_device
+ -random_device
+ -zero_device
+}:chr_file { read open };
+
+# chown/chmod on devices.
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:capability2 syslog;
+
+# Set usermodehelpers and /proc security settings.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+allow init proc_security:file rw_file_perms;
+
+# Write to /proc/sys/kernel/panic_on_oops.
+r_dir_file(init, proc)
+allow init proc:file w_file_perms;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(init, proc_net)
+allow init proc_net:file w_file_perms;
+allow init self:capability net_admin;
+
+# Write to /proc/sysrq-trigger.
+allow init proc_sysrq:file w_file_perms;
+
+# Read /proc/stat for bootchart.
+allow init proc_stat:file r_file_perms;
+
+# Reboot.
+allow init self:capability sys_boot;
+
+# Write to sysfs nodes.
+allow init sysfs_type:dir r_dir_perms;
+allow init sysfs_type:lnk_file read;
+allow init sysfs_type:file rw_file_perms;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:capability kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:capability { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:capability audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:capability net_raw;
+
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord configuration
+allow init self:capability sys_tty_config;
+allow init keychord_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Allow init to write to /proc/sys/vm/overcommit_memory
+allow init proc_overcommit_memory:file { write };
+
+unix_socket_connect(init, vold, vold)
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+allow init proc_meminfo:file r_file_perms;
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/27.0/public/inputflinger.te b/prebuilts/api/27.0/public/inputflinger.te
new file mode 100644
index 0000000..e5f12a0
--- /dev/null
+++ b/prebuilts/api/27.0/public/inputflinger.te
@@ -0,0 +1,16 @@
+# inputflinger
+type inputflinger, domain;
+type inputflinger_exec, exec_type, file_type;
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+add_service(inputflinger, inputflinger_service)
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/27.0/public/install_recovery.te b/prebuilts/api/27.0/public/install_recovery.te
new file mode 100644
index 0000000..2115663
--- /dev/null
+++ b/prebuilts/api/27.0/public/install_recovery.te
@@ -0,0 +1,27 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+allow install_recovery self:capability dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
+
+allow install_recovery toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow install_recovery block_device:dir search;
+allow install_recovery boot_block_device:blk_file r_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/27.0/public/installd.te b/prebuilts/api/27.0/public/installd.te
new file mode 100644
index 0000000..939a481
--- /dev/null
+++ b/prebuilts/api/27.0/public/installd.te
@@ -0,0 +1,159 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd cgroup:{ file lnk_file } create_file_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+allow installd system_data_file:lnk_file { create setattr unlink };
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/.layout_version.* file
+allow installd install_data_file:file create_file_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+# Types extracted from seapp_contexts type= fields.
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/27.0/public/ioctl_defines b/prebuilts/api/27.0/public/ioctl_defines
new file mode 100644
index 0000000..a1cd0b9
--- /dev/null
+++ b/prebuilts/api/27.0/public/ioctl_defines
@@ -0,0 +1,2694 @@
+define(`FIBMAP', `0x00000001')
+define(`FIGETBSZ', `0x00000002')
+define(`FDCLRPRM', `0x00000241')
+define(`FDMSGON', `0x00000245')
+define(`FDMSGOFF', `0x00000246')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDRESET', `0x00000254')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDRAWCMD', `0x00000258')
+define(`FDTWADDLE', `0x00000259')
+define(`FDEJECT', `0x0000025a')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`RAID_AUTORUN', `0x00000914')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`SET_DISK_INFO', `0x00000924')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROGET', `0x0000125e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKRASET', `0x00001262')
+define(`BLKRAGET', `0x00001263')
+define(`BLKFRASET', `0x00001264')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKPG', `0x00001269')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKZEROOUT', `0x0000127f')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_IO', `0x00002285')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KDMKTONE', `0x00004b30')
+define(`KDGETLED', `0x00004b31')
+define(`KDSETLED', `0x00004b32')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDENABIO', `0x00004b36')
+define(`KDDISABIO', `0x00004b37')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDGKBENT', `0x00004b46')
+define(`KDSKBENT', `0x00004b47')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDKBDREP', `0x00004b52')
+define(`GIO_FONT', `0x00004b60')
+define(`PIO_FONT', `0x00004b61')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDGKBLED', `0x00004b64')
+define(`KDSKBLED', `0x00004b65')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`GIO_FONTX', `0x00004b6b')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`GIO_CMAP', `0x00004b70')
+define(`PIO_CMAP', `0x00004b71')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`MTDFILEMODE', `0x00004d13')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`DVD_AUTH', `0x00005392')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`TCSETS', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`TCSETSW', `0x00005403')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`TCSETSF', `0x00005404')
+define(`TCGETA', `0x00005405')
+define(`TCSETA', `0x00005406')
+define(`TCSETAW', `0x00005407')
+define(`TCSETAF', `0x00005408')
+define(`TCSBRK', `0x00005409')
+define(`TCXONC', `0x0000540a')
+define(`TCFLSH', `0x0000540b')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCSCTTY', `0x0000540e')
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCSTI', `0x00005412')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCPKT', `0x00005420')
+define(`FIONBIO', `0x00005421')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCGETD', `0x00005424')
+define(`TCSBRKP', `0x00005425')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCSRS485', `0x0000542f')
+define(`TCGETX', `0x00005432')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TIOCVHANGUP', `0x00005437')
+define(`FIONCLEX', `0x00005450')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOASYNC', `0x00005452')
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`FIOQSIZE', `0x00005460')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`VT_OPENQRY', `0x00005600')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`CHIOINITELEM', `0x00006311')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_DPI', `0x00006805')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`CA_RESET', `0x00006f80')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_UIE_ON', `0x00007003')
+define(`PHN_NOT_OH', `0x00007004')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_VL_CLR', `0x00007014')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`PPCLAIM', `0x0000708b')
+define(`PPRELEASE', `0x0000708c')
+define(`PPYIELD', `0x0000708d')
+define(`PPEXCL', `0x0000708f')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`BR_OK', `0x00007201')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`FIOSETOWN', `0x00008901')
+define(`SIOCSPGRP', `0x00008902')
+define(`FIOGETOWN', `0x00008903')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWDATA', `0x40017086')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`PPFCONTROL', `0x4002708e')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSIG', `0x40045436')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_ACQUIRE', `0x40046305')
+define(`CHIOSPICKER', `0x40046305')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_DECREFS', `0x40046307')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`UBI_IOCDET', `0x40046f41')
+define(`PPSETMODE', `0x40047080')
+define(`PPDATADIR', `0x40047090')
+define(`PPNEGOT', `0x40047091')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`BLKBSZSET', `0x40081271')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`EVIOCSREP', `0x40084503')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`MEMERASE', `0x40084d02')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`RNDADDENTROPY', `0x40085203')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`CM_IOCSPTS', `0x40086302')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`MTIOCTOP', `0x40086d01')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`CA_SET_PID', `0x40086f87')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREG', `0x40087006')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`SPIOCSTYPE', `0x40087101')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_RING_START', `0x40087187')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`IOW_WRITE', `0x4008c001')
+define(`IOW_READ', `0x4008c002')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`FDFMTTRK', `0x400c0248')
+define(`RUN_ARRAY', `0x400c0930')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`CHIOPOSITION', `0x400c6303')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`I2OEVTREG', `0x400c690a')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MEMERASE64', `0x40104d14')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`HE_GET_REG', `0x40106160')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
+define(`ENI_SETMULT', `0x40106167')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`CHIOGSTATUS', `0x40106308')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`HSC_SET_TX', `0x40106b15')
+define(`HSC_GET_TX', `0x40106b16')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`PPSETTIME', `0x40107096')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`ADD_NEW_DISK', `0x40140921')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`CHIOMOVE', `0x40146301')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`UBI_IOCATT', `0x40186f40')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`FDSETPRM', `0x40200242')
+define(`FDDEFPRM', `0x40200243')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`RTC_PLL_SET', `0x40207012')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`JSIOCSCORR', `0x40246a21')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`PHN_SETREGS', `0x40287008')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETSF2', `0x402c542d')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`EVIOCSFF', `0x40304580')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BC_REPLY', `0x40406301')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`CHIOGELEM', `0x406c6310')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`FDSETDRVPRM', `0x40800290')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`PPRSTATUS', `0x80017081')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`EVIOCGVERSION', `0x80044501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIINQUIRY', `0x800448f0')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`IMADDTIMER', `0x80044940')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETVERSION', `0x80044942')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMHOLD_L1', `0x80044948')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`OTPSELECT', `0x80044d0d')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`RNDGETENTCNT', `0x80045200')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGEXCL', `0x80045440')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`CHIOGPICKER', `0x80046304')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`I2OVALIDATE', `0x80046908')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`RTC_VL_READ', `0x80047013')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`BR_ERROR', `0x80047200')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKGETSIZE64', `0x80081272')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`AGPIOC_INFO', `0x80084100')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MEMISLOCKED', `0x80084d17')
+define(`RNDGETPOOL', `0x80085202')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`RAID_VERSION', `0x800c0910')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`OTPLOCK', `0x800c4d10')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`ECCGETSTATS', `0x80104d12')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`TUNGETFILTER', `0x801054db')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`CA_GET_CAP', `0x80106f81')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`PPGETTIME', `0x80107095')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_DECREFS', `0x8010720a')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`GET_DISK_INFO', `0x80140912')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`CHIOGPARAMS', `0x80146306')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`IMSETDEVNAME', `0x80184947')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`HPET_INFO', `0x80186803')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`FDGETPRM', `0x80200204')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`MEMGETINFO', `0x80204d01')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`I2OGETIOPS', `0x80206900')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`RTC_PLL_GET', `0x80207011')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`JSIOCGCORR', `0x80246a22')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_RD_TIME', `0x80247009')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDWERRORGET', `0x80280217')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`IOW_GETINFO', `0x8028c003')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`TCGETS2', `0x802c542a')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MTIOCGET', `0x80306d02')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_REPLY', `0x80407203')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`I2OEVTGET', `0x8068690b')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`FDGETDRVPRM', `0x80800211')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`FIFREEZE', `0xc0045877')
+define(`FITHAW', `0xc0045878')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`BINDER_VERSION', `0xc0046209')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`TOSH_SMM', `0xc0047490')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREG', `0xc0087005')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`FITRIM', `0xc0185879')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OLCTGET', `0xc0186902')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPARMGET', `0xc0286904')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`PHN_GETREGS', `0xc0287007')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`MEMWRITE', `0xc0304d18')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OHTML', `0xc0306909')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`DM_VERSION', `0xc138fd00')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCGIFNAME', `0x7488')
diff --git a/prebuilts/api/27.0/public/ioctl_macros b/prebuilts/api/27.0/public/ioctl_macros
new file mode 100644
index 0000000..f7081d5
--- /dev/null
+++ b/prebuilts/api/27.0/public/ioctl_macros
@@ -0,0 +1,68 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
+ TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
diff --git a/prebuilts/api/27.0/public/isolated_app.te b/prebuilts/api/27.0/public/isolated_app.te
new file mode 100644
index 0000000..a907dac
--- /dev/null
+++ b/prebuilts/api/27.0/public/isolated_app.te
@@ -0,0 +1,9 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+type isolated_app, domain;
diff --git a/prebuilts/api/27.0/public/kernel.te b/prebuilts/api/27.0/public/kernel.te
new file mode 100644
index 0000000..7f5d224
--- /dev/null
+++ b/prebuilts/api/27.0/public/kernel.te
@@ -0,0 +1,104 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
+
+allow kernel self:capability sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+r_dir_file(kernel, proc)
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:capability sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:capability sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel sdcard_type:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel app_data_file:file read;
+allow kernel asec_image_file:file read;
+
+# Allow reading loop device in update_engine_unittests. (b/28319454)
+userdebug_or_eng(`
+ allow kernel update_engine_data_file:file read;
+ allow kernel nativetest_data_file:file read;
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper. In this case, define a domain
+# for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+# and is then trying to exec a shell or other program. You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:capability { dac_override dac_read_search };
diff --git a/prebuilts/api/27.0/public/keystore.te b/prebuilts/api/27.0/public/keystore.te
new file mode 100644
index 0000000..ee5e675
--- /dev/null
+++ b/prebuilts/api/27.0/public/keystore.te
@@ -0,0 +1,34 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/27.0/public/lmkd.te b/prebuilts/api/27.0/public/lmkd.te
new file mode 100644
index 0000000..208720c
--- /dev/null
+++ b/prebuilts/api/27.0/public/lmkd.te
@@ -0,0 +1,41 @@
+# lmkd low memory killer daemon
+type lmkd, domain, mlstrustedsubject;
+type lmkd_exec, exec_type, file_type;
+
+allow lmkd self:capability { dac_override sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:capability ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+r_dir_file(lmkd, appdomain)
+allow lmkd appdomain:file write;
+r_dir_file(lmkd, system_server)
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_type)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# Send kill signals
+allow lmkd appdomain:process sigkill;
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:capability sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/27.0/public/logd.te b/prebuilts/api/27.0/public/logd.te
new file mode 100644
index 0000000..62bff97
--- /dev/null
+++ b/prebuilts/api/27.0/public/logd.te
@@ -0,0 +1,73 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, proc)
+r_dir_file(logd, proc_meminfo)
+r_dir_file(logd, proc_net)
+
+allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
+allow logd self:capability2 syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file w_file_perms;
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+ # Access to /data/misc/logd/event-log-tags
+ allow logd misc_logd_file:dir r_dir_perms;
+ allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { open read };
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -init
+ -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/27.0/public/logpersist.te b/prebuilts/api/27.0/public/logpersist.te
new file mode 100644
index 0000000..7536cb8
--- /dev/null
+++ b/prebuilts/api/27.0/public/logpersist.te
@@ -0,0 +1,26 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/27.0/public/mdnsd.te b/prebuilts/api/27.0/public/mdnsd.te
new file mode 100644
index 0000000..ef7b065
--- /dev/null
+++ b/prebuilts/api/27.0/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/prebuilts/api/27.0/public/mediacodec.te b/prebuilts/api/27.0/public/mediacodec.te
new file mode 100644
index 0000000..bcccbb8
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediacodec.te
@@ -0,0 +1,69 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+not_full_treble(`
+ # on legacy devices, continue to allow /dev/binder traffic
+ binder_use(mediacodec)
+ binder_service(mediacodec)
+ add_service(mediacodec, mediacodec_service)
+ allow mediacodec mediametrics_service:service_manager find;
+ allow mediacodec surfaceflinger_service:service_manager find;
+')
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec hal_camera:fd use;
+
+crash_dump_fallback(mediacodec)
+
+add_hwservice(mediacodec, hal_omx_hwservice)
+
+hal_client_domain(mediacodec, hal_allocator)
+
+hal_client_domain(mediacodec, hal_cas)
+
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to mediacodec via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediacodec bufferhubd:fd use;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediadrmserver.te b/prebuilts/api/27.0/public/mediadrmserver.te
new file mode 100644
index 0000000..123cb29
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediadrmserver.te
@@ -0,0 +1,31 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+binder_call(mediadrmserver, mediacodec)
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/mediaextractor.te b/prebuilts/api/27.0/public/mediaextractor.te
new file mode 100644
index 0000000..05e65bf
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediaextractor.te
@@ -0,0 +1,52 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+
+r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor app_data_file:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediametrics.te b/prebuilts/api/27.0/public/mediametrics.te
new file mode 100644
index 0000000..ada90cc
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediametrics.te
@@ -0,0 +1,41 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/27.0/public/mediaprovider.te b/prebuilts/api/27.0/public/mediaprovider.te
new file mode 100644
index 0000000..24170a5
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/prebuilts/api/27.0/public/mediaserver.te b/prebuilts/api/27.0/public/mediaserver.te
new file mode 100644
index 0000000..6efaf0f
--- /dev/null
+++ b/prebuilts/api/27.0/public/mediaserver.te
@@ -0,0 +1,150 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver sdcard_type:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+set_prop(mediaserver, audio_prop)
+
+# XXX Label with a specific type?
+allow mediaserver sysfs:file r_file_perms;
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+hal_client_domain(mediaserver, hal_allocator)
+
+binder_call(mediaserver, mediacodec)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/27.0/public/modprobe.te b/prebuilts/api/27.0/public/modprobe.te
new file mode 100644
index 0000000..3ed320e
--- /dev/null
+++ b/prebuilts/api/27.0/public/modprobe.te
@@ -0,0 +1,11 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:capability sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
+allow modprobe { system_file }:system module_load;
+r_dir_file(modprobe, { system_file })
diff --git a/prebuilts/api/27.0/public/mtp.te b/prebuilts/api/27.0/public/mtp.te
new file mode 100644
index 0000000..a776240
--- /dev/null
+++ b/prebuilts/api/27.0/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:capability net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/27.0/public/net.te b/prebuilts/api/27.0/public/net.te
new file mode 100644
index 0000000..7e00ed8
--- /dev/null
+++ b/prebuilts/api/27.0/public/net.te
@@ -0,0 +1,4 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
new file mode 100644
index 0000000..aa99da2
--- /dev/null
+++ b/prebuilts/api/27.0/public/netd.te
@@ -0,0 +1,129 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+allow netd system_server:fd use;
+
+allow netd self:capability { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:capability fsetid;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
+r_dir_file(netd, proc_net)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+r_dir_file(netd, sysfs_type)
+# Allows setting interface MTU
+allow netd sysfs:file write;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:capability { dac_override chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:capability fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server and dumpstate may find netd service
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+
+# apps may not interact with netd over binder.
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/27.0/public/netutils_wrapper.te b/prebuilts/api/27.0/public/netutils_wrapper.te
new file mode 100644
index 0000000..c844762
--- /dev/null
+++ b/prebuilts/api/27.0/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/neverallow_macros b/prebuilts/api/27.0/public/neverallow_macros
new file mode 100644
index 0000000..e2b6ed1
--- /dev/null
+++ b/prebuilts/api/27.0/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/prebuilts/api/27.0/public/nfc.te b/prebuilts/api/27.0/public/nfc.te
new file mode 100644
index 0000000..e3a03e7
--- /dev/null
+++ b/prebuilts/api/27.0/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/prebuilts/api/27.0/public/otapreopt_chroot.te b/prebuilts/api/27.0/public/otapreopt_chroot.te
new file mode 100644
index 0000000..c071f44
--- /dev/null
+++ b/prebuilts/api/27.0/public/otapreopt_chroot.te
@@ -0,0 +1,20 @@
+# otapreopt_chroot executable
+type otapreopt_chroot, domain;
+type otapreopt_chroot_exec, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/27.0/public/otapreopt_slot.te b/prebuilts/api/27.0/public/otapreopt_slot.te
new file mode 100644
index 0000000..6551864
--- /dev/null
+++ b/prebuilts/api/27.0/public/otapreopt_slot.te
@@ -0,0 +1,27 @@
+# otapreopt_slot
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, exec_type, file_type;
+
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/27.0/public/performanced.te b/prebuilts/api/27.0/public/performanced.te
new file mode 100644
index 0000000..9bf813e
--- /dev/null
+++ b/prebuilts/api/27.0/public/performanced.te
@@ -0,0 +1,23 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:capability { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/27.0/public/perfprofd.te b/prebuilts/api/27.0/public/perfprofd.te
new file mode 100644
index 0000000..bfb8693
--- /dev/null
+++ b/prebuilts/api/27.0/public/perfprofd.te
@@ -0,0 +1,59 @@
+# perfprofd - perf profile collection daemon
+type perfprofd, domain;
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd mlstrustedsubject;
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ allow perfprofd app_data_file:file r_file_perms;
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:capability { dac_override };
+
+ # perfprofd opens a file for writing in /data/misc/perfprofd
+ allow perfprofd perfprofd_data_file:file create_file_perms;
+ allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # perfprofd inspects /sys/power/wake_unlock
+ wakelock_use(perfprofd);
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:capability sys_admin;
+
+ # simpleperf needs to examine /proc to collect task/thread info
+ r_dir_file(perfprofd, domain)
+
+ # simpleperf needs to access /proc/<pid>/exec
+ allow perfprofd self:capability { sys_resource sys_ptrace };
+ neverallow perfprofd domain:process ptrace;
+
+ # simpleperf needs open/read any file that turns up in a profile
+ # to see whether it has a build ID
+ allow perfprofd exec_type:file r_file_perms;
+
+ # simpleperf examines debugfs on startup to collect tracepoint event types
+ allow perfprofd debugfs_tracing:file r_file_perms;
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file rx_file_perms;
+
+ # needed for simpleperf on some kernels
+ allow perfprofd self:capability ipc_lock;
+
+')
diff --git a/prebuilts/api/27.0/public/platform_app.te b/prebuilts/api/27.0/public/platform_app.te
new file mode 100644
index 0000000..9b1faf0
--- /dev/null
+++ b/prebuilts/api/27.0/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/prebuilts/api/27.0/public/postinstall.te b/prebuilts/api/27.0/public/postinstall.te
new file mode 100644
index 0000000..7fd4dc6
--- /dev/null
+++ b/prebuilts/api/27.0/public/postinstall.te
@@ -0,0 +1,36 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/27.0/public/postinstall_dexopt.te b/prebuilts/api/27.0/public/postinstall_dexopt.te
new file mode 100644
index 0000000..0ce617b
--- /dev/null
+++ b/prebuilts/api/27.0/public/postinstall_dexopt.te
@@ -0,0 +1,57 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain;
+
+allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file read;
+allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/27.0/public/ppp.te b/prebuilts/api/27.0/public/ppp.te
new file mode 100644
index 0000000..04e17f5
--- /dev/null
+++ b/prebuilts/api/27.0/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net)
+
+allow ppp mtp:socket rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:socket ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:capability net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/prebuilts/api/27.0/public/preopt2cachename.te b/prebuilts/api/27.0/public/preopt2cachename.te
new file mode 100644
index 0000000..49df647
--- /dev/null
+++ b/prebuilts/api/27.0/public/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/27.0/public/priv_app.te b/prebuilts/api/27.0/public/priv_app.te
new file mode 100644
index 0000000..0761fc3
--- /dev/null
+++ b/prebuilts/api/27.0/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/prebuilts/api/27.0/public/profman.te b/prebuilts/api/27.0/public/profman.te
new file mode 100644
index 0000000..a5c18b5
--- /dev/null
+++ b/prebuilts/api/27.0/public/profman.te
@@ -0,0 +1,26 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read };
+allow profman apk_data_file:file { read };
+allow profman oemfs:file { read };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read };
+allow profman profman_dump_data_file:file { write };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+
+###
+### neverallow rules
+###
+
+neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/27.0/public/property.te b/prebuilts/api/27.0/public/property.te
new file mode 100644
index 0000000..95efcaa
--- /dev/null
+++ b/prebuilts/api/27.0/public/property.te
@@ -0,0 +1,89 @@
+type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
+type bluetooth_prop, property_type;
+type config_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
+type ctl_bootanim_prop, property_type;
+type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_mdnsd_prop, property_type;
+type ctl_rildaemon_prop, property_type;
+type dalvik_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type default_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
+type dhcp_prop, property_type, core_property_type;
+type dumpstate_options_prop, property_type;
+type dumpstate_prop, property_type, core_property_type;
+type ffs_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type firstboot_prop, property_type;
+type hwservicemanager_prop, property_type;
+type logd_prop, property_type, core_property_type;
+type logpersistd_logging_prop, property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
+type mmc_prop, property_type;
+type net_dns_prop, property_type;
+type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
+type nfc_prop, property_type, core_property_type;
+type overlay_prop, property_type;
+type pan_result_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type persistent_properties_ready_prop, property_type;
+type powerctl_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
+type safemode_prop, property_type;
+type serialno_prop, property_type;
+type shell_prop, property_type, core_property_type;
+type system_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
diff --git a/prebuilts/api/27.0/public/racoon.te b/prebuilts/api/27.0/public/racoon.te
new file mode 100644
index 0000000..00744d8
--- /dev/null
+++ b/prebuilts/api/27.0/public/racoon.te
@@ -0,0 +1,33 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:capability { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/prebuilts/api/27.0/public/radio.te b/prebuilts/api/27.0/public/radio.te
new file mode 100644
index 0000000..6f29a70
--- /dev/null
+++ b/prebuilts/api/27.0/public/radio.te
@@ -0,0 +1,39 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to rild via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, rild)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio surfaceflinger_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/27.0/public/recovery.te b/prebuilts/api/27.0/public/recovery.te
new file mode 100644
index 0000000..fe0b20e
--- /dev/null
+++ b/prebuilts/api/27.0/public/recovery.te
@@ -0,0 +1,159 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can only use HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
+
+ # Set security contexts on files that are not known to the loaded policy.
+ allow recovery self:capability2 mac_admin;
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery fs_type:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # Create and relabel files and directories under /system.
+ allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
+ # support to OTAs. However, that code has a bug. When an update occurs,
+ # some directories are inappropriately labeled as exec_type. This is
+ # only transient, and subsequent steps in the OTA script correct this
+ # mistake. New devices are moving to block based OTAs, so this is not
+ # worth fixing. b/15575013
+ allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ # TODO: create more specific label?
+ r_dir_file(recovery, sysfs)
+ allow recovery sysfs:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Start/stop adbd via ctl.start adbd
+ set_prop(recovery, ctl_default_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:dir no_w_dir_perms;
diff --git a/prebuilts/api/27.0/public/recovery_persist.te b/prebuilts/api/27.0/public/recovery_persist.te
new file mode 100644
index 0000000..091d300
--- /dev/null
+++ b/prebuilts/api/27.0/public/recovery_persist.te
@@ -0,0 +1,27 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/prebuilts/api/27.0/public/recovery_refresh.te b/prebuilts/api/27.0/public/recovery_refresh.te
new file mode 100644
index 0000000..602ed51
--- /dev/null
+++ b/prebuilts/api/27.0/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/public/rild.te b/prebuilts/api/27.0/public/rild.te
similarity index 100%
rename from public/rild.te
rename to prebuilts/api/27.0/public/rild.te
diff --git a/prebuilts/api/27.0/public/roles b/prebuilts/api/27.0/public/roles
new file mode 100644
index 0000000..ca92934
--- /dev/null
+++ b/prebuilts/api/27.0/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/prebuilts/api/27.0/public/runas.te b/prebuilts/api/27.0/public/runas.te
new file mode 100644
index 0000000..12c4181
--- /dev/null
+++ b/prebuilts/api/27.0/public/runas.te
@@ -0,0 +1,38 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:capability dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:capability { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:capability ~{ setuid setgid };
+neverallow runas self:capability2 *;
diff --git a/prebuilts/api/27.0/public/sdcardd.te b/prebuilts/api/27.0/public/sdcardd.te
new file mode 100644
index 0000000..47a2f80
--- /dev/null
+++ b/prebuilts/api/27.0/public/sdcardd.te
@@ -0,0 +1,43 @@
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir create_dir_perms;
+allow sdcardd sdcard_type:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Read /data/.layout_version
+allow sdcardd install_data_file:file r_file_perms;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/27.0/public/service.te b/prebuilts/api/27.0/public/service.te
new file mode 100644
index 0000000..e97b864
--- /dev/null
+++ b/prebuilts/api/27.0/public/service.te
@@ -0,0 +1,150 @@
+type audioserver_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
+type default_android_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
+type hal_fingerprint_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type gpu_service, service_manager_type;
+type inputflinger_service, service_manager_type;
+type incident_service, service_manager_type;
+type installd_service, service_manager_type;
+type keystore_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type mediametrics_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediacodec_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
+type nfc_service, service_manager_type;
+type radio_service, service_manager_type;
+type storaged_service, service_manager_type;
+type surfaceflinger_service, service_manager_type;
+type system_app_service, service_manager_type;
+type thermal_service, service_manager_type;
+type update_engine_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/27.0/public/servicemanager.te b/prebuilts/api/27.0/public/servicemanager.te
new file mode 100644
index 0000000..c7cd738
--- /dev/null
+++ b/prebuilts/api/27.0/public/servicemanager.te
@@ -0,0 +1,24 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
diff --git a/prebuilts/api/27.0/public/sgdisk.te b/prebuilts/api/27.0/public/sgdisk.te
new file mode 100644
index 0000000..3007398
--- /dev/null
+++ b/prebuilts/api/27.0/public/sgdisk.te
@@ -0,0 +1,22 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:capability sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/27.0/public/shared_relro.te b/prebuilts/api/27.0/public/shared_relro.te
new file mode 100644
index 0000000..91cf44d
--- /dev/null
+++ b/prebuilts/api/27.0/public/shared_relro.te
@@ -0,0 +1,9 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/shell.te b/prebuilts/api/27.0/public/shell.te
new file mode 100644
index 0000000..9540cca
--- /dev/null
+++ b/prebuilts/api/27.0/public/shell.te
@@ -0,0 +1,185 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { search getattr write remove_name };
+allow shell profman_dump_data_file:file { getattr unlink };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file rw_file_perms;
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+
+userdebug_or_eng(`
+ # "systrace --boot" support - allow boottrace service to run
+ allow shell boottrace_data_file:dir rw_dir_perms;
+ allow shell boottrace_data_file:file create_file_perms;
+ set_prop(shell, persist_debug_prop)
+')
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for ps, top, netstat
+r_dir_file(shell, proc)
+r_dir_file(shell, proc_net)
+allow shell proc_interrupts:file r_file_perms;
+allow shell proc_meminfo:file r_file_perms;
+allow shell proc_stat:file r_file_perms;
+allow shell proc_timer:file r_file_perms;
+allow shell proc_zoneinfo:file r_file_perms;
+r_dir_file(shell, cgroup)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs_batteryinfo:file r_file_perms;
+allow shell sysfs:dir r_dir_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ kmem_device
+ port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
diff --git a/prebuilts/api/27.0/public/slideshow.te b/prebuilts/api/27.0/public/slideshow.te
new file mode 100644
index 0000000..86d4bff
--- /dev/null
+++ b/prebuilts/api/27.0/public/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:capability sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/27.0/public/su.te b/prebuilts/api/27.0/public/su.te
new file mode 100644
index 0000000..8ddd162
--- /dev/null
+++ b/prebuilts/api/27.0/public/su.te
@@ -0,0 +1,53 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su kernel:security *;
+ dontaudit su kernel:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:process *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
+')
diff --git a/prebuilts/api/27.0/public/surfaceflinger.te b/prebuilts/api/27.0/public/surfaceflinger.te
new file mode 100644
index 0000000..ae00287
--- /dev/null
+++ b/prebuilts/api/27.0/public/surfaceflinger.te
@@ -0,0 +1,2 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
diff --git a/prebuilts/api/27.0/public/system_app.te b/prebuilts/api/27.0/public/system_app.te
new file mode 100644
index 0000000..023058e
--- /dev/null
+++ b/prebuilts/api/27.0/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/prebuilts/api/27.0/public/system_server.te b/prebuilts/api/27.0/public/system_server.te
new file mode 100644
index 0000000..805d617
--- /dev/null
+++ b/prebuilts/api/27.0/public/system_server.te
@@ -0,0 +1,5 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
diff --git a/prebuilts/api/27.0/public/te_macros b/prebuilts/api/27.0/public/te_macros
new file mode 100644
index 0000000..cac977b
--- /dev/null
+++ b/prebuilts/api/27.0/public/te_macros
@@ -0,0 +1,581 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr };
+allow $1 tmpfs:dir { getattr search };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+ifelse($2, `property', `
+ ifelse($3,`init', `
+ print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
+ ')
+')
+__unix_socket_connect__($1, $2, $3)
+')
+
+define(`__unix_socket_connect__', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+__unix_socket_connect__($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:capability2 block_suspend;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# User builds
+# SELinux rules which apply only to user builds
+#
+define(`userbuild', ifelse(target_build_variant, `user', $1, ))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 keystore_service:service_manager find;
+ binder_call($1, keystore)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
+##########################################
+# print a message with a trailing newline
+# print(`args')
+define(`print', `errprint(`m4: '__file__: __line__`: $*
+')')
diff --git a/prebuilts/api/27.0/public/tee.te b/prebuilts/api/27.0/public/tee.te
new file mode 100644
index 0000000..f023d5c
--- /dev/null
+++ b/prebuilts/api/27.0/public/tee.te
@@ -0,0 +1,7 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
diff --git a/prebuilts/api/27.0/public/thermalserviced.te b/prebuilts/api/27.0/public/thermalserviced.te
new file mode 100644
index 0000000..5b6025c
--- /dev/null
+++ b/prebuilts/api/27.0/public/thermalserviced.te
@@ -0,0 +1,11 @@
+# thermalserviced -- thermal management services for system and vendor
+type thermalserviced, domain;
+type thermalserviced_exec, exec_type, file_type;
+
+binder_use(thermalserviced)
+binder_service(thermalserviced)
+add_service(thermalserviced, thermal_service)
+
+hwbinder_use(thermalserviced)
+hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
diff --git a/prebuilts/api/27.0/public/tombstoned.te b/prebuilts/api/27.0/public/tombstoned.te
new file mode 100644
index 0000000..cf3ddcb
--- /dev/null
+++ b/prebuilts/api/27.0/public/tombstoned.te
@@ -0,0 +1,22 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file create_file_perms;
+
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { getattr open create };
diff --git a/prebuilts/api/27.0/public/toolbox.te b/prebuilts/api/27.0/public/toolbox.te
new file mode 100644
index 0000000..59c3a9c
--- /dev/null
+++ b/prebuilts/api/27.0/public/toolbox.te
@@ -0,0 +1,24 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/27.0/public/tzdatacheck.te b/prebuilts/api/27.0/public/tzdatacheck.te
new file mode 100644
index 0000000..6f60c8e2
--- /dev/null
+++ b/prebuilts/api/27.0/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/27.0/public/ueventd.te b/prebuilts/api/27.0/public/ueventd.te
new file mode 100644
index 0000000..212087e
--- /dev/null
+++ b/prebuilts/api/27.0/public/ueventd.te
@@ -0,0 +1,54 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+#####
+##### neverallow rules
+#####
+
+# ueventd must never set properties, otherwise deadlocks may occur.
+# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
+# No writing to the property socket, connecting to init, or setting properties.
+neverallow ueventd property_socket:sock_file write;
+neverallow ueventd init:unix_stream_socket connectto;
+neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/27.0/public/uncrypt.te b/prebuilts/api/27.0/public/uncrypt.te
new file mode 100644
index 0000000..d10eb39
--- /dev/null
+++ b/prebuilts/api/27.0/public/uncrypt.te
@@ -0,0 +1,39 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, exec_type, file_type;
+
+allow uncrypt self:capability dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
+
+# Raw writes to block device
+allow uncrypt self:capability sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
diff --git a/prebuilts/api/27.0/public/untrusted_app.te b/prebuilts/api/27.0/public/untrusted_app.te
new file mode 100644
index 0000000..6f29396
--- /dev/null
+++ b/prebuilts/api/27.0/public/untrusted_app.te
@@ -0,0 +1,19 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_app, domain;
diff --git a/public/untrusted_app_25.te b/prebuilts/api/27.0/public/untrusted_app_25.te
similarity index 100%
rename from public/untrusted_app_25.te
rename to prebuilts/api/27.0/public/untrusted_app_25.te
diff --git a/prebuilts/api/27.0/public/untrusted_v2_app.te b/prebuilts/api/27.0/public/untrusted_v2_app.te
new file mode 100644
index 0000000..ac82f15
--- /dev/null
+++ b/prebuilts/api/27.0/public/untrusted_v2_app.te
@@ -0,0 +1,5 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+type untrusted_v2_app, domain;
diff --git a/prebuilts/api/27.0/public/update_engine.te b/prebuilts/api/27.0/public/update_engine.te
new file mode 100644
index 0000000..b8f0035
--- /dev/null
+++ b/prebuilts/api/27.0/public/update_engine.te
@@ -0,0 +1,41 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:capability { fowner sys_admin };
+allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir { create_dir_perms };
+allow update_engine update_engine_data_file:file { create_file_perms };
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
diff --git a/prebuilts/api/27.0/public/update_engine_common.te b/prebuilts/api/27.0/public/update_engine_common.te
new file mode 100644
index 0000000..e9bf24f
--- /dev/null
+++ b/prebuilts/api/27.0/public/update_engine_common.te
@@ -0,0 +1,48 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem relabelfrom;
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/misc
+# Access is also granted to proc:file, but it is likely unneeded
+# due to the more specific grant to proc_misc immediately below.
+allow update_engine proc:file r_file_perms; # delete candidate
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/27.0/public/update_verifier.te b/prebuilts/api/27.0/public/update_verifier.te
new file mode 100644
index 0000000..4d4e1f9
--- /dev/null
+++ b/prebuilts/api/27.0/public/update_verifier.te
@@ -0,0 +1,19 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read all blocks in dm wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/27.0/public/vdc.te b/prebuilts/api/27.0/public/vdc.te
new file mode 100644
index 0000000..53d7bbe
--- /dev/null
+++ b/prebuilts/api/27.0/public/vdc.te
@@ -0,0 +1,27 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, exec_type, file_type;
+
+unix_socket_connect(vdc, vold, vold)
+
+# vdc sends information back to dumpstate when "adb bugreport" is used
+allow vdc dumpstate:fd use;
+allow vdc dumpstate:unix_stream_socket { read write getattr };
+
+# vdc information is written to shell owned bugreport files
+allow vdc shell_data_file:file { write getattr };
+
+# Why?
+allow vdc dumpstate:unix_dgram_socket { read write };
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/27.0/public/vendor_shell.te b/prebuilts/api/27.0/public/vendor_shell.te
new file mode 100644
index 0000000..b330542
--- /dev/null
+++ b/prebuilts/api/27.0/public/vendor_shell.te
@@ -0,0 +1,4 @@
+# vendor shell MUST never run as interactive or login shell.
+# vendor shell CAN never be traisitioned to by any process, so it is
+# only intended by shell script interpreter.
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
new file mode 100644
index 0000000..eb292ca
--- /dev/null
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox except for the whitelisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
diff --git a/prebuilts/api/27.0/public/virtual_touchpad.te b/prebuilts/api/27.0/public/virtual_touchpad.te
new file mode 100644
index 0000000..c2800e3
--- /dev/null
+++ b/prebuilts/api/27.0/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/vndservice.te b/prebuilts/api/27.0/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/prebuilts/api/27.0/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/27.0/public/vndservicemanager.te b/prebuilts/api/27.0/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/prebuilts/api/27.0/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/prebuilts/api/27.0/public/vold.te b/prebuilts/api/27.0/public/vold.te
new file mode 100644
index 0000000..836db5f
--- /dev/null
+++ b/prebuilts/api/27.0/public/vold.te
@@ -0,0 +1,190 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc)
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs_type)
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file w_file_perms;
+allow vold sysfs_usb:file w_file_perms;
+allow vold sysfs_zram_uevent:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+allow vold proc_meminfo:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir create_dir_perms;
+allow vold mnt_user_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:capability { sys_ptrace kill };
+
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file rw_file_perms;
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Handle wake locks (used for device encryption)
+wakelock_use(vold)
+
+# talk to batteryservice
+binder_use(vold)
+binder_call(vold, healthd)
+
+# talk to keymaster
+hal_client_domain(vold, hal_keymaster)
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:capability sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:capability sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
diff --git a/prebuilts/api/27.0/public/vr_hwc.te b/prebuilts/api/27.0/public/vr_hwc.te
new file mode 100644
index 0000000..c05dd63
--- /dev/null
+++ b/prebuilts/api/27.0/public/vr_hwc.te
@@ -0,0 +1,31 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/27.0/public/watchdogd.te b/prebuilts/api/27.0/public/watchdogd.te
new file mode 100644
index 0000000..00292a9
--- /dev/null
+++ b/prebuilts/api/27.0/public/watchdogd.te
@@ -0,0 +1,4 @@
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/27.0/public/webview_zygote.te b/prebuilts/api/27.0/public/webview_zygote.te
new file mode 100644
index 0000000..5d19b32
--- /dev/null
+++ b/prebuilts/api/27.0/public/webview_zygote.te
@@ -0,0 +1,5 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/27.0/public/wificond.te b/prebuilts/api/27.0/public/wificond.te
new file mode 100644
index 0000000..c91053e
--- /dev/null
+++ b/prebuilts/api/27.0/public/wificond.te
@@ -0,0 +1,35 @@
+# wificond
+type wificond, domain;
+type wificond_exec, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+
+add_service(wificond, wificond_service)
+
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
+allow wificond self:capability { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net)
+
+# wificond writes out configuration files for wpa_supplicant/hostapd.
+# wificond also reads pid files out of this directory
+allow wificond wifi_data_file:dir rw_dir_perms;
+allow wificond wifi_data_file:file create_file_perms;
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/27.0/public/zygote.te b/prebuilts/api/27.0/public/zygote.te
new file mode 100644
index 0000000..83c42ef
--- /dev/null
+++ b/prebuilts/api/27.0/public/zygote.te
@@ -0,0 +1,3 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/28.0/private/access_vectors b/prebuilts/api/28.0/private/access_vectors
new file mode 100644
index 0000000..898c884
--- /dev/null
+++ b/prebuilts/api/28.0/private/access_vectors
@@ -0,0 +1,726 @@
+#
+# Define common prefixes for access vectors
+#
+# common common_name { permission_name ... }
+
+
+#
+# Define a common prefix for file access vectors.
+#
+
+common file
+{
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+ unlink
+ link
+ rename
+ execute
+ quotaon
+ mounton
+}
+
+
+#
+# Define a common prefix for socket access vectors.
+#
+
+common socket
+{
+# inherited from file
+ ioctl
+ read
+ write
+ create
+ getattr
+ setattr
+ lock
+ relabelfrom
+ relabelto
+ append
+ map
+# socket-specific
+ bind
+ connect
+ listen
+ accept
+ getopt
+ setopt
+ shutdown
+ recvfrom
+ sendto
+ name_bind
+}
+
+#
+# Define a common prefix for ipc access vectors.
+#
+
+common ipc
+{
+ create
+ destroy
+ getattr
+ setattr
+ read
+ write
+ associate
+ unix_read
+ unix_write
+}
+
+#
+# Define a common for capability access vectors.
+#
+common cap
+{
+ # The capabilities are defined in include/linux/capability.h
+ # Capabilities >= 32 are defined in the cap2 common.
+ # Care should be taken to ensure that these are consistent with
+ # those definitions. (Order matters)
+
+ chown
+ dac_override
+ dac_read_search
+ fowner
+ fsetid
+ kill
+ setgid
+ setuid
+ setpcap
+ linux_immutable
+ net_bind_service
+ net_broadcast
+ net_admin
+ net_raw
+ ipc_lock
+ ipc_owner
+ sys_module
+ sys_rawio
+ sys_chroot
+ sys_ptrace
+ sys_pacct
+ sys_admin
+ sys_boot
+ sys_nice
+ sys_resource
+ sys_time
+ sys_tty_config
+ mknod
+ lease
+ audit_write
+ audit_control
+ setfcap
+}
+
+common cap2
+{
+ mac_override # unused by SELinux
+ mac_admin # unused by SELinux
+ syslog
+ wake_alarm
+ block_suspend
+ audit_read
+}
+
+#
+# Define the access vectors.
+#
+# class class_name [ inherits common_name ] { permission_name ... }
+
+
+#
+# Define the access vector interpretation for file-related objects.
+#
+
+class filesystem
+{
+ mount
+ remount
+ unmount
+ getattr
+ relabelfrom
+ relabelto
+ associate
+ quotamod
+ quotaget
+}
+
+class dir
+inherits file
+{
+ add_name
+ remove_name
+ reparent
+ search
+ rmdir
+ open
+ audit_access
+ execmod
+}
+
+class file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class lnk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class chr_file
+inherits file
+{
+ execute_no_trans
+ entrypoint
+ execmod
+ open
+ audit_access
+}
+
+class blk_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class sock_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fifo_file
+inherits file
+{
+ open
+ audit_access
+ execmod
+}
+
+class fd
+{
+ use
+}
+
+
+#
+# Define the access vector interpretation for network-related objects.
+#
+
+class socket
+inherits socket
+
+class tcp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class udp_socket
+inherits socket
+{
+ node_bind
+}
+
+class rawip_socket
+inherits socket
+{
+ node_bind
+}
+
+class node
+{
+ recvfrom
+ sendto
+}
+
+class netif
+{
+ ingress
+ egress
+}
+
+class netlink_socket
+inherits socket
+
+class packet_socket
+inherits socket
+
+class key_socket
+inherits socket
+
+class unix_stream_socket
+inherits socket
+{
+ connectto
+}
+
+class unix_dgram_socket
+inherits socket
+
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
+#
+# Define the access vector interpretation for process-related objects
+#
+
+class process
+{
+ fork
+ transition
+ sigchld # commonly granted from child to parent
+ sigkill # cannot be caught or ignored
+ sigstop # cannot be caught or ignored
+ signull # for kill(pid, 0)
+ signal # all other signals
+ ptrace
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ share
+ getattr
+ setexec
+ setfscreate
+ noatsecure
+ siginh
+ setrlimit
+ rlimitinh
+ dyntransition
+ setcurrent
+ execmem
+ execstack
+ execheap
+ setkeycreate
+ setsockcreate
+ getrlimit
+}
+
+
+#
+# Define the access vector interpretation for ipc-related objects
+#
+
+class ipc
+inherits ipc
+
+class sem
+inherits ipc
+
+class msgq
+inherits ipc
+{
+ enqueue
+}
+
+class msg
+{
+ send
+ receive
+}
+
+class shm
+inherits ipc
+{
+ lock
+}
+
+
+#
+# Define the access vector interpretation for the security server.
+#
+
+class security
+{
+ compute_av
+ compute_create
+ compute_member
+ check_context
+ load_policy
+ compute_relabel
+ compute_user
+ setenforce # was avc_toggle in system class
+ setbool
+ setsecparam
+ setcheckreqprot
+ read_policy
+ validate_trans
+}
+
+
+#
+# Define the access vector interpretation for system operations.
+#
+
+class system
+{
+ ipc_info
+ syslog_read
+ syslog_mod
+ syslog_console
+ module_request
+ module_load
+}
+
+#
+# Define the access vector interpretation for controlling capabilities
+#
+
+class capability
+inherits cap
+
+class capability2
+inherits cap2
+
+#
+# Extended Netlink classes
+#
+class netlink_route_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_tcpdiag_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_nflog_socket
+inherits socket
+
+class netlink_xfrm_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+}
+
+class netlink_selinux_socket
+inherits socket
+
+class netlink_audit_socket
+inherits socket
+{
+ nlmsg_read
+ nlmsg_write
+ nlmsg_relay
+ nlmsg_readpriv
+ nlmsg_tty_audit
+}
+
+class netlink_dnrt_socket
+inherits socket
+
+# Define the access vector interpretation for controlling
+# access to IPSec network data by association
+#
+class association
+{
+ sendto
+ recvfrom
+ setcontext
+ polmatch
+}
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+inherits socket
+
+class appletalk_socket
+inherits socket
+
+class packet
+{
+ send
+ recv
+ relabelto
+ flow_in # deprecated
+ flow_out # deprecated
+ forward_in
+ forward_out
+}
+
+class key
+{
+ view
+ read
+ write
+ search
+ link
+ setattr
+ create
+}
+
+class dccp_socket
+inherits socket
+{
+ node_bind
+ name_connect
+}
+
+class memprotect
+{
+ mmap_zero
+}
+
+# network peer labels
+class peer
+{
+ recv
+}
+
+class kernel_service
+{
+ use_as_override
+ create_files_as
+}
+
+class tun_socket
+inherits socket
+{
+ attach_queue
+}
+
+class binder
+{
+ impersonate
+ call
+ set_context_mgr
+ transfer
+}
+
+class netlink_iscsi_socket
+inherits socket
+
+class netlink_fib_lookup_socket
+inherits socket
+
+class netlink_connector_socket
+inherits socket
+
+class netlink_netfilter_socket
+inherits socket
+
+class netlink_generic_socket
+inherits socket
+
+class netlink_scsitransport_socket
+inherits socket
+
+class netlink_rdma_socket
+inherits socket
+
+class netlink_crypto_socket
+inherits socket
+
+#
+# Define the access vector interpretation for controlling capabilities
+# in user namespaces
+#
+
+class cap_userns
+inherits cap
+
+class cap2_userns
+inherits cap2
+
+
+#
+# Define the access vector interpretation for the new socket classes
+# enabled by the extended_socket_class policy capability.
+#
+
+#
+# The next two classes were previously mapped to rawip_socket and therefore
+# have the same definition as rawip_socket (until further permissions
+# are defined).
+#
+class sctp_socket
+inherits socket
+{
+ node_bind
+}
+
+class icmp_socket
+inherits socket
+{
+ node_bind
+}
+
+#
+# The remaining network socket classes were previously
+# mapped to the socket class and therefore have the
+# same definition as socket.
+#
+
+class ax25_socket
+inherits socket
+
+class ipx_socket
+inherits socket
+
+class netrom_socket
+inherits socket
+
+class atmpvc_socket
+inherits socket
+
+class x25_socket
+inherits socket
+
+class rose_socket
+inherits socket
+
+class decnet_socket
+inherits socket
+
+class atmsvc_socket
+inherits socket
+
+class rds_socket
+inherits socket
+
+class irda_socket
+inherits socket
+
+class pppox_socket
+inherits socket
+
+class llc_socket
+inherits socket
+
+class can_socket
+inherits socket
+
+class tipc_socket
+inherits socket
+
+class bluetooth_socket
+inherits socket
+
+class iucv_socket
+inherits socket
+
+class rxrpc_socket
+inherits socket
+
+class isdn_socket
+inherits socket
+
+class phonet_socket
+inherits socket
+
+class ieee802154_socket
+inherits socket
+
+class caif_socket
+inherits socket
+
+class alg_socket
+inherits socket
+
+class nfc_socket
+inherits socket
+
+class vsock_socket
+inherits socket
+
+class kcm_socket
+inherits socket
+
+class qipcrtr_socket
+inherits socket
+
+class smc_socket
+inherits socket
+
+class property_service
+{
+ set
+}
+
+class service_manager
+{
+ add
+ find
+ list
+}
+
+class hwservice_manager
+{
+ add
+ find
+ list
+}
+
+class keystore_key
+{
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+ gen_unique_id
+}
+
+class drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+}
diff --git a/prebuilts/api/28.0/private/adbd.te b/prebuilts/api/28.0/private/adbd.te
new file mode 100644
index 0000000..77c0d73
--- /dev/null
+++ b/prebuilts/api/28.0/private/adbd.te
@@ -0,0 +1,148 @@
+### ADB daemon
+
+typeattribute adbd coredomain;
+typeattribute adbd mlstrustedsubject;
+
+init_daemon_domain(adbd)
+
+domain_auto_trans(adbd, shell_exec, shell)
+
+userdebug_or_eng(`
+ allow adbd self:process setcurrent;
+ allow adbd su:process dyntransition;
+')
+
+# Do not sanitize the environment or open fds of the shell. Allow signaling
+# created processes.
+allow adbd shell:process { noatsecure signal };
+
+# Set UID and GID to shell. Set supplementary groups.
+allow adbd self:global_capability_class_set { setuid setgid };
+
+# Drop capabilities from bounding set on user builds.
+allow adbd self:global_capability_class_set setpcap;
+
+# Create and use network sockets.
+net_domain(adbd)
+
+# Access /dev/usb-ffs/adb/ep0
+allow adbd functionfs:dir search;
+allow adbd functionfs:file rw_file_perms;
+
+# Use a pseudo tty.
+allow adbd devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
+# adb pull /data/misc/profman.
+allow adbd profman_dump_data_file:dir r_dir_perms;
+allow adbd profman_dump_data_file:file r_file_perms;
+
+# adb push/pull sdcard.
+allow adbd tmpfs:dir search;
+allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
+allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
+allow adbd sdcard_type:dir create_dir_perms;
+allow adbd sdcard_type:file create_file_perms;
+
+# adb pull /data/anr/traces.txt
+allow adbd anr_data_file:dir r_dir_perms;
+allow adbd anr_data_file:file r_file_perms;
+
+# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
+set_prop(adbd, shell_prop)
+set_prop(adbd, powerctl_prop)
+set_prop(adbd, ffs_prop)
+set_prop(adbd, exported_ffs_prop)
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
+
+# Run /system/bin/bu
+allow adbd system_file:file rx_file_perms;
+
+# Perform binder IPC to surfaceflinger (screencap)
+# XXX Run screencap in a separate domain?
+binder_use(adbd)
+binder_call(adbd, surfaceflinger)
+# b/13188914
+allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd ion_device:chr_file rw_file_perms;
+r_dir_file(adbd, system_file)
+
+# Needed for various screenshots
+hal_client_domain(adbd, hal_graphics_allocator)
+
+# Read /data/misc/adb/adb_keys.
+allow adbd adb_keys_file:dir search;
+allow adbd adb_keys_file:file r_file_perms;
+
+userdebug_or_eng(`
+ # Write debugging information to /data/adb
+ # when persist.adb.trace_mask is set
+ # https://code.google.com/p/android/issues/detail?id=72895
+ allow adbd adb_data_file:dir rw_dir_perms;
+ allow adbd adb_data_file:file create_file_perms;
+')
+
+# ndk-gdb invokes adb forward to forward the gdbserver socket.
+allow adbd app_data_file:dir search;
+allow adbd app_data_file:sock_file write;
+allow adbd appdomain:unix_stream_socket connectto;
+
+# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
+allow adbd zygote_exec:file r_file_perms;
+allow adbd system_file:file r_file_perms;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+allow adbd service_contexts_file:file r_file_perms;
+allow adbd file_contexts_file:file r_file_perms;
+allow adbd seapp_contexts_file:file r_file_perms;
+allow adbd property_contexts_file:file r_file_perms;
+allow adbd sepolicy_file:file r_file_perms;
+
+# Allow pulling config.gz for CTS purposes
+allow adbd config_gz:file r_file_perms;
+
+allow adbd surfaceflinger_service:service_manager find;
+allow adbd bootchart_data_file:dir search;
+allow adbd bootchart_data_file:file r_file_perms;
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow adbd storage_file:dir r_dir_perms;
+allow adbd storage_file:lnk_file r_file_perms;
+allow adbd mnt_user_file:dir r_dir_perms;
+allow adbd mnt_user_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow adbd media_rw_data_file:dir create_dir_perms;
+allow adbd media_rw_data_file:file create_file_perms;
+
+r_dir_file(adbd, apk_data_file)
+
+allow adbd rootfs:dir r_dir_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
+# transitions to the shell domain (except when it crashes). In particular, we
+# never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/prebuilts/api/28.0/private/app.te b/prebuilts/api/28.0/private/app.te
new file mode 100644
index 0000000..f3e1e2a
--- /dev/null
+++ b/prebuilts/api/28.0/private/app.te
@@ -0,0 +1,7 @@
+# TODO: deal with tmpfs_domain pub/priv split properly
+# Read system properties managed by zygote.
+allow appdomain zygote_tmpfs:file read;
+
+neverallow appdomain system_server:udp_socket {
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
diff --git a/prebuilts/api/28.0/private/app_neverallows.te b/prebuilts/api/28.0/private/app_neverallows.te
new file mode 100644
index 0000000..8d9ccd6
--- /dev/null
+++ b/prebuilts/api/28.0/private/app_neverallows.te
@@ -0,0 +1,262 @@
+###
+### neverallow rules for untrusted app domains
+###
+
+define(`all_untrusted_apps',`{
+ ephemeral_app
+ isolated_app
+ mediaprovider
+ untrusted_app
+ untrusted_app_25
+ untrusted_app_27
+ untrusted_app_all
+ untrusted_v2_app
+}')
+# Receive or send uevent messages.
+neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow all_untrusted_apps domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow all_untrusted_apps debugfs_type:file read;
+
+# Do not allow untrusted apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow all_untrusted_apps service_manager_type:service_manager add;
+
+# Do not allow untrusted apps to use VendorBinder
+neverallow all_untrusted_apps vndbinder_device:chr_file *;
+neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
+
+# Do not allow untrusted apps to connect to the property service
+# or set properties. b/10243159
+neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
+neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
+neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+
+# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
+# but otherwise disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+
+# Do not allow untrusted apps to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and an untrusted app is allowed fork permission to itself.
+neverallow all_untrusted_apps mlstrustedsubject:process fork;
+
+# Do not allow untrusted apps to hard link to any files.
+# In particular, if an untrusted app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure untrusted apps never have this
+# capability.
+neverallow all_untrusted_apps file_type:file link;
+
+# Do not allow untrusted apps to access network MAC address file
+neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+
+# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
+# ioctl permission, or 3. disallow the socket class.
+neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
+neverallow all_untrusted_apps *:{
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+
+# Do not allow untrusted apps access to /cache
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
+neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
+
+# Do not allow untrusted apps to create/unlink files outside of its sandbox,
+# internal storage or sdcard.
+# World accessible data locations allow application to fill the device
+# with unaccounted for data. This data will not get removed during
+# application un-installation.
+neverallow { all_untrusted_apps -mediaprovider } {
+ fs_type
+ -sdcard_type
+ file_type
+ -app_data_file # The apps sandbox itself
+ -media_rw_data_file # Internal storage. Known that apps can
+ # leave artfacts here after uninstall.
+ -user_profile_data_file # Access to profile files
+ userdebug_or_eng(`
+ -method_trace_data_file # only on ro.debuggable=1
+ -coredump_file # userdebug/eng only
+ ')
+}:dir_file_class_set { create unlink };
+
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
+# Do not allow untrusted apps to directly open tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow all_untrusted_apps anr_data_file:file ~{ open append };
+neverallow all_untrusted_apps anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow all_untrusted_apps {
+ proc
+ proc_asound
+ proc_filesystems
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_pagetypeinfo
+ proc_stat
+ proc_swaps
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file { no_rw_file_perms no_x_file_perms };
+
+# Avoid all access to kernel configuration
+neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
+
+# Do not allow untrusted apps access to preloads data files
+neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
+
+# Locking of files on /system could lead to denial of service attacks
+# against privileged system components
+neverallow all_untrusted_apps system_file:file lock;
+
+# Do not permit untrusted apps to perform actions on HwBinder service_manager
+# other than find actions for services listed below
+neverallow all_untrusted_apps *:hwservice_manager ~find;
+
+# Do not permit access from apps which host arbitrary code to HwBinder services,
+# except those considered sufficiently safe for access from such apps.
+# The two main reasons for this are:
+# 1. HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, many
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
+#
+# Safe services include:
+# - same process services: because they by definition run in the process
+# of the client and thus have the same access as the client domain in which
+# the process runs
+# - coredomain_hwservice: are considered safe because they do not pose risks
+# associated with reason #2 above.
+# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
+# designed for use by any domain.
+# - hal_graphics_allocator_hwservice: because these operations are also offered
+# by surfaceflinger Binder service, which apps are permitted to access
+# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
+# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
+neverallow all_untrusted_apps {
+ hwservice_manager_type
+ -same_process_hwservice
+ -coredomain_hwservice
+ -hal_codec2_hwservice
+ -hal_configstore_ISurfaceFlingerConfigs
+ -hal_graphics_allocator_hwservice
+ -hal_omx_hwservice
+ -hal_cas_hwservice
+ -hal_neuralnetworks_hwservice
+ -untrusted_app_visible_hwservice
+}:hwservice_manager find;
+
+# Make sure that the following services are never accessible by untrusted_apps
+neverallow all_untrusted_apps {
+ default_android_hwservice
+ hal_audio_hwservice
+ hal_authsecret_hwservice
+ hal_bluetooth_hwservice
+ hal_bootctl_hwservice
+ hal_camera_hwservice
+ hal_confirmationui_hwservice
+ hal_contexthub_hwservice
+ hal_drm_hwservice
+ hal_dumpstate_hwservice
+ hal_fingerprint_hwservice
+ hal_gatekeeper_hwservice
+ hal_gnss_hwservice
+ hal_graphics_composer_hwservice
+ hal_health_hwservice
+ hal_ir_hwservice
+ hal_keymaster_hwservice
+ hal_light_hwservice
+ hal_memtrack_hwservice
+ hal_nfc_hwservice
+ hal_oemlock_hwservice
+ hal_power_hwservice
+ hal_secure_element_hwservice
+ hal_sensors_hwservice
+ hal_telephony_hwservice
+ hal_thermal_hwservice
+ hal_tv_cec_hwservice
+ hal_tv_input_hwservice
+ hal_usb_hwservice
+ hal_vibrator_hwservice
+ hal_vr_hwservice
+ hal_weaver_hwservice
+ hal_wifi_hwservice
+ hal_wifi_offload_hwservice
+ hal_wifi_supplicant_hwservice
+ hidl_base_hwservice
+ system_net_netd_hwservice
+ thermalcallback_hwservice
+}:hwservice_manager find;
+# HwBinder services offered by core components (as opposed to vendor components)
+# are considered somewhat safer due to point #2 above.
+neverallow all_untrusted_apps {
+ coredomain_hwservice
+ -same_process_hwservice
+ -hidl_allocator_hwservice # Designed for use by any domain
+ -hidl_manager_hwservice # Designed for use by any domain
+ -hidl_memory_hwservice # Designed for use by any domain
+ -hidl_token_hwservice # Designed for use by any domain
+}:hwservice_manager find;
+
+# SELinux is not an API for untrusted apps to use
+neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
+
+# Restrict *Binder access from apps to HAL domains. We can only do this on full
+# Treble devices where *Binder communications between apps and HALs are tightly
+# restricted.
+full_treble_only(`
+ neverallow all_untrusted_apps {
+ halserverdomain
+ -coredomain
+ -hal_configstore_server
+ -hal_graphics_allocator_server
+ -hal_cas_server
+ -hal_neuralnetworks_server
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -untrusted_app_visible_halserver
+ }:binder { call transfer };
+')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/prebuilts/api/28.0/private/asan_extract.te b/prebuilts/api/28.0/private/asan_extract.te
new file mode 100644
index 0000000..1c20d78
--- /dev/null
+++ b/prebuilts/api/28.0/private/asan_extract.te
@@ -0,0 +1,8 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# Technically not a daemon but we do want the transition from init domain to
+# asan_extract to occur.
+with_asan(`
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
+')
diff --git a/prebuilts/api/28.0/private/atrace.te b/prebuilts/api/28.0/private/atrace.te
new file mode 100644
index 0000000..630935d
--- /dev/null
+++ b/prebuilts/api/28.0/private/atrace.te
@@ -0,0 +1,46 @@
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+
+type atrace, domain, coredomain;
+type atrace_exec, exec_type, file_type;
+
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+get_prop(atrace, hwservicemanager_prop)
+
+allow atrace {
+ service_manager_type
+ -incident_service
+ -netd_service
+ -stats_service
+ -dumpstate_service
+ -installd_service
+ -vold_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
+ init_daemon_domain(atrace)
+
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
+ allow atrace debugfs_tracing_debug:file rw_file_perms;
+')
diff --git a/prebuilts/api/28.0/private/audioserver.te b/prebuilts/api/28.0/private/audioserver.te
new file mode 100644
index 0000000..1d4223f
--- /dev/null
+++ b/prebuilts/api/28.0/private/audioserver.te
@@ -0,0 +1,88 @@
+# audioserver - audio services daemon
+
+typeattribute audioserver coredomain;
+
+type audioserver_exec, exec_type, file_type;
+init_daemon_domain(audioserver)
+
+r_dir_file(audioserver, sdcard_type)
+
+binder_use(audioserver)
+binder_call(audioserver, binderservicedomain)
+binder_call(audioserver, appdomain)
+binder_service(audioserver)
+
+hal_client_domain(audioserver, hal_allocator)
+# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
+r_dir_file(audioserver, system_file)
+
+hal_client_domain(audioserver, hal_audio)
+
+userdebug_or_eng(`
+ # used for TEE sink - pcm capture for debug.
+ allow audioserver media_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:dir create_dir_perms;
+ allow audioserver audioserver_data_file:file create_file_perms;
+
+ # ptrace to processes in the same domain for memory leak detection
+ allow audioserver self:process ptrace;
+')
+
+add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
+allow audioserver appops_service:service_manager find;
+allow audioserver batterystats_service:service_manager find;
+allow audioserver permission_service:service_manager find;
+allow audioserver power_service:service_manager find;
+allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver mediametrics_service:service_manager find;
+
+# Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_prop)
+set_prop(audioserver, exported_bluetooth_prop)
+
+# Grant access to audio files to audioserver
+allow audioserver audio_data_file:dir ra_dir_perms;
+allow audioserver audio_data_file:file create_file_perms;
+
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file { read write };
+
+not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
+not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
+
+# For A2DP bridge which is loaded directly into audioserver
+unix_socket_connect(audioserver, bluetooth, bluetooth)
+
+# Allow shell commands from ADB and shell for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+allow audioserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
+###
+### neverallow rules
+###
+
+# audioserver should never execute any executable without a
+# domain transition
+neverallow audioserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/28.0/private/binder_in_vendor_violators.te b/prebuilts/api/28.0/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/prebuilts/api/28.0/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/private/binderservicedomain.te b/prebuilts/api/28.0/private/binderservicedomain.te
new file mode 100644
index 0000000..0891ee5
--- /dev/null
+++ b/prebuilts/api/28.0/private/binderservicedomain.te
@@ -0,0 +1,22 @@
+# Rules common to all binder service domains
+
+# Allow dumpstate and incidentd to collect information from binder services
+allow binderservicedomain { dumpstate incidentd }:fd use;
+allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
+allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
+allow binderservicedomain shell_data_file:file { getattr write };
+
+# Allow dumpsys to work from adb shell or the serial console
+allow binderservicedomain devpts:chr_file rw_file_perms;
+allow binderservicedomain console_device:chr_file rw_file_perms;
+
+# Receive and write to a pipe received over Binder from an app.
+allow binderservicedomain appdomain:fd use;
+allow binderservicedomain appdomain:fifo_file write;
+
+# allow all services to run permission checks
+allow binderservicedomain permission_service:service_manager find;
+
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore(binderservicedomain)
diff --git a/prebuilts/api/28.0/private/blank_screen.te b/prebuilts/api/28.0/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/prebuilts/api/28.0/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
diff --git a/prebuilts/api/28.0/private/blkid.te b/prebuilts/api/28.0/private/blkid.te
new file mode 100644
index 0000000..090912b
--- /dev/null
+++ b/prebuilts/api/28.0/private/blkid.te
@@ -0,0 +1,22 @@
+# blkid called from vold
+
+typeattribute blkid coredomain;
+
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow * blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/private/blkid_untrusted.te b/prebuilts/api/28.0/private/blkid_untrusted.te
new file mode 100644
index 0000000..1256771
--- /dev/null
+++ b/prebuilts/api/28.0/private/blkid_untrusted.te
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/private/bluetooth.te b/prebuilts/api/28.0/private/bluetooth.te
new file mode 100644
index 0000000..d419855
--- /dev/null
+++ b/prebuilts/api/28.0/private/bluetooth.te
@@ -0,0 +1,80 @@
+# bluetooth app
+
+typeattribute bluetooth coredomain;
+
+app_domain(bluetooth)
+net_domain(bluetooth)
+
+# Socket creation under /data/misc/bluedroid.
+type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
+
+# Allow access to net_admin ioctls
+allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
+
+wakelock_use(bluetooth);
+
+# Data file accesses.
+allow bluetooth bluetooth_data_file:dir create_dir_perms;
+allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
+allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
+allow bluetooth bluetooth_logs_data_file:file create_file_perms;
+
+# Socket creation under /data/misc/bluedroid.
+allow bluetooth bluetooth_socket:sock_file create_file_perms;
+
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
+
+# tethering
+allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
+allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
+allow bluetooth tun_device:chr_file rw_file_perms;
+allow bluetooth efs_file:dir search;
+
+# allow Bluetooth to access uhid device for HID profile
+allow bluetooth uhid_device:chr_file rw_file_perms;
+
+# proc access.
+allow bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
+set_prop(bluetooth, pan_result_prop)
+
+allow bluetooth audioserver_service:service_manager find;
+allow bluetooth bluetooth_service:service_manager find;
+allow bluetooth drmserver_service:service_manager find;
+allow bluetooth mediaserver_service:service_manager find;
+allow bluetooth radio_service:service_manager find;
+allow bluetooth app_api_service:service_manager find;
+allow bluetooth system_api_service:service_manager find;
+
+# already open bugreport file descriptors may be shared with
+# the bluetooth process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow bluetooth shell_data_file:file read;
+
+# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
+allow bluetooth self:global_capability_class_set sys_nice;
+
+hal_client_domain(bluetooth, hal_bluetooth)
+hal_client_domain(bluetooth, hal_telephony)
+
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
+read_runtime_log_tags(bluetooth)
+
+###
+### Neverallow rules
+###
+### These are things that the bluetooth app should NEVER be able to do
+###
+
+# Superuser capabilities.
+# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/28.0/private/bluetoothdomain.te b/prebuilts/api/28.0/private/bluetoothdomain.te
new file mode 100644
index 0000000..fe4f0e6
--- /dev/null
+++ b/prebuilts/api/28.0/private/bluetoothdomain.te
@@ -0,0 +1,2 @@
+# Allow clients to use a socket provided by the bluetooth app.
+allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/28.0/private/bootanim.te b/prebuilts/api/28.0/private/bootanim.te
new file mode 100644
index 0000000..20ff193
--- /dev/null
+++ b/prebuilts/api/28.0/private/bootanim.te
@@ -0,0 +1,6 @@
+typeattribute bootanim coredomain;
+
+init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
diff --git a/prebuilts/api/28.0/private/bootstat.te b/prebuilts/api/28.0/private/bootstat.te
new file mode 100644
index 0000000..806144c
--- /dev/null
+++ b/prebuilts/api/28.0/private/bootstat.te
@@ -0,0 +1,3 @@
+typeattribute bootstat coredomain;
+
+init_daemon_domain(bootstat)
diff --git a/prebuilts/api/28.0/private/bpfloader.te b/prebuilts/api/28.0/private/bpfloader.te
new file mode 100644
index 0000000..4e8ec2b
--- /dev/null
+++ b/prebuilts/api/28.0/private/bpfloader.te
@@ -0,0 +1,30 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+allow bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+
+dontaudit bpfloader self:capability sys_admin;
diff --git a/prebuilts/api/28.0/private/bufferhubd.te b/prebuilts/api/28.0/private/bufferhubd.te
new file mode 100644
index 0000000..012eb20
--- /dev/null
+++ b/prebuilts/api/28.0/private/bufferhubd.te
@@ -0,0 +1,3 @@
+typeattribute bufferhubd coredomain;
+
+init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/28.0/private/bug_map b/prebuilts/api/28.0/private/bug_map
new file mode 100644
index 0000000..5c551c8
--- /dev/null
+++ b/prebuilts/api/28.0/private/bug_map
@@ -0,0 +1,45 @@
+cppreopts cppreopts capability 79414024
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
+otapreopt_chroot postinstall_file lnk_file 75287236
+platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
+priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+radio statsdw_socket sock_file 78456764
+statsd hal_health_default binder 77919007
+storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
+system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
+untrusted_app_25 system_data_file dir 72550646
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
+zygote untrusted_app_25 process 77925912
diff --git a/prebuilts/api/28.0/private/cameraserver.te b/prebuilts/api/28.0/private/cameraserver.te
new file mode 100644
index 0000000..c16c132
--- /dev/null
+++ b/prebuilts/api/28.0/private/cameraserver.te
@@ -0,0 +1,3 @@
+typeattribute cameraserver coredomain;
+
+init_daemon_domain(cameraserver)
diff --git a/prebuilts/api/28.0/private/charger.te b/prebuilts/api/28.0/private/charger.te
new file mode 100644
index 0000000..65109de
--- /dev/null
+++ b/prebuilts/api/28.0/private/charger.te
@@ -0,0 +1 @@
+typeattribute charger coredomain;
diff --git a/prebuilts/api/28.0/private/clatd.te b/prebuilts/api/28.0/private/clatd.te
new file mode 100644
index 0000000..5ba0fc5
--- /dev/null
+++ b/prebuilts/api/28.0/private/clatd.te
@@ -0,0 +1 @@
+typeattribute clatd coredomain;
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
new file mode 100644
index 0000000..0478a56
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.cil
@@ -0,0 +1,762 @@
+;; attributes removed from current policy
+(typeattribute hal_wifi_keystore)
+(typeattribute hal_wifi_keystore_client)
+(typeattribute hal_wifi_keystore_server)
+
+;; types removed from current policy
+(type asan_reboot_prop)
+(type log_device)
+(type mediacasserver_service)
+(type reboot_data_file)
+(type tracing_shell_writable)
+(type tracing_shell_writable_debug)
+(type vold_socket)
+(type webview_zygote_socket)
+(type rild)
+
+(typeattributeset accessibility_service_26_0 (accessibility_service))
+(typeattributeset account_service_26_0 (account_service))
+(typeattributeset activity_service_26_0 (activity_service))
+(typeattributeset adbd_26_0 (adbd))
+(typeattributeset adb_data_file_26_0 (adb_data_file))
+(typeattributeset adbd_socket_26_0 (adbd_socket))
+(typeattributeset adb_keys_file_26_0 (adb_keys_file))
+(typeattributeset alarm_device_26_0 (alarm_device))
+(typeattributeset alarm_service_26_0 (alarm_service))
+(typeattributeset anr_data_file_26_0 (anr_data_file))
+(typeattributeset apk_data_file_26_0 (apk_data_file))
+(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
+(typeattributeset app_data_file_26_0 (app_data_file))
+(typeattributeset app_fuse_file_26_0 (app_fuse_file))
+(typeattributeset app_fusefs_26_0 (app_fusefs))
+(typeattributeset appops_service_26_0 (appops_service))
+(typeattributeset appwidget_service_26_0 (appwidget_service))
+(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
+(typeattributeset asec_apk_file_26_0 (asec_apk_file))
+(typeattributeset asec_image_file_26_0 (asec_image_file))
+(typeattributeset asec_public_file_26_0 (asec_public_file))
+(typeattributeset ashmem_device_26_0 (ashmem_device))
+(typeattributeset assetatlas_service_26_0 (assetatlas_service))
+(typeattributeset audio_data_file_26_0 (audio_data_file))
+(typeattributeset audio_device_26_0 (audio_device))
+(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
+(typeattributeset audio_prop_26_0 (audio_prop))
+(typeattributeset audio_seq_device_26_0 (audio_seq_device))
+(typeattributeset audioserver_26_0 (audioserver))
+(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
+(typeattributeset audioserver_service_26_0 (audioserver_service))
+(typeattributeset audio_service_26_0 (audio_service))
+(typeattributeset audio_timer_device_26_0 (audio_timer_device))
+(typeattributeset autofill_service_26_0 (autofill_service))
+(typeattributeset backup_data_file_26_0 (backup_data_file))
+(typeattributeset backup_service_26_0 (backup_service))
+(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
+(typeattributeset battery_service_26_0 (battery_service))
+(typeattributeset batterystats_service_26_0 (batterystats_service))
+(typeattributeset binder_device_26_0 (binder_device))
+(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
+(typeattributeset blkid_26_0 (blkid))
+(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
+(typeattributeset block_device_26_0 (block_device))
+(typeattributeset bluetooth_26_0 (bluetooth))
+(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_26_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
+(typeattributeset bootanim_26_0 (bootanim))
+(typeattributeset bootanim_exec_26_0 (bootanim_exec))
+(typeattributeset boot_block_device_26_0 (boot_block_device))
+(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
+(typeattributeset bootstat_26_0 (bootstat))
+(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_26_0 (bootstat_exec))
+(typeattributeset boottime_prop_26_0 (boottime_prop))
+(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
+(typeattributeset bufferhubd_26_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_26_0 (cache_backup_file))
+(typeattributeset cache_block_device_26_0 (cache_block_device))
+(typeattributeset cache_file_26_0 (cache_file))
+(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
+(typeattributeset camera_data_file_26_0 (camera_data_file))
+(typeattributeset camera_device_26_0 (camera_device))
+(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
+(typeattributeset cameraserver_26_0 (cameraserver))
+(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_26_0 (cameraserver_service))
+(typeattributeset cgroup_26_0 (cgroup))
+(typeattributeset charger_26_0 (charger))
+(typeattributeset clatd_26_0 (clatd))
+(typeattributeset clatd_exec_26_0 (clatd_exec))
+(typeattributeset clipboard_service_26_0 (clipboard_service))
+(typeattributeset commontime_management_service_26_0 (commontime_management_service))
+(typeattributeset companion_device_service_26_0 (companion_device_service))
+(typeattributeset configfs_26_0 (configfs))
+(typeattributeset config_prop_26_0 (config_prop))
+(typeattributeset connectivity_service_26_0 (connectivity_service))
+(typeattributeset connmetrics_service_26_0 (connmetrics_service))
+(typeattributeset console_device_26_0 (console_device))
+(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
+(typeattributeset content_service_26_0 (content_service))
+(typeattributeset contexthub_service_26_0 (contexthub_service))
+(typeattributeset coredump_file_26_0 (coredump_file))
+(typeattributeset country_detector_service_26_0 (country_detector_service))
+(typeattributeset coverage_service_26_0 (coverage_service))
+(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
+(typeattributeset cppreopts_26_0 (cppreopts))
+(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_26_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
+(typeattributeset crash_dump_26_0 (crash_dump))
+(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
+(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
+(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
+(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_26_0 (dalvik_prop))
+(typeattributeset dbinfo_service_26_0 (dbinfo_service))
+(typeattributeset debugfs_26_0
+ ( debugfs
+ debugfs_wakeup_sources
+ ))
+(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
+(typeattributeset debug_prop_26_0 (debug_prop))
+(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
+(typeattributeset default_android_service_26_0 (default_android_service))
+(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
+(typeattributeset default_prop_26_0
+ ( default_prop pm_prop))
+(typeattributeset device_26_0 (device))
+(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_26_0 (deviceidle_service))
+(typeattributeset device_logging_prop_26_0 (device_logging_prop))
+(typeattributeset device_policy_service_26_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
+(typeattributeset devpts_26_0 (devpts))
+(typeattributeset dex2oat_26_0 (dex2oat))
+(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
+(typeattributeset dhcp_26_0 (dhcp))
+(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_26_0 (dhcp_exec))
+(typeattributeset dhcp_prop_26_0 (dhcp_prop))
+(typeattributeset diskstats_service_26_0 (diskstats_service))
+(typeattributeset display_service_26_0 (display_service))
+(typeattributeset dm_device_26_0 (dm_device))
+(typeattributeset dnsmasq_26_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_26_0 (DockObserver_service))
+(typeattributeset dreams_service_26_0 (dreams_service))
+(typeattributeset drm_data_file_26_0 (drm_data_file))
+(typeattributeset drmserver_26_0 (drmserver))
+(typeattributeset drmserver_exec_26_0 (drmserver_exec))
+(typeattributeset drmserver_service_26_0 (drmserver_service))
+(typeattributeset drmserver_socket_26_0 (drmserver_socket))
+(typeattributeset dropbox_service_26_0 (dropbox_service))
+(typeattributeset dumpstate_26_0 (dumpstate))
+(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_26_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
+(typeattributeset efs_file_26_0 (efs_file))
+(typeattributeset ephemeral_app_26_0 (ephemeral_app))
+(typeattributeset ethernet_service_26_0 (ethernet_service))
+(typeattributeset ffs_prop_26_0 (ffs_prop))
+(typeattributeset file_contexts_file_26_0 (file_contexts_file))
+(typeattributeset fingerprintd_26_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_26_0 (fingerprint_service))
+(typeattributeset firstboot_prop_26_0 (firstboot_prop))
+(typeattributeset font_service_26_0 (font_service))
+(typeattributeset frp_block_device_26_0 (frp_block_device))
+(typeattributeset fsck_26_0 (fsck))
+(typeattributeset fsck_exec_26_0 (fsck_exec))
+(typeattributeset fscklogs_26_0 (fscklogs))
+(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
+(typeattributeset full_device_26_0 (full_device))
+(typeattributeset functionfs_26_0 (functionfs))
+(typeattributeset fuse_26_0 (fuse))
+(typeattributeset fuse_device_26_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_26_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
+(typeattributeset gps_control_26_0 (gps_control))
+(typeattributeset gpu_device_26_0 (gpu_device))
+(typeattributeset gpu_service_26_0 (gpu_service))
+(typeattributeset graphics_device_26_0 (graphics_device))
+(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
+(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
+(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
+(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
+(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
+(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
+(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
+(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
+(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
+(typeattributeset hardware_service_26_0 (hardware_service))
+(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
+(typeattributeset healthd_26_0 (healthd))
+(typeattributeset healthd_exec_26_0 (healthd_exec))
+(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_26_0 (hwbinder_device))
+(typeattributeset hw_random_device_26_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_26_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_26_0 (i2c_device))
+(typeattributeset icon_file_26_0 (icon_file))
+(typeattributeset idmap_26_0 (idmap))
+(typeattributeset idmap_exec_26_0 (idmap_exec))
+(typeattributeset iio_device_26_0 (iio_device))
+(typeattributeset imms_service_26_0 (imms_service))
+(typeattributeset incident_26_0 (incident))
+(typeattributeset incidentd_26_0 (incidentd))
+(typeattributeset incident_data_file_26_0 (incident_data_file))
+(typeattributeset incident_service_26_0 (incident_service))
+(typeattributeset init_26_0 (init))
+(typeattributeset init_exec_26_0 (init_exec))
+(typeattributeset inotify_26_0 (inotify))
+(typeattributeset input_device_26_0 (input_device))
+(typeattributeset inputflinger_26_0 (inputflinger))
+(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_26_0 (inputflinger_service))
+(typeattributeset input_method_service_26_0 (input_method_service))
+(typeattributeset input_service_26_0 (input_service))
+(typeattributeset installd_26_0 (installd))
+(typeattributeset install_data_file_26_0 (install_data_file))
+(typeattributeset installd_exec_26_0 (installd_exec))
+(typeattributeset installd_service_26_0 (installd_service))
+(typeattributeset install_recovery_26_0 (install_recovery))
+(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
+(typeattributeset ion_device_26_0 (ion_device))
+(typeattributeset IProxyService_service_26_0 (IProxyService_service))
+(typeattributeset ipsec_service_26_0 (ipsec_service))
+(typeattributeset isolated_app_26_0 (isolated_app))
+(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
+(typeattributeset kernel_26_0 (kernel))
+(typeattributeset keychain_data_file_26_0 (keychain_data_file))
+(typeattributeset keychord_device_26_0 (keychord_device))
+(typeattributeset keystore_26_0 (keystore))
+(typeattributeset keystore_data_file_26_0 (keystore_data_file))
+(typeattributeset keystore_exec_26_0 (keystore_exec))
+(typeattributeset keystore_service_26_0 (keystore_service))
+(typeattributeset kmem_device_26_0 (kmem_device))
+(typeattributeset kmsg_device_26_0 (kmsg_device))
+(typeattributeset labeledfs_26_0 (labeledfs))
+(typeattributeset launcherapps_service_26_0 (launcherapps_service))
+(typeattributeset lmkd_26_0 (lmkd))
+(typeattributeset lmkd_exec_26_0 (lmkd_exec))
+(typeattributeset lmkd_socket_26_0 (lmkd_socket))
+(typeattributeset location_service_26_0 (location_service))
+(typeattributeset lock_settings_service_26_0 (lock_settings_service))
+(typeattributeset logcat_exec_26_0 (logcat_exec))
+(typeattributeset logd_26_0 (logd))
+(typeattributeset log_device_26_0 (log_device))
+(typeattributeset logd_exec_26_0 (logd_exec))
+(typeattributeset logd_prop_26_0 (logd_prop))
+(typeattributeset logdr_socket_26_0 (logdr_socket))
+(typeattributeset logd_socket_26_0 (logd_socket))
+(typeattributeset logdw_socket_26_0 (logdw_socket))
+(typeattributeset logpersist_26_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_26_0 (log_prop))
+(typeattributeset log_tag_prop_26_0 (log_tag_prop))
+(typeattributeset loop_control_device_26_0 (loop_control_device))
+(typeattributeset loop_device_26_0 (loop_device))
+(typeattributeset mac_perms_file_26_0 (mac_perms_file))
+(typeattributeset mdnsd_26_0 (mdnsd))
+(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
+(typeattributeset mdns_socket_26_0 (mdns_socket))
+(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
+(typeattributeset mediacodec_26_0 (mediacodec))
+(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_26_0 (mediacodec_service))
+(typeattributeset media_data_file_26_0 (media_data_file))
+(typeattributeset mediadrmserver_26_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_26_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
+(typeattributeset mediametrics_26_0 (mediametrics))
+(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_26_0 (mediametrics_service))
+(typeattributeset media_projection_service_26_0 (media_projection_service))
+(typeattributeset media_router_service_26_0 (media_router_service))
+(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
+(typeattributeset mediaserver_26_0 (mediaserver))
+(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_26_0 (mediaserver_service))
+(typeattributeset media_session_service_26_0 (media_session_service))
+(typeattributeset meminfo_service_26_0 (meminfo_service))
+(typeattributeset metadata_block_device_26_0 (metadata_block_device))
+(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
+(typeattributeset midi_service_26_0 (midi_service))
+(typeattributeset misc_block_device_26_0 (misc_block_device))
+(typeattributeset misc_logd_file_26_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
+(typeattributeset mmc_prop_26_0 (mmc_prop))
+(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_26_0 (mnt_user_file))
+(typeattributeset modprobe_26_0 (modprobe))
+(typeattributeset mount_service_26_0 (mount_service))
+(typeattributeset mqueue_26_0 (mqueue))
+(typeattributeset mtd_device_26_0 (mtd_device))
+(typeattributeset mtp_26_0 (mtp))
+(typeattributeset mtp_device_26_0 (mtp_device))
+(typeattributeset mtpd_socket_26_0 (mtpd_socket))
+(typeattributeset mtp_exec_26_0 (mtp_exec))
+(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
+(typeattributeset netd_26_0 (netd))
+(typeattributeset net_data_file_26_0 (net_data_file))
+(typeattributeset netd_exec_26_0 (netd_exec))
+(typeattributeset netd_listener_service_26_0 (netd_listener_service))
+(typeattributeset net_dns_prop_26_0 (net_dns_prop))
+(typeattributeset netd_service_26_0 (netd_service))
+(typeattributeset netd_socket_26_0 (netd_socket))
+(typeattributeset netif_26_0 (netif))
+(typeattributeset netpolicy_service_26_0 (netpolicy_service))
+(typeattributeset net_radio_prop_26_0 (net_radio_prop))
+(typeattributeset netstats_service_26_0 (netstats_service))
+(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_26_0 (network_management_service))
+(typeattributeset network_score_service_26_0 (network_score_service))
+(typeattributeset network_time_update_service_26_0 (network_time_update_service))
+(typeattributeset nfc_26_0 (nfc))
+(typeattributeset nfc_data_file_26_0 (nfc_data_file))
+(typeattributeset nfc_device_26_0 (nfc_device))
+(typeattributeset nfc_prop_26_0 (nfc_prop))
+(typeattributeset nfc_service_26_0 (nfc_service))
+(typeattributeset node_26_0 (node))
+(typeattributeset notification_service_26_0 (notification_service))
+(typeattributeset null_device_26_0 (null_device))
+(typeattributeset oemfs_26_0 (oemfs))
+(typeattributeset oem_lock_service_26_0 (oem_lock_service))
+(typeattributeset ota_data_file_26_0 (ota_data_file))
+(typeattributeset otadexopt_service_26_0 (otadexopt_service))
+(typeattributeset ota_package_file_26_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_26_0 (overlay_prop))
+(typeattributeset overlay_service_26_0 (overlay_service))
+(typeattributeset owntty_device_26_0 (owntty_device))
+(typeattributeset package_service_26_0 (package_service))
+(typeattributeset pan_result_prop_26_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
+(typeattributeset performanced_26_0 (performanced))
+(typeattributeset performanced_exec_26_0 (performanced_exec))
+(typeattributeset perfprofd_26_0 (perfprofd))
+(typeattributeset perfprofd_data_file_26_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_26_0 (perfprofd_exec))
+(typeattributeset permission_service_26_0 (permission_service))
+(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_26_0 (pinner_service))
+(typeattributeset pipefs_26_0 (pipefs))
+(typeattributeset platform_app_26_0 (platform_app))
+(typeattributeset pmsg_device_26_0 (pmsg_device))
+(typeattributeset port_26_0 (port))
+(typeattributeset port_device_26_0 (port_device))
+(typeattributeset postinstall_26_0 (postinstall))
+(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_26_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_26_0 (powerctl_prop))
+(typeattributeset power_service_26_0 (power_service))
+(typeattributeset ppp_26_0 (ppp))
+(typeattributeset ppp_device_26_0 (ppp_device))
+(typeattributeset ppp_exec_26_0 (ppp_exec))
+(typeattributeset preloads_data_file_26_0 (preloads_data_file))
+(typeattributeset preloads_media_file_26_0 (preloads_media_file))
+(typeattributeset preopt2cachename_26_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
+(typeattributeset print_service_26_0 (print_service))
+(typeattributeset priv_app_26_0 (mediaprovider priv_app))
+(typeattributeset proc_26_0
+ ( proc
+ proc_abi
+ proc_asound
+ proc_buddyinfo
+ proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
+ proc_filesystems
+ proc_hostname
+ proc_hung_task
+ proc_kmsg
+ proc_loadavg
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_panic
+ proc_pid_max
+ proc_pipe_conf
+ proc_random
+ proc_sched
+ proc_swaps
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_uid_cpupower
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat))
+(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
+(typeattributeset processinfo_service_26_0 (processinfo_service))
+(typeattributeset proc_interrupts_26_0 (proc_interrupts))
+(typeattributeset proc_iomem_26_0 (proc_iomem))
+(typeattributeset proc_meminfo_26_0 (proc_meminfo))
+(typeattributeset proc_misc_26_0 (proc_misc))
+(typeattributeset proc_modules_26_0 (proc_modules))
+(typeattributeset proc_net_26_0
+ ( proc_net
+ proc_qtaguid_stat))
+(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_26_0 (proc_perf))
+(typeattributeset proc_security_26_0 (proc_security))
+(typeattributeset proc_stat_26_0 (proc_stat))
+(typeattributeset procstats_service_26_0 (procstats_service))
+(typeattributeset proc_sysrq_26_0 (proc_sysrq))
+(typeattributeset proc_timer_26_0 (proc_timer))
+(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
+(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
+(typeattributeset profman_26_0 (profman))
+(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
+(typeattributeset profman_exec_26_0 (profman_exec))
+(typeattributeset properties_device_26_0 (properties_device))
+(typeattributeset properties_serial_26_0 (properties_serial))
+(typeattributeset property_contexts_file_26_0 (property_contexts_file))
+(typeattributeset property_data_file_26_0 (property_data_file))
+(typeattributeset property_socket_26_0 (property_socket))
+(typeattributeset pstorefs_26_0 (pstorefs))
+(typeattributeset ptmx_device_26_0 (ptmx_device))
+(typeattributeset qtaguid_device_26_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_26_0 (qtaguid_proc))
+(typeattributeset racoon_26_0 (racoon))
+(typeattributeset racoon_exec_26_0 (racoon_exec))
+(typeattributeset racoon_socket_26_0 (racoon_socket))
+(typeattributeset radio_26_0 (radio))
+(typeattributeset radio_data_file_26_0 (radio_data_file))
+(typeattributeset radio_device_26_0 (radio_device))
+(typeattributeset radio_prop_26_0 (radio_prop))
+(typeattributeset radio_service_26_0 (radio_service))
+(typeattributeset ram_device_26_0 (ram_device))
+(typeattributeset random_device_26_0 (random_device))
+(typeattributeset reboot_data_file_26_0 (reboot_data_file))
+(typeattributeset recovery_26_0 (recovery))
+(typeattributeset recovery_block_device_26_0 (recovery_block_device))
+(typeattributeset recovery_data_file_26_0 (recovery_data_file))
+(typeattributeset recovery_persist_26_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_26_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_26_0 (recovery_service))
+(typeattributeset registry_service_26_0 (registry_service))
+(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_26_0 (restorecon_prop))
+(typeattributeset restrictions_service_26_0 (restrictions_service))
+(typeattributeset rild_26_0 (rild))
+(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
+(typeattributeset rild_socket_26_0 (rild_socket))
+(typeattributeset ringtone_file_26_0 (ringtone_file))
+(typeattributeset root_block_device_26_0 (root_block_device))
+(typeattributeset rootfs_26_0 (rootfs))
+(typeattributeset rpmsg_device_26_0 (rpmsg_device))
+(typeattributeset rtc_device_26_0 (rtc_device))
+(typeattributeset rttmanager_service_26_0 (rttmanager_service))
+(typeattributeset runas_26_0 (runas))
+(typeattributeset runas_exec_26_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_26_0 (safemode_prop))
+(typeattributeset same_process_hal_file_26_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
+(typeattributeset sdcardd_26_0 (sdcardd))
+(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
+(typeattributeset sdcardfs_26_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
+(typeattributeset search_service_26_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_26_0 (selinuxfs))
+(typeattributeset sensors_device_26_0 (sensors_device))
+(typeattributeset sensorservice_service_26_0 (sensorservice_service))
+(typeattributeset sepolicy_file_26_0 (sepolicy_file))
+(typeattributeset serial_device_26_0 (serial_device))
+(typeattributeset serialno_prop_26_0 (serialno_prop))
+(typeattributeset serial_service_26_0 (serial_service))
+(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
+(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
+(typeattributeset servicemanager_26_0 (servicemanager))
+(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
+(typeattributeset settings_service_26_0 (settings_service))
+(typeattributeset sgdisk_26_0 (sgdisk))
+(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
+(typeattributeset shared_relro_26_0 (shared_relro))
+(typeattributeset shared_relro_file_26_0 (shared_relro_file))
+(typeattributeset shell_26_0 (shell))
+(typeattributeset shell_data_file_26_0 (shell_data_file))
+(typeattributeset shell_exec_26_0 (shell_exec))
+(typeattributeset shell_prop_26_0 (shell_prop))
+(typeattributeset shm_26_0 (shm))
+(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_26_0 (shortcut_service))
+(typeattributeset slideshow_26_0 (slideshow))
+(typeattributeset socket_device_26_0 (socket_device))
+(typeattributeset sockfs_26_0 (sockfs))
+(typeattributeset statusbar_service_26_0 (statusbar_service))
+(typeattributeset storaged_service_26_0 (storaged_service))
+(typeattributeset storage_file_26_0 (storage_file))
+(typeattributeset storagestats_service_26_0 (storagestats_service))
+(typeattributeset storage_stub_file_26_0 (storage_stub_file))
+(typeattributeset su_26_0 (su))
+(typeattributeset su_exec_26_0 (su_exec))
+(typeattributeset surfaceflinger_26_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_26_0 (swap_block_device))
+(typeattributeset sysfs_26_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_dt_firmware_android
+ sysfs_ipv4
+ sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
+(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_26_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_26_0 (sysfs_uio))
+(typeattributeset sysfs_usb_26_0 (sysfs_usb))
+(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_26_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
+(typeattributeset system_app_26_0 (system_app))
+(typeattributeset system_app_data_file_26_0 (system_app_data_file))
+(typeattributeset system_app_service_26_0 (system_app_service))
+(typeattributeset system_block_device_26_0 (system_block_device))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
+(typeattributeset system_file_26_0 (system_file))
+(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
+(typeattributeset system_prop_26_0 (system_prop))
+(typeattributeset system_radio_prop_26_0 (system_radio_prop))
+(typeattributeset system_server_26_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
+(typeattributeset task_service_26_0 (task_service))
+(typeattributeset tee_26_0 (tee))
+(typeattributeset tee_data_file_26_0 (tee_data_file))
+(typeattributeset tee_device_26_0 (tee_device))
+(typeattributeset telecom_service_26_0 (telecom_service))
+(typeattributeset textclassification_service_26_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
+(typeattributeset textservices_service_26_0 (textservices_service))
+(typeattributeset tmpfs_26_0 (tmpfs))
+(typeattributeset tombstoned_26_0 (tombstoned))
+(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
+(typeattributeset toolbox_26_0 (toolbox))
+(typeattributeset toolbox_exec_26_0 (toolbox_exec))
+(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
+(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
+(typeattributeset trust_service_26_0 (trust_service))
+(typeattributeset tty_device_26_0 (tty_device))
+(typeattributeset tun_device_26_0 (tun_device))
+(typeattributeset tv_input_service_26_0 (tv_input_service))
+(typeattributeset tzdatacheck_26_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
+(typeattributeset ueventd_26_0 (ueventd))
+(typeattributeset uhid_device_26_0 (uhid_device))
+(typeattributeset uimode_service_26_0 (uimode_service))
+(typeattributeset uio_device_26_0 (uio_device))
+(typeattributeset uncrypt_26_0 (uncrypt))
+(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
+(typeattributeset unlabeled_26_0 (unlabeled))
+(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
+(typeattributeset untrusted_app_26_0
+ ( untrusted_app
+ untrusted_app_27))
+(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
+(typeattributeset update_engine_26_0 (update_engine))
+(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_26_0 (update_engine_exec))
+(typeattributeset update_engine_service_26_0 (update_engine_service))
+(typeattributeset updatelock_service_26_0 (updatelock_service))
+(typeattributeset update_verifier_26_0 (update_verifier))
+(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
+(typeattributeset usagestats_service_26_0 (usagestats_service))
+(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
+(typeattributeset usb_device_26_0 (usb_device))
+(typeattributeset usbfs_26_0 (usbfs))
+(typeattributeset usb_service_26_0 (usb_service))
+(typeattributeset userdata_block_device_26_0 (userdata_block_device))
+(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
+(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
+(typeattributeset user_service_26_0 (user_service))
+(typeattributeset vcs_device_26_0 (vcs_device))
+(typeattributeset vdc_26_0 (vdc))
+(typeattributeset vdc_exec_26_0 (vdc_exec))
+(typeattributeset vendor_app_file_26_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
+(typeattributeset vendor_file_26_0 (vendor_file))
+(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
+(typeattributeset vfat_26_0 (vfat))
+(typeattributeset vibrator_service_26_0 (vibrator_service))
+(typeattributeset video_device_26_0 (video_device))
+(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_26_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_26_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
+(typeattributeset vold_26_0 (vold))
+(typeattributeset vold_data_file_26_0 (vold_data_file))
+(typeattributeset vold_device_26_0 (vold_device))
+(typeattributeset vold_exec_26_0 (vold_exec))
+(typeattributeset vold_prop_26_0 (vold_prop))
+(typeattributeset vold_socket_26_0 (vold_socket))
+(typeattributeset vpn_data_file_26_0 (vpn_data_file))
+(typeattributeset vr_hwc_26_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_26_0 (vr_manager_service))
+(typeattributeset wallpaper_file_26_0 (wallpaper_file))
+(typeattributeset wallpaper_service_26_0 (wallpaper_service))
+(typeattributeset watchdogd_26_0 (watchdogd))
+(typeattributeset watchdog_device_26_0 (watchdog_device))
+(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
+(typeattributeset webview_zygote_26_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_26_0 (wifiaware_service))
+(typeattributeset wificond_26_0 (wificond))
+(typeattributeset wificond_exec_26_0 (wificond_exec))
+(typeattributeset wificond_service_26_0 (wificond_service))
+(typeattributeset wifi_data_file_26_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_26_0 (wifip2p_service))
+(typeattributeset wifi_prop_26_0 (wifi_prop))
+(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
+(typeattributeset wifi_service_26_0 (wifi_service))
+(typeattributeset window_service_26_0 (window_service))
+(typeattributeset wpa_socket_26_0 (wpa_socket))
+(typeattributeset zero_device_26_0 (zero_device))
+(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
+(typeattributeset zygote_26_0 (zygote))
+(typeattributeset zygote_exec_26_0 (zygote_exec))
+(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
new file mode 100644
index 0000000..4e0aae2
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/26.0/26.0.ignore.cil
@@ -0,0 +1,158 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( adbd_exec
+ atrace
+ binder_calls_stats_service
+ bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ broadcastradio_service
+ cgroup_bpf
+ crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
+ e2fs
+ e2fs_exec
+ exfat
+ exported_audio_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_audiocontrol_hwservice
+ hal_authsecret_hwservice
+ hal_broadcastradio_hwservice
+ hal_cas_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_evs_hwservice
+ hal_lowpan_hwservice
+ hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
+ hal_tetheroffload_hwservice
+ hal_wifi_hostapd_hwservice
+ hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
+ hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
+ kmsg_debug_device
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
+ mediaprovider_tmpfs
+ metadata_file
+ mnt_vendor_file
+ netd_stable_secret_prop
+ network_watchlist_data_file
+ network_watchlist_service
+ package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_tmpfs
+ secure_element_service
+ slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statsdw
+ statsdw_socket
+ statscompanion_service
+ storaged_data_file
+ sysfs_fs_ext4_features
+ system_boot_reason_prop
+ system_net_netd_hwservice
+ system_update_service
+ test_boot_reason_prop
+ thermal_service
+ thermalcallback_hwservice
+ thermalserviced
+ thermalserviced_exec
+ thermalserviced_tmpfs
+ timezone_service
+ tombstoned_java_trace_socket
+ tombstone_wifi_data_file
+ trace_data_file
+ traceur_app
+ traceur_app_tmpfs
+ traced
+ traced_consumer_socket
+ traced_enabled_prop
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ vendor_default_prop
+ vendor_security_patch_level_prop
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_init
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs
+ wm_trace_data_file))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+ ( adbd_tmpfs
+ untrusted_app_27_tmpfs
+ ))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
new file mode 100644
index 0000000..dbe3e88
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.cil
@@ -0,0 +1,1484 @@
+;; types removed from current policy
+(type webview_zygote_socket)
+(type reboot_data_file)
+(type vold_socket)
+(type rild)
+
+(expandtypeattribute (accessibility_service_27_0) true)
+(expandtypeattribute (account_service_27_0) true)
+(expandtypeattribute (activity_service_27_0) true)
+(expandtypeattribute (adbd_27_0) true)
+(expandtypeattribute (adb_data_file_27_0) true)
+(expandtypeattribute (adbd_exec_27_0) true)
+(expandtypeattribute (adbd_socket_27_0) true)
+(expandtypeattribute (adb_keys_file_27_0) true)
+(expandtypeattribute (alarm_device_27_0) true)
+(expandtypeattribute (alarm_service_27_0) true)
+(expandtypeattribute (anr_data_file_27_0) true)
+(expandtypeattribute (apk_data_file_27_0) true)
+(expandtypeattribute (apk_private_data_file_27_0) true)
+(expandtypeattribute (apk_private_tmp_file_27_0) true)
+(expandtypeattribute (apk_tmp_file_27_0) true)
+(expandtypeattribute (app_data_file_27_0) true)
+(expandtypeattribute (app_fuse_file_27_0) true)
+(expandtypeattribute (app_fusefs_27_0) true)
+(expandtypeattribute (appops_service_27_0) true)
+(expandtypeattribute (appwidget_service_27_0) true)
+(expandtypeattribute (asec_apk_file_27_0) true)
+(expandtypeattribute (asec_image_file_27_0) true)
+(expandtypeattribute (asec_public_file_27_0) true)
+(expandtypeattribute (ashmem_device_27_0) true)
+(expandtypeattribute (assetatlas_service_27_0) true)
+(expandtypeattribute (audio_data_file_27_0) true)
+(expandtypeattribute (audio_device_27_0) true)
+(expandtypeattribute (audiohal_data_file_27_0) true)
+(expandtypeattribute (audio_prop_27_0) true)
+(expandtypeattribute (audio_seq_device_27_0) true)
+(expandtypeattribute (audioserver_27_0) true)
+(expandtypeattribute (audioserver_data_file_27_0) true)
+(expandtypeattribute (audioserver_service_27_0) true)
+(expandtypeattribute (audio_service_27_0) true)
+(expandtypeattribute (audio_timer_device_27_0) true)
+(expandtypeattribute (autofill_service_27_0) true)
+(expandtypeattribute (backup_data_file_27_0) true)
+(expandtypeattribute (backup_service_27_0) true)
+(expandtypeattribute (batteryproperties_service_27_0) true)
+(expandtypeattribute (battery_service_27_0) true)
+(expandtypeattribute (batterystats_service_27_0) true)
+(expandtypeattribute (binder_device_27_0) true)
+(expandtypeattribute (binfmt_miscfs_27_0) true)
+(expandtypeattribute (blkid_27_0) true)
+(expandtypeattribute (blkid_untrusted_27_0) true)
+(expandtypeattribute (block_device_27_0) true)
+(expandtypeattribute (bluetooth_27_0) true)
+(expandtypeattribute (bluetooth_data_file_27_0) true)
+(expandtypeattribute (bluetooth_efs_file_27_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
+(expandtypeattribute (bluetooth_manager_service_27_0) true)
+(expandtypeattribute (bluetooth_prop_27_0) true)
+(expandtypeattribute (bluetooth_service_27_0) true)
+(expandtypeattribute (bluetooth_socket_27_0) true)
+(expandtypeattribute (bootanim_27_0) true)
+(expandtypeattribute (bootanim_exec_27_0) true)
+(expandtypeattribute (boot_block_device_27_0) true)
+(expandtypeattribute (bootchart_data_file_27_0) true)
+(expandtypeattribute (bootstat_27_0) true)
+(expandtypeattribute (bootstat_data_file_27_0) true)
+(expandtypeattribute (bootstat_exec_27_0) true)
+(expandtypeattribute (boottime_prop_27_0) true)
+(expandtypeattribute (boottrace_data_file_27_0) true)
+(expandtypeattribute (broadcastradio_service_27_0) true)
+(expandtypeattribute (bufferhubd_27_0) true)
+(expandtypeattribute (bufferhubd_exec_27_0) true)
+(expandtypeattribute (cache_backup_file_27_0) true)
+(expandtypeattribute (cache_block_device_27_0) true)
+(expandtypeattribute (cache_file_27_0) true)
+(expandtypeattribute (cache_private_backup_file_27_0) true)
+(expandtypeattribute (cache_recovery_file_27_0) true)
+(expandtypeattribute (camera_data_file_27_0) true)
+(expandtypeattribute (camera_device_27_0) true)
+(expandtypeattribute (cameraproxy_service_27_0) true)
+(expandtypeattribute (cameraserver_27_0) true)
+(expandtypeattribute (cameraserver_exec_27_0) true)
+(expandtypeattribute (cameraserver_service_27_0) true)
+(expandtypeattribute (cgroup_27_0) true)
+(expandtypeattribute (charger_27_0) true)
+(expandtypeattribute (clatd_27_0) true)
+(expandtypeattribute (clatd_exec_27_0) true)
+(expandtypeattribute (clipboard_service_27_0) true)
+(expandtypeattribute (commontime_management_service_27_0) true)
+(expandtypeattribute (companion_device_service_27_0) true)
+(expandtypeattribute (configfs_27_0) true)
+(expandtypeattribute (config_prop_27_0) true)
+(expandtypeattribute (connectivity_service_27_0) true)
+(expandtypeattribute (connmetrics_service_27_0) true)
+(expandtypeattribute (console_device_27_0) true)
+(expandtypeattribute (consumer_ir_service_27_0) true)
+(expandtypeattribute (content_service_27_0) true)
+(expandtypeattribute (contexthub_service_27_0) true)
+(expandtypeattribute (coredump_file_27_0) true)
+(expandtypeattribute (country_detector_service_27_0) true)
+(expandtypeattribute (coverage_service_27_0) true)
+(expandtypeattribute (cppreopt_prop_27_0) true)
+(expandtypeattribute (cppreopts_27_0) true)
+(expandtypeattribute (cppreopts_exec_27_0) true)
+(expandtypeattribute (cpuctl_device_27_0) true)
+(expandtypeattribute (cpuinfo_service_27_0) true)
+(expandtypeattribute (crash_dump_27_0) true)
+(expandtypeattribute (crash_dump_exec_27_0) true)
+(expandtypeattribute (ctl_bootanim_prop_27_0) true)
+(expandtypeattribute (ctl_bugreport_prop_27_0) true)
+(expandtypeattribute (ctl_console_prop_27_0) true)
+(expandtypeattribute (ctl_default_prop_27_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
+(expandtypeattribute (ctl_fuse_prop_27_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
+(expandtypeattribute (dalvikcache_data_file_27_0) true)
+(expandtypeattribute (dalvik_prop_27_0) true)
+(expandtypeattribute (dbinfo_service_27_0) true)
+(expandtypeattribute (debugfs_27_0) true)
+(expandtypeattribute (debugfs_mmc_27_0) true)
+(expandtypeattribute (debugfs_trace_marker_27_0) true)
+(expandtypeattribute (debugfs_tracing_27_0) true)
+(expandtypeattribute (debugfs_tracing_debug_27_0) true)
+(expandtypeattribute (debugfs_tracing_instances_27_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
+(expandtypeattribute (debuggerd_prop_27_0) true)
+(expandtypeattribute (debug_prop_27_0) true)
+(expandtypeattribute (default_android_hwservice_27_0) true)
+(expandtypeattribute (default_android_service_27_0) true)
+(expandtypeattribute (default_android_vndservice_27_0) true)
+(expandtypeattribute (default_prop_27_0) true)
+(expandtypeattribute (device_27_0) true)
+(expandtypeattribute (device_identifiers_service_27_0) true)
+(expandtypeattribute (deviceidle_service_27_0) true)
+(expandtypeattribute (device_logging_prop_27_0) true)
+(expandtypeattribute (device_policy_service_27_0) true)
+(expandtypeattribute (devicestoragemonitor_service_27_0) true)
+(expandtypeattribute (devpts_27_0) true)
+(expandtypeattribute (dex2oat_27_0) true)
+(expandtypeattribute (dex2oat_exec_27_0) true)
+(expandtypeattribute (dhcp_27_0) true)
+(expandtypeattribute (dhcp_data_file_27_0) true)
+(expandtypeattribute (dhcp_exec_27_0) true)
+(expandtypeattribute (dhcp_prop_27_0) true)
+(expandtypeattribute (diskstats_service_27_0) true)
+(expandtypeattribute (display_service_27_0) true)
+(expandtypeattribute (dm_device_27_0) true)
+(expandtypeattribute (dnsmasq_27_0) true)
+(expandtypeattribute (dnsmasq_exec_27_0) true)
+(expandtypeattribute (dnsproxyd_socket_27_0) true)
+(expandtypeattribute (DockObserver_service_27_0) true)
+(expandtypeattribute (dreams_service_27_0) true)
+(expandtypeattribute (drm_data_file_27_0) true)
+(expandtypeattribute (drmserver_27_0) true)
+(expandtypeattribute (drmserver_exec_27_0) true)
+(expandtypeattribute (drmserver_service_27_0) true)
+(expandtypeattribute (drmserver_socket_27_0) true)
+(expandtypeattribute (dropbox_service_27_0) true)
+(expandtypeattribute (dumpstate_27_0) true)
+(expandtypeattribute (dumpstate_exec_27_0) true)
+(expandtypeattribute (dumpstate_options_prop_27_0) true)
+(expandtypeattribute (dumpstate_prop_27_0) true)
+(expandtypeattribute (dumpstate_service_27_0) true)
+(expandtypeattribute (dumpstate_socket_27_0) true)
+(expandtypeattribute (e2fs_27_0) true)
+(expandtypeattribute (e2fs_exec_27_0) true)
+(expandtypeattribute (efs_file_27_0) true)
+(expandtypeattribute (ephemeral_app_27_0) true)
+(expandtypeattribute (ethernet_service_27_0) true)
+(expandtypeattribute (ffs_prop_27_0) true)
+(expandtypeattribute (file_contexts_file_27_0) true)
+(expandtypeattribute (fingerprintd_27_0) true)
+(expandtypeattribute (fingerprintd_data_file_27_0) true)
+(expandtypeattribute (fingerprintd_exec_27_0) true)
+(expandtypeattribute (fingerprintd_service_27_0) true)
+(expandtypeattribute (fingerprint_prop_27_0) true)
+(expandtypeattribute (fingerprint_service_27_0) true)
+(expandtypeattribute (firstboot_prop_27_0) true)
+(expandtypeattribute (font_service_27_0) true)
+(expandtypeattribute (frp_block_device_27_0) true)
+(expandtypeattribute (fsck_27_0) true)
+(expandtypeattribute (fsck_exec_27_0) true)
+(expandtypeattribute (fscklogs_27_0) true)
+(expandtypeattribute (fsck_untrusted_27_0) true)
+(expandtypeattribute (full_device_27_0) true)
+(expandtypeattribute (functionfs_27_0) true)
+(expandtypeattribute (fuse_27_0) true)
+(expandtypeattribute (fuse_device_27_0) true)
+(expandtypeattribute (fwk_display_hwservice_27_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
+(expandtypeattribute (fwmarkd_socket_27_0) true)
+(expandtypeattribute (gatekeeperd_27_0) true)
+(expandtypeattribute (gatekeeper_data_file_27_0) true)
+(expandtypeattribute (gatekeeperd_exec_27_0) true)
+(expandtypeattribute (gatekeeper_service_27_0) true)
+(expandtypeattribute (gfxinfo_service_27_0) true)
+(expandtypeattribute (gps_control_27_0) true)
+(expandtypeattribute (gpu_device_27_0) true)
+(expandtypeattribute (gpu_service_27_0) true)
+(expandtypeattribute (graphics_device_27_0) true)
+(expandtypeattribute (graphicsstats_service_27_0) true)
+(expandtypeattribute (hal_audio_hwservice_27_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
+(expandtypeattribute (hal_camera_hwservice_27_0) true)
+(expandtypeattribute (hal_cas_hwservice_27_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
+(expandtypeattribute (hal_drm_hwservice_27_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
+(expandtypeattribute (hal_fingerprint_service_27_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
+(expandtypeattribute (hal_gnss_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
+(expandtypeattribute (hal_health_hwservice_27_0) true)
+(expandtypeattribute (hal_ir_hwservice_27_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
+(expandtypeattribute (hal_light_hwservice_27_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
+(expandtypeattribute (hal_nfc_hwservice_27_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
+(expandtypeattribute (hal_omx_hwservice_27_0) true)
+(expandtypeattribute (hal_power_hwservice_27_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
+(expandtypeattribute (hal_sensors_hwservice_27_0) true)
+(expandtypeattribute (hal_telephony_hwservice_27_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
+(expandtypeattribute (hal_thermal_hwservice_27_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
+(expandtypeattribute (hal_usb_hwservice_27_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
+(expandtypeattribute (hal_vr_hwservice_27_0) true)
+(expandtypeattribute (hal_weaver_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
+(expandtypeattribute (hardware_properties_service_27_0) true)
+(expandtypeattribute (hardware_service_27_0) true)
+(expandtypeattribute (hci_attach_dev_27_0) true)
+(expandtypeattribute (hdmi_control_service_27_0) true)
+(expandtypeattribute (healthd_27_0) true)
+(expandtypeattribute (healthd_exec_27_0) true)
+(expandtypeattribute (heapdump_data_file_27_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
+(expandtypeattribute (hidl_base_hwservice_27_0) true)
+(expandtypeattribute (hidl_manager_hwservice_27_0) true)
+(expandtypeattribute (hidl_memory_hwservice_27_0) true)
+(expandtypeattribute (hidl_token_hwservice_27_0) true)
+(expandtypeattribute (hwbinder_device_27_0) true)
+(expandtypeattribute (hw_random_device_27_0) true)
+(expandtypeattribute (hwservice_contexts_file_27_0) true)
+(expandtypeattribute (hwservicemanager_27_0) true)
+(expandtypeattribute (hwservicemanager_exec_27_0) true)
+(expandtypeattribute (hwservicemanager_prop_27_0) true)
+(expandtypeattribute (i2c_device_27_0) true)
+(expandtypeattribute (icon_file_27_0) true)
+(expandtypeattribute (idmap_27_0) true)
+(expandtypeattribute (idmap_exec_27_0) true)
+(expandtypeattribute (iio_device_27_0) true)
+(expandtypeattribute (imms_service_27_0) true)
+(expandtypeattribute (incident_27_0) true)
+(expandtypeattribute (incidentd_27_0) true)
+(expandtypeattribute (incident_data_file_27_0) true)
+(expandtypeattribute (incident_service_27_0) true)
+(expandtypeattribute (init_27_0) true)
+(expandtypeattribute (init_exec_27_0) true)
+(expandtypeattribute (inotify_27_0) true)
+(expandtypeattribute (input_device_27_0) true)
+(expandtypeattribute (inputflinger_27_0) true)
+(expandtypeattribute (inputflinger_exec_27_0) true)
+(expandtypeattribute (inputflinger_service_27_0) true)
+(expandtypeattribute (input_method_service_27_0) true)
+(expandtypeattribute (input_service_27_0) true)
+(expandtypeattribute (installd_27_0) true)
+(expandtypeattribute (install_data_file_27_0) true)
+(expandtypeattribute (installd_exec_27_0) true)
+(expandtypeattribute (installd_service_27_0) true)
+(expandtypeattribute (install_recovery_27_0) true)
+(expandtypeattribute (install_recovery_exec_27_0) true)
+(expandtypeattribute (ion_device_27_0) true)
+(expandtypeattribute (IProxyService_service_27_0) true)
+(expandtypeattribute (ipsec_service_27_0) true)
+(expandtypeattribute (isolated_app_27_0) true)
+(expandtypeattribute (jobscheduler_service_27_0) true)
+(expandtypeattribute (kernel_27_0) true)
+(expandtypeattribute (keychain_data_file_27_0) true)
+(expandtypeattribute (keychord_device_27_0) true)
+(expandtypeattribute (keystore_27_0) true)
+(expandtypeattribute (keystore_data_file_27_0) true)
+(expandtypeattribute (keystore_exec_27_0) true)
+(expandtypeattribute (keystore_service_27_0) true)
+(expandtypeattribute (kmem_device_27_0) true)
+(expandtypeattribute (kmsg_debug_device_27_0) true)
+(expandtypeattribute (kmsg_device_27_0) true)
+(expandtypeattribute (labeledfs_27_0) true)
+(expandtypeattribute (launcherapps_service_27_0) true)
+(expandtypeattribute (lmkd_27_0) true)
+(expandtypeattribute (lmkd_exec_27_0) true)
+(expandtypeattribute (lmkd_socket_27_0) true)
+(expandtypeattribute (location_service_27_0) true)
+(expandtypeattribute (lock_settings_service_27_0) true)
+(expandtypeattribute (logcat_exec_27_0) true)
+(expandtypeattribute (logd_27_0) true)
+(expandtypeattribute (logd_exec_27_0) true)
+(expandtypeattribute (logd_prop_27_0) true)
+(expandtypeattribute (logdr_socket_27_0) true)
+(expandtypeattribute (logd_socket_27_0) true)
+(expandtypeattribute (logdw_socket_27_0) true)
+(expandtypeattribute (logpersist_27_0) true)
+(expandtypeattribute (logpersistd_logging_prop_27_0) true)
+(expandtypeattribute (log_prop_27_0) true)
+(expandtypeattribute (log_tag_prop_27_0) true)
+(expandtypeattribute (loop_control_device_27_0) true)
+(expandtypeattribute (loop_device_27_0) true)
+(expandtypeattribute (mac_perms_file_27_0) true)
+(expandtypeattribute (mdnsd_27_0) true)
+(expandtypeattribute (mdnsd_socket_27_0) true)
+(expandtypeattribute (mdns_socket_27_0) true)
+(expandtypeattribute (mediacodec_27_0) true)
+(expandtypeattribute (mediacodec_exec_27_0) true)
+(expandtypeattribute (mediacodec_service_27_0) true)
+(expandtypeattribute (media_data_file_27_0) true)
+(expandtypeattribute (mediadrmserver_27_0) true)
+(expandtypeattribute (mediadrmserver_exec_27_0) true)
+(expandtypeattribute (mediadrmserver_service_27_0) true)
+(expandtypeattribute (mediaextractor_27_0) true)
+(expandtypeattribute (mediaextractor_exec_27_0) true)
+(expandtypeattribute (mediaextractor_service_27_0) true)
+(expandtypeattribute (mediametrics_27_0) true)
+(expandtypeattribute (mediametrics_exec_27_0) true)
+(expandtypeattribute (mediametrics_service_27_0) true)
+(expandtypeattribute (media_projection_service_27_0) true)
+(expandtypeattribute (mediaprovider_27_0) true)
+(expandtypeattribute (media_router_service_27_0) true)
+(expandtypeattribute (media_rw_data_file_27_0) true)
+(expandtypeattribute (mediaserver_27_0) true)
+(expandtypeattribute (mediaserver_exec_27_0) true)
+(expandtypeattribute (mediaserver_service_27_0) true)
+(expandtypeattribute (media_session_service_27_0) true)
+(expandtypeattribute (meminfo_service_27_0) true)
+(expandtypeattribute (metadata_block_device_27_0) true)
+(expandtypeattribute (method_trace_data_file_27_0) true)
+(expandtypeattribute (midi_service_27_0) true)
+(expandtypeattribute (misc_block_device_27_0) true)
+(expandtypeattribute (misc_logd_file_27_0) true)
+(expandtypeattribute (misc_user_data_file_27_0) true)
+(expandtypeattribute (mmc_prop_27_0) true)
+(expandtypeattribute (mnt_expand_file_27_0) true)
+(expandtypeattribute (mnt_media_rw_file_27_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
+(expandtypeattribute (mnt_user_file_27_0) true)
+(expandtypeattribute (modprobe_27_0) true)
+(expandtypeattribute (mount_service_27_0) true)
+(expandtypeattribute (mqueue_27_0) true)
+(expandtypeattribute (mtd_device_27_0) true)
+(expandtypeattribute (mtp_27_0) true)
+(expandtypeattribute (mtp_device_27_0) true)
+(expandtypeattribute (mtpd_socket_27_0) true)
+(expandtypeattribute (mtp_exec_27_0) true)
+(expandtypeattribute (nativetest_data_file_27_0) true)
+(expandtypeattribute (netd_27_0) true)
+(expandtypeattribute (net_data_file_27_0) true)
+(expandtypeattribute (netd_exec_27_0) true)
+(expandtypeattribute (netd_listener_service_27_0) true)
+(expandtypeattribute (net_dns_prop_27_0) true)
+(expandtypeattribute (netd_service_27_0) true)
+(expandtypeattribute (netd_socket_27_0) true)
+(expandtypeattribute (netd_stable_secret_prop_27_0) true)
+(expandtypeattribute (netif_27_0) true)
+(expandtypeattribute (netpolicy_service_27_0) true)
+(expandtypeattribute (net_radio_prop_27_0) true)
+(expandtypeattribute (netstats_service_27_0) true)
+(expandtypeattribute (netutils_wrapper_27_0) true)
+(expandtypeattribute (netutils_wrapper_exec_27_0) true)
+(expandtypeattribute (network_management_service_27_0) true)
+(expandtypeattribute (network_score_service_27_0) true)
+(expandtypeattribute (network_time_update_service_27_0) true)
+(expandtypeattribute (nfc_27_0) true)
+(expandtypeattribute (nfc_data_file_27_0) true)
+(expandtypeattribute (nfc_device_27_0) true)
+(expandtypeattribute (nfc_prop_27_0) true)
+(expandtypeattribute (nfc_service_27_0) true)
+(expandtypeattribute (node_27_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
+(expandtypeattribute (notification_service_27_0) true)
+(expandtypeattribute (null_device_27_0) true)
+(expandtypeattribute (oemfs_27_0) true)
+(expandtypeattribute (oem_lock_service_27_0) true)
+(expandtypeattribute (ota_data_file_27_0) true)
+(expandtypeattribute (otadexopt_service_27_0) true)
+(expandtypeattribute (ota_package_file_27_0) true)
+(expandtypeattribute (otapreopt_chroot_27_0) true)
+(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
+(expandtypeattribute (otapreopt_slot_27_0) true)
+(expandtypeattribute (otapreopt_slot_exec_27_0) true)
+(expandtypeattribute (overlay_prop_27_0) true)
+(expandtypeattribute (overlay_service_27_0) true)
+(expandtypeattribute (owntty_device_27_0) true)
+(expandtypeattribute (package_native_service_27_0) true)
+(expandtypeattribute (package_service_27_0) true)
+(expandtypeattribute (pan_result_prop_27_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_dir_27_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_performance_dir_27_0) true)
+(expandtypeattribute (performanced_27_0) true)
+(expandtypeattribute (performanced_exec_27_0) true)
+(expandtypeattribute (perfprofd_27_0) true)
+(expandtypeattribute (perfprofd_data_file_27_0) true)
+(expandtypeattribute (perfprofd_exec_27_0) true)
+(expandtypeattribute (permission_service_27_0) true)
+(expandtypeattribute (persist_debug_prop_27_0) true)
+(expandtypeattribute (persistent_data_block_service_27_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
+(expandtypeattribute (pinner_service_27_0) true)
+(expandtypeattribute (pipefs_27_0) true)
+(expandtypeattribute (platform_app_27_0) true)
+(expandtypeattribute (pmsg_device_27_0) true)
+(expandtypeattribute (port_27_0) true)
+(expandtypeattribute (port_device_27_0) true)
+(expandtypeattribute (postinstall_27_0) true)
+(expandtypeattribute (postinstall_dexopt_27_0) true)
+(expandtypeattribute (postinstall_file_27_0) true)
+(expandtypeattribute (postinstall_mnt_dir_27_0) true)
+(expandtypeattribute (powerctl_prop_27_0) true)
+(expandtypeattribute (power_service_27_0) true)
+(expandtypeattribute (ppp_27_0) true)
+(expandtypeattribute (ppp_device_27_0) true)
+(expandtypeattribute (ppp_exec_27_0) true)
+(expandtypeattribute (preloads_data_file_27_0) true)
+(expandtypeattribute (preloads_media_file_27_0) true)
+(expandtypeattribute (preopt2cachename_27_0) true)
+(expandtypeattribute (preopt2cachename_exec_27_0) true)
+(expandtypeattribute (print_service_27_0) true)
+(expandtypeattribute (priv_app_27_0) true)
+(expandtypeattribute (proc_27_0) true)
+(expandtypeattribute (proc_bluetooth_writable_27_0) true)
+(expandtypeattribute (proc_cpuinfo_27_0) true)
+(expandtypeattribute (proc_drop_caches_27_0) true)
+(expandtypeattribute (processinfo_service_27_0) true)
+(expandtypeattribute (proc_interrupts_27_0) true)
+(expandtypeattribute (proc_iomem_27_0) true)
+(expandtypeattribute (proc_meminfo_27_0) true)
+(expandtypeattribute (proc_misc_27_0) true)
+(expandtypeattribute (proc_modules_27_0) true)
+(expandtypeattribute (proc_net_27_0) true)
+(expandtypeattribute (proc_overcommit_memory_27_0) true)
+(expandtypeattribute (proc_perf_27_0) true)
+(expandtypeattribute (proc_security_27_0) true)
+(expandtypeattribute (proc_stat_27_0) true)
+(expandtypeattribute (procstats_service_27_0) true)
+(expandtypeattribute (proc_sysrq_27_0) true)
+(expandtypeattribute (proc_timer_27_0) true)
+(expandtypeattribute (proc_tty_drivers_27_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
+(expandtypeattribute (proc_uid_io_stats_27_0) true)
+(expandtypeattribute (proc_uid_procstat_set_27_0) true)
+(expandtypeattribute (proc_uid_time_in_state_27_0) true)
+(expandtypeattribute (proc_zoneinfo_27_0) true)
+(expandtypeattribute (profman_27_0) true)
+(expandtypeattribute (profman_dump_data_file_27_0) true)
+(expandtypeattribute (profman_exec_27_0) true)
+(expandtypeattribute (properties_device_27_0) true)
+(expandtypeattribute (properties_serial_27_0) true)
+(expandtypeattribute (property_contexts_file_27_0) true)
+(expandtypeattribute (property_data_file_27_0) true)
+(expandtypeattribute (property_socket_27_0) true)
+(expandtypeattribute (pstorefs_27_0) true)
+(expandtypeattribute (ptmx_device_27_0) true)
+(expandtypeattribute (qtaguid_device_27_0) true)
+(expandtypeattribute (qtaguid_proc_27_0) true)
+(expandtypeattribute (racoon_27_0) true)
+(expandtypeattribute (racoon_exec_27_0) true)
+(expandtypeattribute (racoon_socket_27_0) true)
+(expandtypeattribute (radio_27_0) true)
+(expandtypeattribute (radio_data_file_27_0) true)
+(expandtypeattribute (radio_device_27_0) true)
+(expandtypeattribute (radio_prop_27_0) true)
+(expandtypeattribute (radio_service_27_0) true)
+(expandtypeattribute (ram_device_27_0) true)
+(expandtypeattribute (random_device_27_0) true)
+(expandtypeattribute (reboot_data_file_27_0) true)
+(expandtypeattribute (recovery_27_0) true)
+(expandtypeattribute (recovery_block_device_27_0) true)
+(expandtypeattribute (recovery_data_file_27_0) true)
+(expandtypeattribute (recovery_persist_27_0) true)
+(expandtypeattribute (recovery_persist_exec_27_0) true)
+(expandtypeattribute (recovery_refresh_27_0) true)
+(expandtypeattribute (recovery_refresh_exec_27_0) true)
+(expandtypeattribute (recovery_service_27_0) true)
+(expandtypeattribute (registry_service_27_0) true)
+(expandtypeattribute (resourcecache_data_file_27_0) true)
+(expandtypeattribute (restorecon_prop_27_0) true)
+(expandtypeattribute (restrictions_service_27_0) true)
+(expandtypeattribute (rild_27_0) true)
+(expandtypeattribute (rild_debug_socket_27_0) true)
+(expandtypeattribute (rild_socket_27_0) true)
+(expandtypeattribute (ringtone_file_27_0) true)
+(expandtypeattribute (root_block_device_27_0) true)
+(expandtypeattribute (rootfs_27_0) true)
+(expandtypeattribute (rpmsg_device_27_0) true)
+(expandtypeattribute (rtc_device_27_0) true)
+(expandtypeattribute (rttmanager_service_27_0) true)
+(expandtypeattribute (runas_27_0) true)
+(expandtypeattribute (runas_exec_27_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
+(expandtypeattribute (safemode_prop_27_0) true)
+(expandtypeattribute (same_process_hal_file_27_0) true)
+(expandtypeattribute (samplingprofiler_service_27_0) true)
+(expandtypeattribute (scheduling_policy_service_27_0) true)
+(expandtypeattribute (sdcardd_27_0) true)
+(expandtypeattribute (sdcardd_exec_27_0) true)
+(expandtypeattribute (sdcardfs_27_0) true)
+(expandtypeattribute (seapp_contexts_file_27_0) true)
+(expandtypeattribute (search_service_27_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
+(expandtypeattribute (selinuxfs_27_0) true)
+(expandtypeattribute (sensors_device_27_0) true)
+(expandtypeattribute (sensorservice_service_27_0) true)
+(expandtypeattribute (sepolicy_file_27_0) true)
+(expandtypeattribute (serial_device_27_0) true)
+(expandtypeattribute (serialno_prop_27_0) true)
+(expandtypeattribute (serial_service_27_0) true)
+(expandtypeattribute (service_contexts_file_27_0) true)
+(expandtypeattribute (servicediscovery_service_27_0) true)
+(expandtypeattribute (servicemanager_27_0) true)
+(expandtypeattribute (servicemanager_exec_27_0) true)
+(expandtypeattribute (settings_service_27_0) true)
+(expandtypeattribute (sgdisk_27_0) true)
+(expandtypeattribute (sgdisk_exec_27_0) true)
+(expandtypeattribute (shared_relro_27_0) true)
+(expandtypeattribute (shared_relro_file_27_0) true)
+(expandtypeattribute (shell_27_0) true)
+(expandtypeattribute (shell_data_file_27_0) true)
+(expandtypeattribute (shell_exec_27_0) true)
+(expandtypeattribute (shell_prop_27_0) true)
+(expandtypeattribute (shm_27_0) true)
+(expandtypeattribute (shortcut_manager_icons_27_0) true)
+(expandtypeattribute (shortcut_service_27_0) true)
+(expandtypeattribute (slideshow_27_0) true)
+(expandtypeattribute (socket_device_27_0) true)
+(expandtypeattribute (sockfs_27_0) true)
+(expandtypeattribute (statusbar_service_27_0) true)
+(expandtypeattribute (storaged_service_27_0) true)
+(expandtypeattribute (storage_file_27_0) true)
+(expandtypeattribute (storagestats_service_27_0) true)
+(expandtypeattribute (storage_stub_file_27_0) true)
+(expandtypeattribute (su_27_0) true)
+(expandtypeattribute (su_exec_27_0) true)
+(expandtypeattribute (surfaceflinger_27_0) true)
+(expandtypeattribute (surfaceflinger_service_27_0) true)
+(expandtypeattribute (swap_block_device_27_0) true)
+(expandtypeattribute (sysfs_27_0) true)
+(expandtypeattribute (sysfs_batteryinfo_27_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
+(expandtypeattribute (sysfs_hwrandom_27_0) true)
+(expandtypeattribute (sysfs_leds_27_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
+(expandtypeattribute (sysfs_mac_address_27_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
+(expandtypeattribute (sysfs_thermal_27_0) true)
+(expandtypeattribute (sysfs_uio_27_0) true)
+(expandtypeattribute (sysfs_usb_27_0) true)
+(expandtypeattribute (sysfs_usermodehelper_27_0) true)
+(expandtypeattribute (sysfs_vibrator_27_0) true)
+(expandtypeattribute (sysfs_wake_lock_27_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
+(expandtypeattribute (sysfs_zram_27_0) true)
+(expandtypeattribute (sysfs_zram_uevent_27_0) true)
+(expandtypeattribute (system_app_27_0) true)
+(expandtypeattribute (system_app_data_file_27_0) true)
+(expandtypeattribute (system_app_service_27_0) true)
+(expandtypeattribute (system_block_device_27_0) true)
+(expandtypeattribute (system_data_file_27_0) true)
+(expandtypeattribute (system_file_27_0) true)
+(expandtypeattribute (systemkeys_data_file_27_0) true)
+(expandtypeattribute (system_ndebug_socket_27_0) true)
+(expandtypeattribute (system_net_netd_hwservice_27_0) true)
+(expandtypeattribute (system_prop_27_0) true)
+(expandtypeattribute (system_radio_prop_27_0) true)
+(expandtypeattribute (system_server_27_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
+(expandtypeattribute (system_wpa_socket_27_0) true)
+(expandtypeattribute (task_service_27_0) true)
+(expandtypeattribute (tee_27_0) true)
+(expandtypeattribute (tee_data_file_27_0) true)
+(expandtypeattribute (tee_device_27_0) true)
+(expandtypeattribute (telecom_service_27_0) true)
+(expandtypeattribute (textclassification_service_27_0) true)
+(expandtypeattribute (textclassifier_data_file_27_0) true)
+(expandtypeattribute (textservices_service_27_0) true)
+(expandtypeattribute (thermalcallback_hwservice_27_0) true)
+(expandtypeattribute (thermal_service_27_0) true)
+(expandtypeattribute (thermalserviced_27_0) true)
+(expandtypeattribute (thermalserviced_exec_27_0) true)
+(expandtypeattribute (timezone_service_27_0) true)
+(expandtypeattribute (tmpfs_27_0) true)
+(expandtypeattribute (tombstoned_27_0) true)
+(expandtypeattribute (tombstone_data_file_27_0) true)
+(expandtypeattribute (tombstoned_crash_socket_27_0) true)
+(expandtypeattribute (tombstoned_exec_27_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
+(expandtypeattribute (toolbox_27_0) true)
+(expandtypeattribute (toolbox_exec_27_0) true)
+(expandtypeattribute (trust_service_27_0) true)
+(expandtypeattribute (tty_device_27_0) true)
+(expandtypeattribute (tun_device_27_0) true)
+(expandtypeattribute (tv_input_service_27_0) true)
+(expandtypeattribute (tzdatacheck_27_0) true)
+(expandtypeattribute (tzdatacheck_exec_27_0) true)
+(expandtypeattribute (ueventd_27_0) true)
+(expandtypeattribute (uhid_device_27_0) true)
+(expandtypeattribute (uimode_service_27_0) true)
+(expandtypeattribute (uio_device_27_0) true)
+(expandtypeattribute (uncrypt_27_0) true)
+(expandtypeattribute (uncrypt_exec_27_0) true)
+(expandtypeattribute (uncrypt_socket_27_0) true)
+(expandtypeattribute (unencrypted_data_file_27_0) true)
+(expandtypeattribute (unlabeled_27_0) true)
+(expandtypeattribute (untrusted_app_25_27_0) true)
+(expandtypeattribute (untrusted_app_27_0) true)
+(expandtypeattribute (untrusted_v2_app_27_0) true)
+(expandtypeattribute (update_engine_27_0) true)
+(expandtypeattribute (update_engine_data_file_27_0) true)
+(expandtypeattribute (update_engine_exec_27_0) true)
+(expandtypeattribute (update_engine_service_27_0) true)
+(expandtypeattribute (updatelock_service_27_0) true)
+(expandtypeattribute (update_verifier_27_0) true)
+(expandtypeattribute (update_verifier_exec_27_0) true)
+(expandtypeattribute (usagestats_service_27_0) true)
+(expandtypeattribute (usbaccessory_device_27_0) true)
+(expandtypeattribute (usb_device_27_0) true)
+(expandtypeattribute (usbfs_27_0) true)
+(expandtypeattribute (usb_service_27_0) true)
+(expandtypeattribute (userdata_block_device_27_0) true)
+(expandtypeattribute (usermodehelper_27_0) true)
+(expandtypeattribute (user_profile_data_file_27_0) true)
+(expandtypeattribute (user_service_27_0) true)
+(expandtypeattribute (vcs_device_27_0) true)
+(expandtypeattribute (vdc_27_0) true)
+(expandtypeattribute (vdc_exec_27_0) true)
+(expandtypeattribute (vendor_app_file_27_0) true)
+(expandtypeattribute (vendor_configs_file_27_0) true)
+(expandtypeattribute (vendor_file_27_0) true)
+(expandtypeattribute (vendor_framework_file_27_0) true)
+(expandtypeattribute (vendor_hal_file_27_0) true)
+(expandtypeattribute (vendor_overlay_file_27_0) true)
+(expandtypeattribute (vendor_shell_exec_27_0) true)
+(expandtypeattribute (vendor_toolbox_exec_27_0) true)
+(expandtypeattribute (vfat_27_0) true)
+(expandtypeattribute (vibrator_service_27_0) true)
+(expandtypeattribute (video_device_27_0) true)
+(expandtypeattribute (virtual_touchpad_27_0) true)
+(expandtypeattribute (virtual_touchpad_exec_27_0) true)
+(expandtypeattribute (virtual_touchpad_service_27_0) true)
+(expandtypeattribute (vndbinder_device_27_0) true)
+(expandtypeattribute (vndk_sp_file_27_0) true)
+(expandtypeattribute (vndservice_contexts_file_27_0) true)
+(expandtypeattribute (vndservicemanager_27_0) true)
+(expandtypeattribute (voiceinteraction_service_27_0) true)
+(expandtypeattribute (vold_27_0) true)
+(expandtypeattribute (vold_data_file_27_0) true)
+(expandtypeattribute (vold_device_27_0) true)
+(expandtypeattribute (vold_exec_27_0) true)
+(expandtypeattribute (vold_prop_27_0) true)
+(expandtypeattribute (vold_socket_27_0) true)
+(expandtypeattribute (vpn_data_file_27_0) true)
+(expandtypeattribute (vr_hwc_27_0) true)
+(expandtypeattribute (vr_hwc_exec_27_0) true)
+(expandtypeattribute (vr_hwc_service_27_0) true)
+(expandtypeattribute (vr_manager_service_27_0) true)
+(expandtypeattribute (wallpaper_file_27_0) true)
+(expandtypeattribute (wallpaper_service_27_0) true)
+(expandtypeattribute (watchdogd_27_0) true)
+(expandtypeattribute (watchdog_device_27_0) true)
+(expandtypeattribute (webviewupdate_service_27_0) true)
+(expandtypeattribute (webview_zygote_27_0) true)
+(expandtypeattribute (webview_zygote_exec_27_0) true)
+(expandtypeattribute (webview_zygote_socket_27_0) true)
+(expandtypeattribute (wifiaware_service_27_0) true)
+(expandtypeattribute (wificond_27_0) true)
+(expandtypeattribute (wificond_exec_27_0) true)
+(expandtypeattribute (wificond_service_27_0) true)
+(expandtypeattribute (wifi_data_file_27_0) true)
+(expandtypeattribute (wifi_log_prop_27_0) true)
+(expandtypeattribute (wifip2p_service_27_0) true)
+(expandtypeattribute (wifi_prop_27_0) true)
+(expandtypeattribute (wifiscanner_service_27_0) true)
+(expandtypeattribute (wifi_service_27_0) true)
+(expandtypeattribute (window_service_27_0) true)
+(expandtypeattribute (wpa_socket_27_0) true)
+(expandtypeattribute (zero_device_27_0) true)
+(expandtypeattribute (zoneinfo_data_file_27_0) true)
+(expandtypeattribute (zygote_27_0) true)
+(expandtypeattribute (zygote_exec_27_0) true)
+(expandtypeattribute (zygote_socket_27_0) true)
+(typeattributeset accessibility_service_27_0 (accessibility_service))
+(typeattributeset account_service_27_0 (account_service))
+(typeattributeset activity_service_27_0 (activity_service))
+(typeattributeset adbd_27_0 (adbd))
+(typeattributeset adb_data_file_27_0 (adb_data_file))
+(typeattributeset adbd_exec_27_0 (adbd_exec))
+(typeattributeset adbd_socket_27_0 (adbd_socket))
+(typeattributeset adb_keys_file_27_0 (adb_keys_file))
+(typeattributeset alarm_device_27_0 (alarm_device))
+(typeattributeset alarm_service_27_0 (alarm_service))
+(typeattributeset anr_data_file_27_0 (anr_data_file))
+(typeattributeset apk_data_file_27_0 (apk_data_file))
+(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
+(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_fuse_file_27_0 (app_fuse_file))
+(typeattributeset app_fusefs_27_0 (app_fusefs))
+(typeattributeset appops_service_27_0 (appops_service))
+(typeattributeset appwidget_service_27_0 (appwidget_service))
+(typeattributeset asec_apk_file_27_0 (asec_apk_file))
+(typeattributeset asec_image_file_27_0 (asec_image_file))
+(typeattributeset asec_public_file_27_0 (asec_public_file))
+(typeattributeset ashmem_device_27_0 (ashmem_device))
+(typeattributeset assetatlas_service_27_0 (assetatlas_service))
+(typeattributeset audio_data_file_27_0 (audio_data_file))
+(typeattributeset audio_device_27_0 (audio_device))
+(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
+(typeattributeset audio_prop_27_0 (audio_prop))
+(typeattributeset audio_seq_device_27_0 (audio_seq_device))
+(typeattributeset audioserver_27_0 (audioserver))
+(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
+(typeattributeset audioserver_service_27_0 (audioserver_service))
+(typeattributeset audio_service_27_0 (audio_service))
+(typeattributeset audio_timer_device_27_0 (audio_timer_device))
+(typeattributeset autofill_service_27_0 (autofill_service))
+(typeattributeset backup_data_file_27_0 (backup_data_file))
+(typeattributeset backup_service_27_0 (backup_service))
+(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
+(typeattributeset battery_service_27_0 (battery_service))
+(typeattributeset batterystats_service_27_0 (batterystats_service))
+(typeattributeset binder_device_27_0 (binder_device))
+(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
+(typeattributeset blkid_27_0 (blkid))
+(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
+(typeattributeset block_device_27_0 (block_device))
+(typeattributeset bluetooth_27_0 (bluetooth))
+(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_27_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
+(typeattributeset bootanim_27_0 (bootanim))
+(typeattributeset bootanim_exec_27_0 (bootanim_exec))
+(typeattributeset boot_block_device_27_0 (boot_block_device))
+(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
+(typeattributeset bootstat_27_0 (bootstat))
+(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_27_0 (bootstat_exec))
+(typeattributeset boottime_prop_27_0 (boottime_prop))
+(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
+(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
+(typeattributeset bufferhubd_27_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_27_0 (cache_backup_file))
+(typeattributeset cache_block_device_27_0 (cache_block_device))
+(typeattributeset cache_file_27_0 (cache_file))
+(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
+(typeattributeset camera_data_file_27_0 (camera_data_file))
+(typeattributeset camera_device_27_0 (camera_device))
+(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
+(typeattributeset cameraserver_27_0 (cameraserver))
+(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_27_0 (cameraserver_service))
+(typeattributeset cgroup_27_0 (cgroup))
+(typeattributeset charger_27_0 (charger))
+(typeattributeset clatd_27_0 (clatd))
+(typeattributeset clatd_exec_27_0 (clatd_exec))
+(typeattributeset clipboard_service_27_0 (clipboard_service))
+(typeattributeset commontime_management_service_27_0 (commontime_management_service))
+(typeattributeset companion_device_service_27_0 (companion_device_service))
+(typeattributeset configfs_27_0 (configfs))
+(typeattributeset config_prop_27_0 (config_prop))
+(typeattributeset connectivity_service_27_0 (connectivity_service))
+(typeattributeset connmetrics_service_27_0 (connmetrics_service))
+(typeattributeset console_device_27_0 (console_device))
+(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
+(typeattributeset content_service_27_0 (content_service))
+(typeattributeset contexthub_service_27_0 (contexthub_service))
+(typeattributeset coredump_file_27_0 (coredump_file))
+(typeattributeset country_detector_service_27_0 (country_detector_service))
+(typeattributeset coverage_service_27_0 (coverage_service))
+(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
+(typeattributeset cppreopts_27_0 (cppreopts))
+(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_27_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
+(typeattributeset crash_dump_27_0 (crash_dump))
+(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
+(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
+(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
+(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_27_0 (dalvik_prop))
+(typeattributeset dbinfo_service_27_0 (dbinfo_service))
+(typeattributeset debugfs_27_0
+ ( debugfs
+ debugfs_wakeup_sources))
+(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
+(typeattributeset debug_prop_27_0 (debug_prop))
+(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
+(typeattributeset default_android_service_27_0 (default_android_service))
+(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
+(typeattributeset default_prop_27_0
+ ( default_prop
+ pm_prop))
+(typeattributeset device_27_0 (device))
+(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_27_0 (deviceidle_service))
+(typeattributeset device_logging_prop_27_0 (device_logging_prop))
+(typeattributeset device_policy_service_27_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
+(typeattributeset devpts_27_0 (devpts))
+(typeattributeset dex2oat_27_0 (dex2oat))
+(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
+(typeattributeset dhcp_27_0 (dhcp))
+(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_27_0 (dhcp_exec))
+(typeattributeset dhcp_prop_27_0 (dhcp_prop))
+(typeattributeset diskstats_service_27_0 (diskstats_service))
+(typeattributeset display_service_27_0 (display_service))
+(typeattributeset dm_device_27_0 (dm_device))
+(typeattributeset dnsmasq_27_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_27_0 (DockObserver_service))
+(typeattributeset dreams_service_27_0 (dreams_service))
+(typeattributeset drm_data_file_27_0 (drm_data_file))
+(typeattributeset drmserver_27_0 (drmserver))
+(typeattributeset drmserver_exec_27_0 (drmserver_exec))
+(typeattributeset drmserver_service_27_0 (drmserver_service))
+(typeattributeset drmserver_socket_27_0 (drmserver_socket))
+(typeattributeset dropbox_service_27_0 (dropbox_service))
+(typeattributeset dumpstate_27_0 (dumpstate))
+(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_27_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
+(typeattributeset e2fs_27_0 (e2fs))
+(typeattributeset e2fs_exec_27_0 (e2fs_exec))
+(typeattributeset efs_file_27_0 (efs_file))
+(typeattributeset ephemeral_app_27_0 (ephemeral_app))
+(typeattributeset ethernet_service_27_0 (ethernet_service))
+(typeattributeset ffs_prop_27_0 (ffs_prop))
+(typeattributeset file_contexts_file_27_0 (file_contexts_file))
+(typeattributeset fingerprintd_27_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_27_0 (fingerprint_service))
+(typeattributeset firstboot_prop_27_0 (firstboot_prop))
+(typeattributeset font_service_27_0 (font_service))
+(typeattributeset frp_block_device_27_0 (frp_block_device))
+(typeattributeset fsck_27_0 (fsck))
+(typeattributeset fsck_exec_27_0 (fsck_exec))
+(typeattributeset fscklogs_27_0 (fscklogs))
+(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
+(typeattributeset full_device_27_0 (full_device))
+(typeattributeset functionfs_27_0 (functionfs))
+(typeattributeset fuse_27_0 (fuse))
+(typeattributeset fuse_device_27_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_27_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
+(typeattributeset gps_control_27_0 (gps_control))
+(typeattributeset gpu_device_27_0 (gpu_device))
+(typeattributeset gpu_service_27_0 (gpu_service))
+(typeattributeset graphics_device_27_0 (graphics_device))
+(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
+(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
+(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
+(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
+(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
+(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
+(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
+(typeattributeset hardware_service_27_0 (hardware_service))
+(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
+(typeattributeset healthd_27_0 (healthd))
+(typeattributeset healthd_exec_27_0 (healthd_exec))
+(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_27_0 (hwbinder_device))
+(typeattributeset hw_random_device_27_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_27_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_27_0 (i2c_device))
+(typeattributeset icon_file_27_0 (icon_file))
+(typeattributeset idmap_27_0 (idmap))
+(typeattributeset idmap_exec_27_0 (idmap_exec))
+(typeattributeset iio_device_27_0 (iio_device))
+(typeattributeset imms_service_27_0 (imms_service))
+(typeattributeset incident_27_0 (incident))
+(typeattributeset incidentd_27_0 (incidentd))
+(typeattributeset incident_data_file_27_0 (incident_data_file))
+(typeattributeset incident_service_27_0 (incident_service))
+(typeattributeset init_27_0 (init))
+(typeattributeset init_exec_27_0 (init_exec))
+(typeattributeset inotify_27_0 (inotify))
+(typeattributeset input_device_27_0 (input_device))
+(typeattributeset inputflinger_27_0 (inputflinger))
+(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_27_0 (inputflinger_service))
+(typeattributeset input_method_service_27_0 (input_method_service))
+(typeattributeset input_service_27_0 (input_service))
+(typeattributeset installd_27_0 (installd))
+(typeattributeset install_data_file_27_0 (install_data_file))
+(typeattributeset installd_exec_27_0 (installd_exec))
+(typeattributeset installd_service_27_0 (installd_service))
+(typeattributeset install_recovery_27_0 (install_recovery))
+(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
+(typeattributeset ion_device_27_0 (ion_device))
+(typeattributeset IProxyService_service_27_0 (IProxyService_service))
+(typeattributeset ipsec_service_27_0 (ipsec_service))
+(typeattributeset isolated_app_27_0 (isolated_app))
+(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
+(typeattributeset kernel_27_0 (kernel))
+(typeattributeset keychain_data_file_27_0 (keychain_data_file))
+(typeattributeset keychord_device_27_0 (keychord_device))
+(typeattributeset keystore_27_0 (keystore))
+(typeattributeset keystore_data_file_27_0 (keystore_data_file))
+(typeattributeset keystore_exec_27_0 (keystore_exec))
+(typeattributeset keystore_service_27_0 (keystore_service))
+(typeattributeset kmem_device_27_0 (kmem_device))
+(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_27_0 (kmsg_device))
+(typeattributeset labeledfs_27_0 (labeledfs))
+(typeattributeset launcherapps_service_27_0 (launcherapps_service))
+(typeattributeset lmkd_27_0 (lmkd))
+(typeattributeset lmkd_exec_27_0 (lmkd_exec))
+(typeattributeset lmkd_socket_27_0 (lmkd_socket))
+(typeattributeset location_service_27_0 (location_service))
+(typeattributeset lock_settings_service_27_0 (lock_settings_service))
+(typeattributeset logcat_exec_27_0 (logcat_exec))
+(typeattributeset logd_27_0 (logd))
+(typeattributeset logd_exec_27_0 (logd_exec))
+(typeattributeset logd_prop_27_0 (logd_prop))
+(typeattributeset logdr_socket_27_0 (logdr_socket))
+(typeattributeset logd_socket_27_0 (logd_socket))
+(typeattributeset logdw_socket_27_0 (logdw_socket))
+(typeattributeset logpersist_27_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_27_0 (log_prop))
+(typeattributeset log_tag_prop_27_0 (log_tag_prop))
+(typeattributeset loop_control_device_27_0 (loop_control_device))
+(typeattributeset loop_device_27_0 (loop_device))
+(typeattributeset mac_perms_file_27_0 (mac_perms_file))
+(typeattributeset mdnsd_27_0 (mdnsd))
+(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
+(typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset mediacodec_27_0 (mediacodec))
+(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_27_0 (mediacodec_service))
+(typeattributeset media_data_file_27_0 (media_data_file))
+(typeattributeset mediadrmserver_27_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_27_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
+(typeattributeset mediametrics_27_0 (mediametrics))
+(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_27_0 (mediametrics_service))
+(typeattributeset media_projection_service_27_0 (media_projection_service))
+(typeattributeset mediaprovider_27_0 (mediaprovider))
+(typeattributeset media_router_service_27_0 (media_router_service))
+(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
+(typeattributeset mediaserver_27_0 (mediaserver))
+(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_27_0 (mediaserver_service))
+(typeattributeset media_session_service_27_0 (media_session_service))
+(typeattributeset meminfo_service_27_0 (meminfo_service))
+(typeattributeset metadata_block_device_27_0 (metadata_block_device))
+(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
+(typeattributeset midi_service_27_0 (midi_service))
+(typeattributeset misc_block_device_27_0 (misc_block_device))
+(typeattributeset misc_logd_file_27_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
+(typeattributeset mmc_prop_27_0 (mmc_prop))
+(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_27_0 (mnt_user_file))
+(typeattributeset modprobe_27_0 (modprobe))
+(typeattributeset mount_service_27_0 (mount_service))
+(typeattributeset mqueue_27_0 (mqueue))
+(typeattributeset mtd_device_27_0 (mtd_device))
+(typeattributeset mtp_27_0 (mtp))
+(typeattributeset mtp_device_27_0 (mtp_device))
+(typeattributeset mtpd_socket_27_0 (mtpd_socket))
+(typeattributeset mtp_exec_27_0 (mtp_exec))
+(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
+(typeattributeset netd_27_0 (netd))
+(typeattributeset net_data_file_27_0 (net_data_file))
+(typeattributeset netd_exec_27_0 (netd_exec))
+(typeattributeset netd_listener_service_27_0 (netd_listener_service))
+(typeattributeset net_dns_prop_27_0 (net_dns_prop))
+(typeattributeset netd_service_27_0 (netd_service))
+(typeattributeset netd_socket_27_0 (netd_socket))
+(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
+(typeattributeset netif_27_0 (netif))
+(typeattributeset netpolicy_service_27_0 (netpolicy_service))
+(typeattributeset net_radio_prop_27_0 (net_radio_prop))
+(typeattributeset netstats_service_27_0 (netstats_service))
+(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_27_0 (network_management_service))
+(typeattributeset network_score_service_27_0 (network_score_service))
+(typeattributeset network_time_update_service_27_0 (network_time_update_service))
+(typeattributeset nfc_27_0 (nfc))
+(typeattributeset nfc_data_file_27_0 (nfc_data_file))
+(typeattributeset nfc_device_27_0 (nfc_device))
+(typeattributeset nfc_prop_27_0 (nfc_prop))
+(typeattributeset nfc_service_27_0 (nfc_service))
+(typeattributeset node_27_0 (node))
+(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_27_0 (notification_service))
+(typeattributeset null_device_27_0 (null_device))
+(typeattributeset oemfs_27_0 (oemfs))
+(typeattributeset oem_lock_service_27_0 (oem_lock_service))
+(typeattributeset ota_data_file_27_0 (ota_data_file))
+(typeattributeset otadexopt_service_27_0 (otadexopt_service))
+(typeattributeset ota_package_file_27_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_27_0 (overlay_prop))
+(typeattributeset overlay_service_27_0 (overlay_service))
+(typeattributeset owntty_device_27_0 (owntty_device))
+(typeattributeset package_native_service_27_0 (package_native_service))
+(typeattributeset package_service_27_0 (package_service))
+(typeattributeset pan_result_prop_27_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
+(typeattributeset performanced_27_0 (performanced))
+(typeattributeset performanced_exec_27_0 (performanced_exec))
+(typeattributeset perfprofd_27_0 (perfprofd))
+(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_27_0 (perfprofd_exec))
+(typeattributeset permission_service_27_0 (permission_service))
+(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_27_0 (pinner_service))
+(typeattributeset pipefs_27_0 (pipefs))
+(typeattributeset platform_app_27_0 (platform_app))
+(typeattributeset pmsg_device_27_0 (pmsg_device))
+(typeattributeset port_27_0 (port))
+(typeattributeset port_device_27_0 (port_device))
+(typeattributeset postinstall_27_0 (postinstall))
+(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_27_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_27_0 (powerctl_prop))
+(typeattributeset power_service_27_0 (power_service))
+(typeattributeset ppp_27_0 (ppp))
+(typeattributeset ppp_device_27_0 (ppp_device))
+(typeattributeset ppp_exec_27_0 (ppp_exec))
+(typeattributeset preloads_data_file_27_0 (preloads_data_file))
+(typeattributeset preloads_media_file_27_0 (preloads_media_file))
+(typeattributeset preopt2cachename_27_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
+(typeattributeset print_service_27_0 (print_service))
+(typeattributeset priv_app_27_0 (priv_app))
+(typeattributeset proc_27_0
+ ( proc
+ proc_abi
+ proc_asound
+ proc_buddyinfo
+ proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
+ proc_filesystems
+ proc_hostname
+ proc_hung_task
+ proc_kmsg
+ proc_loadavg
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_panic
+ proc_pid_max
+ proc_pipe_conf
+ proc_random
+ proc_sched
+ proc_swaps
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_uid_cpupower
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat))
+(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
+(typeattributeset processinfo_service_27_0 (processinfo_service))
+(typeattributeset proc_interrupts_27_0 (proc_interrupts))
+(typeattributeset proc_iomem_27_0 (proc_iomem))
+(typeattributeset proc_meminfo_27_0 (proc_meminfo))
+(typeattributeset proc_misc_27_0 (proc_misc))
+(typeattributeset proc_modules_27_0 (proc_modules))
+(typeattributeset proc_net_27_0
+ ( proc_net
+ proc_qtaguid_stat))
+(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_27_0 (proc_perf))
+(typeattributeset proc_security_27_0 (proc_security))
+(typeattributeset proc_stat_27_0 (proc_stat))
+(typeattributeset procstats_service_27_0 (procstats_service))
+(typeattributeset proc_sysrq_27_0 (proc_sysrq))
+(typeattributeset proc_timer_27_0 (proc_timer))
+(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
+(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
+(typeattributeset profman_27_0 (profman))
+(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
+(typeattributeset profman_exec_27_0 (profman_exec))
+(typeattributeset properties_device_27_0 (properties_device))
+(typeattributeset properties_serial_27_0 (properties_serial))
+(typeattributeset property_contexts_file_27_0 (property_contexts_file))
+(typeattributeset property_data_file_27_0 (property_data_file))
+(typeattributeset property_socket_27_0 (property_socket))
+(typeattributeset pstorefs_27_0 (pstorefs))
+(typeattributeset ptmx_device_27_0 (ptmx_device))
+(typeattributeset qtaguid_device_27_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
+(typeattributeset racoon_27_0 (racoon))
+(typeattributeset racoon_exec_27_0 (racoon_exec))
+(typeattributeset racoon_socket_27_0 (racoon_socket))
+(typeattributeset radio_27_0 (radio))
+(typeattributeset radio_data_file_27_0 (radio_data_file))
+(typeattributeset radio_device_27_0 (radio_device))
+(typeattributeset radio_prop_27_0 (radio_prop))
+(typeattributeset radio_service_27_0 (radio_service))
+(typeattributeset ram_device_27_0 (ram_device))
+(typeattributeset random_device_27_0 (random_device))
+(typeattributeset reboot_data_file_27_0 (reboot_data_file))
+(typeattributeset recovery_27_0 (recovery))
+(typeattributeset recovery_block_device_27_0 (recovery_block_device))
+(typeattributeset recovery_data_file_27_0 (recovery_data_file))
+(typeattributeset recovery_persist_27_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_27_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_27_0 (recovery_service))
+(typeattributeset registry_service_27_0 (registry_service))
+(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_27_0 (restorecon_prop))
+(typeattributeset restrictions_service_27_0 (restrictions_service))
+(typeattributeset rild_27_0 (rild))
+(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
+(typeattributeset rild_socket_27_0 (rild_socket))
+(typeattributeset ringtone_file_27_0 (ringtone_file))
+(typeattributeset root_block_device_27_0 (root_block_device))
+(typeattributeset rootfs_27_0 (rootfs))
+(typeattributeset rpmsg_device_27_0 (rpmsg_device))
+(typeattributeset rtc_device_27_0 (rtc_device))
+(typeattributeset rttmanager_service_27_0 (rttmanager_service))
+(typeattributeset runas_27_0 (runas))
+(typeattributeset runas_exec_27_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_27_0 (safemode_prop))
+(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
+(typeattributeset sdcardd_27_0 (sdcardd))
+(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
+(typeattributeset sdcardfs_27_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
+(typeattributeset search_service_27_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_27_0 (selinuxfs))
+(typeattributeset sensors_device_27_0 (sensors_device))
+(typeattributeset sensorservice_service_27_0 (sensorservice_service))
+(typeattributeset sepolicy_file_27_0 (sepolicy_file))
+(typeattributeset serial_device_27_0 (serial_device))
+(typeattributeset serialno_prop_27_0 (serialno_prop))
+(typeattributeset serial_service_27_0 (serial_service))
+(typeattributeset service_contexts_file_27_0 (service_contexts_file))
+(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
+(typeattributeset servicemanager_27_0 (servicemanager))
+(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
+(typeattributeset settings_service_27_0 (settings_service))
+(typeattributeset sgdisk_27_0 (sgdisk))
+(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
+(typeattributeset shared_relro_27_0 (shared_relro))
+(typeattributeset shared_relro_file_27_0 (shared_relro_file))
+(typeattributeset shell_27_0 (shell))
+(typeattributeset shell_data_file_27_0 (shell_data_file))
+(typeattributeset shell_exec_27_0 (shell_exec))
+(typeattributeset shell_prop_27_0 (shell_prop))
+(typeattributeset shm_27_0 (shm))
+(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_27_0 (shortcut_service))
+(typeattributeset slideshow_27_0 (slideshow))
+(typeattributeset socket_device_27_0 (socket_device))
+(typeattributeset sockfs_27_0 (sockfs))
+(typeattributeset statusbar_service_27_0 (statusbar_service))
+(typeattributeset storaged_service_27_0 (storaged_service))
+(typeattributeset storage_file_27_0 (storage_file))
+(typeattributeset storagestats_service_27_0 (storagestats_service))
+(typeattributeset storage_stub_file_27_0 (storage_stub_file))
+(typeattributeset su_27_0 (su))
+(typeattributeset su_exec_27_0 (su_exec))
+(typeattributeset surfaceflinger_27_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_27_0 (swap_block_device))
+(typeattributeset sysfs_27_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_dt_firmware_android
+ sysfs_ipv4
+ sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
+(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_27_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_27_0 (sysfs_uio))
+(typeattributeset sysfs_usb_27_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_27_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
+(typeattributeset system_app_27_0 (system_app))
+(typeattributeset system_app_data_file_27_0 (system_app_data_file))
+(typeattributeset system_app_service_27_0 (system_app_service))
+(typeattributeset system_block_device_27_0 (system_block_device))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
+(typeattributeset system_file_27_0 (system_file))
+(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
+(typeattributeset system_prop_27_0 (system_prop))
+(typeattributeset system_radio_prop_27_0 (system_radio_prop))
+(typeattributeset system_server_27_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
+(typeattributeset task_service_27_0 (task_service))
+(typeattributeset tee_27_0 (tee))
+(typeattributeset tee_data_file_27_0 (tee_data_file))
+(typeattributeset tee_device_27_0 (tee_device))
+(typeattributeset telecom_service_27_0 (telecom_service))
+(typeattributeset textclassification_service_27_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
+(typeattributeset textservices_service_27_0 (textservices_service))
+(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
+(typeattributeset thermal_service_27_0 (thermal_service))
+(typeattributeset thermalserviced_27_0 (thermalserviced))
+(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
+(typeattributeset timezone_service_27_0 (timezone_service))
+(typeattributeset tmpfs_27_0 (tmpfs))
+(typeattributeset tombstoned_27_0 (tombstoned))
+(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_27_0 (toolbox))
+(typeattributeset toolbox_exec_27_0 (toolbox_exec))
+(typeattributeset trust_service_27_0 (trust_service))
+(typeattributeset tty_device_27_0 (tty_device))
+(typeattributeset tun_device_27_0 (tun_device))
+(typeattributeset tv_input_service_27_0 (tv_input_service))
+(typeattributeset tzdatacheck_27_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
+(typeattributeset ueventd_27_0 (ueventd))
+(typeattributeset uhid_device_27_0 (uhid_device))
+(typeattributeset uimode_service_27_0 (uimode_service))
+(typeattributeset uio_device_27_0 (uio_device))
+(typeattributeset uncrypt_27_0 (uncrypt))
+(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
+(typeattributeset unlabeled_27_0 (unlabeled))
+(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_0
+ ( untrusted_app
+ untrusted_app_27))
+(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
+(typeattributeset update_engine_27_0 (update_engine))
+(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_27_0 (update_engine_exec))
+(typeattributeset update_engine_service_27_0 (update_engine_service))
+(typeattributeset updatelock_service_27_0 (updatelock_service))
+(typeattributeset update_verifier_27_0 (update_verifier))
+(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
+(typeattributeset usagestats_service_27_0 (usagestats_service))
+(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
+(typeattributeset usb_device_27_0 (usb_device))
+(typeattributeset usbfs_27_0 (usbfs))
+(typeattributeset usb_service_27_0 (usb_service))
+(typeattributeset userdata_block_device_27_0 (userdata_block_device))
+(typeattributeset usermodehelper_27_0 (usermodehelper))
+(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
+(typeattributeset user_service_27_0 (user_service))
+(typeattributeset vcs_device_27_0 (vcs_device))
+(typeattributeset vdc_27_0 (vdc))
+(typeattributeset vdc_exec_27_0 (vdc_exec))
+(typeattributeset vendor_app_file_27_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
+(typeattributeset vendor_file_27_0 (vendor_file))
+(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
+(typeattributeset vfat_27_0 (vfat))
+(typeattributeset vibrator_service_27_0 (vibrator_service))
+(typeattributeset video_device_27_0 (video_device))
+(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_27_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_27_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
+(typeattributeset vold_27_0 (vold))
+(typeattributeset vold_data_file_27_0 (vold_data_file))
+(typeattributeset vold_device_27_0 (vold_device))
+(typeattributeset vold_exec_27_0 (vold_exec))
+(typeattributeset vold_prop_27_0 (vold_prop))
+(typeattributeset vold_socket_27_0 (vold_socket))
+(typeattributeset vpn_data_file_27_0 (vpn_data_file))
+(typeattributeset vr_hwc_27_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_27_0 (vr_manager_service))
+(typeattributeset wallpaper_file_27_0 (wallpaper_file))
+(typeattributeset wallpaper_service_27_0 (wallpaper_service))
+(typeattributeset watchdogd_27_0 (watchdogd))
+(typeattributeset watchdog_device_27_0 (watchdog_device))
+(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
+(typeattributeset webview_zygote_27_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_27_0 (wifiaware_service))
+(typeattributeset wificond_27_0 (wificond))
+(typeattributeset wificond_exec_27_0 (wificond_exec))
+(typeattributeset wificond_service_27_0 (wificond_service))
+(typeattributeset wifi_data_file_27_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_27_0 (wifip2p_service))
+(typeattributeset wifi_prop_27_0 (wifi_prop))
+(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
+(typeattributeset wifi_service_27_0 (wifi_service))
+(typeattributeset window_service_27_0 (window_service))
+(typeattributeset wpa_socket_27_0 (wpa_socket))
+(typeattributeset zero_device_27_0 (zero_device))
+(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
+(typeattributeset zygote_27_0 (zygote))
+(typeattributeset zygote_exec_27_0 (zygote_exec))
+(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
new file mode 100644
index 0000000..747478c
--- /dev/null
+++ b/prebuilts/api/28.0/private/compat/27.0/27.0.ignore.cil
@@ -0,0 +1,133 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( atrace
+ binder_calls_stats_service
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bootloader_boot_reason_prop
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ cgroup_bpf
+ crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
+ exfat
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ exported_audio_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_audiocontrol_hwservice
+ hal_authsecret_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_evs_hwservice
+ hal_lowpan_hwservice
+ hal_secure_element_hwservice
+ hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
+ hal_wifi_hostapd_hwservice
+ incident_helper
+ incident_helper_exec
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
+ metadata_file
+ mnt_vendor_file
+ network_watchlist_data_file
+ network_watchlist_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_service
+ secure_element_tmpfs
+ slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statscompanion_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statsdw
+ statsdw_socket
+ storaged_data_file
+ system_boot_reason_prop
+ system_update_service
+ test_boot_reason_prop
+ tombstone_wifi_data_file
+ trace_data_file
+ traced
+ traced_consumer_socket
+ traced_enabled_prop
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ traceur_app
+ traceur_app_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_default_prop
+ vendor_init
+ vendor_security_patch_level_prop
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
+ wm_trace_data_file
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects (untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/28.0/private/coredomain.te b/prebuilts/api/28.0/private/coredomain.te
new file mode 100644
index 0000000..23224c3
--- /dev/null
+++ b/prebuilts/api/28.0/private/coredomain.te
@@ -0,0 +1,15 @@
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
diff --git a/prebuilts/api/28.0/private/cppreopts.te b/prebuilts/api/28.0/private/cppreopts.te
new file mode 100644
index 0000000..34f0d66
--- /dev/null
+++ b/prebuilts/api/28.0/private/cppreopts.te
@@ -0,0 +1,6 @@
+typeattribute cppreopts coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(cppreopts)
+domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
diff --git a/prebuilts/api/28.0/private/crash_dump.te b/prebuilts/api/28.0/private/crash_dump.te
new file mode 100644
index 0000000..c3d2ed5
--- /dev/null
+++ b/prebuilts/api/28.0/private/crash_dump.te
@@ -0,0 +1,14 @@
+typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/prebuilts/api/28.0/private/dex2oat.te b/prebuilts/api/28.0/private/dex2oat.te
new file mode 100644
index 0000000..fd45484
--- /dev/null
+++ b/prebuilts/api/28.0/private/dex2oat.te
@@ -0,0 +1 @@
+typeattribute dex2oat coredomain;
diff --git a/prebuilts/api/28.0/private/dexoptanalyzer.te b/prebuilts/api/28.0/private/dexoptanalyzer.te
new file mode 100644
index 0000000..dfc81b8
--- /dev/null
+++ b/prebuilts/api/28.0/private/dexoptanalyzer.te
@@ -0,0 +1,30 @@
+# dexoptanalyzer
+type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
+type dexoptanalyzer_exec, exec_type, file_type;
+
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
+# own label, which differs from other labels created by other processes.
+# This allows to distinguish in policy files created by dexoptanalyzer vs other
+#processes.
+tmpfs_domain(dexoptanalyzer)
+
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
+# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
+allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
+
+allow dexoptanalyzer installd:fd use;
+
+# Allow reading secondary dex files that were reported by the app to the
+# package manager.
+allow dexoptanalyzer app_data_file:dir { getattr search };
+allow dexoptanalyzer app_data_file:file { getattr read };
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer app_data_file:dir audit_access;
+
+# Allow testing /data/user/0 which symlinks to /data/data
+allow dexoptanalyzer system_data_file:lnk_file { getattr };
diff --git a/prebuilts/api/28.0/private/dhcp.te b/prebuilts/api/28.0/private/dhcp.te
new file mode 100644
index 0000000..b2f8ac7
--- /dev/null
+++ b/prebuilts/api/28.0/private/dhcp.te
@@ -0,0 +1,4 @@
+typeattribute dhcp coredomain;
+
+init_daemon_domain(dhcp)
+type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/prebuilts/api/28.0/private/dnsmasq.te b/prebuilts/api/28.0/private/dnsmasq.te
new file mode 100644
index 0000000..96084b4
--- /dev/null
+++ b/prebuilts/api/28.0/private/dnsmasq.te
@@ -0,0 +1 @@
+typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
new file mode 100644
index 0000000..fb6ba4f
--- /dev/null
+++ b/prebuilts/api/28.0/private/domain.te
@@ -0,0 +1,118 @@
+# Transition to crash_dump when /system/bin/crash_dump* is executed.
+# This occurs when the process crashes.
+domain_auto_trans(domain, crash_dump_exec, crash_dump);
+allow domain crash_dump:process sigchld;
+
+# Limit ability to ptrace or read sensitive /proc/pid files of processes
+# with other UIDs to these whitelisted domains.
+neverallow {
+ domain
+ -vold
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -storaged
+ -system_server
+ userdebug_or_eng(`-perfprofd')
+} self:global_capability_class_set sys_ptrace;
+
+# Limit ability to generate hardware unique device ID attestations to priv_apps
+neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ -dumpstate
+ -init
+ -system_server
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -init
+ userdebug_or_eng(`-perfprofd')
+ -traced_probes
+ -shell
+ -traceur_app
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ -healthd
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
diff --git a/prebuilts/api/28.0/private/drmserver.te b/prebuilts/api/28.0/private/drmserver.te
new file mode 100644
index 0000000..afe4f0a
--- /dev/null
+++ b/prebuilts/api/28.0/private/drmserver.te
@@ -0,0 +1,7 @@
+typeattribute drmserver coredomain;
+
+init_daemon_domain(drmserver)
+
+type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
diff --git a/prebuilts/api/28.0/private/dumpstate.te b/prebuilts/api/28.0/private/dumpstate.te
new file mode 100644
index 0000000..2c2a62f
--- /dev/null
+++ b/prebuilts/api/28.0/private/dumpstate.te
@@ -0,0 +1,47 @@
+typeattribute dumpstate coredomain;
+
+init_daemon_domain(dumpstate)
+
+# Execute and transition to the vdc domain
+domain_auto_trans(dumpstate, vdc_exec, vdc)
+
+# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
+allow dumpstate system_file:file lock;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+allow dumpstate dumpstate_tmpfs:file execute;
+
+# systrace support - allow atrace to run
+allow dumpstate debugfs_tracing:dir r_dir_perms;
+allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
+allow dumpstate debugfs_trace_marker:file getattr;
+allow dumpstate atrace_exec:file rx_file_perms;
+allow dumpstate storaged_exec:file rx_file_perms;
+
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+ allow dumpstate wm_trace_data_file:dir r_dir_perms;
+ allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
+# Allow dumpstate to make binder calls to storaged service
+binder_call(dumpstate, storaged)
+
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
+# Collect metrics on boot time created by init
+get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ statsd
+}:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/prebuilts/api/28.0/private/ephemeral_app.te b/prebuilts/api/28.0/private/ephemeral_app.te
new file mode 100644
index 0000000..75a6317
--- /dev/null
+++ b/prebuilts/api/28.0/private/ephemeral_app.te
@@ -0,0 +1,81 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+typeattribute ephemeral_app coredomain;
+
+net_domain(ephemeral_app)
+app_domain(ephemeral_app)
+
+# Allow ephemeral apps to read/write files in visible storage if provided fds
+allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow ephemeral_app app_data_file:file {r_file_perms execute};
+
+# services
+allow ephemeral_app audioserver_service:service_manager find;
+allow ephemeral_app cameraserver_service:service_manager find;
+allow ephemeral_app mediaserver_service:service_manager find;
+allow ephemeral_app mediaextractor_service:service_manager find;
+allow ephemeral_app mediacodec_service:service_manager find;
+allow ephemeral_app mediametrics_service:service_manager find;
+allow ephemeral_app mediadrmserver_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
+allow ephemeral_app radio_service:service_manager find;
+allow ephemeral_app ephemeral_app_api_service:service_manager find;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow ephemeral_app traced:fd use;
+allow ephemeral_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(ephemeral_app, traced_producer, traced)
+
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+neverallow ephemeral_app app_data_file:file execute_no_trans;
+
+# Receive or send uevent messages.
+neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow ephemeral_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow ephemeral_app debugfs:file read;
+
+# execute gpu_device
+neverallow ephemeral_app gpu_device:chr_file execute;
+
+# access files in /sys with the default sysfs label
+neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
+
+# Directly access external storage
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+
+# Avoid reads to proc_net, it contains too much device wide information about
+# ongoing connections.
+neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/file.te b/prebuilts/api/28.0/private/file.te
new file mode 100644
index 0000000..58ee0de
--- /dev/null
+++ b/prebuilts/api/28.0/private/file.te
@@ -0,0 +1,16 @@
+# /proc/config.gz
+type config_gz, fs_type, proc_type;
+
+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# /data/misc/storaged
+type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/prebuilts/api/28.0/private/file_contexts b/prebuilts/api/28.0/private/file_contexts
new file mode 100644
index 0000000..564e45c
--- /dev/null
+++ b/prebuilts/api/28.0/private/file_contexts
@@ -0,0 +1,541 @@
+###########################################
+# Root
+/ u:object_r:rootfs:s0
+
+# Data files
+/adb_keys u:object_r:adb_keys_file:s0
+/build\.prop u:object_r:rootfs:s0
+/default\.prop u:object_r:rootfs:s0
+/fstab\..* u:object_r:rootfs:s0
+/init\..* u:object_r:rootfs:s0
+/res(/.*)? u:object_r:rootfs:s0
+/selinux_version u:object_r:rootfs:s0
+/ueventd\..* u:object_r:rootfs:s0
+/verity_key u:object_r:rootfs:s0
+
+# Executables
+/charger u:object_r:rootfs:s0
+/init u:object_r:init_exec:s0
+/sbin(/.*)? u:object_r:rootfs:s0
+
+# For kernel modules
+/lib(/.*)? u:object_r:rootfs:s0
+
+# Empty directories
+/lost\+found u:object_r:rootfs:s0
+/acct u:object_r:cgroup:s0
+/config u:object_r:rootfs:s0
+/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/proc u:object_r:rootfs:s0
+/sys u:object_r:sysfs:s0
+
+# Symlinks
+/bin u:object_r:rootfs:s0
+/bugreports u:object_r:rootfs:s0
+/d u:object_r:rootfs:s0
+/etc u:object_r:rootfs:s0
+/sdcard u:object_r:rootfs:s0
+
+# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
+/nonplat_file_contexts u:object_r:file_contexts_file:s0
+/plat_file_contexts u:object_r:file_contexts_file:s0
+/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
+/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
+/plat_property_contexts u:object_r:property_contexts_file:s0
+/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
+/seapp_contexts u:object_r:seapp_contexts_file:s0
+/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
+/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/sepolicy u:object_r:sepolicy_file:s0
+/plat_service_contexts u:object_r:service_contexts_file:s0
+/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
+/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vndservice_contexts u:object_r:vndservice_contexts_file:s0
+
+##########################
+# Devices
+#
+/dev(/.*)? u:object_r:device:s0
+/dev/akm8973.* u:object_r:sensors_device:s0
+/dev/accelerometer u:object_r:sensors_device:s0
+/dev/adf[0-9]* u:object_r:graphics_device:s0
+/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
+/dev/alarm u:object_r:alarm_device:s0
+/dev/ashmem u:object_r:ashmem_device:s0
+/dev/audio.* u:object_r:audio_device:s0
+/dev/binder u:object_r:binder_device:s0
+/dev/block(/.*)? u:object_r:block_device:s0
+/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
+/dev/block/loop[0-9]* u:object_r:loop_device:s0
+/dev/block/vold/.+ u:object_r:vold_device:s0
+/dev/block/ram[0-9]* u:object_r:ram_device:s0
+/dev/block/zram[0-9]* u:object_r:ram_device:s0
+/dev/bus/usb(.*)? u:object_r:usb_device:s0
+/dev/cam u:object_r:camera_device:s0
+/dev/console u:object_r:console_device:s0
+/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
+/dev/memcg(/.*)? u:object_r:cgroup:s0
+/dev/device-mapper u:object_r:dm_device:s0
+/dev/eac u:object_r:audio_device:s0
+/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
+/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
+/dev/full u:object_r:full_device:s0
+/dev/fuse u:object_r:fuse_device:s0
+/dev/graphics(/.*)? u:object_r:graphics_device:s0
+/dev/hw_random u:object_r:hw_random_device:s0
+/dev/hwbinder u:object_r:hwbinder_device:s0
+/dev/i2c-[0-9]+ u:object_r:i2c_device:s0
+/dev/input(/.*)? u:object_r:input_device:s0
+/dev/iio:device[0-9]+ u:object_r:iio_device:s0
+/dev/ion u:object_r:ion_device:s0
+/dev/keychord u:object_r:keychord_device:s0
+/dev/kmem u:object_r:kmem_device:s0
+/dev/loop-control u:object_r:loop_control_device:s0
+/dev/mem u:object_r:kmem_device:s0
+/dev/modem.* u:object_r:radio_device:s0
+/dev/mtd(/.*)? u:object_r:mtd_device:s0
+/dev/mtp_usb u:object_r:mtp_device:s0
+/dev/pmsg0 u:object_r:pmsg_device:s0
+/dev/pn544 u:object_r:nfc_device:s0
+/dev/port u:object_r:port_device:s0
+/dev/ppp u:object_r:ppp_device:s0
+/dev/ptmx u:object_r:ptmx_device:s0
+/dev/pvrsrvkm u:object_r:gpu_device:s0
+/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
+/dev/null u:object_r:null_device:s0
+/dev/nvhdcp1 u:object_r:video_device:s0
+/dev/random u:object_r:random_device:s0
+/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
+/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
+/dev/snd(/.*)? u:object_r:audio_device:s0
+/dev/snd/audio_timer_device u:object_r:audio_timer_device:s0
+/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
+/dev/socket(/.*)? u:object_r:socket_device:s0
+/dev/socket/adbd u:object_r:adbd_socket:s0
+/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
+/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
+/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
+/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
+/dev/socket/mdns u:object_r:mdns_socket:s0
+/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
+/dev/socket/mtpd u:object_r:mtpd_socket:s0
+/dev/socket/netd u:object_r:netd_socket:s0
+/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
+/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
+/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
+/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
+/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
+/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
+/dev/socket/property_service u:object_r:property_socket:s0
+/dev/socket/racoon u:object_r:racoon_socket:s0
+/dev/socket/rild u:object_r:rild_socket:s0
+/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
+/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
+/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
+/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
+/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
+/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
+/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
+/dev/socket/zygote u:object_r:zygote_socket:s0
+/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
+/dev/spdif_out.* u:object_r:audio_device:s0
+/dev/tegra.* u:object_r:video_device:s0
+/dev/tty u:object_r:owntty_device:s0
+/dev/tty[0-9]* u:object_r:tty_device:s0
+/dev/ttyS[0-9]* u:object_r:serial_device:s0
+/dev/tun u:object_r:tun_device:s0
+/dev/uhid u:object_r:uhid_device:s0
+/dev/uinput u:object_r:uhid_device:s0
+/dev/uio[0-9]* u:object_r:uio_device:s0
+/dev/urandom u:object_r:random_device:s0
+/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
+/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
+/dev/video[0-9]* u:object_r:video_device:s0
+/dev/vndbinder u:object_r:vndbinder_device:s0
+/dev/watchdog u:object_r:watchdog_device:s0
+/dev/xt_qtaguid u:object_r:qtaguid_device:s0
+/dev/zero u:object_r:zero_device:s0
+/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
+#############################
+# System files
+#
+/system(/.*)? u:object_r:system_file:s0
+/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
+/system/bin/e2fsck -- u:object_r:fsck_exec:s0
+/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
+/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
+/system/bin/tune2fs -- u:object_r:fsck_exec:s0
+/system/bin/toolbox -- u:object_r:toolbox_exec:s0
+/system/bin/toybox -- u:object_r:toolbox_exec:s0
+/system/bin/logcat -- u:object_r:logcat_exec:s0
+/system/bin/logcatd -- u:object_r:logcat_exec:s0
+/system/bin/sh -- u:object_r:shell_exec:s0
+/system/bin/run-as -- u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
+/system/bin/bootstat u:object_r:bootstat_exec:s0
+/system/bin/app_process32 u:object_r:zygote_exec:s0
+/system/bin/app_process64 u:object_r:zygote_exec:s0
+/system/bin/servicemanager u:object_r:servicemanager_exec:s0
+/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
+/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
+/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
+/system/bin/performanced u:object_r:performanced_exec:s0
+/system/bin/drmserver u:object_r:drmserver_exec:s0
+/system/bin/dumpstate u:object_r:dumpstate_exec:s0
+/system/bin/incident u:object_r:incident_exec:s0
+/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
+/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
+/system/bin/vold u:object_r:vold_exec:s0
+/system/bin/netd u:object_r:netd_exec:s0
+/system/bin/wificond u:object_r:wificond_exec:s0
+/system/bin/audioserver u:object_r:audioserver_exec:s0
+/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
+/system/bin/mediaserver u:object_r:mediaserver_exec:s0
+/system/bin/mediametrics u:object_r:mediametrics_exec:s0
+/system/bin/cameraserver u:object_r:cameraserver_exec:s0
+/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
+/system/bin/mdnsd u:object_r:mdnsd_exec:s0
+/system/bin/installd u:object_r:installd_exec:s0
+/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
+/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
+/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
+/system/bin/tombstoned u:object_r:tombstoned_exec:s0
+/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
+/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
+/system/bin/sdcard u:object_r:sdcardd_exec:s0
+/system/bin/dhcpcd u:object_r:dhcp_exec:s0
+/system/bin/dhcpcd-6.8.2 u:object_r:dhcp_exec:s0
+/system/bin/mtpd u:object_r:mtp_exec:s0
+/system/bin/pppd u:object_r:ppp_exec:s0
+/system/bin/racoon u:object_r:racoon_exec:s0
+/system/xbin/su u:object_r:su_exec:s0
+/system/bin/perfprofd u:object_r:perfprofd_exec:s0
+/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
+/system/bin/healthd u:object_r:healthd_exec:s0
+/system/bin/clatd u:object_r:clatd_exec:s0
+/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
+/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
+/system/bin/uncrypt u:object_r:uncrypt_exec:s0
+/system/bin/update_verifier u:object_r:update_verifier_exec:s0
+/system/bin/logwrapper u:object_r:system_file:s0
+/system/bin/vdc u:object_r:vdc_exec:s0
+/system/bin/cppreopts.sh u:object_r:cppreopts_exec:s0
+/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
+/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
+# patchoat executable has (essentially) the same requirements as dex2oat.
+/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/profman(d)? u:object_r:profman_exec:s0
+/system/bin/sgdisk u:object_r:sgdisk_exec:s0
+/system/bin/blkid u:object_r:blkid_exec:s0
+/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
+/system/bin/idmap u:object_r:idmap_exec:s0
+/system/bin/update_engine u:object_r:update_engine_exec:s0
+/system/bin/bspatch u:object_r:update_engine_exec:s0
+/system/bin/storaged u:object_r:storaged_exec:s0
+/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
+/system/bin/wpantund u:object_r:wpantund_exec:s0
+/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
+/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
+/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
+/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/system/etc/selinux/plat_sepolicy.cil u:object_r:sepolicy_file:s0
+/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
+/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
+/system/bin/adbd u:object_r:adbd_exec:s0
+/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
+/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
+
+#############################
+# Vendor files
+#
+/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
+/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
+/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
+
+/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+
+/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+# HAL location
+/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+
+#############################
+# OEM and ODM files
+#
+/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
+/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
+/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
+/oem(/.*)? u:object_r:oemfs:s0
+
+# The precompiled monolithic sepolicy will be under /odm only when
+# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
+/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions.xml u:object_r:mac_perms_file:s0
+
+#############################
+# Product files
+#
+/(product|system/product)(/.*)? u:object_r:system_file:s0
+
+#############################
+# Data files
+#
+# NOTE: When modifying existing label rules, changes may also need to
+# propagate to the "Expanded data files" section.
+#
+/data(/.*)? u:object_r:system_data_file:s0
+/data/.layout_version u:object_r:install_data_file:s0
+/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
+/data/backup(/.*)? u:object_r:backup_data_file:s0
+/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
+/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/drm(/.*)? u:object_r:drm_data_file:s0
+/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
+/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/ota(/.*)? u:object_r:ota_data_file:s0
+/data/ota_package(/.*)? u:object_r:ota_package_file:s0
+/data/adb(/.*)? u:object_r:adb_data_file:s0
+/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/app(/.*)? u:object_r:apk_data_file:s0
+/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
+/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
+/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
+/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
+/data/media(/.*)? u:object_r:media_rw_data_file:s0
+/data/mediadrm(/.*)? u:object_r:media_data_file:s0
+/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
+/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
+/data/property(/.*)? u:object_r:property_data_file:s0
+/data/preloads(/.*)? u:object_r:preloads_data_file:s0
+/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
+/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
+
+# Misc data
+/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
+/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
+/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
+/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
+/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
+/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
+/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
+/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
+/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
+/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
+/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
+/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
+/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
+/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
+/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
+/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
+/data/misc/media(/.*)? u:object_r:media_data_file:s0
+/data/misc/net(/.*)? u:object_r:net_data_file:s0
+/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
+/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
+/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
+/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
+/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
+/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
+/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
+/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
+/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
+/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
+/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
+/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
+/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
+/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
+# TODO(calin) label profile reference differently so that only
+# profman run as a special user can write to them
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
+/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
+
+# storaged proto files
+/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
+# Fingerprint vendor data file
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+
+# Bootchart data
+/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
+
+#############################
+# Expanded data files
+#
+/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
+/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
+/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
+/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
+/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
+/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
+/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
+
+# coredump directory for userdebug/eng devices
+/cores(/.*)? u:object_r:coredump_file:s0
+
+# Wallpaper files
+/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
+/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
+
+# Ringtone files
+/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
+
+# ShortcutManager icons, e.g.
+# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
+/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
+
+# User icon files
+/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+
+# vold per-user data
+/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+
+#############################
+# efs files
+#
+/efs(/.*)? u:object_r:efs_file:s0
+
+#############################
+# Cache files
+#
+/cache(/.*)? u:object_r:cache_file:s0
+/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+/data/cache(/.*)? u:object_r:cache_file:s0
+/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
+# General backup/restore interchange with apps
+/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
+# LocalTransport (backup) uses this subtree
+/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
+
+#############################
+# Metadata files
+#
+/metadata(/.*)? u:object_r:metadata_file:s0
+/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+
+#############################
+# asec containers
+/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
+/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
+/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
+/data/app-asec(/.*)? u:object_r:asec_image_file:s0
+
+#############################
+# external storage
+/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
+/mnt/user(/.*)? u:object_r:mnt_user_file:s0
+/mnt/runtime(/.*)? u:object_r:storage_file:s0
+/storage(/.*)? u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
diff --git a/prebuilts/api/28.0/private/file_contexts_asan b/prebuilts/api/28.0/private/file_contexts_asan
new file mode 100644
index 0000000..17ee9d7
--- /dev/null
+++ b/prebuilts/api/28.0/private/file_contexts_asan
@@ -0,0 +1,11 @@
+/data/asan/system/lib(/.*)? u:object_r:system_file:s0
+/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
+/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib64(/.*)? u:object_r:system_file:s0
+/system/bin/asan_extract u:object_r:asan_extract_exec:s0
+/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
+/system/bin/asan/app_process u:object_r:zygote_exec:s0
+/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
+/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/28.0/private/fingerprintd.te b/prebuilts/api/28.0/private/fingerprintd.te
new file mode 100644
index 0000000..eb73ef8
--- /dev/null
+++ b/prebuilts/api/28.0/private/fingerprintd.te
@@ -0,0 +1,3 @@
+typeattribute fingerprintd coredomain;
+
+init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/28.0/private/fs_use b/prebuilts/api/28.0/private/fs_use
new file mode 100644
index 0000000..4bd1112
--- /dev/null
+++ b/prebuilts/api/28.0/private/fs_use
@@ -0,0 +1,23 @@
+# Label inodes via getxattr.
+fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
+fs_use_xattr jffs2 u:object_r:labeledfs:s0;
+fs_use_xattr ext2 u:object_r:labeledfs:s0;
+fs_use_xattr ext3 u:object_r:labeledfs:s0;
+fs_use_xattr ext4 u:object_r:labeledfs:s0;
+fs_use_xattr xfs u:object_r:labeledfs:s0;
+fs_use_xattr btrfs u:object_r:labeledfs:s0;
+fs_use_xattr f2fs u:object_r:labeledfs:s0;
+fs_use_xattr squashfs u:object_r:labeledfs:s0;
+
+# Label inodes from task label.
+fs_use_task pipefs u:object_r:pipefs:s0;
+fs_use_task sockfs u:object_r:sockfs:s0;
+
+# Label inodes from combination of task label and fs label.
+# Define type_transition rules if you want per-domain types.
+fs_use_trans devpts u:object_r:devpts:s0;
+fs_use_trans tmpfs u:object_r:tmpfs:s0;
+fs_use_trans devtmpfs u:object_r:device:s0;
+fs_use_trans shm u:object_r:shm:s0;
+fs_use_trans mqueue u:object_r:mqueue:s0;
+
diff --git a/prebuilts/api/28.0/private/fsck.te b/prebuilts/api/28.0/private/fsck.te
new file mode 100644
index 0000000..f8e09b6
--- /dev/null
+++ b/prebuilts/api/28.0/private/fsck.te
@@ -0,0 +1,5 @@
+typeattribute fsck coredomain;
+
+init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/prebuilts/api/28.0/private/fsck_untrusted.te b/prebuilts/api/28.0/private/fsck_untrusted.te
new file mode 100644
index 0000000..9a57bf0
--- /dev/null
+++ b/prebuilts/api/28.0/private/fsck_untrusted.te
@@ -0,0 +1 @@
+typeattribute fsck_untrusted coredomain;
diff --git a/prebuilts/api/28.0/private/gatekeeperd.te b/prebuilts/api/28.0/private/gatekeeperd.te
new file mode 100644
index 0000000..5e4d0a2
--- /dev/null
+++ b/prebuilts/api/28.0/private/gatekeeperd.te
@@ -0,0 +1,3 @@
+typeattribute gatekeeperd coredomain;
+
+init_daemon_domain(gatekeeperd)
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
new file mode 100644
index 0000000..7e2ea50
--- /dev/null
+++ b/prebuilts/api/28.0/private/genfs_contexts
@@ -0,0 +1,244 @@
+# Label inodes with the fs label.
+genfscon rootfs / u:object_r:rootfs:s0
+# proc labeling can be further refined (longest matching prefix).
+genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
+genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
+genfscon proc /interrupts u:object_r:proc_interrupts:s0
+genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
+genfscon proc /meminfo u:object_r:proc_meminfo:s0
+genfscon proc /misc u:object_r:proc_misc:s0
+genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
+genfscon proc /net u:object_r:proc_net:s0
+genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
+genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
+genfscon proc /softirqs u:object_r:proc_timer:s0
+genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
+genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
+genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
+genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
+genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
+genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
+genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
+genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
+genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
+genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
+genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
+genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
+genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
+genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
+genfscon proc /timer_list u:object_r:proc_timer:s0
+genfscon proc /timer_stats u:object_r:proc_timer:s0
+genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
+genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
+genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
+genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
+genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
+genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+
+# selinuxfs booleans can be individually labeled.
+genfscon selinuxfs / u:object_r:selinuxfs:s0
+genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
+# sysfs labels can be set by userspace.
+genfscon sysfs / u:object_r:sysfs:s0
+genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
+genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
+genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
+genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
+genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
+genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
+genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
+genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
+genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
+
+genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
+genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
+genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
+genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
+
+genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
+
+genfscon inotifyfs / u:object_r:inotify:s0
+genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
+genfscon debugfs / u:object_r:debugfs:s0
+genfscon fuse / u:object_r:fuse:s0
+genfscon configfs / u:object_r:configfs:s0
+genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
+genfscon pstore / u:object_r:pstorefs:s0
+genfscon functionfs / u:object_r:functionfs:s0
+genfscon usbfs / u:object_r:usbfs:s0
+genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/prebuilts/api/28.0/private/hal_allocator_default.te b/prebuilts/api/28.0/private/hal_allocator_default.te
new file mode 100644
index 0000000..49ef178
--- /dev/null
+++ b/prebuilts/api/28.0/private/hal_allocator_default.te
@@ -0,0 +1,5 @@
+type hal_allocator_default, domain, coredomain;
+hal_server_domain(hal_allocator_default, hal_allocator)
+
+type hal_allocator_default_exec, exec_type, file_type;
+init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/28.0/private/halclientdomain.te b/prebuilts/api/28.0/private/halclientdomain.te
new file mode 100644
index 0000000..9dcd3ee
--- /dev/null
+++ b/prebuilts/api/28.0/private/halclientdomain.te
@@ -0,0 +1,13 @@
+###
+### Rules for all domains which are clients of a HAL
+###
+
+# Find out whether a HAL in passthrough/in-process mode or
+# binderized/out-of-process mode
+hwbinder_use(halclientdomain)
+
+# Used to wait for hwservicemanager
+get_prop(halclientdomain, hwservicemanager_prop)
+
+# Wait for HAL server to be up (used by getService)
+allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/private/halserverdomain.te b/prebuilts/api/28.0/private/halserverdomain.te
new file mode 100644
index 0000000..f36e0e7
--- /dev/null
+++ b/prebuilts/api/28.0/private/halserverdomain.te
@@ -0,0 +1,12 @@
+###
+### Rules for all domains which offer a HAL service over HwBinder
+###
+
+# Register the HAL service with hwservicemanager
+hwbinder_use(halserverdomain)
+
+# Find HAL implementations
+allow halserverdomain system_file:dir r_dir_perms;
+
+# Used to wait for hwservicemanager
+get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/28.0/private/healthd.te b/prebuilts/api/28.0/private/healthd.te
new file mode 100644
index 0000000..20d0791
--- /dev/null
+++ b/prebuilts/api/28.0/private/healthd.te
@@ -0,0 +1,6 @@
+typeattribute healthd coredomain;
+
+init_daemon_domain(healthd)
+
+# Allow healthd to serve health HAL
+hal_server_domain(healthd, hal_health)
diff --git a/prebuilts/api/28.0/private/hwservice_contexts b/prebuilts/api/28.0/private/hwservice_contexts
new file mode 100644
index 0000000..c75c0a5
--- /dev/null
+++ b/prebuilts/api/28.0/private/hwservice_contexts
@@ -0,0 +1,71 @@
+android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
+android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
+android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
+android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
+android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
+android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
+android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
+android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
+android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
+android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
+android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
+android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
+android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
+android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
+android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
+android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
+android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
+android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
+android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
+android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
+android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
+android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
+android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
+android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
+android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
+android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
+android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
+android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
+android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
+android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
+android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
+android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
+android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
+android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
+android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
+android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
+android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
+android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
+android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
+android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
+android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
+android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
+android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
+android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
+android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
+android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
+android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
+android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
+* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/28.0/private/hwservicemanager.te b/prebuilts/api/28.0/private/hwservicemanager.te
new file mode 100644
index 0000000..0705cc7
--- /dev/null
+++ b/prebuilts/api/28.0/private/hwservicemanager.te
@@ -0,0 +1,8 @@
+typeattribute hwservicemanager coredomain;
+
+init_daemon_domain(hwservicemanager)
+
+add_hwservice(hwservicemanager, hidl_manager_hwservice)
+add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/28.0/private/idmap.te b/prebuilts/api/28.0/private/idmap.te
new file mode 100644
index 0000000..73abf35
--- /dev/null
+++ b/prebuilts/api/28.0/private/idmap.te
@@ -0,0 +1 @@
+typeattribute idmap coredomain;
diff --git a/prebuilts/api/28.0/private/incident.te b/prebuilts/api/28.0/private/incident.te
new file mode 100644
index 0000000..1844898
--- /dev/null
+++ b/prebuilts/api/28.0/private/incident.te
@@ -0,0 +1,30 @@
+typeattribute incident coredomain;
+
+type incident_exec, exec_type, file_type;
+
+# switch to incident domain for incident command
+domain_auto_trans(shell, incident_exec, incident)
+
+# allow incident access to stdout from its parent shell.
+allow incident shell:fd use;
+
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
+# allow incident to communicate use, read and write over the adb
+# connection.
+allow incident adbd:fd use;
+allow incident adbd:unix_stream_socket { read write };
+
+# allow adbd to reap incident
+allow incident adbd:process { sigchld };
+
+# Allow the incident command to talk to the incidentd over the binder, and get
+# back the incident report data from a ParcelFileDescriptor.
+binder_use(incident)
+allow incident incident_service:service_manager find;
+binder_call(incident, incidentd)
+allow incident incidentd:fifo_file write;
+
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/28.0/private/incident_helper.te b/prebuilts/api/28.0/private/incident_helper.te
new file mode 100644
index 0000000..e1e3fc8
--- /dev/null
+++ b/prebuilts/api/28.0/private/incident_helper.te
@@ -0,0 +1,14 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
new file mode 100644
index 0000000..6b248f1
--- /dev/null
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -0,0 +1,166 @@
+typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
+
+init_daemon_domain(incidentd)
+type incidentd_exec, exec_type, file_type;
+binder_use(incidentd)
+wakelock_use(incidentd)
+
+# Allow incidentd to scan through /proc/pid for all processes
+r_dir_file(incidentd, domain)
+
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow incidentd system_file:file execute_no_trans;
+allow incidentd toolbox_exec:file rx_file_perms;
+
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
+# Create and write into /data/misc/incidents
+allow incidentd incident_data_file:dir rw_dir_perms;
+allow incidentd incident_data_file:file create_file_perms;
+
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
+
+# Read files in /proc
+allow incidentd {
+ proc_cmdline
+ proc_pipe_conf
+ proc_stat
+}:file r_file_perms;
+
+# Signal java processes to dump their stack and get the results
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
+
+# Signal native processes to dump their stack.
+# This list comes from native_processes_to_dump in incidentd/utils.c
+allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process signal;
+
+# Allow incidentd to make binder calls to any binder service
+binder_call(incidentd, system_server)
+binder_call(incidentd, appdomain)
+
+# Reading /proc/PID/maps of other processes
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
+
+# Run a shell.
+allow incidentd shell_exec:file rx_file_perms;
+
+# logd access - work to be done is a PII safe log (possibly an event log?)
+userdebug_or_eng(`read_logd(incidentd)')
+# TODO control_logd(incidentd)
+
+# Allow incidentd to find these standard groups of services.
+# Others can be whitelisted individually.
+allow incidentd {
+ system_server_service
+ app_api_service
+ system_api_service
+}:service_manager find;
+
+# Only incidentd can publish the binder service
+add_service(incidentd, incident_service)
+
+# Allow pipes from (and only from) incident
+allow incidentd incident:fd use;
+allow incidentd incident:fifo_file write;
+
+# Allow incident to call back to incident with status updates.
+binder_call(incidentd, incident)
+
+###
+### neverallow rules
+###
+
+# only system_server, system_app and incident command can find the incident service
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
+
+# only incidentd and the other root services in limited circumstances
+# can get to the files in /data/misc/incidents
+#
+# write, execute, append are forbidden almost everywhere
+neverallow { domain -incidentd -init -vold } incident_data_file:file {
+ w_file_perms
+ x_file_perms
+ create
+ rename
+ setattr
+ unlink
+ append
+};
+# read is also allowed by system_server, for when the file is handed to dropbox
+neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
+# limited access to the directory itself
+neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
+
diff --git a/prebuilts/api/28.0/private/init.te b/prebuilts/api/28.0/private/init.te
new file mode 100644
index 0000000..e9959d3
--- /dev/null
+++ b/prebuilts/api/28.0/private/init.te
@@ -0,0 +1,22 @@
+typeattribute init coredomain;
+
+tmpfs_domain(init)
+
+# Transitions to seclabel processes in init.rc
+domain_trans(init, rootfs, charger)
+domain_trans(init, rootfs, healthd)
+domain_trans(init, rootfs, slideshow)
+domain_auto_trans(init, e2fs_exec, e2fs)
+recovery_only(`
+ domain_trans(init, rootfs, adbd)
+ domain_trans(init, rootfs, recovery)
+')
+domain_trans(init, shell_exec, shell)
+domain_trans(init, init_exec, ueventd)
+domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
+domain_trans(init, { rootfs toolbox_exec }, modprobe)
+# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
+userdebug_or_eng(`
+ domain_auto_trans(init, logcat_exec, logpersist)
+')
diff --git a/prebuilts/api/28.0/private/initial_sid_contexts b/prebuilts/api/28.0/private/initial_sid_contexts
new file mode 100644
index 0000000..9819051
--- /dev/null
+++ b/prebuilts/api/28.0/private/initial_sid_contexts
@@ -0,0 +1,27 @@
+sid kernel u:r:kernel:s0
+sid security u:object_r:kernel:s0
+sid unlabeled u:object_r:unlabeled:s0
+sid fs u:object_r:labeledfs:s0
+sid file u:object_r:unlabeled:s0
+sid file_labels u:object_r:unlabeled:s0
+sid init u:object_r:unlabeled:s0
+sid any_socket u:object_r:unlabeled:s0
+sid port u:object_r:port:s0
+sid netif u:object_r:netif:s0
+sid netmsg u:object_r:unlabeled:s0
+sid node u:object_r:node:s0
+sid igmp_packet u:object_r:unlabeled:s0
+sid icmp_socket u:object_r:unlabeled:s0
+sid tcp_socket u:object_r:unlabeled:s0
+sid sysctl_modprobe u:object_r:unlabeled:s0
+sid sysctl u:object_r:proc:s0
+sid sysctl_fs u:object_r:unlabeled:s0
+sid sysctl_kernel u:object_r:unlabeled:s0
+sid sysctl_net u:object_r:unlabeled:s0
+sid sysctl_net_unix u:object_r:unlabeled:s0
+sid sysctl_vm u:object_r:unlabeled:s0
+sid sysctl_dev u:object_r:unlabeled:s0
+sid kmod u:object_r:unlabeled:s0
+sid policy u:object_r:unlabeled:s0
+sid scmp_packet u:object_r:unlabeled:s0
+sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/28.0/private/initial_sids b/prebuilts/api/28.0/private/initial_sids
new file mode 100644
index 0000000..91ac816
--- /dev/null
+++ b/prebuilts/api/28.0/private/initial_sids
@@ -0,0 +1,35 @@
+# FLASK
+
+#
+# Define initial security identifiers
+#
+
+sid kernel
+sid security
+sid unlabeled
+sid fs
+sid file
+sid file_labels
+sid init
+sid any_socket
+sid port
+sid netif
+sid netmsg
+sid node
+sid igmp_packet
+sid icmp_socket
+sid tcp_socket
+sid sysctl_modprobe
+sid sysctl
+sid sysctl_fs
+sid sysctl_kernel
+sid sysctl_net
+sid sysctl_net_unix
+sid sysctl_vm
+sid sysctl_dev
+sid kmod
+sid policy
+sid scmp_packet
+sid devnull
+
+# FLASK
diff --git a/prebuilts/api/28.0/private/inputflinger.te b/prebuilts/api/28.0/private/inputflinger.te
new file mode 100644
index 0000000..9696b49
--- /dev/null
+++ b/prebuilts/api/28.0/private/inputflinger.te
@@ -0,0 +1,3 @@
+typeattribute inputflinger coredomain;
+
+init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/28.0/private/install_recovery.te b/prebuilts/api/28.0/private/install_recovery.te
new file mode 100644
index 0000000..b79d683
--- /dev/null
+++ b/prebuilts/api/28.0/private/install_recovery.te
@@ -0,0 +1,3 @@
+typeattribute install_recovery coredomain;
+
+init_daemon_domain(install_recovery)
diff --git a/prebuilts/api/28.0/private/installd.te b/prebuilts/api/28.0/private/installd.te
new file mode 100644
index 0000000..0553716
--- /dev/null
+++ b/prebuilts/api/28.0/private/installd.te
@@ -0,0 +1,22 @@
+typeattribute installd coredomain;
+
+init_daemon_domain(installd)
+
+# Run dex2oat in its own sandbox.
+domain_auto_trans(installd, dex2oat_exec, dex2oat)
+
+# Run dexoptanalyzer in its own sandbox.
+domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
+
+# Run profman in its own sandbox.
+domain_auto_trans(installd, profman_exec, profman)
+
+# Run idmap in its own sandbox.
+domain_auto_trans(installd, idmap_exec, idmap)
+
+# Create /data/.layout_version.* file
+type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
new file mode 100644
index 0000000..a6276b3
--- /dev/null
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -0,0 +1,119 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+typeattribute isolated_app coredomain;
+
+app_domain(isolated_app)
+
+# Access already open app data files received over Binder or local socket IPC.
+allow isolated_app app_data_file:file { append read write getattr lock };
+
+allow isolated_app activity_service:service_manager find;
+allow isolated_app display_service:service_manager find;
+allow isolated_app webviewupdate_service:service_manager find;
+
+# Google Breakpad (crash reporter for Chrome) relies on ptrace
+# functionality. Without the ability to ptrace, the crash reporter
+# tool is broken.
+# b/20150694
+# https://code.google.com/p/chromium/issues/detail?id=475270
+allow isolated_app self:process ptrace;
+
+# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
+# by other processes. Open should never be allowed, and is blocked by
+# neverallow rules below.
+# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
+# is modified to change the secontext when accessing the lower filesystem.
+allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
+
+# For webviews, isolated_app processes can be forked from the webview_zygote
+# in addition to the zygote. Allow access to resources inherited from the
+# webview_zygote process. These rules are specialized copies of the ones in app.te.
+# Inherit FDs from the webview_zygote.
+allow isolated_app webview_zygote:fd use;
+# Notify webview_zygote of child death.
+allow isolated_app webview_zygote:process sigchld;
+# Inherit logd write socket.
+allow isolated_app webview_zygote:unix_dgram_socket write;
+# Read system properties managed by webview_zygote.
+allow isolated_app webview_zygote_tmpfs:file read;
+
+# TODO (b/63631799) fix this access
+# suppress denials to /data/local/tmp
+dontaudit isolated_app shell_data_file:dir search;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow isolated_app traced:fd use;
+allow isolated_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(isolated_app, traced_producer, traced)
+
+#####
+##### Neverallow
+#####
+
+# Do not allow isolated_app to directly open tun_device
+neverallow isolated_app tun_device:chr_file open;
+
+# Isolated apps should not directly open app data files themselves.
+neverallow isolated_app app_data_file:file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
+# Isolated apps must not be permitted to use HwBinder
+neverallow isolated_app hwbinder_device:chr_file *;
+neverallow isolated_app *:hwservice_manager *;
+
+# Isolated apps must not be permitted to use VndBinder
+neverallow isolated_app vndbinder_device:chr_file *;
+
+# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
+# except the find actions for services whitelisted below.
+neverallow isolated_app *:service_manager ~find;
+
+# b/17487348
+# Isolated apps can only access three services,
+# activity_service, display_service and webviewupdate_service.
+neverallow isolated_app {
+ service_manager_type
+ -activity_service
+ -display_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
+
+# Do not allow isolated_app access to /cache
+neverallow isolated_app cache_file:dir ~{ r_dir_perms };
+neverallow isolated_app cache_file:file ~{ read getattr };
+
+# Do not allow isolated_app to access external storage, except for files passed
+# via file descriptors (b/32896414).
+neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
+neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app sdcard_type:file ~{ read write append getattr lock };
+
+# Do not allow USB access
+neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
+
+# Restrict the webview_zygote control socket.
+neverallow isolated_app webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/kernel.te b/prebuilts/api/28.0/private/kernel.te
new file mode 100644
index 0000000..a4e6ebe
--- /dev/null
+++ b/prebuilts/api/28.0/private/kernel.te
@@ -0,0 +1,3 @@
+typeattribute kernel coredomain;
+
+domain_auto_trans(kernel, init_exec, init)
diff --git a/prebuilts/api/28.0/private/keys.conf b/prebuilts/api/28.0/private/keys.conf
new file mode 100644
index 0000000..7a307b5
--- /dev/null
+++ b/prebuilts/api/28.0/private/keys.conf
@@ -0,0 +1,25 @@
+#
+# Maps an arbitrary tag [TAGNAME] with the string contents found in
+# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
+# name it after the base file name of the pem file.
+#
+# Each tag (section) then allows one to specify any string found in
+# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
+# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
+#
+
+[@PLATFORM]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
+
+[@MEDIA]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
+
+[@SHARED]
+ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
+
+# Example of ALL TARGET_BUILD_VARIANTS
+[@RELEASE]
+ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
+
diff --git a/prebuilts/api/28.0/private/keystore.te b/prebuilts/api/28.0/private/keystore.te
new file mode 100644
index 0000000..7f71028
--- /dev/null
+++ b/prebuilts/api/28.0/private/keystore.te
@@ -0,0 +1,19 @@
+typeattribute keystore coredomain;
+
+init_daemon_domain(keystore)
+
+# talk to keymaster
+hal_client_domain(keystore, hal_keymaster)
+
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
+# Offer the Wifi Keystore HwBinder service
+typeattribute keystore wifi_keystore_service_server;
+add_hwservice(keystore, system_wifi_keystore_hwservice)
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
diff --git a/prebuilts/api/28.0/private/lmkd.te b/prebuilts/api/28.0/private/lmkd.te
new file mode 100644
index 0000000..a07ce87
--- /dev/null
+++ b/prebuilts/api/28.0/private/lmkd.te
@@ -0,0 +1,3 @@
+typeattribute lmkd coredomain;
+
+init_daemon_domain(lmkd)
diff --git a/prebuilts/api/28.0/private/logd.te b/prebuilts/api/28.0/private/logd.te
new file mode 100644
index 0000000..4338e40
--- /dev/null
+++ b/prebuilts/api/28.0/private/logd.te
@@ -0,0 +1,39 @@
+typeattribute logd coredomain;
+
+init_daemon_domain(logd)
+
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
+# only on userdebug or eng builds
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow logd {
+ file_type
+ -logd_tmpfs
+ -runtime_event_log_tags_file
+ userdebug_or_eng(`-coredump_file -misc_logd_file')
+}:file { create write append };
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -appdomain # covered below
+ -bootstat
+ -dumpstate
+ -init
+ -logd
+ userdebug_or_eng(`-logpersist')
+ -servicemanager
+ -system_server
+ -surfaceflinger
+ -zygote
+} runtime_event_log_tags_file:file no_rw_file_perms;
+
+neverallow {
+ appdomain
+ -bluetooth
+ -platform_app
+ -priv_app
+ -radio
+ -shell
+ userdebug_or_eng(`-su')
+ -system_app
+} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/28.0/private/logpersist.te b/prebuilts/api/28.0/private/logpersist.te
new file mode 100644
index 0000000..8cdbd2d
--- /dev/null
+++ b/prebuilts/api/28.0/private/logpersist.te
@@ -0,0 +1,24 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+ r_dir_file(logpersist, cgroup)
+
+ allow logpersist misc_logd_file:file create_file_perms;
+ allow logpersist misc_logd_file:dir rw_dir_perms;
+
+ allow logpersist self:global_capability_class_set sys_nice;
+ allow logpersist pstorefs:dir search;
+ allow logpersist pstorefs:file r_file_perms;
+
+ control_logd(logpersist)
+ unix_socket_connect(logpersist, logdr, logd)
+ read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/28.0/private/mac_permissions.xml b/prebuilts/api/28.0/private/mac_permissions.xml
new file mode 100644
index 0000000..1fcd2a4
--- /dev/null
+++ b/prebuilts/api/28.0/private/mac_permissions.xml
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+ * A signature is a hex encoded X.509 certificate or a tag defined in
+ keys.conf and is required for each signer tag. The signature can
+ either appear as a set of attached cert child tags or as an attribute.
+ * A signer tag must contain a seinfo tag XOR multiple package stanzas.
+ * Each signer/package tag is allowed to contain one seinfo tag. This tag
+ represents additional info that each app can use in setting a SELinux security
+ context on the eventual process as well as the apps data directory.
+ * seinfo assignments are made according to the following rules:
+ - Stanzas with package name refinements will be checked first.
+ - Stanzas w/o package name refinements will be checked second.
+ - The "default" seinfo label is automatically applied.
+
+ * valid stanzas can take one of the following forms:
+
+ // single cert protecting seinfo
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ // multiple certs protecting seinfo (all contained certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <seinfo value="platform" />
+ </signer>
+
+ // single cert protecting explicitly named app
+ <signer signature="@PLATFORM" >
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+
+ // multiple certs protecting explicitly named app (all certs must match)
+ <signer>
+ <cert signature="@PLATFORM1"/>
+ <cert signature="@PLATFORM2"/>
+ <package name="com.android.foo">
+ <seinfo value="bar" />
+ </package>
+ </signer>
+-->
+
+ <!-- Platform dev key in AOSP -->
+ <signer signature="@PLATFORM" >
+ <seinfo value="platform" />
+ </signer>
+
+ <!-- Media key in AOSP -->
+ <signer signature="@MEDIA" >
+ <seinfo value="media" />
+ </signer>
+
+</policy>
diff --git a/prebuilts/api/28.0/private/mdnsd.te b/prebuilts/api/28.0/private/mdnsd.te
new file mode 100644
index 0000000..96259e2
--- /dev/null
+++ b/prebuilts/api/28.0/private/mdnsd.te
@@ -0,0 +1,12 @@
+# mdns daemon
+
+typeattribute mdnsd coredomain;
+typeattribute mdnsd mlstrustedsubject;
+
+type mdnsd_exec, exec_type, file_type;
+init_daemon_domain(mdnsd)
+
+net_domain(mdnsd)
+
+# Read from /proc/net
+r_dir_file(mdnsd, proc_net)
diff --git a/prebuilts/api/28.0/private/mediadrmserver.te b/prebuilts/api/28.0/private/mediadrmserver.te
new file mode 100644
index 0000000..4e511a8
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediadrmserver.te
@@ -0,0 +1,8 @@
+typeattribute mediadrmserver coredomain;
+
+init_daemon_domain(mediadrmserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediadrmserver, hal_graphics_allocator)
+auditallow mediadrmserver hal_graphics_allocator_server:binder call;
+
diff --git a/prebuilts/api/28.0/private/mediaextractor.te b/prebuilts/api/28.0/private/mediaextractor.te
new file mode 100644
index 0000000..c1a8521
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaextractor.te
@@ -0,0 +1,3 @@
+typeattribute mediaextractor coredomain;
+
+init_daemon_domain(mediaextractor)
diff --git a/prebuilts/api/28.0/private/mediametrics.te b/prebuilts/api/28.0/private/mediametrics.te
new file mode 100644
index 0000000..f8b2fa5
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediametrics.te
@@ -0,0 +1,3 @@
+typeattribute mediametrics coredomain;
+
+init_daemon_domain(mediametrics)
diff --git a/prebuilts/api/28.0/private/mediaprovider.te b/prebuilts/api/28.0/private/mediaprovider.te
new file mode 100644
index 0000000..f5c9f69
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaprovider.te
@@ -0,0 +1,43 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+typeattribute mediaprovider coredomain;
+app_domain(mediaprovider)
+
+# DownloadProvider accesses the network.
+net_domain(mediaprovider)
+
+# DownloadProvider uses /cache.
+allow mediaprovider cache_file:dir create_dir_perms;
+allow mediaprovider cache_file:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider { mnt_media_rw_file }:dir search;
+
+allow mediaprovider app_api_service:service_manager find;
+allow mediaprovider audioserver_service:service_manager find;
+allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
+allow mediaprovider mediaserver_service:service_manager find;
+
+# Allow MediaProvider to read/write cached ringtones (opened by system).
+allow mediaprovider ringtone_file:file { getattr read write };
+
+# MtpServer uses /dev/mtp_usb
+allow mediaprovider mtp_device:chr_file rw_file_perms;
+
+# MtpServer uses /dev/usb-ffs/mtp
+allow mediaprovider functionfs:dir search;
+allow mediaprovider functionfs:file rw_file_perms;
+
+# MtpServer sets sys.usb.ffs.mtp.ready
+set_prop(mediaprovider, ffs_prop)
+set_prop(mediaprovider, exported_ffs_prop)
diff --git a/prebuilts/api/28.0/private/mediaserver.te b/prebuilts/api/28.0/private/mediaserver.te
new file mode 100644
index 0000000..a5fa9e1
--- /dev/null
+++ b/prebuilts/api/28.0/private/mediaserver.te
@@ -0,0 +1,11 @@
+typeattribute mediaserver coredomain;
+
+init_daemon_domain(mediaserver)
+
+# allocate and use graphic buffers
+hal_client_domain(mediaserver, hal_graphics_allocator)
+
+# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
+# of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
+allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/private/mls b/prebuilts/api/28.0/private/mls
new file mode 100644
index 0000000..3b8ee3f
--- /dev/null
+++ b/prebuilts/api/28.0/private/mls
@@ -0,0 +1,100 @@
+#################################################
+# MLS policy constraints
+#
+
+#
+# Process constraints
+#
+
+# Process transition: Require equivalence unless the subject is trusted.
+mlsconstrain process { transition dyntransition }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Process read operations: No read up unless trusted.
+mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
+ (l1 dom l2 or t1 == mlstrustedsubject);
+
+# Process write operations: Require equivalence unless trusted.
+mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
+ (l1 eq l2 or t1 == mlstrustedsubject);
+
+#
+# Socket constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Sockets inherit the range of their creator.
+mlsconstrain socket_class_set { create relabelfrom relabelto }
+ ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
+
+# Datagram send: Sender must be equivalent to the receiver unless one of them
+# is trusted.
+mlsconstrain unix_dgram_socket { sendto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+# Stream connect: Client must be equivalent to server unless one of them
+# is trusted.
+mlsconstrain unix_stream_socket { connectto }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
+
+#
+# Directory/file constraints
+#
+
+# Create/relabel operations: Subject must be equivalent to object unless
+# the subject is trusted. Also, files should always be single-level.
+# Do NOT exempt mlstrustedobject types from this constraint.
+mlsconstrain dir_file_class_set { create relabelfrom relabelto }
+ (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
+
+#
+# Constraints for app data files only.
+#
+
+# Only constrain open, not read/write.
+# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
+# Subject must dominate object unless the subject is trusted.
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
+
+#
+# Constraints for file types other than app data files.
+#
+
+# Read operations: Subject must dominate object unless the subject
+# or the object is trusted.
+mlsconstrain dir { read getattr search }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
+ (t2 == app_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Write operations: Subject must be equivalent to the object unless the
+# subject or the object is trusted.
+mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
+ (t2 == app_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+
+# Special case for FIFOs.
+# These can be unnamed pipes, in which case they will be labeled with the
+# creating process' label. Thus we also have an exemption when the "object"
+# is a domain type, so that processes can communicate via unnamed pipes
+# passed by binder or local socket IPC.
+mlsconstrain fifo_file { read getattr }
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+mlsconstrain fifo_file { write setattr append unlink link rename }
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
+
+#
+# Binder IPC constraints
+#
+# Presently commented out, as apps are expected to call one another.
+# This would only make sense if apps were assigned categories
+# based on allowable communications rather than per-app categories.
+#mlsconstrain binder call
+# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/28.0/private/mls_decl b/prebuilts/api/28.0/private/mls_decl
new file mode 100644
index 0000000..dd53bea
--- /dev/null
+++ b/prebuilts/api/28.0/private/mls_decl
@@ -0,0 +1,10 @@
+#########################################
+# MLS declarations
+#
+
+# Generate the desired number of sensitivities and categories.
+gen_sens(mls_num_sens)
+gen_cats(mls_num_cats)
+
+# Generate level definitions for each sensitivity and category.
+gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/28.0/private/mls_macros b/prebuilts/api/28.0/private/mls_macros
new file mode 100644
index 0000000..83e0542
--- /dev/null
+++ b/prebuilts/api/28.0/private/mls_macros
@@ -0,0 +1,54 @@
+########################################
+#
+# gen_cats(N)
+#
+# declares categores c0 to c(N-1)
+#
+define(`decl_cats',`dnl
+category c$1;
+ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
+')
+
+define(`gen_cats',`decl_cats(0,decr($1))')
+
+########################################
+#
+# gen_sens(N)
+#
+# declares sensitivites s0 to s(N-1) with dominance
+# in increasing numeric order with s0 lowest, s(N-1) highest
+#
+define(`decl_sens',`dnl
+sensitivity s$1;
+ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
+')
+
+define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
+
+define(`gen_sens',`
+# Each sensitivity has a name and zero or more aliases.
+decl_sens(0,decr($1))
+
+# Define the ordering of the sensitivity levels (least to greatest)
+dominance { gen_dominance(0,decr($1)) }
+')
+
+########################################
+#
+# gen_levels(N,M)
+#
+# levels from s0 to (N-1) with categories c0 to (M-1)
+#
+define(`decl_levels',`dnl
+level s$1:c0.c$3;
+ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
+')
+
+define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
+
+########################################
+#
+# Basic level names for system low and high
+#
+define(`mls_systemlow',`s0')
+define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/28.0/private/modprobe.te b/prebuilts/api/28.0/private/modprobe.te
new file mode 100644
index 0000000..9858675
--- /dev/null
+++ b/prebuilts/api/28.0/private/modprobe.te
@@ -0,0 +1 @@
+typeattribute modprobe coredomain;
diff --git a/prebuilts/api/28.0/private/mtp.te b/prebuilts/api/28.0/private/mtp.te
new file mode 100644
index 0000000..732e111
--- /dev/null
+++ b/prebuilts/api/28.0/private/mtp.te
@@ -0,0 +1,3 @@
+typeattribute mtp coredomain;
+
+init_daemon_domain(mtp)
diff --git a/prebuilts/api/28.0/private/net.te b/prebuilts/api/28.0/private/net.te
new file mode 100644
index 0000000..f16daf9
--- /dev/null
+++ b/prebuilts/api/28.0/private/net.te
@@ -0,0 +1,24 @@
+###
+### Domain with network access
+###
+
+# Use network sockets.
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ udp_socket rawip_socket } create_socket_perms;
+# Connect to ports.
+allow netdomain port_type:tcp_socket name_connect;
+# Bind to ports.
+allow {netdomain -ephemeral_app} node_type:{ tcp_socket udp_socket } node_bind;
+allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
+allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
+# See changes to the routing table.
+allow netdomain self:netlink_route_socket { create read getattr write setattr lock append bind connect getopt setopt shutdown nlmsg_read };
+
+# Talks to netd via dnsproxyd socket.
+unix_socket_connect(netdomain, dnsproxyd, netd)
+
+# Talks to netd via fwmarkd socket.
+unix_socket_connect(netdomain, fwmarkd, netd)
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/28.0/private/netd.te b/prebuilts/api/28.0/private/netd.te
new file mode 100644
index 0000000..281105d
--- /dev/null
+++ b/prebuilts/api/28.0/private/netd.te
@@ -0,0 +1,15 @@
+typeattribute netd coredomain;
+
+init_daemon_domain(netd)
+
+# Allow netd to spawn dnsmasq in it's own domain
+domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
+
+# Allow netd to start clatd in its own domain
+domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
diff --git a/prebuilts/api/28.0/private/netutils_wrapper.te b/prebuilts/api/28.0/private/netutils_wrapper.te
new file mode 100644
index 0000000..ea58814
--- /dev/null
+++ b/prebuilts/api/28.0/private/netutils_wrapper.te
@@ -0,0 +1,41 @@
+typeattribute netutils_wrapper coredomain;
+
+r_dir_file(netutils_wrapper, system_file);
+
+# For netutils (ip, iptables, tc)
+allow netutils_wrapper self:global_capability_class_set net_raw;
+
+allow netutils_wrapper system_file:file { execute execute_no_trans };
+allow netutils_wrapper proc_net:file { open read getattr };
+allow netutils_wrapper self:rawip_socket create_socket_perms;
+allow netutils_wrapper self:udp_socket create_socket_perms;
+allow netutils_wrapper self:global_capability_class_set net_admin;
+# ip utils need everything but ioctl
+allow netutils_wrapper self:netlink_route_socket ~ioctl;
+allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
+
+# For netutils (ndc) to be able to talk to netd
+allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
+allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
+# For /data/misc/net access to ndc and ip
+r_dir_file(netutils_wrapper, net_data_file)
+
+domain_auto_trans({
+ domain
+ -coredomain
+ -appdomain
+}, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/prebuilts/api/28.0/private/nfc.te b/prebuilts/api/28.0/private/nfc.te
new file mode 100644
index 0000000..5e85672
--- /dev/null
+++ b/prebuilts/api/28.0/private/nfc.te
@@ -0,0 +1,34 @@
+# nfc subsystem
+typeattribute nfc coredomain;
+app_domain(nfc)
+net_domain(nfc)
+
+binder_service(nfc)
+add_service(nfc, nfc_service)
+
+hal_client_domain(nfc, hal_nfc)
+
+# Data file accesses.
+allow nfc nfc_data_file:dir create_dir_perms;
+allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
+
+# SoundPool loading and playback
+allow nfc audioserver_service:service_manager find;
+allow nfc drmserver_service:service_manager find;
+allow nfc mediacodec_service:service_manager find;
+allow nfc mediametrics_service:service_manager find;
+allow nfc mediaextractor_service:service_manager find;
+allow nfc mediaserver_service:service_manager find;
+
+allow nfc radio_service:service_manager find;
+allow nfc app_api_service:service_manager find;
+allow nfc system_api_service:service_manager find;
+allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
+
+set_prop(nfc, nfc_prop);
+
+# already open bugreport file descriptors may be shared with
+# the nfc process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/28.0/private/otapreopt_chroot.te b/prebuilts/api/28.0/private/otapreopt_chroot.te
new file mode 100644
index 0000000..1f69931
--- /dev/null
+++ b/prebuilts/api/28.0/private/otapreopt_chroot.te
@@ -0,0 +1,4 @@
+typeattribute otapreopt_chroot coredomain;
+
+# Allow to transition to postinstall_ota, to run otapreopt in its own sandbox.
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
diff --git a/prebuilts/api/28.0/private/otapreopt_slot.te b/prebuilts/api/28.0/private/otapreopt_slot.te
new file mode 100644
index 0000000..98b93d4
--- /dev/null
+++ b/prebuilts/api/28.0/private/otapreopt_slot.te
@@ -0,0 +1,5 @@
+typeattribute otapreopt_slot coredomain;
+
+# Technically not a daemon but we do want the transition from init domain to
+# cppreopts to occur.
+init_daemon_domain(otapreopt_slot)
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
new file mode 100644
index 0000000..9ac5d87
--- /dev/null
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -0,0 +1,68 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, exec_type, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
+# print out on stdout/stderr.
+allow perfetto statsd:fd use;
+allow perfetto statsd:fifo_file { getattr read write };
+allow perfetto shell:fd use;
+allow perfetto shell:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# allow adbd to reap perfetto
+allow perfetto adbd:process { sigchld };
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
diff --git a/prebuilts/api/28.0/private/performanced.te b/prebuilts/api/28.0/private/performanced.te
new file mode 100644
index 0000000..792826e
--- /dev/null
+++ b/prebuilts/api/28.0/private/performanced.te
@@ -0,0 +1,3 @@
+typeattribute performanced coredomain;
+
+init_daemon_domain(performanced)
diff --git a/prebuilts/api/28.0/private/perfprofd.te b/prebuilts/api/28.0/private/perfprofd.te
new file mode 100644
index 0000000..4da5410
--- /dev/null
+++ b/prebuilts/api/28.0/private/perfprofd.te
@@ -0,0 +1,8 @@
+userdebug_or_eng(`
+ typeattribute perfprofd coredomain;
+ init_daemon_domain(perfprofd)
+')
+
+# Only servicemanager, statsd, su and systemserver can communicate.
+neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
diff --git a/prebuilts/api/28.0/private/platform_app.te b/prebuilts/api/28.0/private/platform_app.te
new file mode 100644
index 0000000..6d6ec98
--- /dev/null
+++ b/prebuilts/api/28.0/private/platform_app.te
@@ -0,0 +1,85 @@
+###
+### Apps signed with the platform key.
+###
+
+typeattribute platform_app coredomain;
+
+app_domain(platform_app)
+
+# Access the network.
+net_domain(platform_app)
+# Access bluetooth.
+bluetooth_domain(platform_app)
+# Read from /data/local/tmp or /data/data/com.android.shell.
+allow platform_app shell_data_file:dir search;
+allow platform_app shell_data_file:file { open getattr read };
+allow platform_app icon_file:file { open getattr read };
+# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
+# created by system server.
+allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
+allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
+allow platform_app apk_private_data_file:dir search;
+# ASEC
+allow platform_app asec_apk_file:dir create_dir_perms;
+allow platform_app asec_apk_file:file create_file_perms;
+
+# Access to /data/media.
+allow platform_app media_rw_data_file:dir create_dir_perms;
+allow platform_app media_rw_data_file:file create_file_perms;
+
+# Write to /cache.
+allow platform_app cache_file:dir create_dir_perms;
+allow platform_app cache_file:file create_file_perms;
+
+# Direct access to vold-mounted storage under /mnt/media_rw
+# This is a performance optimization that allows platform apps to bypass the FUSE layer
+allow platform_app mnt_media_rw_file:dir r_dir_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
+
+# com.android.systemui
+allow platform_app rootfs:dir getattr;
+
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow platform_app audioserver_service:service_manager find;
+allow platform_app cameraserver_service:service_manager find;
+allow platform_app drmserver_service:service_manager find;
+allow platform_app mediaserver_service:service_manager find;
+allow platform_app mediametrics_service:service_manager find;
+allow platform_app mediaextractor_service:service_manager find;
+allow platform_app mediacodec_service:service_manager find;
+allow platform_app mediadrmserver_service:service_manager find;
+allow platform_app persistent_data_block_service:service_manager find;
+allow platform_app radio_service:service_manager find;
+allow platform_app thermal_service:service_manager find;
+allow platform_app timezone_service:service_manager find;
+allow platform_app app_api_service:service_manager find;
+allow platform_app system_api_service:service_manager find;
+allow platform_app vr_manager_service:service_manager find;
+
+# Access to /data/preloads
+allow platform_app preloads_data_file:file r_file_perms;
+allow platform_app preloads_data_file:dir r_dir_perms;
+allow platform_app preloads_media_file:file r_file_perms;
+allow platform_app preloads_media_file:dir r_dir_perms;
+
+read_runtime_log_tags(platform_app)
+
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow platform apps to connect to the property service
+set_prop(platform_app, test_boot_reason_prop)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/28.0/private/policy_capabilities b/prebuilts/api/28.0/private/policy_capabilities
new file mode 100644
index 0000000..ab55c15
--- /dev/null
+++ b/prebuilts/api/28.0/private/policy_capabilities
@@ -0,0 +1,13 @@
+# Enable new networking controls.
+policycap network_peer_controls;
+
+# Enable open permission check.
+policycap open_perms;
+
+# Enable separate security classes for
+# all network address families previously
+# mapped to the socket class and for
+# ICMP and SCTP sockets previously mapped
+# to the rawip_socket class.
+policycap extended_socket_class;
+
diff --git a/prebuilts/api/28.0/private/port_contexts b/prebuilts/api/28.0/private/port_contexts
new file mode 100644
index 0000000..b473c0c
--- /dev/null
+++ b/prebuilts/api/28.0/private/port_contexts
@@ -0,0 +1,3 @@
+# portcon statements go here, e.g.
+# portcon tcp 80 u:object_r:http_port:s0
+
diff --git a/prebuilts/api/28.0/private/postinstall.te b/prebuilts/api/28.0/private/postinstall.te
new file mode 100644
index 0000000..363e362
--- /dev/null
+++ b/prebuilts/api/28.0/private/postinstall.te
@@ -0,0 +1,3 @@
+typeattribute postinstall coredomain;
+
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/prebuilts/api/28.0/private/postinstall_dexopt.te b/prebuilts/api/28.0/private/postinstall_dexopt.te
new file mode 100644
index 0000000..ff5fe87
--- /dev/null
+++ b/prebuilts/api/28.0/private/postinstall_dexopt.te
@@ -0,0 +1,5 @@
+typeattribute postinstall_dexopt coredomain;
+
+# Run dex2oat/patchoat in its own sandbox.
+# We have to manually transition, as we don't have an entrypoint.
+domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
diff --git a/prebuilts/api/28.0/private/ppp.te b/prebuilts/api/28.0/private/ppp.te
new file mode 100644
index 0000000..968b221
--- /dev/null
+++ b/prebuilts/api/28.0/private/ppp.te
@@ -0,0 +1,3 @@
+typeattribute ppp coredomain;
+
+domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/28.0/private/preopt2cachename.te b/prebuilts/api/28.0/private/preopt2cachename.te
new file mode 100644
index 0000000..d10f767
--- /dev/null
+++ b/prebuilts/api/28.0/private/preopt2cachename.te
@@ -0,0 +1 @@
+typeattribute preopt2cachename coredomain;
diff --git a/prebuilts/api/28.0/private/priv_app.te b/prebuilts/api/28.0/private/priv_app.te
new file mode 100644
index 0000000..9ff8d09
--- /dev/null
+++ b/prebuilts/api/28.0/private/priv_app.te
@@ -0,0 +1,206 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+typeattribute priv_app coredomain;
+app_domain(priv_app)
+
+# Access the network.
+net_domain(priv_app)
+# Access bluetooth.
+bluetooth_domain(priv_app)
+
+# Allow the allocation and use of ptys
+# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
+create_pty(priv_app)
+
+# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
+allow priv_app self:process ptrace;
+
+# Some apps ship with shared libraries that they write out
+# to their sandbox directory and then dlopen().
+allow priv_app app_data_file:file execute;
+
+allow priv_app app_api_service:service_manager find;
+allow priv_app audioserver_service:service_manager find;
+allow priv_app cameraserver_service:service_manager find;
+allow priv_app drmserver_service:service_manager find;
+allow priv_app mediacodec_service:service_manager find;
+allow priv_app mediadrmserver_service:service_manager find;
+allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
+allow priv_app mediaserver_service:service_manager find;
+allow priv_app network_watchlist_service:service_manager find;
+allow priv_app nfc_service:service_manager find;
+allow priv_app oem_lock_service:service_manager find;
+allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app radio_service:service_manager find;
+allow priv_app recovery_service:service_manager find;
+allow priv_app stats_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
+
+# Write to /cache.
+allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow priv_app cache_file:lnk_file r_file_perms;
+
+# Write to /data/ota_package for OTA packages.
+allow priv_app ota_package_file:dir rw_dir_perms;
+allow priv_app ota_package_file:file create_file_perms;
+
+# Access to /data/media.
+allow priv_app media_rw_data_file:dir create_dir_perms;
+allow priv_app media_rw_data_file:file create_file_perms;
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+allow priv_app shell_data_file:file r_file_perms;
+allow priv_app shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
+
+# Allow verifier to access staged apks.
+allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
+allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
+
+# b/18504118: Allow reads from /data/anr/traces.txt
+allow priv_app anr_data_file:file r_file_perms;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow priv_app perfprofd_data_file:file r_file_perms;
+ allow priv_app perfprofd_data_file:dir r_dir_perms;
+')
+
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
+r_dir_file(priv_app, rootfs)
+
+# Allow GMS core to open kernel config for OTA matching through libvintf
+allow priv_app config_gz:file { open read getattr };
+
+# access the mac address
+allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
+
+# Allow GMS core to communicate with update_engine for A/B update.
+binder_call(priv_app, update_engine)
+allow priv_app update_engine_service:service_manager find;
+
+# Allow GMS core to communicate with dumpsys storaged.
+binder_call(priv_app, storaged)
+allow priv_app storaged_service:service_manager find;
+
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow priv_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(priv_app, statsd)
+
+# Allow Phone to read/write cached ringtones (opened by system).
+allow priv_app ringtone_file:file { getattr read write };
+
+# Access to /data/preloads
+allow priv_app preloads_data_file:file r_file_perms;
+allow priv_app preloads_data_file:dir r_dir_perms;
+allow priv_app preloads_media_file:file r_file_perms;
+allow priv_app preloads_media_file:dir r_dir_perms;
+
+# Allow privileged apps (e.g. GMS core) to generate unique hardware IDs
+allow priv_app keystore:keystore_key gen_unique_id;
+
+# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
+allow priv_app selinuxfs:file r_file_perms;
+
+read_runtime_log_tags(priv_app)
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow priv_app traced:fd use;
+allow priv_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(priv_app, traced_producer, traced)
+
+# suppress denials for non-API accesses.
+dontaudit priv_app exec_type:file getattr;
+dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
+dontaudit priv_app net_dns_prop:file read;
+dontaudit priv_app proc:file read;
+dontaudit priv_app proc_interrupts:file read;
+dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_stat:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app sysfs:dir read;
+dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
+
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### neverallow rules
+###
+
+# Receive or send uevent messages.
+neverallow priv_app domain:netlink_kobject_uevent_socket *;
+
+# Receive or send generic netlink messages
+neverallow priv_app domain:netlink_socket *;
+
+# Too much leaky information in debugfs. It's a security
+# best practice to ensure these files aren't readable.
+neverallow priv_app debugfs:file read;
+
+# Do not allow privileged apps to register services.
+# Only trusted components of Android should be registering
+# services.
+neverallow priv_app service_manager_type:service_manager add;
+
+# Do not allow privileged apps to connect to the property service
+# or set properties. b/10243159
+neverallow priv_app property_socket:sock_file write;
+neverallow priv_app init:unix_stream_socket connectto;
+neverallow priv_app property_type:property_service set;
+
+# Do not allow priv_app to be assigned mlstrustedsubject.
+# This would undermine the per-user isolation model being
+# enforced via levelFrom=user in seapp_contexts and the mls
+# constraints. As there is no direct way to specify a neverallow
+# on attribute assignment, this relies on the fact that fork
+# permission only makes sense within a domain (hence should
+# never be granted to any other domain within mlstrustedsubject)
+# and priv_app is allowed fork permission to itself.
+neverallow priv_app mlstrustedsubject:process fork;
+
+# Do not allow priv_app to hard link to any files.
+# In particular, if priv_app links to other app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure priv_app never has this
+# capability.
+neverallow priv_app file_type:file link;
+
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };
diff --git a/prebuilts/api/28.0/private/profman.te b/prebuilts/api/28.0/private/profman.te
new file mode 100644
index 0000000..f61d05e
--- /dev/null
+++ b/prebuilts/api/28.0/private/profman.te
@@ -0,0 +1 @@
+typeattribute profman coredomain;
diff --git a/prebuilts/api/28.0/private/property_contexts b/prebuilts/api/28.0/private/property_contexts
new file mode 100644
index 0000000..32be0b3
--- /dev/null
+++ b/prebuilts/api/28.0/private/property_contexts
@@ -0,0 +1,147 @@
+##########################
+# property service keys
+#
+#
+net.rmnet u:object_r:net_radio_prop:s0
+net.gprs u:object_r:net_radio_prop:s0
+net.ppp u:object_r:net_radio_prop:s0
+net.qmi u:object_r:net_radio_prop:s0
+net.lte u:object_r:net_radio_prop:s0
+net.cdma u:object_r:net_radio_prop:s0
+net.dns u:object_r:net_dns_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
+ril. u:object_r:radio_prop:s0
+ro.ril. u:object_r:radio_prop:s0
+gsm. u:object_r:radio_prop:s0
+persist.radio u:object_r:radio_prop:s0
+
+net. u:object_r:system_prop:s0
+dev. u:object_r:system_prop:s0
+ro.runtime. u:object_r:system_prop:s0
+ro.runtime.firstboot u:object_r:firstboot_prop:s0
+hw. u:object_r:system_prop:s0
+ro.hw. u:object_r:system_prop:s0
+sys. u:object_r:system_prop:s0
+sys.cppreopt u:object_r:cppreopt_prop:s0
+sys.powerctl u:object_r:powerctl_prop:s0
+sys.usb.ffs. u:object_r:ffs_prop:s0
+service. u:object_r:system_prop:s0
+dhcp. u:object_r:dhcp_prop:s0
+dhcp.bt-pan.result u:object_r:pan_result_prop:s0
+bluetooth. u:object_r:bluetooth_prop:s0
+
+debug. u:object_r:debug_prop:s0
+debug.db. u:object_r:debuggerd_prop:s0
+dumpstate. u:object_r:dumpstate_prop:s0
+dumpstate.options u:object_r:dumpstate_options_prop:s0
+log. u:object_r:log_prop:s0
+log.tag u:object_r:log_tag_prop:s0
+log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+security.perf_harden u:object_r:shell_prop:s0
+service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
+
+persist.audio. u:object_r:audio_prop:s0
+persist.bluetooth. u:object_r:bluetooth_prop:s0
+persist.debug. u:object_r:persist_debug_prop:s0
+persist.logd. u:object_r:logd_prop:s0
+ro.logd. u:object_r:logd_prop:s0
+persist.logd.security u:object_r:device_logging_prop:s0
+persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+logd.logpersistd u:object_r:logpersistd_logging_prop:s0
+persist.log.tag u:object_r:log_tag_prop:s0
+persist.mmc. u:object_r:mmc_prop:s0
+persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+persist.sys. u:object_r:system_prop:s0
+persist.sys.safemode u:object_r:safemode_prop:s0
+ro.sys.safemode u:object_r:safemode_prop:s0
+persist.sys.audit_safemode u:object_r:safemode_prop:s0
+persist.service. u:object_r:system_prop:s0
+persist.service.bdroid. u:object_r:bluetooth_prop:s0
+persist.security. u:object_r:system_prop:s0
+persist.traced.enable u:object_r:traced_enabled_prop:s0
+persist.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
+ro.boottime. u:object_r:boottime_prop:s0
+ro.serialno u:object_r:serialno_prop:s0
+ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
+ro.boot.serialno u:object_r:serialno_prop:s0
+ro.bt. u:object_r:bluetooth_prop:s0
+ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
+persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
+sys.boot.reason u:object_r:system_boot_reason_prop:s0
+pm. u:object_r:pm_prop:s0
+test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
+
+# Boolean property set by system server upon boot indicating
+# if device owner is provisioned.
+ro.device_owner u:object_r:device_logging_prop:s0
+
+# selinux non-persistent properties
+selinux.restorecon_recursive u:object_r:restorecon_prop:s0
+
+# default property context
+* u:object_r:default_prop:s0
+
+# data partition encryption properties
+vold. u:object_r:vold_prop:s0
+ro.crypto. u:object_r:vold_prop:s0
+
+# ro.build.fingerprint is either set in /system/build.prop, or is
+# set at runtime by system_server.
+ro.build.fingerprint u:object_r:fingerprint_prop:s0
+
+ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
+
+# ctl properties
+ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
+ctl.fuse_ u:object_r:ctl_fuse_prop:s0
+ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
+ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
+ctl.bugreport u:object_r:ctl_bugreport_prop:s0
+ctl.console u:object_r:ctl_console_prop:s0
+ctl. u:object_r:ctl_default_prop:s0
+
+# Don't allow blind access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
+# NFC properties
+nfc. u:object_r:nfc_prop:s0
+
+# These properties are not normally set by processes other than init.
+# They are only distinguished here for setting by qemu-props on the
+# emulator/goldfish.
+config. u:object_r:config_prop:s0
+ro.config. u:object_r:config_prop:s0
+dalvik. u:object_r:dalvik_prop:s0
+ro.dalvik. u:object_r:dalvik_prop:s0
+
+# Shared between system server and wificond
+wlan. u:object_r:wifi_prop:s0
+
+# Lowpan properties
+lowpan. u:object_r:lowpan_prop:s0
+ro.lowpan. u:object_r:lowpan_prop:s0
+
+# hwservicemanager properties
+hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# Common default properties for vendor and odm.
+init.svc.odm. u:object_r:vendor_default_prop:s0
+init.svc.vendor. u:object_r:vendor_default_prop:s0
+ro.hardware. u:object_r:vendor_default_prop:s0
+ro.odm. u:object_r:vendor_default_prop:s0
+ro.vendor. u:object_r:vendor_default_prop:s0
+odm. u:object_r:vendor_default_prop:s0
+persist.odm. u:object_r:vendor_default_prop:s0
+persist.vendor. u:object_r:vendor_default_prop:s0
+vendor. u:object_r:vendor_default_prop:s0
diff --git a/prebuilts/api/28.0/private/racoon.te b/prebuilts/api/28.0/private/racoon.te
new file mode 100644
index 0000000..42ea7c9
--- /dev/null
+++ b/prebuilts/api/28.0/private/racoon.te
@@ -0,0 +1,3 @@
+typeattribute racoon coredomain;
+
+init_daemon_domain(racoon)
diff --git a/prebuilts/api/28.0/private/radio.te b/prebuilts/api/28.0/private/radio.te
new file mode 100644
index 0000000..b4f5390
--- /dev/null
+++ b/prebuilts/api/28.0/private/radio.te
@@ -0,0 +1,5 @@
+typeattribute radio coredomain;
+
+app_domain(radio)
+
+read_runtime_log_tags(radio)
diff --git a/prebuilts/api/28.0/private/recovery.te b/prebuilts/api/28.0/private/recovery.te
new file mode 100644
index 0000000..2a7fdc7
--- /dev/null
+++ b/prebuilts/api/28.0/private/recovery.te
@@ -0,0 +1 @@
+typeattribute recovery coredomain;
diff --git a/prebuilts/api/28.0/private/recovery_persist.te b/prebuilts/api/28.0/private/recovery_persist.te
new file mode 100644
index 0000000..1fdd758
--- /dev/null
+++ b/prebuilts/api/28.0/private/recovery_persist.te
@@ -0,0 +1,7 @@
+typeattribute recovery_persist coredomain;
+
+init_daemon_domain(recovery_persist)
+
+# recovery_persist is not allowed to write anywhere other than recovery_data_file
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_persist { file_type -recovery_data_file -recovery_persist_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/28.0/private/recovery_refresh.te b/prebuilts/api/28.0/private/recovery_refresh.te
new file mode 100644
index 0000000..327098d
--- /dev/null
+++ b/prebuilts/api/28.0/private/recovery_refresh.te
@@ -0,0 +1,7 @@
+typeattribute recovery_refresh coredomain;
+
+init_daemon_domain(recovery_refresh)
+
+# recovery_refresh is not allowed to write anywhere
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow recovery_refresh { file_type -recovery_refresh_tmpfs userdebug_or_eng(`-coredump_file') }:file write;
diff --git a/prebuilts/api/28.0/private/roles_decl b/prebuilts/api/28.0/private/roles_decl
new file mode 100644
index 0000000..c84fcba
--- /dev/null
+++ b/prebuilts/api/28.0/private/roles_decl
@@ -0,0 +1 @@
+role r;
diff --git a/prebuilts/api/28.0/private/runas.te b/prebuilts/api/28.0/private/runas.te
new file mode 100644
index 0000000..ef31aac
--- /dev/null
+++ b/prebuilts/api/28.0/private/runas.te
@@ -0,0 +1,4 @@
+typeattribute runas coredomain;
+
+# ndk-gdb invokes adb shell run-as.
+domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/28.0/private/sdcardd.te b/prebuilts/api/28.0/private/sdcardd.te
new file mode 100644
index 0000000..126d643
--- /dev/null
+++ b/prebuilts/api/28.0/private/sdcardd.te
@@ -0,0 +1,3 @@
+typeattribute sdcardd coredomain;
+
+type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/28.0/private/seapp_contexts b/prebuilts/api/28.0/private/seapp_contexts
new file mode 100644
index 0000000..c21d49f
--- /dev/null
+++ b/prebuilts/api/28.0/private/seapp_contexts
@@ -0,0 +1,118 @@
+# Input selectors:
+# isSystemServer (boolean)
+# isEphemeralApp (boolean)
+# isV2App (boolean)
+# isOwner (boolean)
+# user (string)
+# seinfo (string)
+# name (string)
+# path (string)
+# isPrivApp (boolean)
+# minTargetSdkVersion (unsigned integer)
+# isSystemServer=true can only be used once.
+# An unspecified isSystemServer defaults to false.
+# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
+# isV2App=true will match apps in the v2 app sandbox.
+# isOwner=true will only match for the owner/primary user.
+# isOwner=false will only match for secondary users.
+# If unspecified, the entry can match either case.
+# An unspecified string selector will match any value.
+# A user string selector that ends in * will perform a prefix match.
+# user=_app will match any regular app UID.
+# user=_isolated will match any isolated service UID.
+# isPrivApp=true will only match for applications preinstalled in
+# /system/priv-app.
+# minTargetSdkVersion will match applications with a targetSdkVersion
+# greater than or equal to the specified value. If unspecified,
+# it has a default value of 0.
+# All specified input selectors in an entry must match (i.e. logical AND).
+# Matching is case-insensitive.
+#
+# Precedence rules (see external/selinux/libselinux/src/android/android.c seapp_context_cmp()):
+# (1) isSystemServer=true before isSystemServer=false.
+# (2) Specified isEphemeralApp= before unspecified isEphemeralApp= boolean.
+# (3) Specified isV2App= before unspecified isV2App= boolean.
+# (4) Specified isOwner= before unspecified isOwner= boolean.
+# (5) Specified user= string before unspecified user= string.
+# (6) Fixed user= string before user= prefix (i.e. ending in *).
+# (7) Longer user= prefix before shorter user= prefix.
+# (8) Specified seinfo= string before unspecified seinfo= string.
+# ':' character is reserved and may not be used.
+# (9) Specified name= string before unspecified name= string.
+# (10) Specified path= string before unspecified path= string.
+# (11) Specified isPrivApp= before unspecified isPrivApp= boolean.
+# (12) Higher value of minTargetSdkVersion= before lower value of minTargetSdkVersion=
+# integer. Note that minTargetSdkVersion= defaults to 0 if unspecified.
+#
+# Outputs:
+# domain (string)
+# type (string)
+# levelFrom (string; one of none, all, app, or user)
+# level (string)
+# Only entries that specify domain= will be used for app process labeling.
+# Only entries that specify type= will be used for app directory labeling.
+# levelFrom=user is only supported for _app or _isolated UIDs.
+# levelFrom=app or levelFrom=all is only supported for _app UIDs.
+# level may be used to specify a fixed level for any UID.
+#
+#
+# Neverallow Assertions
+# Additional compile time assertion checks can be added as well. The assertion
+# rules are lines beginning with the keyword neverallow. Full support for PCRE
+# regular expressions exists on all input and output selectors. Neverallow
+# rules are never output to the built seapp_contexts file. Like all keywords,
+# neverallows are case-insensitive. A neverallow is asserted when all key value
+# inputs are matched on a key value rule line.
+#
+
+# only the system server can be in system_server domain
+neverallow isSystemServer=false domain=system_server
+neverallow isSystemServer="" domain=system_server
+
+# system domains should never be assigned outside of system uid
+neverallow user=((?!system).)* domain=system_app
+neverallow user=((?!system).)* type=system_app_data_file
+
+# anything with a non-known uid with a specified name should have a specified seinfo
+neverallow user=_app name=.* seinfo=""
+neverallow user=_app name=.* seinfo=default
+
+# neverallow shared relro to any other domain
+# and neverallow any other uid into shared_relro
+neverallow user=shared_relro domain=((?!shared_relro).)*
+neverallow user=((?!shared_relro).)* domain=shared_relro
+
+# neverallow non-isolated uids into isolated_app domain
+# and vice versa
+neverallow user=_isolated domain=((?!isolated_app).)*
+neverallow user=((?!_isolated).)* domain=isolated_app
+
+# uid shell should always be in shell domain, however non-shell
+# uid's can be in shell domain
+neverallow user=shell domain=((?!shell).)*
+
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
+# Ephemeral Apps must run in the ephemeral_app domain
+neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
+
+isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
+user=system seinfo=platform domain=system_app type=system_app_data_file
+user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
+user=radio seinfo=platform domain=radio type=radio_data_file
+user=shared_relro domain=shared_relro
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
+user=_isolated domain=isolated_app levelFrom=all
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
+user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
+user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/prebuilts/api/28.0/private/secure_element.te b/prebuilts/api/28.0/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/prebuilts/api/28.0/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/prebuilts/api/28.0/private/security_classes b/prebuilts/api/28.0/private/security_classes
new file mode 100644
index 0000000..251b721
--- /dev/null
+++ b/prebuilts/api/28.0/private/security_classes
@@ -0,0 +1,146 @@
+# FLASK
+
+#
+# Define the security object classes
+#
+
+# Classes marked as userspace are classes
+# for userspace object managers
+
+class security
+class process
+class system
+class capability
+
+# file-related classes
+class filesystem
+class file
+class dir
+class fd
+class lnk_file
+class chr_file
+class blk_file
+class sock_file
+class fifo_file
+
+# network-related classes
+class socket
+class tcp_socket
+class udp_socket
+class rawip_socket
+class node
+class netif
+class netlink_socket
+class packet_socket
+class key_socket
+class unix_stream_socket
+class unix_dgram_socket
+class bpf
+
+# sysv-ipc-related classes
+class sem
+class msg
+class msgq
+class shm
+class ipc
+
+# extended netlink sockets
+class netlink_route_socket
+class netlink_tcpdiag_socket
+class netlink_nflog_socket
+class netlink_xfrm_socket
+class netlink_selinux_socket
+class netlink_audit_socket
+class netlink_dnrt_socket
+
+# IPSec association
+class association
+
+# Updated Netlink class for KOBJECT_UEVENT family.
+class netlink_kobject_uevent_socket
+
+class appletalk_socket
+
+class packet
+
+# Kernel access key retention
+class key
+
+class dccp_socket
+
+class memprotect
+
+# network peer labels
+class peer
+
+# Capabilities >= 32
+class capability2
+
+# kernel services that need to override task security, e.g. cachefiles
+class kernel_service
+
+class tun_socket
+
+class binder
+
+# Updated netlink classes for more recent netlink protocols.
+class netlink_iscsi_socket
+class netlink_fib_lookup_socket
+class netlink_connector_socket
+class netlink_netfilter_socket
+class netlink_generic_socket
+class netlink_scsitransport_socket
+class netlink_rdma_socket
+class netlink_crypto_socket
+
+# Capability checks when on a non-init user namespace
+class cap_userns
+class cap2_userns
+
+# New socket classes introduced by extended_socket_class policy capability.
+# These two were previously mapped to rawip_socket.
+class sctp_socket
+class icmp_socket
+# These were previously mapped to socket.
+class ax25_socket
+class ipx_socket
+class netrom_socket
+class atmpvc_socket
+class x25_socket
+class rose_socket
+class decnet_socket
+class atmsvc_socket
+class rds_socket
+class irda_socket
+class pppox_socket
+class llc_socket
+class can_socket
+class tipc_socket
+class bluetooth_socket
+class iucv_socket
+class rxrpc_socket
+class isdn_socket
+class phonet_socket
+class ieee802154_socket
+class caif_socket
+class alg_socket
+class nfc_socket
+class vsock_socket
+class kcm_socket
+class qipcrtr_socket
+class smc_socket
+
+# Property service
+class property_service # userspace
+
+# Service manager
+class service_manager # userspace
+
+# hardware service manager # userspace
+class hwservice_manager
+
+# Keystore Key
+class keystore_key # userspace
+
+class drmservice # userspace
+# FLASK
diff --git a/prebuilts/api/28.0/private/service.te b/prebuilts/api/28.0/private/service.te
new file mode 100644
index 0000000..3fec882
--- /dev/null
+++ b/prebuilts/api/28.0/private/service.te
@@ -0,0 +1,2 @@
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/28.0/private/service_contexts b/prebuilts/api/28.0/private/service_contexts
new file mode 100644
index 0000000..5ec45a2
--- /dev/null
+++ b/prebuilts/api/28.0/private/service_contexts
@@ -0,0 +1,188 @@
+accessibility u:object_r:accessibility_service:s0
+account u:object_r:account_service:s0
+activity u:object_r:activity_service:s0
+alarm u:object_r:alarm_service:s0
+android.os.UpdateEngineService u:object_r:update_engine_service:s0
+android.security.keystore u:object_r:keystore_service:s0
+android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+appops u:object_r:appops_service:s0
+appwidget u:object_r:appwidget_service:s0
+assetatlas u:object_r:assetatlas_service:s0
+audio u:object_r:audio_service:s0
+autofill u:object_r:autofill_service:s0
+backup u:object_r:backup_service:s0
+batteryproperties u:object_r:batteryproperties_service:s0
+batterystats u:object_r:batterystats_service:s0
+battery u:object_r:battery_service:s0
+binder_calls_stats u:object_r:binder_calls_stats_service:s0
+bluetooth_manager u:object_r:bluetooth_manager_service:s0
+bluetooth u:object_r:bluetooth_service:s0
+broadcastradio u:object_r:broadcastradio_service:s0
+carrier_config u:object_r:radio_service:s0
+clipboard u:object_r:clipboard_service:s0
+com.android.net.IProxyService u:object_r:IProxyService_service:s0
+commontime_management u:object_r:commontime_management_service:s0
+common_time.clock u:object_r:mediaserver_service:s0
+common_time.config u:object_r:mediaserver_service:s0
+companiondevice u:object_r:companion_device_service:s0
+connectivity u:object_r:connectivity_service:s0
+connmetrics u:object_r:connmetrics_service:s0
+consumer_ir u:object_r:consumer_ir_service:s0
+content u:object_r:content_service:s0
+contexthub u:object_r:contexthub_service:s0
+country_detector u:object_r:country_detector_service:s0
+coverage u:object_r:coverage_service:s0
+cpuinfo u:object_r:cpuinfo_service:s0
+crossprofileapps u:object_r:crossprofileapps_service:s0
+dbinfo u:object_r:dbinfo_service:s0
+device_policy u:object_r:device_policy_service:s0
+device_identifiers u:object_r:device_identifiers_service:s0
+deviceidle u:object_r:deviceidle_service:s0
+devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
+diskstats u:object_r:diskstats_service:s0
+display u:object_r:display_service:s0
+netd_listener u:object_r:netd_listener_service:s0
+network_watchlist u:object_r:network_watchlist_service:s0
+DockObserver u:object_r:DockObserver_service:s0
+dreams u:object_r:dreams_service:s0
+drm.drmManager u:object_r:drmserver_service:s0
+dropbox u:object_r:dropbox_service:s0
+dumpstate u:object_r:dumpstate_service:s0
+econtroller u:object_r:radio_service:s0
+euicc_card_controller u:object_r:radio_service:s0
+lowpan u:object_r:lowpan_service:s0
+ethernet u:object_r:ethernet_service:s0
+fingerprint u:object_r:fingerprint_service:s0
+font u:object_r:font_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
+gfxinfo u:object_r:gfxinfo_service:s0
+graphicsstats u:object_r:graphicsstats_service:s0
+gpu u:object_r:gpu_service:s0
+hardware u:object_r:hardware_service:s0
+hardware_properties u:object_r:hardware_properties_service:s0
+hdmi_control u:object_r:hdmi_control_service:s0
+incident u:object_r:incident_service:s0
+inputflinger u:object_r:inputflinger_service:s0
+input_method u:object_r:input_method_service:s0
+input u:object_r:input_service:s0
+installd u:object_r:installd_service:s0
+iphonesubinfo_msim u:object_r:radio_service:s0
+iphonesubinfo2 u:object_r:radio_service:s0
+iphonesubinfo u:object_r:radio_service:s0
+ims u:object_r:radio_service:s0
+imms u:object_r:imms_service:s0
+ipsec u:object_r:ipsec_service:s0
+isms_msim u:object_r:radio_service:s0
+isms2 u:object_r:radio_service:s0
+isms u:object_r:radio_service:s0
+isub u:object_r:radio_service:s0
+jobscheduler u:object_r:jobscheduler_service:s0
+launcherapps u:object_r:launcherapps_service:s0
+location u:object_r:location_service:s0
+lock_settings u:object_r:lock_settings_service:s0
+media.aaudio u:object_r:audioserver_service:s0
+media.audio_flinger u:object_r:audioserver_service:s0
+media.audio_policy u:object_r:audioserver_service:s0
+media.camera u:object_r:cameraserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
+media.log u:object_r:audioserver_service:s0
+media.player u:object_r:mediaserver_service:s0
+media.metrics u:object_r:mediametrics_service:s0
+media.extractor u:object_r:mediaextractor_service:s0
+media.extractor.update u:object_r:mediaextractor_update_service:s0
+media.codec u:object_r:mediacodec_service:s0
+media.resource_manager u:object_r:mediaserver_service:s0
+media.sound_trigger_hw u:object_r:audioserver_service:s0
+media.drm u:object_r:mediadrmserver_service:s0
+media_projection u:object_r:media_projection_service:s0
+media_resource_monitor u:object_r:media_session_service:s0
+media_router u:object_r:media_router_service:s0
+media_session u:object_r:media_session_service:s0
+meminfo u:object_r:meminfo_service:s0
+midi u:object_r:midi_service:s0
+mount u:object_r:mount_service:s0
+netd u:object_r:netd_service:s0
+netpolicy u:object_r:netpolicy_service:s0
+netstats u:object_r:netstats_service:s0
+network_management u:object_r:network_management_service:s0
+network_score u:object_r:network_score_service:s0
+network_time_update_service u:object_r:network_time_update_service:s0
+nfc u:object_r:nfc_service:s0
+notification u:object_r:notification_service:s0
+oem_lock u:object_r:oem_lock_service:s0
+otadexopt u:object_r:otadexopt_service:s0
+overlay u:object_r:overlay_service:s0
+package u:object_r:package_service:s0
+package_native u:object_r:package_native_service:s0
+perfprofd u:object_r:perfprofd_service:s0
+permission u:object_r:permission_service:s0
+persistent_data_block u:object_r:persistent_data_block_service:s0
+phone_msim u:object_r:radio_service:s0
+phone1 u:object_r:radio_service:s0
+phone2 u:object_r:radio_service:s0
+phone u:object_r:radio_service:s0
+pinner u:object_r:pinner_service:s0
+power u:object_r:power_service:s0
+print u:object_r:print_service:s0
+processinfo u:object_r:processinfo_service:s0
+procstats u:object_r:procstats_service:s0
+radio.phonesubinfo u:object_r:radio_service:s0
+radio.phone u:object_r:radio_service:s0
+radio.sms u:object_r:radio_service:s0
+recovery u:object_r:recovery_service:s0
+restrictions u:object_r:restrictions_service:s0
+rttmanager u:object_r:rttmanager_service:s0
+samplingprofiler u:object_r:samplingprofiler_service:s0
+scheduling_policy u:object_r:scheduling_policy_service:s0
+search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
+sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
+sensorservice u:object_r:sensorservice_service:s0
+serial u:object_r:serial_service:s0
+servicediscovery u:object_r:servicediscovery_service:s0
+settings u:object_r:settings_service:s0
+shortcut u:object_r:shortcut_service:s0
+simphonebook_msim u:object_r:radio_service:s0
+simphonebook2 u:object_r:radio_service:s0
+simphonebook u:object_r:radio_service:s0
+sip u:object_r:radio_service:s0
+slice u:object_r:slice_service:s0
+stats u:object_r:stats_service:s0
+statscompanion u:object_r:statscompanion_service:s0
+soundtrigger u:object_r:voiceinteraction_service:s0
+statusbar u:object_r:statusbar_service:s0
+storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
+storagestats u:object_r:storagestats_service:s0
+SurfaceFlinger u:object_r:surfaceflinger_service:s0
+system_update u:object_r:system_update_service:s0
+task u:object_r:task_service:s0
+telecom u:object_r:telecom_service:s0
+telephony.registry u:object_r:registry_service:s0
+textclassification u:object_r:textclassification_service:s0
+textservices u:object_r:textservices_service:s0
+timezone u:object_r:timezone_service:s0
+thermalservice u:object_r:thermal_service:s0
+trust u:object_r:trust_service:s0
+tv_input u:object_r:tv_input_service:s0
+uimode u:object_r:uimode_service:s0
+updatelock u:object_r:updatelock_service:s0
+usagestats u:object_r:usagestats_service:s0
+usb u:object_r:usb_service:s0
+user u:object_r:user_service:s0
+vibrator u:object_r:vibrator_service:s0
+virtual_touchpad u:object_r:virtual_touchpad_service:s0
+voiceinteraction u:object_r:voiceinteraction_service:s0
+vold u:object_r:vold_service:s0
+vr_hwc u:object_r:vr_hwc_service:s0
+vrmanager u:object_r:vr_manager_service:s0
+wallpaper u:object_r:wallpaper_service:s0
+webviewupdate u:object_r:webviewupdate_service:s0
+wifip2p u:object_r:wifip2p_service:s0
+wifiscanner u:object_r:wifiscanner_service:s0
+wifi u:object_r:wifi_service:s0
+wificond u:object_r:wificond_service:s0
+wifiaware u:object_r:wifiaware_service:s0
+wifirtt u:object_r:rttmanager_service:s0
+window u:object_r:window_service:s0
+* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/28.0/private/servicemanager.te b/prebuilts/api/28.0/private/servicemanager.te
new file mode 100644
index 0000000..9f675a2
--- /dev/null
+++ b/prebuilts/api/28.0/private/servicemanager.te
@@ -0,0 +1,5 @@
+typeattribute servicemanager coredomain;
+
+init_daemon_domain(servicemanager)
+
+read_runtime_log_tags(servicemanager)
diff --git a/prebuilts/api/28.0/private/sgdisk.te b/prebuilts/api/28.0/private/sgdisk.te
new file mode 100644
index 0000000..a17342e
--- /dev/null
+++ b/prebuilts/api/28.0/private/sgdisk.te
@@ -0,0 +1 @@
+typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/28.0/private/shared_relro.te b/prebuilts/api/28.0/private/shared_relro.te
new file mode 100644
index 0000000..02f7206
--- /dev/null
+++ b/prebuilts/api/28.0/private/shared_relro.te
@@ -0,0 +1,5 @@
+typeattribute shared_relro coredomain;
+
+# The shared relro process is a Java program forked from the zygote, so it
+# inherits from app to get basic permissions it needs to run.
+app_domain(shared_relro)
diff --git a/prebuilts/api/28.0/private/shell.te b/prebuilts/api/28.0/private/shell.te
new file mode 100644
index 0000000..130a130
--- /dev/null
+++ b/prebuilts/api/28.0/private/shell.te
@@ -0,0 +1,53 @@
+typeattribute shell coredomain;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
+allow shell debugfs_tracing:dir r_dir_perms;
+allow shell debugfs_tracing:file rw_file_perms;
+allow shell debugfs_trace_marker:file getattr;
+allow shell atrace_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow shell debugfs_tracing_debug:file rw_file_perms;
+')
+
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
+# Run app_process.
+# XXX Transition into its own domain?
+app_domain(shell)
+
+# allow shell to call dumpsys storaged
+binder_call(shell, storaged)
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Control Perfetto traced and obtain traces from it.
+# Needed for Studio and debugging.
+unix_socket_connect(shell, traced_consumer, traced)
+
+# Allow shell binaries to write trace data to Perfetto. Used for testing and
+# cmdline utils.
+allow shell traced:fd use;
+allow shell traced_tmpfs:file { read write getattr map };
+unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/prebuilts/api/28.0/private/slideshow.te b/prebuilts/api/28.0/private/slideshow.te
new file mode 100644
index 0000000..7dfa994
--- /dev/null
+++ b/prebuilts/api/28.0/private/slideshow.te
@@ -0,0 +1 @@
+typeattribute slideshow coredomain;
diff --git a/prebuilts/api/28.0/private/stats.te b/prebuilts/api/28.0/private/stats.te
new file mode 100644
index 0000000..be8cfbd
--- /dev/null
+++ b/prebuilts/api/28.0/private/stats.te
@@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
diff --git a/prebuilts/api/28.0/private/statsd.te b/prebuilts/api/28.0/private/statsd.te
new file mode 100644
index 0000000..74b89c2
--- /dev/null
+++ b/prebuilts/api/28.0/private/statsd.te
@@ -0,0 +1,116 @@
+type statsd, domain, mlstrustedsubject;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
+binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ statscompanion_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
+
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(lmkd, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/prebuilts/api/28.0/private/storaged.te b/prebuilts/api/28.0/private/storaged.te
new file mode 100644
index 0000000..8ad872f
--- /dev/null
+++ b/prebuilts/api/28.0/private/storaged.te
@@ -0,0 +1,61 @@
+# storaged daemon
+type storaged, domain, coredomain, mlstrustedsubject;
+type storaged_exec, exec_type, file_type;
+
+init_daemon_domain(storaged)
+
+# Read access to pseudo filesystems
+r_dir_file(storaged, proc_net)
+r_dir_file(storaged, domain)
+
+# Read /proc/uid_io/stats
+allow storaged proc_uid_io_stats:file r_file_perms;
+
+# Read /data/system/packages.list
+allow storaged system_data_file:file r_file_perms;
+
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
+')
+
+# Needed to provide debug dump output via dumpsys pipes.
+allow storaged shell:fd use;
+allow storaged shell:fifo_file write;
+
+# Needed for GMScore to call dumpsys storaged
+allow storaged priv_app:fd use;
+allow storaged app_data_file:file write;
+allow storaged permission_service:service_manager find;
+
+# Binder permissions
+add_service(storaged, storaged_service)
+
+binder_use(storaged)
+binder_call(storaged, system_server)
+
+hal_client_domain(storaged, hal_health)
+
+# Implements a dumpsys interface.
+allow storaged dumpstate:fd use;
+
+# use a subset of the package manager service
+allow storaged package_native_service:service_manager find;
+
+# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
+# running as root. See b/35323867 #3.
+dontaudit storaged self:global_capability_class_set dac_override;
+
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
+
+###
+### neverallow
+###
+neverallow storaged domain:process ptrace;
+neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/28.0/private/su.te b/prebuilts/api/28.0/private/su.te
new file mode 100644
index 0000000..16e47bb
--- /dev/null
+++ b/prebuilts/api/28.0/private/su.te
@@ -0,0 +1,23 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+')
diff --git a/prebuilts/api/28.0/private/surfaceflinger.te b/prebuilts/api/28.0/private/surfaceflinger.te
new file mode 100644
index 0000000..e2f1a07
--- /dev/null
+++ b/prebuilts/api/28.0/private/surfaceflinger.te
@@ -0,0 +1,121 @@
+# surfaceflinger - display compositor service
+
+typeattribute surfaceflinger coredomain;
+
+type surfaceflinger_exec, exec_type, file_type;
+init_daemon_domain(surfaceflinger)
+
+typeattribute surfaceflinger mlstrustedsubject;
+typeattribute surfaceflinger display_service_server;
+
+read_runtime_log_tags(surfaceflinger)
+
+# Perform HwBinder IPC.
+hal_client_domain(surfaceflinger, hal_graphics_allocator)
+hal_client_domain(surfaceflinger, hal_graphics_composer)
+hal_client_domain(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_power)
+allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
+
+# Perform Binder IPC.
+binder_use(surfaceflinger)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
+binder_call(surfaceflinger, bootanim)
+binder_service(surfaceflinger)
+
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
+# Access /dev/graphics/fb0.
+allow surfaceflinger graphics_device:dir search;
+allow surfaceflinger graphics_device:chr_file rw_file_perms;
+
+# Access /dev/video1.
+allow surfaceflinger video_device:dir r_dir_perms;
+allow surfaceflinger video_device:chr_file rw_file_perms;
+
+# Create and use netlink kobject uevent sockets.
+allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Set properties.
+set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported2_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
+set_prop(surfaceflinger, ctl_bootanim_prop)
+
+# Use open files supplied by an app.
+allow surfaceflinger appdomain:fd use;
+allow surfaceflinger app_data_file:file { read write };
+
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+ allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow surfaceflinger adbd:unix_stream_socket { read write getattr };
+
+# Allow a dumpstate triggered screenshot
+binder_call(surfaceflinger, dumpstate)
+binder_call(surfaceflinger, shell)
+r_dir_file(surfaceflinger, dumpstate)
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+
+# media.player service
+add_service(surfaceflinger, gpu_service)
+
+# do not use add_service() as hal_graphics_composer_default may be the
+# provider as well
+#add_service(surfaceflinger, surfaceflinger_service)
+allow surfaceflinger surfaceflinger_service:service_manager { add find };
+
+allow surfaceflinger mediaserver_service:service_manager find;
+allow surfaceflinger permission_service:service_manager find;
+allow surfaceflinger power_service:service_manager find;
+allow surfaceflinger vr_manager_service:service_manager find;
+allow surfaceflinger window_service:service_manager find;
+
+
+# allow self to set SCHED_FIFO
+allow surfaceflinger self:global_capability_class_set sys_nice;
+allow surfaceflinger proc_meminfo:file r_file_perms;
+r_dir_file(surfaceflinger, cgroup)
+r_dir_file(surfaceflinger, system_file)
+allow surfaceflinger tmpfs:dir r_dir_perms;
+allow surfaceflinger system_server:fd use;
+allow surfaceflinger ion_device:chr_file r_file_perms;
+
+# pdx IPC
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
+
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/prebuilts/api/28.0/private/system_app.te b/prebuilts/api/28.0/private/system_app.te
new file mode 100644
index 0000000..eb7e050
--- /dev/null
+++ b/prebuilts/api/28.0/private/system_app.te
@@ -0,0 +1,129 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+typeattribute system_app coredomain;
+
+app_domain(system_app)
+net_domain(system_app)
+binder_service(system_app)
+
+# android.ui and system.ui
+allow system_app rootfs:dir getattr;
+
+# Read and write /data/data subdirectory.
+allow system_app system_app_data_file:dir create_dir_perms;
+allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Read and write to /data/misc/user.
+allow system_app misc_user_data_file:dir create_dir_perms;
+allow system_app misc_user_data_file:file create_file_perms;
+
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
+# Read wallpaper file.
+allow system_app wallpaper_file:file r_file_perms;
+
+# Read icon file.
+allow system_app icon_file:file r_file_perms;
+
+# Write to properties
+set_prop(system_app, bluetooth_a2dp_offload_prop)
+set_prop(system_app, bluetooth_prop)
+set_prop(system_app, debug_prop)
+set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported2_system_prop)
+set_prop(system_app, exported3_system_prop)
+set_prop(system_app, logd_prop)
+set_prop(system_app, net_radio_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, exported_system_radio_prop)
+set_prop(system_app, log_tag_prop)
+userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
+auditallow system_app net_radio_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+auditallow system_app exported_system_radio_prop:property_service set;
+
+# ctl interface
+set_prop(system_app, ctl_default_prop)
+set_prop(system_app, ctl_bugreport_prop)
+
+# Create /data/anr/traces.txt.
+allow system_app anr_data_file:dir ra_dir_perms;
+allow system_app anr_data_file:file create_file_perms;
+
+# Settings need to access app name and icon from asec
+allow system_app asec_apk_file:file r_file_perms;
+
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
+# Allow system apps to interact with incidentd
+binder_call(system_app, incidentd)
+
+allow system_app servicemanager:service_manager list;
+# TODO: scope this down? Too broad?
+allow system_app {
+ service_manager_type
+ -dumpstate_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+# suppress denials for services system_app should not be accessing.
+dontaudit system_app {
+ dumpstate_service
+ installd_service
+ netd_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+allow system_app keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ user_changed
+};
+
+# settings app reads /proc/version
+allow system_app {
+ proc_version
+}:file r_file_perms;
+
+control_logd(system_app)
+read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
+
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
new file mode 100644
index 0000000..fa84c32
--- /dev/null
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -0,0 +1,868 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+
+typeattribute system_server coredomain;
+typeattribute system_server mlstrustedsubject;
+
+# Define a type for tmpfs-backed ashmem regions.
+tmpfs_domain(system_server)
+
+# Create a socket for connections from crash_dump.
+type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+
+allow system_server zygote_tmpfs:file read;
+
+# For art.
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file r_file_perms;
+
+# When running system server under --invoke-with, we'll try to load the boot image under the
+# system server domain, following links to the system partition.
+with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
+
+# /data/resource-cache
+allow system_server resourcecache_data_file:file r_file_perms;
+allow system_server resourcecache_data_file:dir r_dir_perms;
+
+# ptrace to processes in the same domain for debugging crashes.
+allow system_server self:process ptrace;
+
+# Child of the zygote.
+allow system_server zygote:fd use;
+allow system_server zygote:process sigchld;
+
+# May kill zygote on crashes.
+allow system_server zygote:process sigkill;
+allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
+
+# Read /system/bin/app_process.
+allow system_server zygote_exec:file r_file_perms;
+
+# Needed to close the zygote socket, which involves getopt / getattr
+allow system_server zygote:unix_stream_socket { getopt getattr };
+
+# system server gets network and bluetooth permissions.
+net_domain(system_server)
+# in addition to ioctls whitelisted for all domains, also allow system_server
+# to use privileged ioctls commands. Needed to set up VPNs.
+allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
+bluetooth_domain(system_server)
+
+# These are the capabilities assigned by the zygote to the
+# system server.
+allow system_server self:global_capability_class_set {
+ ipc_lock
+ kill
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+ sys_boot
+ sys_nice
+ sys_ptrace
+ sys_time
+ sys_tty_config
+};
+
+wakelock_use(system_server)
+
+# Trigger module auto-load.
+allow system_server kernel:system module_request;
+
+# Allow alarmtimers to be set
+allow system_server self:global_capability2_class_set wake_alarm;
+
+# Create and share netlink_netfilter_sockets for tetheroffload.
+allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+
+# Use netlink uevent sockets.
+allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Use generic netlink sockets.
+allow system_server self:netlink_socket create_socket_perms_no_ioctl;
+allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# libvintf reads the kernel config to verify vendor interface compatibility.
+allow system_server config_gz:file { read open };
+
+# Use generic "sockets" where the address family is not known
+# to the kernel. The ioctl permission is specifically omitted here, but may
+# be added to device specific policy along with the ioctl commands to be
+# whitelisted.
+allow system_server self:socket create_socket_perms_no_ioctl;
+
+# Set and get routes directly via netlink.
+allow system_server self:netlink_route_socket nlmsg_write;
+
+# Kill apps.
+allow system_server appdomain:process { getpgid sigkill signal };
+
+# Set scheduling info for apps.
+allow system_server appdomain:process { getsched setsched };
+allow system_server audioserver:process { getsched setsched };
+allow system_server hal_audio:process { getsched setsched };
+allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server mediacodec:process { getsched setsched };
+allow system_server cameraserver:process { getsched setsched };
+allow system_server hal_camera:process { getsched setsched };
+allow system_server mediaserver:process { getsched setsched };
+allow system_server bootanim:process { getsched setsched };
+
+# Allow system_server to write to /proc/<pid>/timerslack_ns
+allow system_server appdomain:file w_file_perms;
+allow system_server audioserver:file w_file_perms;
+allow system_server mediacodec:file w_file_perms;
+allow system_server cameraserver:file w_file_perms;
+allow system_server hal_audio_server:file w_file_perms;
+
+# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
+# within system_server to keep track of memory and CPU usage for
+# all processes on the device. In addition, /proc/pid files access is needed
+# for dumping stack traces of native processes.
+r_dir_file(system_server, domain)
+
+# Read/Write to /proc/net/xt_qtaguid/ctrl and and /dev/xt_qtaguid.
+allow system_server qtaguid_proc:file rw_file_perms;
+allow system_server qtaguid_device:chr_file rw_file_perms;
+
+# Write /proc/uid_cputime/remove_uid_range.
+allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
+
+# Write /proc/uid_procstat/set.
+allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
+
+# Write to /proc/sysrq-trigger.
+allow system_server proc_sysrq:file rw_file_perms;
+
+# Read /sys/kernel/debug/wakeup_sources.
+allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
+
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
+
+# The DhcpClient and WifiWatchdog use packet_sockets
+allow system_server self:packet_socket create_socket_perms_no_ioctl;
+
+# NetworkDiagnostics requires explicit bind() calls to ping sockets. These aren't actually the same
+# as raw sockets, but the kernel doesn't yet distinguish between the two.
+allow system_server node:rawip_socket node_bind;
+
+# 3rd party VPN clients require a tun_socket to be created
+allow system_server self:tun_socket create_socket_perms_no_ioctl;
+
+# Talk to init and various daemons via sockets.
+unix_socket_connect(system_server, lmkd, lmkd)
+unix_socket_connect(system_server, mtpd, mtp)
+unix_socket_connect(system_server, netd, netd)
+unix_socket_connect(system_server, zygote, zygote)
+unix_socket_connect(system_server, racoon, racoon)
+unix_socket_connect(system_server, uncrypt, uncrypt)
+
+# Communicate over a socket created by surfaceflinger.
+allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
+# Perform Binder IPC.
+binder_use(system_server)
+binder_call(system_server, appdomain)
+binder_call(system_server, binderservicedomain)
+binder_call(system_server, dumpstate)
+binder_call(system_server, fingerprintd)
+binder_call(system_server, gatekeeperd)
+binder_call(system_server, installd)
+binder_call(system_server, incidentd)
+binder_call(system_server, netd)
+binder_call(system_server, statsd)
+binder_call(system_server, storaged)
+binder_call(system_server, vold)
+binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
+binder_service(system_server)
+
+# Use HALs
+hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_authsecret)
+hal_client_domain(system_server, hal_broadcastradio)
+hal_client_domain(system_server, hal_configstore)
+hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_gnss)
+hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_health)
+hal_client_domain(system_server, hal_ir)
+hal_client_domain(system_server, hal_light)
+hal_client_domain(system_server, hal_memtrack)
+hal_client_domain(system_server, hal_neuralnetworks)
+hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
+allow system_server hal_omx_hwservice:hwservice_manager find;
+allow system_server hidl_token_hwservice:hwservice_manager find;
+hal_client_domain(system_server, hal_power)
+hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_tetheroffload)
+hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_tv_cec)
+hal_client_domain(system_server, hal_tv_input)
+hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
+hal_client_domain(system_server, hal_vibrator)
+hal_client_domain(system_server, hal_vr)
+hal_client_domain(system_server, hal_weaver)
+hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
+hal_client_domain(system_server, hal_wifi_offload)
+hal_client_domain(system_server, hal_wifi_supplicant)
+
+binder_call(system_server, mediacodec)
+
+# Talk with graphics composer fences
+allow system_server hal_graphics_composer:fd use;
+
+# Use RenderScript always-passthrough HAL
+allow system_server hal_renderscript_hwservice:hwservice_manager find;
+
+# Offer HwBinder services
+add_hwservice(system_server, fwk_scheduler_hwservice)
+add_hwservice(system_server, fwk_sensor_hwservice)
+
+# Talk to tombstoned to get ANR traces.
+unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
+
+# List HAL interfaces to get ANR traces.
+allow system_server hwservicemanager:hwservice_manager list;
+
+# Send signals to trigger ANR traces.
+allow system_server {
+ # This is derived from the list that system server defines as interesting native processes
+ # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediaserver
+ mediametrics
+ sdcardd
+ statsd
+ surfaceflinger
+
+ # This list comes from HAL_INTERFACES_OF_INTEREST in
+ # frameworks/base/services/core/java/com/android/server/Watchdog.java.
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process { signal };
+
+# Use sockets received over binder from various services.
+allow system_server audioserver:tcp_socket rw_socket_perms;
+allow system_server audioserver:udp_socket rw_socket_perms;
+allow system_server mediaserver:tcp_socket rw_socket_perms;
+allow system_server mediaserver:udp_socket rw_socket_perms;
+
+# Use sockets received over binder from various services.
+allow system_server mediadrmserver:tcp_socket rw_socket_perms;
+allow system_server mediadrmserver:udp_socket rw_socket_perms;
+
+# Get file context
+allow system_server file_contexts_file:file r_file_perms;
+# access for mac_permissions
+allow system_server mac_perms_file: file r_file_perms;
+# Check SELinux permissions.
+selinux_check_access(system_server)
+
+allow system_server sysfs_type:dir search;
+
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
+allow system_server sysfs_nfc_power_writable:file rw_file_perms;
+allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:dir search;
+allow system_server sysfs_power:file rw_file_perms;
+allow system_server sysfs_thermal:dir search;
+allow system_server sysfs_thermal:file r_file_perms;
+
+# TODO: Remove when HALs are forced into separate processes
+allow system_server sysfs_vibrator:file { write append };
+
+# TODO: added to match above sysfs rule. Remove me?
+allow system_server sysfs_usb:file w_file_perms;
+
+# Access devices.
+allow system_server device:dir r_dir_perms;
+allow system_server mdns_socket:sock_file rw_file_perms;
+allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server iio_device:chr_file rw_file_perms;
+allow system_server input_device:dir r_dir_perms;
+allow system_server input_device:chr_file rw_file_perms;
+allow system_server radio_device:chr_file r_file_perms;
+allow system_server tty_device:chr_file rw_file_perms;
+allow system_server usbaccessory_device:chr_file rw_file_perms;
+allow system_server video_device:dir r_dir_perms;
+allow system_server video_device:chr_file rw_file_perms;
+allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
+allow system_server audio_device:dir r_dir_perms;
+
+# write access needed for MIDI
+allow system_server audio_device:chr_file rw_file_perms;
+
+# tun device used for 3rd party vpn apps
+allow system_server tun_device:chr_file rw_file_perms;
+
+# Manage system data files.
+allow system_server system_data_file:dir create_dir_perms;
+allow system_server system_data_file:notdevfile_class_set create_file_perms;
+allow system_server keychain_data_file:dir create_dir_perms;
+allow system_server keychain_data_file:file create_file_perms;
+allow system_server keychain_data_file:lnk_file create_file_perms;
+
+# Manage /data/app.
+allow system_server apk_data_file:dir create_dir_perms;
+allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
+allow system_server apk_tmp_file:dir create_dir_perms;
+allow system_server apk_tmp_file:file create_file_perms;
+
+# Access /vendor/{app,framework,overlay}
+r_dir_file(system_server, vendor_app_file)
+r_dir_file(system_server, vendor_framework_file)
+r_dir_file(system_server, vendor_overlay_file)
+
+# Manage /data/app-private.
+allow system_server apk_private_data_file:dir create_dir_perms;
+allow system_server apk_private_data_file:file create_file_perms;
+allow system_server apk_private_tmp_file:dir create_dir_perms;
+allow system_server apk_private_tmp_file:file create_file_perms;
+
+# Manage files within asec containers.
+allow system_server asec_apk_file:dir create_dir_perms;
+allow system_server asec_apk_file:file create_file_perms;
+allow system_server asec_public_file:file create_file_perms;
+
+# Manage /data/anr.
+#
+# TODO: Some of these permissions can be withdrawn once we've switched to the
+# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
+# the system_server should never need to create a new anr_data_file:file or write
+# to one, but it will still need to read and append to existing files.
+allow system_server anr_data_file:dir create_dir_perms;
+allow system_server anr_data_file:file create_file_perms;
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow system_server to connect and write to the tombstoned java trace socket in
+# order to dump its traces. Also allow the system server to write its traces to
+# dumpstate during bugreport capture and incidentd during incident collection.
+unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
+allow system_server tombstoned:fd use;
+allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
+
+# Read /data/misc/incidents - only read. The fd will be sent over binder,
+# with no DAC access to it, for dropbox to read.
+allow system_server incident_data_file:file read;
+
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
+# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
+userdebug_or_eng(`
+ allow system_server perfprofd_data_file:file read;
+ allow system_server perfprofd:fd use;
+')
+
+# Manage /data/backup.
+allow system_server backup_data_file:dir create_dir_perms;
+allow system_server backup_data_file:file create_file_perms;
+
+# Write to /data/system/heapdump
+allow system_server heapdump_data_file:dir rw_dir_perms;
+allow system_server heapdump_data_file:file create_file_perms;
+
+# Manage /data/misc/adb.
+allow system_server adb_keys_file:dir create_dir_perms;
+allow system_server adb_keys_file:file create_file_perms;
+
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
+# Manage /data/misc/sms.
+# TODO: Split into a separate type?
+allow system_server radio_data_file:dir create_dir_perms;
+allow system_server radio_data_file:file create_file_perms;
+
+# Manage /data/misc/systemkeys.
+allow system_server systemkeys_data_file:dir create_dir_perms;
+allow system_server systemkeys_data_file:file create_file_perms;
+
+# Manage /data/misc/textclassifier.
+allow system_server textclassifier_data_file:dir create_dir_perms;
+allow system_server textclassifier_data_file:file create_file_perms;
+
+# Access /data/tombstones.
+allow system_server tombstone_data_file:dir r_dir_perms;
+allow system_server tombstone_data_file:file r_file_perms;
+
+# Manage /data/misc/vpn.
+allow system_server vpn_data_file:dir create_dir_perms;
+allow system_server vpn_data_file:file create_file_perms;
+
+# Manage /data/misc/wifi.
+allow system_server wifi_data_file:dir create_dir_perms;
+allow system_server wifi_data_file:file create_file_perms;
+
+# Manage /data/misc/zoneinfo.
+allow system_server zoneinfo_data_file:dir create_dir_perms;
+allow system_server zoneinfo_data_file:file create_file_perms;
+
+# Walk /data/data subdirectories.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:dir { getattr read search };
+# Also permit for unlabeled /data/data subdirectories and
+# for unlabeled asec containers on upgrades from 4.2.
+allow system_server unlabeled:dir r_dir_perms;
+# Read pkg.apk file before it has been relabeled by vold.
+allow system_server unlabeled:file r_file_perms;
+
+# Populate com.android.providers.settings/databases/settings.db.
+allow system_server system_app_data_file:dir create_dir_perms;
+allow system_server system_app_data_file:file create_file_perms;
+
+# Receive and use open app data files passed over binder IPC.
+# Types extracted from seapp_contexts type= fields.
+allow system_server { system_app_data_file bluetooth_data_file nfc_data_file radio_data_file shell_data_file app_data_file }:file { getattr read write append };
+
+# Access to /data/media for measuring disk usage.
+allow system_server media_rw_data_file:dir { search getattr open read };
+
+# Receive and use open /data/media files passed over binder IPC.
+# Also used for measuring disk usage.
+allow system_server media_rw_data_file:file { getattr read write append };
+
+# Relabel apk files.
+allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
+allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
+
+# Relabel wallpaper.
+allow system_server system_data_file:file relabelfrom;
+allow system_server wallpaper_file:file relabelto;
+allow system_server wallpaper_file:file { rw_file_perms rename unlink };
+
+# Backup of wallpaper imagery uses temporary hard links to avoid data churn
+allow system_server { system_data_file wallpaper_file }:file link;
+
+# ShortcutManager icons
+allow system_server system_data_file:dir relabelfrom;
+allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
+allow system_server shortcut_manager_icons:file create_file_perms;
+
+# Manage ringtones.
+allow system_server ringtone_file:dir { create_dir_perms relabelto };
+allow system_server ringtone_file:file create_file_perms;
+
+# Relabel icon file.
+allow system_server icon_file:file relabelto;
+allow system_server icon_file:file { rw_file_perms unlink };
+
+# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
+allow system_server system_data_file:dir relabelfrom;
+
+# Property Service write
+set_prop(system_server, system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported2_system_prop)
+set_prop(system_server, exported3_system_prop)
+set_prop(system_server, safemode_prop)
+set_prop(system_server, dhcp_prop)
+set_prop(system_server, net_radio_prop)
+set_prop(system_server, net_dns_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, exported_system_radio_prop)
+set_prop(system_server, debug_prop)
+set_prop(system_server, powerctl_prop)
+set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
+set_prop(system_server, device_logging_prop)
+set_prop(system_server, dumpstate_options_prop)
+set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
+set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
+userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
+
+# ctl interface
+set_prop(system_server, ctl_default_prop)
+set_prop(system_server, ctl_bugreport_prop)
+
+# cppreopt property
+set_prop(system_server, cppreopt_prop)
+
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read persist.sys.boot.reason
+get_prop(system_server, last_boot_reason_prop)
+
+# Collect metrics on boot time created by init
+get_prop(system_server, boottime_prop)
+
+# Read device's serial number from system properties
+get_prop(system_server, serialno_prop)
+
+# Read/write the property which keeps track of whether this is the first start of system_server
+set_prop(system_server, firstboot_prop)
+
+# Audio service in system server can read exported audio properties,
+# such as camera shutter enforcement
+get_prop(system_server, exported_audio_prop)
+
+# Create a socket for connections from debuggerd.
+allow system_server system_ndebug_socket:sock_file create_file_perms;
+
+# Manage cache files.
+allow system_server cache_file:lnk_file r_file_perms;
+allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
+allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
+allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
+
+allow system_server system_file:dir r_dir_perms;
+allow system_server system_file:lnk_file r_file_perms;
+
+# LocationManager(e.g, GPS) needs to read and write
+# to uart driver and ctrl proc entry
+allow system_server gps_control:file rw_file_perms;
+
+# Allow system_server to use app-created sockets and pipes.
+allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
+allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
+
+# BackupManagerService needs to manipulate backup data files
+allow system_server cache_backup_file:dir rw_dir_perms;
+allow system_server cache_backup_file:file create_file_perms;
+# LocalTransport works inside /cache/backup
+allow system_server cache_private_backup_file:dir create_dir_perms;
+allow system_server cache_private_backup_file:file create_file_perms;
+
+# Allow system to talk to usb device
+allow system_server usb_device:chr_file rw_file_perms;
+allow system_server usb_device:dir r_dir_perms;
+
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
+# Read and delete files under /dev/fscklogs.
+r_dir_file(system_server, fscklogs)
+allow system_server fscklogs:dir { write remove_name };
+allow system_server fscklogs:file unlink;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
+
+# Read from log daemon.
+read_logd(system_server)
+read_runtime_log_tags(system_server)
+
+# Be consistent with DAC permissions. Allow system_server to write to
+# /sys/module/lowmemorykiller/parameters/adj
+# /sys/module/lowmemorykiller/parameters/minfree
+allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow system_server pstorefs:dir r_dir_perms;
+allow system_server pstorefs:file r_file_perms;
+
+# /sys access
+allow system_server sysfs_zram:dir search;
+allow system_server sysfs_zram:file r_file_perms;
+
+add_service(system_server, system_server_service);
+allow system_server audioserver_service:service_manager find;
+allow system_server batteryproperties_service:service_manager find;
+allow system_server cameraserver_service:service_manager find;
+allow system_server drmserver_service:service_manager find;
+allow system_server dumpstate_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
+allow system_server gatekeeper_service:service_manager find;
+allow system_server incident_service:service_manager find;
+allow system_server installd_service:service_manager find;
+allow system_server keystore_service:service_manager find;
+allow system_server mediaserver_service:service_manager find;
+allow system_server mediametrics_service:service_manager find;
+allow system_server mediaextractor_service:service_manager find;
+allow system_server mediacodec_service:service_manager find;
+allow system_server mediadrmserver_service:service_manager find;
+allow system_server netd_service:service_manager find;
+allow system_server nfc_service:service_manager find;
+allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
+allow system_server storaged_service:service_manager find;
+allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
+allow system_server wificond_service:service_manager find;
+
+add_service(system_server, batteryproperties_service)
+
+allow system_server keystore:keystore_key {
+ get_state
+ get
+ insert
+ delete
+ exist
+ list
+ reset
+ password
+ lock
+ unlock
+ is_empty
+ sign
+ verify
+ grant
+ duplicate
+ clear_uid
+ add_auth
+ user_changed
+};
+
+# Allow system server to search and write to the persistent factory reset
+# protection partition. This block device does not get wiped in a factory reset.
+allow system_server block_device:dir search;
+allow system_server frp_block_device:blk_file rw_file_perms;
+
+# Clean up old cgroups
+allow system_server cgroup:dir { remove_name rmdir };
+
+# /oem access
+r_dir_file(system_server, oemfs)
+
+# Allow resolving per-user storage symlinks
+allow system_server { mnt_user_file storage_file }:dir { getattr search };
+allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
+
+# Allow statfs() on storage devices, which happens fast enough that
+# we shouldn't be killed during unsafe removal
+allow system_server sdcard_type:dir { getattr search };
+
+# Traverse into expanded storage
+allow system_server mnt_expand_file:dir r_dir_perms;
+
+# Allow system process to relabel the fingerprint directory after mkdir
+# and delete the directory and files when no longer needed
+allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
+allow system_server fingerprintd_data_file:file { getattr unlink };
+
+# Allow system process to read network MAC address
+allow system_server sysfs_mac_address:file r_file_perms;
+
+userdebug_or_eng(`
+ # Allow system server to create and write method traces in /data/misc/trace.
+ allow system_server method_trace_data_file:dir w_dir_perms;
+ allow system_server method_trace_data_file:file { create w_file_perms };
+
+ # Allow system server to read dmesg
+ allow system_server kernel:system syslog_read;
+
+ # Allow writing and removing window traces in /data/misc/wmtrace.
+ allow system_server wm_trace_data_file:dir rw_dir_perms;
+ allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
+')
+
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl getattr };
+allow system_server app_fuse_file:dir rw_dir_perms;
+allow system_server app_fuse_file:file { read write open getattr append };
+
+# For configuring sdcardfs
+allow system_server configfs:dir { create_dir_perms };
+allow system_server configfs:file { getattr open create unlink write };
+
+# Connect to adbd and use a socket transferred from it.
+# Used for e.g. jdwp.
+allow system_server adbd:unix_stream_socket connectto;
+allow system_server adbd:fd use;
+allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# Allow invoking tools like "timeout"
+allow system_server toolbox_exec:file rx_file_perms;
+
+# Postinstall
+#
+# For OTA dexopt, allow calls coming from postinstall.
+binder_call(system_server, postinstall)
+
+allow system_server postinstall:fifo_file write;
+allow system_server update_engine:fd use;
+allow system_server update_engine:fifo_file write;
+
+# Access to /data/preloads
+allow system_server preloads_data_file:file { r_file_perms unlink };
+allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow system_server preloads_media_file:file { r_file_perms unlink };
+allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+r_dir_file(system_server, cgroup)
+allow system_server ion_device:chr_file r_file_perms;
+
+r_dir_file(system_server, proc_asound)
+r_dir_file(system_server, proc_net)
+r_dir_file(system_server, proc_qtaguid_stat)
+allow system_server {
+ proc_loadavg
+ proc_meminfo
+ proc_pagetypeinfo
+ proc_pipe_conf
+ proc_stat
+ proc_uid_cputime_showstat
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_version
+ proc_vmallocinfo
+}:file r_file_perms;
+
+allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
+
+r_dir_file(system_server, rootfs)
+
+# Allow WifiService to start, stop, and read wifi-specific trace events.
+allow system_server debugfs_tracing_instances:dir search;
+allow system_server debugfs_wifi_tracing:dir search;
+allow system_server debugfs_wifi_tracing:file rw_file_perms;
+
+# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
+# asanwrapper.
+with_asan(`
+ allow system_server shell_exec:file rx_file_perms;
+ allow system_server asanwrapper_exec:file rx_file_perms;
+ allow system_server zygote_exec:file rx_file_perms;
+')
+
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:dir search;
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
+
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { getattr search };
+allow system_server user_profile_data_file:file { getattr open read };
+
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### system_server should NEVER do any of this
+
+# Do not allow opening files from external storage as unsafe ejection
+# could cause the kernel to kill the system_server.
+neverallow system_server sdcard_type:dir { open read write };
+neverallow system_server sdcard_type:file rw_file_perms;
+
+# system server should never be operating on zygote spawned app data
+# files directly. Rather, they should always be passed via a
+# file descriptor.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
+neverallow system_server { bluetooth_data_file nfc_data_file shell_data_file app_data_file }:file { open create unlink link };
+
+# Forking and execing is inherently dangerous and racy. See, for
+# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
+# Prevent the addition of new file execs to stop the problem from
+# getting worse. b/28035297
+neverallow system_server {
+ file_type
+ -toolbox_exec
+ -logcat_exec
+ with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
+}:file execute_no_trans;
+
+# Ensure that system_server doesn't perform any domain transitions other than
+# transitioning to the crash_dump domain when a crash occurs.
+neverallow system_server { domain -crash_dump }:process transition;
+neverallow system_server *:process dyntransition;
+
+# Only allow crash_dump to connect to system_ndebug_socket.
+neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+
+# system_server should never be executing dex2oat. This is either
+# a bug (for example, bug 16317188), or represents an attempt by
+# system server to dynamically load a dex file, something we do not
+# want to allow.
+neverallow system_server dex2oat_exec:file no_x_file_perms;
+
+# system_server should never execute or load executable shared libraries
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
+
+# The only block device system_server should be accessing is
+# the frp_block_device. This helps avoid a system_server to root
+# escalation by writing to raw block devices.
+neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
+
+# system_server should never use JIT functionality
+neverallow system_server self:process execmem;
+neverallow system_server ashmem_device:chr_file execute;
+
+# TODO: deal with tmpfs_domain pub/priv split properly
+neverallow system_server system_server_tmpfs:file execute;
+
+# dexoptanalyzer is currently used only for secondary dex files which
+# system_server should never access.
+neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
+
+# No ptracing others
+neverallow system_server { domain -system_server }:process ptrace;
+
+# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
+# file read access. However, that is now unnecessary (b/34951864)
+neverallow system_server system_server:global_capability_class_set sys_resource;
diff --git a/prebuilts/api/28.0/private/technical_debt.cil b/prebuilts/api/28.0/private/technical_debt.cil
new file mode 100644
index 0000000..7f9d315
--- /dev/null
+++ b/prebuilts/api/28.0/private/technical_debt.cil
@@ -0,0 +1,38 @@
+; THIS IS A WORKAROUND for the current limitations of the module policy language
+; This should be used sparingly until we figure out a saner way to achieve the
+; stuff below, for example, by improving typeattribute statement of module
+; language.
+;
+; NOTE: This file has no effect on recovery policy.
+
+; Apps, except isolated apps, are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_allocator_client;
+; typeattribute hal_allocator_client halclientdomain;
+(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
+(typeattributeset halclientdomain (hal_allocator_client))
+
+; Apps, except isolated apps, are clients of Configstore HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_configstore_client;
+(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Graphics Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
+(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
+
+; Apps, except isolated apps, are clients of Cas HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_cas_client;
+(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
+
+; Domains hosting Camera HAL implementations are clients of Allocator HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute hal_camera hal_allocator_client;
+(typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/prebuilts/api/28.0/private/thermalserviced.te b/prebuilts/api/28.0/private/thermalserviced.te
new file mode 100644
index 0000000..1a09e20
--- /dev/null
+++ b/prebuilts/api/28.0/private/thermalserviced.te
@@ -0,0 +1,4 @@
+typeattribute thermalserviced coredomain;
+
+init_daemon_domain(thermalserviced)
+
diff --git a/prebuilts/api/28.0/private/tombstoned.te b/prebuilts/api/28.0/private/tombstoned.te
new file mode 100644
index 0000000..305f9d0
--- /dev/null
+++ b/prebuilts/api/28.0/private/tombstoned.te
@@ -0,0 +1,3 @@
+typeattribute tombstoned coredomain;
+
+init_daemon_domain(tombstoned)
diff --git a/prebuilts/api/28.0/private/toolbox.te b/prebuilts/api/28.0/private/toolbox.te
new file mode 100644
index 0000000..a2b958d
--- /dev/null
+++ b/prebuilts/api/28.0/private/toolbox.te
@@ -0,0 +1,3 @@
+typeattribute toolbox coredomain;
+
+init_daemon_domain(toolbox)
diff --git a/prebuilts/api/28.0/private/traced.te b/prebuilts/api/28.0/private/traced.te
new file mode 100644
index 0000000..49edc51
--- /dev/null
+++ b/prebuilts/api/28.0/private/traced.te
@@ -0,0 +1,60 @@
+# Perfetto user-space tracing daemon (unprivileged)
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced perfetto_traces_data_file:file { read write };
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
new file mode 100644
index 0000000..5d80f7e
--- /dev/null
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -0,0 +1,99 @@
+# Perfetto tracing probes, has tracefs access.
+type traced_probes_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow traced_probes traced:fd use;
+allow traced_probes traced_tmpfs:file { read write getattr map };
+unix_socket_connect(traced_probes, traced_producer, traced)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the blacklist/whitelist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Allow traced_probes to start with a higher scheduling class and then downgrade
+# itself.
+allow traced_probes self:global_capability_class_set { sys_nice };
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes dalvikcache_data_file:dir { getattr open read search };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read search };
+')
+allow traced_probes system_app_data_file:dir { getattr open read search };
+allow traced_probes backup_data_file:dir { getattr open read search };
+allow traced_probes bootstat_data_file:dir { getattr open read search };
+allow traced_probes update_engine_data_file:dir { getattr open read search };
+allow traced_probes update_engine_log_data_file:dir { getattr open read search };
+allow traced_probes user_profile_data_file:dir { getattr open read search };
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced_probes self:process execmem;
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -apk_data_file
+ -dalvikcache_data_file
+ -system_data_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
diff --git a/prebuilts/api/28.0/private/traceur_app.te b/prebuilts/api/28.0/private/traceur_app.te
new file mode 100644
index 0000000..a3c435c
--- /dev/null
+++ b/prebuilts/api/28.0/private/traceur_app.te
@@ -0,0 +1,15 @@
+typeattribute traceur_app coredomain;
+
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
diff --git a/prebuilts/api/28.0/private/tzdatacheck.te b/prebuilts/api/28.0/private/tzdatacheck.te
new file mode 100644
index 0000000..502735c
--- /dev/null
+++ b/prebuilts/api/28.0/private/tzdatacheck.te
@@ -0,0 +1,3 @@
+typeattribute tzdatacheck coredomain;
+
+init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/28.0/private/ueventd.te b/prebuilts/api/28.0/private/ueventd.te
new file mode 100644
index 0000000..1bd6773
--- /dev/null
+++ b/prebuilts/api/28.0/private/ueventd.te
@@ -0,0 +1,3 @@
+typeattribute ueventd coredomain;
+
+tmpfs_domain(ueventd)
diff --git a/prebuilts/api/28.0/private/uncrypt.te b/prebuilts/api/28.0/private/uncrypt.te
new file mode 100644
index 0000000..e4e9224
--- /dev/null
+++ b/prebuilts/api/28.0/private/uncrypt.te
@@ -0,0 +1,3 @@
+typeattribute uncrypt coredomain;
+
+init_daemon_domain(uncrypt)
diff --git a/prebuilts/api/28.0/private/untrusted_app.te b/prebuilts/api/28.0/private/untrusted_app.te
new file mode 100644
index 0000000..c15fa22
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app.te
@@ -0,0 +1,25 @@
+###
+### Untrusted apps.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app coredomain;
+
+app_domain(untrusted_app)
+untrusted_app_domain(untrusted_app)
+net_domain(untrusted_app)
+bluetooth_domain(untrusted_app)
diff --git a/prebuilts/api/28.0/private/untrusted_app_25.te b/prebuilts/api/28.0/private/untrusted_app_25.te
new file mode 100644
index 0000000..ba2c1e1
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_25.te
@@ -0,0 +1,42 @@
+###
+### Untrusted_app_25
+###
+### This file defines the rules for untrusted apps running with
+### targetSdkVersion <= 25.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_25 coredomain;
+
+app_domain(untrusted_app_25)
+untrusted_app_domain(untrusted_app_25)
+net_domain(untrusted_app_25)
+bluetooth_domain(untrusted_app_25)
+
+# b/34115651 - net.dns* properties read
+# This will go away in a future Android release
+get_prop(untrusted_app_25, net_dns_prop)
+
+# b/35917228 - /proc/misc access
+# This will go away in a future Android release
+allow untrusted_app_25 proc_misc:file r_file_perms;
+
+# Access to /proc/tty/drivers, to allow apps to determine if they
+# are running in an emulated environment.
+# b/33214085 b/33814662 b/33791054 b/33211769
+# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
+# This will go away in a future Android release
+allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
diff --git a/prebuilts/api/28.0/private/untrusted_app_27.te b/prebuilts/api/28.0/private/untrusted_app_27.te
new file mode 100644
index 0000000..79c7762
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_27.te
@@ -0,0 +1,28 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_27 domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/prebuilts/api/28.0/private/untrusted_app_all.te b/prebuilts/api/28.0/private/untrusted_app_all.te
new file mode 100644
index 0000000..6cf1668
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_app_all.te
@@ -0,0 +1,140 @@
+###
+### Untrusted_app_all.
+###
+### This file defines the rules shared by all untrusted app domains except
+### apps which target the v2 security sandbox (ephemeral_app for instant apps,
+### untrusted_v2_app for fully installed v2 apps).
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_all attribute is assigned to all default
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### attribute is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+### Note that rules that should apply to all untrusted apps must be in app.te or also
+### added to untrusted_v2_app.te and ephemeral_app.te.
+
+# Legacy text relocations
+allow untrusted_app_all apk_data_file:file execmod;
+
+# Some apps ship with shared libraries and binaries that they write out
+# to their sandbox directory and then execute.
+allow untrusted_app_all app_data_file:file { rx_file_perms execmod };
+
+# ASEC
+allow untrusted_app_all asec_apk_file:file r_file_perms;
+allow untrusted_app_all asec_apk_file:dir r_dir_perms;
+# Execute libs in asec containers.
+allow untrusted_app_all asec_public_file:file { execute execmod };
+
+# Used by Finsky / Android "Verify Apps" functionality when
+# running "adb install foo.apk".
+# TODO: Long term, we don't want apps probing into shell data files.
+# Figure out a way to remove these rules.
+allow untrusted_app_all shell_data_file:file r_file_perms;
+allow untrusted_app_all shell_data_file:dir r_dir_perms;
+
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
+# Allow to read staged apks.
+allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_app_all system_app_data_file:file { read write getattr };
+
+#
+# Rules migrated from old app domains coalesced into untrusted_app.
+# This includes what used to be media_app, shared_app, and release_app.
+#
+
+# Access to /data/media.
+allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
+allow untrusted_app_all media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_app_all servicemanager:service_manager list;
+
+allow untrusted_app_all audioserver_service:service_manager find;
+allow untrusted_app_all cameraserver_service:service_manager find;
+allow untrusted_app_all drmserver_service:service_manager find;
+allow untrusted_app_all mediaserver_service:service_manager find;
+allow untrusted_app_all mediaextractor_service:service_manager find;
+allow untrusted_app_all mediacodec_service:service_manager find;
+allow untrusted_app_all mediametrics_service:service_manager find;
+allow untrusted_app_all mediadrmserver_service:service_manager find;
+allow untrusted_app_all nfc_service:service_manager find;
+allow untrusted_app_all radio_service:service_manager find;
+allow untrusted_app_all app_api_service:service_manager find;
+allow untrusted_app_all vr_manager_service:service_manager find;
+
+# Allow GMS core to access perfprofd output, which is stored
+# in /data/misc/perfprofd/. GMS core will need to list all
+# data stored in that directory to process them one by one.
+userdebug_or_eng(`
+ allow untrusted_app_all perfprofd_data_file:file r_file_perms;
+ allow untrusted_app_all perfprofd_data_file:dir r_dir_perms;
+')
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_app_all self:process ptrace;
+
+# Cts: HwRngTest
+allow untrusted_app_all sysfs_hwrandom:dir search;
+allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
+
+# Allow apps to view preloaded media content
+allow untrusted_app_all preloads_media_file:dir r_dir_perms;
+allow untrusted_app_all preloads_media_file:file r_file_perms;
+allow untrusted_app_all preloads_data_file:dir search;
+
+# Allow untrusted apps read / execute access to /vendor/app for there can
+# be pre-installed vendor apps that package a library within themselves.
+# TODO (b/37784178) Consider creating a special type for /vendor/app installed
+# apps.
+allow untrusted_app_all vendor_app_file:dir { open getattr read search };
+allow untrusted_app_all vendor_app_file:file { open getattr read execute };
+allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_app_all traced:fd use;
+allow untrusted_app_all traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
diff --git a/prebuilts/api/28.0/private/untrusted_v2_app.te b/prebuilts/api/28.0/private/untrusted_v2_app.te
new file mode 100644
index 0000000..8f4bceb
--- /dev/null
+++ b/prebuilts/api/28.0/private/untrusted_v2_app.te
@@ -0,0 +1,47 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+typeattribute untrusted_v2_app coredomain;
+
+app_domain(untrusted_v2_app)
+net_domain(untrusted_v2_app)
+bluetooth_domain(untrusted_v2_app)
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow untrusted_v2_app system_app_data_file:file { read write getattr };
+
+# Access to /data/media.
+allow untrusted_v2_app media_rw_data_file:dir create_dir_perms;
+allow untrusted_v2_app media_rw_data_file:file create_file_perms;
+
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_v2_app mnt_media_rw_file:dir search;
+
+# allow cts to query all services
+allow untrusted_v2_app servicemanager:service_manager list;
+
+allow untrusted_v2_app audioserver_service:service_manager find;
+allow untrusted_v2_app cameraserver_service:service_manager find;
+allow untrusted_v2_app drmserver_service:service_manager find;
+allow untrusted_v2_app mediaserver_service:service_manager find;
+allow untrusted_v2_app mediaextractor_service:service_manager find;
+allow untrusted_v2_app mediacodec_service:service_manager find;
+allow untrusted_v2_app mediametrics_service:service_manager find;
+allow untrusted_v2_app mediadrmserver_service:service_manager find;
+allow untrusted_v2_app nfc_service:service_manager find;
+allow untrusted_v2_app radio_service:service_manager find;
+# TODO: potentially provide a tighter list of services here
+allow untrusted_v2_app app_api_service:service_manager find;
+
+# gdbserver for ndk-gdb ptrace attaches to app process.
+allow untrusted_v2_app self:process ptrace;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_v2_app traced:fd use;
+allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_v2_app, traced_producer, traced)
diff --git a/prebuilts/api/28.0/private/update_engine.te b/prebuilts/api/28.0/private/update_engine.te
new file mode 100644
index 0000000..5af7db6
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_engine.te
@@ -0,0 +1,3 @@
+typeattribute update_engine coredomain;
+
+init_daemon_domain(update_engine);
diff --git a/prebuilts/api/28.0/private/update_engine_common.te b/prebuilts/api/28.0/private/update_engine_common.te
new file mode 100644
index 0000000..a7fb584
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_engine_common.te
@@ -0,0 +1,5 @@
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
+domain_auto_trans(update_engine_common, postinstall_file, postinstall)
diff --git a/prebuilts/api/28.0/private/update_verifier.te b/prebuilts/api/28.0/private/update_verifier.te
new file mode 100644
index 0000000..1b934d9
--- /dev/null
+++ b/prebuilts/api/28.0/private/update_verifier.te
@@ -0,0 +1,3 @@
+typeattribute update_verifier coredomain;
+
+init_daemon_domain(update_verifier)
diff --git a/prebuilts/api/28.0/private/usbd.te b/prebuilts/api/28.0/private/usbd.te
new file mode 100644
index 0000000..13a0ad7
--- /dev/null
+++ b/prebuilts/api/28.0/private/usbd.te
@@ -0,0 +1,12 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
diff --git a/prebuilts/api/28.0/private/users b/prebuilts/api/28.0/private/users
new file mode 100644
index 0000000..51b7b57
--- /dev/null
+++ b/prebuilts/api/28.0/private/users
@@ -0,0 +1 @@
+user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/28.0/private/vdc.te b/prebuilts/api/28.0/private/vdc.te
new file mode 100644
index 0000000..bc7409e
--- /dev/null
+++ b/prebuilts/api/28.0/private/vdc.te
@@ -0,0 +1,3 @@
+typeattribute vdc coredomain;
+
+init_daemon_domain(vdc)
diff --git a/prebuilts/api/28.0/private/vendor_init.te b/prebuilts/api/28.0/private/vendor_init.te
new file mode 100644
index 0000000..50efc22
--- /dev/null
+++ b/prebuilts/api/28.0/private/vendor_init.te
@@ -0,0 +1,4 @@
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
diff --git a/prebuilts/api/28.0/private/virtual_touchpad.te b/prebuilts/api/28.0/private/virtual_touchpad.te
new file mode 100644
index 0000000..e735172
--- /dev/null
+++ b/prebuilts/api/28.0/private/virtual_touchpad.te
@@ -0,0 +1,3 @@
+typeattribute virtual_touchpad coredomain;
+
+init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/28.0/private/vold.te b/prebuilts/api/28.0/private/vold.te
new file mode 100644
index 0000000..a6d1001
--- /dev/null
+++ b/prebuilts/api/28.0/private/vold.te
@@ -0,0 +1,19 @@
+typeattribute vold coredomain;
+
+init_daemon_domain(vold)
+
+# Switch to more restrictive domains when executing common tools
+domain_auto_trans(vold, sgdisk_exec, sgdisk);
+domain_auto_trans(vold, sdcardd_exec, sdcardd);
+
+# For a handful of probing tools, we choose an even more restrictive
+# domain when working with untrusted block devices
+domain_trans(vold, shell_exec, blkid);
+domain_trans(vold, shell_exec, blkid_untrusted);
+domain_trans(vold, fsck_exec, fsck);
+domain_trans(vold, fsck_exec, fsck_untrusted);
+
+# Newly created storage dirs are always treated as mount stubs to prevent us
+# from accidentally writing when the mount point isn't present.
+type_transition vold storage_file:dir storage_stub_file;
+type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
diff --git a/prebuilts/api/28.0/private/vold_prepare_subdirs.te b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
new file mode 100644
index 0000000..0a11558
--- /dev/null
+++ b/prebuilts/api/28.0/private/vold_prepare_subdirs.te
@@ -0,0 +1,26 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
+ storaged_data_file
+ vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
+ storaged_data_file
+ system_data_file
+ vold_data_file
+}:file { getattr unlink };
diff --git a/prebuilts/api/28.0/private/vr_hwc.te b/prebuilts/api/28.0/private/vr_hwc.te
new file mode 100644
index 0000000..053c03d
--- /dev/null
+++ b/prebuilts/api/28.0/private/vr_hwc.te
@@ -0,0 +1,6 @@
+typeattribute vr_hwc coredomain;
+
+# Daemon started by init.
+init_daemon_domain(vr_hwc)
+
+hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/28.0/private/wait_for_keymaster.te b/prebuilts/api/28.0/private/wait_for_keymaster.te
new file mode 100644
index 0000000..8b8dd29
--- /dev/null
+++ b/prebuilts/api/28.0/private/wait_for_keymaster.te
@@ -0,0 +1,9 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/28.0/private/watchdogd.te b/prebuilts/api/28.0/private/watchdogd.te
new file mode 100644
index 0000000..36dd30f
--- /dev/null
+++ b/prebuilts/api/28.0/private/watchdogd.te
@@ -0,0 +1 @@
+typeattribute watchdogd coredomain;
diff --git a/prebuilts/api/28.0/private/webview_zygote.te b/prebuilts/api/28.0/private/webview_zygote.te
new file mode 100644
index 0000000..55b268a
--- /dev/null
+++ b/prebuilts/api/28.0/private/webview_zygote.te
@@ -0,0 +1,140 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+typeattribute webview_zygote coredomain;
+
+# The webview_zygote needs to be able to transition domains.
+typeattribute webview_zygote mlstrustedsubject;
+
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(webview_zygote);
+
+# Allow reading/executing installed binaries to enable preloading the
+# installed WebView implementation.
+allow webview_zygote apk_data_file:dir r_dir_perms;
+allow webview_zygote apk_data_file:file { r_file_perms execute };
+
+# Access to the WebView relro file.
+allow webview_zygote shared_relro_file:dir search;
+allow webview_zygote shared_relro_file:file r_file_perms;
+
+# Set the UID/GID of the process.
+allow webview_zygote self:global_capability_class_set { setgid setuid };
+# Drop capabilities from bounding set.
+allow webview_zygote self:global_capability_class_set setpcap;
+# Switch SELinux context to app domains.
+allow webview_zygote self:process setcurrent;
+allow webview_zygote isolated_app:process dyntransition;
+
+# For art.
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
+
+# Allow webview_zygote to stat the files that it opens. It must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow webview_zygote debugfs_trace_marker:file getattr;
+
+# Allow webview_zygote to manage the pgroup of its children.
+allow webview_zygote system_server:process getpgid;
+
+# Interaction between the webview_zygote and its children.
+allow webview_zygote isolated_app:process setpgid;
+
+# TODO (b/63631799) fix this access
+# Suppress denials to storage. Webview zygote should not be accessing.
+dontaudit webview_zygote mnt_expand_file:dir getattr;
+
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
+# Get seapp_contexts
+allow webview_zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(webview_zygote)
+# Check SELinux permissions.
+selinux_check_access(webview_zygote)
+
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
+#####
+##### Neverallow
+#####
+
+# Only permit transition to isolated_app.
+neverallow webview_zygote { domain -isolated_app }:process dyntransition;
+
+# Only setcon() transitions, no exec() based transitions, except for crash_dump.
+neverallow webview_zygote { domain -crash_dump }:process transition;
+
+# Must not exec() a program without changing domains.
+# Having said that, exec() above is not allowed.
+neverallow webview_zygote *:file execute_no_trans;
+
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
+
+# Disallow write access to properties.
+neverallow webview_zygote property_socket:sock_file write;
+neverallow webview_zygote property_type:property_service set;
+
+# Should not have any access to app data files.
+neverallow webview_zygote {
+ app_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
+
+neverallow webview_zygote {
+ service_manager_type
+ -activity_service
+ -webviewupdate_service
+}:service_manager find;
+
+# Isolated apps shouldn't be able to access the driver directly.
+neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
+
+# Do not allow webview_zygote access to /cache.
+neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
+neverallow webview_zygote cache_file:file ~{ read getattr };
+
+# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
+# unix_stream_socket, and netlink_selinux_socket.
+neverallow webview_zygote domain:{
+ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
+ appletalk_socket netlink_route_socket netlink_tcpdiag_socket
+ netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
+ netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
+ netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
+ sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
+ x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
+ pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
+ rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
+ alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
+} *;
+
+# Do not allow access to Bluetooth-related system properties.
+# neverallow rules for Bluetooth-related data files are listed above.
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/28.0/private/wificond.te b/prebuilts/api/28.0/private/wificond.te
new file mode 100644
index 0000000..cc76447
--- /dev/null
+++ b/prebuilts/api/28.0/private/wificond.te
@@ -0,0 +1,4 @@
+typeattribute wificond coredomain;
+
+init_daemon_domain(wificond)
+hal_client_domain(wificond, hal_wifi_offload)
diff --git a/prebuilts/api/28.0/private/wpantund.te b/prebuilts/api/28.0/private/wpantund.te
new file mode 100644
index 0000000..e91662c
--- /dev/null
+++ b/prebuilts/api/28.0/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/prebuilts/api/28.0/private/zygote.te b/prebuilts/api/28.0/private/zygote.te
new file mode 100644
index 0000000..2dcbdf1
--- /dev/null
+++ b/prebuilts/api/28.0/private/zygote.te
@@ -0,0 +1,140 @@
+# zygote
+typeattribute zygote coredomain;
+typeattribute zygote mlstrustedsubject;
+
+init_daemon_domain(zygote)
+
+read_runtime_log_tags(zygote)
+
+# Override DAC on files and switch uid/gid.
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
+
+# Drop capabilities from bounding set.
+allow zygote self:global_capability_class_set setpcap;
+
+# Switch SELinux context to app domains.
+allow zygote self:process setcurrent;
+allow zygote system_server:process dyntransition;
+allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
+
+# Allow zygote to read app /proc/pid dirs (b/10455872).
+allow zygote appdomain:dir { getattr search };
+allow zygote appdomain:file { r_file_perms };
+
+# Move children into the peer process group.
+allow zygote system_server:process { getpgid setpgid };
+allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
+
+# Read system data.
+allow zygote system_data_file:dir r_dir_perms;
+allow zygote system_data_file:file r_file_perms;
+
+# Write to /data/dalvik-cache.
+allow zygote dalvikcache_data_file:dir create_dir_perms;
+allow zygote dalvikcache_data_file:file create_file_perms;
+
+# Create symlinks in /data/dalvik-cache.
+allow zygote dalvikcache_data_file:lnk_file create_file_perms;
+
+# Write to /data/resource-cache.
+allow zygote resourcecache_data_file:dir rw_dir_perms;
+allow zygote resourcecache_data_file:file create_file_perms;
+
+# When WITH_DEXPREOPT is true, the zygote does not load executable content from
+# /data/dalvik-cache.
+allow { zygote with_dexpreopt(`-zygote') } dalvikcache_data_file:file execute;
+
+# Execute idmap and dex2oat within zygote's own domain.
+# TODO: Should either of these be transitioned to the same domain
+# used by installd or stay in-domain for zygote?
+allow zygote idmap_exec:file rx_file_perms;
+allow zygote dex2oat_exec:file rx_file_perms;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(zygote, vendor_overlay_file)
+
+# Control cgroups.
+allow zygote cgroup:dir create_dir_perms;
+allow zygote cgroup:{ file lnk_file } r_file_perms;
+allow zygote self:global_capability_class_set sys_admin;
+
+# Allow zygote to stat the files that it opens. The zygote must
+# be able to inspect them so that it can reopen them on fork
+# if necessary: b/30963384.
+allow zygote pmsg_device:chr_file getattr;
+allow zygote debugfs_trace_marker:file getattr;
+
+# Get seapp_contexts
+allow zygote seapp_contexts_file:file r_file_perms;
+# Check validity of SELinux context before use.
+selinux_check_context(zygote)
+# Check SELinux permissions.
+selinux_check_access(zygote)
+
+# Native bridge functionality requires that zygote replaces
+# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
+allow zygote proc_cpuinfo:file mounton;
+
+# Allow remounting rootfs as MS_SLAVE.
+allow zygote rootfs:dir mounton;
+allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
+allow zygote sdcardfs:filesystem { unmount };
+
+# Allow creating user-specific storage source if started before vold.
+allow zygote mnt_user_file:dir create_dir_perms;
+allow zygote mnt_user_file:lnk_file create_file_perms;
+# Allowed to mount user-specific storage into place
+allow zygote storage_file:dir { search mounton };
+
+# Handle --invoke-with command when launching Zygote with a wrapper command.
+allow zygote zygote_exec:file rx_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(zygote, proc_net)
+
+# Root fs.
+r_dir_file(zygote, rootfs)
+
+# System file accesses.
+r_dir_file(zygote, system_file)
+
+userdebug_or_eng(`
+ # Allow zygote to create and write method traces in /data/misc/trace.
+ allow zygote method_trace_data_file:dir w_dir_perms;
+ allow zygote method_trace_data_file:file { create w_file_perms };
+')
+
+allow zygote ion_device:chr_file r_file_perms;
+allow zygote tmpfs:dir r_dir_perms;
+
+# Let the zygote access overlays so it can initialize the AssetManager.
+get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
+
+###
+### neverallow rules
+###
+
+# Ensure that all types assigned to app processes are included
+# in the appdomain attribute, so that all allow and neverallow rules
+# written on appdomain are applied to all app processes.
+# This is achieved by ensuring that it is impossible for zygote to
+# setcon (dyntransition) to any types other than those associated
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
+
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
+neverallow zygote {
+ data_file_type
+ -dalvikcache_data_file # map PROT_EXEC
+}:file no_x_file_perms;
+
+# Do not allow access to Bluetooth-related system properties and files
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/prebuilts/api/28.0/public/adbd.te b/prebuilts/api/28.0/public/adbd.te
new file mode 100644
index 0000000..95854c0
--- /dev/null
+++ b/prebuilts/api/28.0/public/adbd.te
@@ -0,0 +1,4 @@
+# adbd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type adbd, domain;
+type adbd_exec, exec_type, file_type;
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
new file mode 100644
index 0000000..439c1f8
--- /dev/null
+++ b/prebuilts/api/28.0/public/app.te
@@ -0,0 +1,572 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain ashmem_device:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_proc:file rw_file_perms;
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
+# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
+# Exclude isolated app which may not use network sockets.
+r_dir_file({
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+}, proc_qtaguid_stat)
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_device:chr_file r_file_perms;
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow appdomain
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow appdomain { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/prebuilts/api/28.0/public/asan_extract.te b/prebuilts/api/28.0/public/asan_extract.te
new file mode 100644
index 0000000..15c5a09
--- /dev/null
+++ b/prebuilts/api/28.0/public/asan_extract.te
@@ -0,0 +1,36 @@
+# asan_extract
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+with_asan(`
+ type asan_extract, domain, coredomain;
+ type asan_extract_exec, exec_type, file_type;
+
+ # Allow asan_extract to execute itself using #!/system/bin/sh
+ allow asan_extract shell_exec:file rx_file_perms;
+
+ # We execute log, rm, gzip and tar.
+ allow asan_extract toolbox_exec:file rx_file_perms;
+ allow asan_extract system_file:file execute_no_trans;
+
+ # asan_extract deletes old /data/lib.
+ allow asan_extract system_file:dir { open read remove_name rmdir write };
+ allow asan_extract system_file:file unlink;
+
+ # asan_extract untars ASAN libraries into /data.
+ allow asan_extract system_data_file:dir create_dir_perms ;
+ allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
+
+ # Relabel the libraries with restorecon.
+ allow asan_extract file_contexts_file:file r_file_perms;
+ allow asan_extract system_data_file:{ dir file } relabelfrom;
+ allow asan_extract system_file:dir { relabelto setattr };
+ allow asan_extract system_file:file relabelto;
+
+ # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
+ allow asan_extract system_data_file:file execute;
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
+')
diff --git a/prebuilts/api/28.0/public/attributes b/prebuilts/api/28.0/public/attributes
new file mode 100644
index 0000000..0c7ca2e
--- /dev/null
+++ b/prebuilts/api/28.0/public/attributes
@@ -0,0 +1,311 @@
+######################################
+# Attribute declarations
+#
+
+# All types used for devices.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# in tools/checkfc.c
+attribute dev_type;
+
+# All types used for processes.
+attribute domain;
+
+# All types used for filesystems.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute fs_type;
+
+# All types used for context= mounts.
+attribute contextmount_type;
+
+# All types used for files that can exist on a labeled fs.
+# Do not use for pseudo file types.
+# On change, update CHECK_FC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute file_type;
+
+# All types used for domain entry points.
+attribute exec_type;
+
+# All types used for /data files.
+attribute data_file_type;
+expandattribute data_file_type false;
+# All types in /data, not in /data/vendor
+attribute core_data_file_type;
+expandattribute core_data_file_type false;
+# All types in /vendor
+attribute vendor_file_type;
+
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# All types used for sysfs files.
+attribute sysfs_type;
+
+# All types use for debugfs files.
+attribute debugfs_type;
+
+# Attribute used for all sdcards
+attribute sdcard_type;
+
+# All types used for nodes/hosts.
+attribute node_type;
+
+# All types used for network interfaces.
+attribute netif_type;
+
+# All types used for network ports.
+attribute port_type;
+
+# All types used for property service
+# On change, update CHECK_PC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute property_type;
+
+# All properties defined in core SELinux policy. Should not be
+# used by device specific properties
+attribute core_property_type;
+
+# All properties used to configure log filtering.
+attribute log_property_type;
+
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
+# All service_manager types created by system_server
+attribute system_server_service;
+
+# services which should be available to all but isolated apps
+attribute app_api_service;
+
+# services which should be available to all ephemeral apps
+attribute ephemeral_app_api_service;
+
+# services which export only system_api
+attribute system_api_service;
+
+# All types used for services managed by servicemanager.
+# On change, update CHECK_SC_ASSERT_ATTRS
+# definition in tools/checkfc.c.
+attribute service_manager_type;
+
+# All types used for services managed by hwservicemanager
+attribute hwservice_manager_type;
+
+# All HwBinder services guaranteed to be passthrough. These services always run
+# in the process of their clients, and thus operate with the same access as
+# their clients.
+attribute same_process_hwservice;
+
+# All HwBinder services guaranteed to be offered only by core domain components
+attribute coredomain_hwservice;
+
+# All types used for services managed by vndservicemanager
+attribute vndservice_manager_type;
+
+
+# All domains that can override MLS restrictions.
+# i.e. processes that can read up and write down.
+attribute mlstrustedsubject;
+
+# All types that can override MLS restrictions.
+# i.e. files that can be read by lower and written by higher
+attribute mlstrustedobject;
+
+# All domains used for apps.
+attribute appdomain;
+
+# All third party apps.
+attribute untrusted_app_all;
+
+# All domains used for apps with network access.
+attribute netdomain;
+
+# All domains used for apps with bluetooth access.
+attribute bluetoothdomain;
+
+# All domains used for binder service domains.
+attribute binderservicedomain;
+
+# update_engine related domains that need to apply an update and run
+# postinstall. This includes the background daemon and the sideload tool from
+# recovery for A/B devices.
+attribute update_engine_common;
+
+# All core domains (as opposed to vendor/device-specific domains)
+attribute coredomain;
+
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+expandattribute coredomain_socket false;
+
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;
+
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+expandattribute socket_between_core_and_vendor_violators false;
+
+# All vendor domains which violate the requirement of not executing
+# system processes
+# TODO(b/36463595)
+attribute vendor_executes_system_violators;
+expandattribute vendor_executes_system_violators false;
+
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
+# hwservices that are accessible from untrusted applications
+# WARNING: Use of this attribute should be avoided unless
+# absolutely necessary. It is a temporary allowance to aid the
+# transition to treble and will be removed in a future platform
+# version, requiring all hwservices that are labeled with this
+# attribute to be submitted to AOSP in order to maintain their
+# app-visibility.
+attribute untrusted_app_visible_hwservice;
+expandattribute untrusted_app_visible_hwservice false;
+
+# halserver domains that are accessible to untrusted applications. These
+# domains are typically those hosting hwservices attributed by the
+# untrusted_app_visible_hwservice.
+# WARNING: Use of this attribute should be avoided unless absolutely necessary.
+# It is a temporary allowance to aid the transition to treble and will be
+# removed in the future platform version, requiring all halserver domains that
+# are labeled with this attribute to be submitted to AOSP in order to maintain
+# their app-visibility.
+attribute untrusted_app_visible_halserver;
+expandattribute untrusted_app_visible_halserver false;
+
+# PDX services
+attribute pdx_endpoint_dir_type;
+attribute pdx_endpoint_socket_type;
+expandattribute pdx_endpoint_socket_type false;
+attribute pdx_channel_socket_type;
+expandattribute pdx_channel_socket_type false;
+
+pdx_service_attributes(display_client)
+pdx_service_attributes(display_manager)
+pdx_service_attributes(display_screenshot)
+pdx_service_attributes(display_vsync)
+pdx_service_attributes(performance_client)
+pdx_service_attributes(bufferhub_client)
+
+# All HAL servers
+attribute halserverdomain;
+# All HAL clients
+attribute halclientdomain;
+expandattribute halclientdomain true;
+
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
+# can be resolve.
+attribute hal_audio;
+attribute hal_audio_client;
+expandattribute hal_audio_client true;
+attribute hal_audio_server;
+expandattribute hal_audio_server false;
+
+attribute hal_bootctl;
+attribute hal_bootctl_client;
+expandattribute hal_bootctl_client true;
+attribute hal_bootctl_server;
+expandattribute hal_bootctl_server false;
+
+attribute hal_camera;
+attribute hal_camera_client;
+expandattribute hal_camera_client true;
+attribute hal_camera_server;
+expandattribute hal_camera_server false;
+
+attribute hal_drm;
+attribute hal_drm_client;
+expandattribute hal_drm_client true;
+attribute hal_drm_server;
+expandattribute hal_drm_server false;
+
+attribute hal_cas;
+attribute hal_cas_client;
+expandattribute hal_cas_client true;
+attribute hal_cas_server;
+expandattribute hal_cas_server false;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(broadcastradio);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(dumpstate);
+hal_attribute(evs);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(power);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_offload);
+hal_attribute(wifi_supplicant);
+
+# HwBinder services offered across the core-vendor boundary
+#
+# We annotate server domains with x_server to loosen the coupling between
+# system and vendor images. For example, it should be possible to move a service
+# from one core domain to another, without having to update the vendor image
+# which contains clients of this service.
+
+attribute display_service_server;
+attribute wifi_keystore_service_server;
diff --git a/prebuilts/api/28.0/public/audioserver.te b/prebuilts/api/28.0/public/audioserver.te
new file mode 100644
index 0000000..9a72858
--- /dev/null
+++ b/prebuilts/api/28.0/public/audioserver.te
@@ -0,0 +1,2 @@
+# audioserver - audio services daemon
+type audioserver, domain;
diff --git a/prebuilts/api/28.0/public/blkid.te b/prebuilts/api/28.0/public/blkid.te
new file mode 100644
index 0000000..dabe014
--- /dev/null
+++ b/prebuilts/api/28.0/public/blkid.te
@@ -0,0 +1,2 @@
+# blkid called from vold
+type blkid, domain;
diff --git a/prebuilts/api/28.0/public/blkid_untrusted.te b/prebuilts/api/28.0/public/blkid_untrusted.te
new file mode 100644
index 0000000..4be4c0c
--- /dev/null
+++ b/prebuilts/api/28.0/public/blkid_untrusted.te
@@ -0,0 +1,2 @@
+# blkid for untrusted block devices
+type blkid_untrusted, domain;
diff --git a/prebuilts/api/28.0/public/bluetooth.te b/prebuilts/api/28.0/public/bluetooth.te
new file mode 100644
index 0000000..9b3442a
--- /dev/null
+++ b/prebuilts/api/28.0/public/bluetooth.te
@@ -0,0 +1,2 @@
+# bluetooth subsystem
+type bluetooth, domain;
diff --git a/prebuilts/api/28.0/public/bootanim.te b/prebuilts/api/28.0/public/bootanim.te
new file mode 100644
index 0000000..3260227
--- /dev/null
+++ b/prebuilts/api/28.0/public/bootanim.te
@@ -0,0 +1,42 @@
+# bootanimation oneshot service
+type bootanim, domain;
+type bootanim_exec, exec_type, file_type;
+
+hal_client_domain(bootanim, hal_configstore)
+hal_client_domain(bootanim, hal_graphics_allocator)
+hal_client_domain(bootanim, hal_graphics_composer)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+binder_call(bootanim, audioserver)
+
+hwbinder_use(bootanim)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
+
+# /oem access
+allow bootanim oemfs:dir search;
+allow bootanim oemfs:file r_file_perms;
+
+allow bootanim audio_device:dir r_dir_perms;
+allow bootanim audio_device:chr_file rw_file_perms;
+
+allow bootanim audioserver_service:service_manager find;
+allow bootanim surfaceflinger_service:service_manager find;
+
+# Allow access to ion memory allocation device
+allow bootanim ion_device:chr_file rw_file_perms;
+allow bootanim hal_graphics_allocator:fd use;
+
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
+# Read access to pseudo filesystems.
+allow bootanim proc_meminfo:file r_file_perms;
+
+# System file accesses.
+allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
diff --git a/prebuilts/api/28.0/public/bootstat.te b/prebuilts/api/28.0/public/bootstat.te
new file mode 100644
index 0000000..7ba0238
--- /dev/null
+++ b/prebuilts/api/28.0/public/bootstat.te
@@ -0,0 +1,57 @@
+# bootstat command
+type bootstat, domain;
+type bootstat_exec, exec_type, file_type;
+
+read_runtime_log_tags(bootstat)
+
+# Allow persistent storage in /data/misc/bootstat.
+allow bootstat bootstat_data_file:dir rw_dir_perms;
+allow bootstat bootstat_data_file:file create_file_perms;
+
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# ToDo: end
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+} system_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/28.0/public/bufferhubd.te b/prebuilts/api/28.0/public/bufferhubd.te
new file mode 100644
index 0000000..274c271
--- /dev/null
+++ b/prebuilts/api/28.0/public/bufferhubd.te
@@ -0,0 +1,20 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd mediacodec:fd use;
diff --git a/prebuilts/api/28.0/public/cameraserver.te b/prebuilts/api/28.0/public/cameraserver.te
new file mode 100644
index 0000000..3fdca53
--- /dev/null
+++ b/prebuilts/api/28.0/public/cameraserver.te
@@ -0,0 +1,65 @@
+# cameraserver - camera daemon
+type cameraserver, domain;
+type cameraserver_exec, exec_type, file_type;
+
+binder_use(cameraserver)
+binder_call(cameraserver, binderservicedomain)
+binder_call(cameraserver, appdomain)
+binder_service(cameraserver)
+
+hal_client_domain(cameraserver, hal_camera)
+
+hal_client_domain(cameraserver, hal_graphics_allocator)
+
+allow cameraserver ion_device:chr_file rw_file_perms;
+
+# Talk with graphics composer fences
+allow cameraserver hal_graphics_composer:fd use;
+
+add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
+allow cameraserver appops_service:service_manager find;
+allow cameraserver audioserver_service:service_manager find;
+allow cameraserver batterystats_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver mediaserver_service:service_manager find;
+allow cameraserver processinfo_service:service_manager find;
+allow cameraserver scheduling_policy_service:service_manager find;
+allow cameraserver surfaceflinger_service:service_manager find;
+
+allow cameraserver hidl_token_hwservice:hwservice_manager find;
+
+###
+### neverallow rules
+###
+
+# cameraserver should never execute any executable without a
+# domain transition
+neverallow cameraserver { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/prebuilts/api/28.0/public/charger.te b/prebuilts/api/28.0/public/charger.te
new file mode 100644
index 0000000..7145548
--- /dev/null
+++ b/prebuilts/api/28.0/public/charger.te
@@ -0,0 +1,45 @@
+# charger seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type charger, domain;
+
+# Write to /dev/kmsg
+allow charger kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charger, rootfs)
+r_dir_file(charger, cgroup)
+
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
+
+wakelock_use(charger)
+
+allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
+
+r_dir_file(charger, sysfs_batteryinfo)
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charger pstorefs:dir r_dir_perms;
+allow charger pstorefs:file r_file_perms;
+
+allow charger graphics_device:dir r_dir_perms;
+allow charger graphics_device:chr_file rw_file_perms;
+allow charger input_device:dir r_dir_perms;
+allow charger input_device:chr_file r_file_perms;
+allow charger tty_device:chr_file rw_file_perms;
+allow charger proc_sysrq:file rw_file_perms;
+
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
diff --git a/prebuilts/api/28.0/public/clatd.te b/prebuilts/api/28.0/public/clatd.te
new file mode 100644
index 0000000..ee44abf
--- /dev/null
+++ b/prebuilts/api/28.0/public/clatd.te
@@ -0,0 +1,33 @@
+# 464xlat daemon
+type clatd, domain;
+type clatd_exec, exec_type, file_type;
+
+net_domain(clatd)
+
+r_dir_file(clatd, proc_net)
+
+# Access objects inherited from netd.
+allow clatd netd:fd use;
+allow clatd netd:fifo_file { read write };
+# TODO: Check whether some or all of these sockets should be close-on-exec.
+allow clatd netd:netlink_kobject_uevent_socket { read write };
+allow clatd netd:netlink_nflog_socket { read write };
+allow clatd netd:netlink_route_socket { read write };
+allow clatd netd:udp_socket { read write };
+allow clatd netd:unix_stream_socket { read write };
+allow clatd netd:unix_dgram_socket { read write };
+
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
+
+# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
+# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
+# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
+# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
+# so we permit any requests we see from clatd asking for this capability.
+# See https://android-review.googlesource.com/127940 and
+# https://b.corp.google.com/issues/21736319
+allow clatd self:global_capability_class_set ipc_lock;
+
+allow clatd self:netlink_route_socket nlmsg_write;
+allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
+allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/cppreopts.te b/prebuilts/api/28.0/public/cppreopts.te
new file mode 100644
index 0000000..fb9855e
--- /dev/null
+++ b/prebuilts/api/28.0/public/cppreopts.te
@@ -0,0 +1,22 @@
+# cppreopts
+#
+# This command copies preopted files from the system_b partition to the data
+# partition. This domain ensures that we are only copying into specific
+# directories.
+
+type cppreopts, domain, mlstrustedsubject;
+type cppreopts_exec, exec_type, file_type;
+
+# Allow cppreopts copy files into the dalvik-cache
+allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow cppreopts shell_exec:file rx_file_perms;
+
+# Allow us to run find on /postinstall
+allow cppreopts system_file:dir { open read };
+
+# Allow running the cp command using cppreopts permissions. Needed so we can
+# write into dalvik-cache
+allow cppreopts toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/28.0/public/crash_dump.te b/prebuilts/api/28.0/public/crash_dump.te
new file mode 100644
index 0000000..cd1e5a8
--- /dev/null
+++ b/prebuilts/api/28.0/public/crash_dump.te
@@ -0,0 +1,65 @@
+type crash_dump, domain;
+type crash_dump_exec, exec_type, file_type;
+
+# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
+# which will result in an audit log even when it's allowed to trace.
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
+
+userdebug_or_eng(`
+ allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
+')
+
+# Use inherited file descriptors
+allow crash_dump domain:fd use;
+
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
+# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
+allow crash_dump domain:fifo_file { append };
+
+r_dir_file(crash_dump, domain)
+allow crash_dump exec_type:file r_file_perms;
+
+# Read /data/dalvik-cache.
+allow crash_dump dalvikcache_data_file:dir { search getattr };
+allow crash_dump dalvikcache_data_file:file r_file_perms;
+
+# Read APK files.
+r_dir_file(crash_dump, apk_data_file);
+
+# Read all /vendor
+r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+
+# Talk to tombstoned
+unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
+
+# Talk to ActivityManager.
+unix_socket_connect(crash_dump, system_ndebug, system_server)
+
+# Append to ANR files.
+allow crash_dump anr_data_file:file { append getattr };
+
+# Append to tombstone files.
+allow crash_dump tombstone_data_file:file { append getattr };
+
+read_logd(crash_dump)
+
+# Crash dump is not intended to access the following data types. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:file read;
+
+###
+### neverallow assertions
+###
+
+# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
+# Do not allow the execution of crash_dump without a domain transition.
+neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/28.0/public/device.te b/prebuilts/api/28.0/public/device.te
new file mode 100644
index 0000000..231c839
--- /dev/null
+++ b/prebuilts/api/28.0/public/device.te
@@ -0,0 +1,106 @@
+# Device types
+type device, dev_type, fs_type;
+type alarm_device, dev_type, mlstrustedobject;
+type ashmem_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type audio_timer_device, dev_type;
+type audio_seq_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type cpuctl_device, dev_type;
+type fscklogs, dev_type;
+type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type kmem_device, dev_type;
+type port_device, dev_type;
+type lowpan_device, dev_type;
+type mtd_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type vcs_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+type i2c_device, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+type system_block_device, dev_type;
+
+# Recovery block device.
+type recovery_block_device, dev_type;
+
+# boot block device.
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+type misc_block_device, dev_type;
diff --git a/prebuilts/api/28.0/public/dex2oat.te b/prebuilts/api/28.0/public/dex2oat.te
new file mode 100644
index 0000000..608ba79
--- /dev/null
+++ b/prebuilts/api/28.0/public/dex2oat.te
@@ -0,0 +1,66 @@
+# dex2oat
+type dex2oat, domain;
+type dex2oat_exec, exec_type, file_type;
+
+r_dir_file(dex2oat, apk_data_file)
+# Access to /vendor/app
+r_dir_file(dex2oat, vendor_app_file)
+# Access /vendor/framework
+allow dex2oat vendor_framework_file:dir { getattr search };
+allow dex2oat vendor_framework_file:file { getattr open read };
+
+allow dex2oat tmpfs:file { read getattr };
+
+r_dir_file(dex2oat, dalvikcache_data_file)
+allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
+allow dex2oat installd:fd use;
+
+# Acquire advisory lock on /system/framework/arm/*
+allow dex2oat system_file:file lock;
+
+# Read already open asec_apk_file file descriptors passed by installd.
+# Also allow reading unlabeled files, to allow for upgrading forward
+# locked APKs.
+allow dex2oat asec_apk_file:file read;
+allow dex2oat unlabeled:file read;
+allow dex2oat oemfs:file read;
+allow dex2oat apk_tmp_file:dir search;
+allow dex2oat apk_tmp_file:file r_file_perms;
+allow dex2oat user_profile_data_file:file { getattr read lock };
+
+# Allow dex2oat to compile app's secondary dex files which were reported back to
+# the framework.
+allow dex2oat app_data_file:file { getattr read write lock };
+
+##################
+# A/B OTA Dexopt #
+##################
+
+# Allow dex2oat to use file descriptors from otapreopt.
+allow dex2oat postinstall_dexopt:fd use;
+
+allow dex2oat postinstall_file:dir { getattr search };
+allow dex2oat postinstall_file:filesystem getattr;
+allow dex2oat postinstall_file:lnk_file { getattr read };
+
+# Allow dex2oat access to files in /data/ota.
+allow dex2oat ota_data_file:dir ra_dir_perms;
+allow dex2oat ota_data_file:file r_file_perms;
+
+# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
+# where the oat file is symlinked to the original file in /system.
+allow dex2oat ota_data_file:lnk_file { create read };
+
+# It would be nice to tie this down, but currently, because of how images are written, we can't
+# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
+# create them itself (and make them world-readable).
+allow dex2oat ota_data_file:file { create w_file_perms setattr };
+
+##############
+# Neverallow #
+##############
+
+neverallow dex2oat app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/28.0/public/dhcp.te b/prebuilts/api/28.0/public/dhcp.te
new file mode 100644
index 0000000..1f1ef2b
--- /dev/null
+++ b/prebuilts/api/28.0/public/dhcp.te
@@ -0,0 +1,30 @@
+type dhcp, domain;
+type dhcp_exec, exec_type, file_type;
+
+net_domain(dhcp)
+
+allow dhcp cgroup:dir { create write add_name };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:packet_socket create_socket_perms_no_ioctl;
+allow dhcp self:netlink_route_socket nlmsg_write;
+allow dhcp shell_exec:file rx_file_perms;
+allow dhcp system_file:file rx_file_perms;
+not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
+
+# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
+allow dhcp toolbox_exec:file rx_file_perms;
+
+# For /proc/sys/net/ipv4/conf/*/promote_secondaries
+allow dhcp proc_net:file write;
+
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
+
+allow dhcp dhcp_data_file:dir create_dir_perms;
+allow dhcp dhcp_data_file:file create_file_perms;
+
+# PAN connections
+allow dhcp netd:fd use;
+allow dhcp netd:fifo_file rw_file_perms;
+allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
+allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/28.0/public/display_service_server.te b/prebuilts/api/28.0/public/display_service_server.te
new file mode 100644
index 0000000..c5839fa
--- /dev/null
+++ b/prebuilts/api/28.0/public/display_service_server.te
@@ -0,0 +1 @@
+add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/28.0/public/dnsmasq.te b/prebuilts/api/28.0/public/dnsmasq.te
new file mode 100644
index 0000000..3aaefd3
--- /dev/null
+++ b/prebuilts/api/28.0/public/dnsmasq.te
@@ -0,0 +1,25 @@
+# DNS, DHCP services
+type dnsmasq, domain;
+type dnsmasq_exec, exec_type, file_type;
+
+net_domain(dnsmasq)
+allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
+
+# TODO: Run with dhcp group to avoid need for dac_override.
+allow dnsmasq self:global_capability_class_set dac_override;
+
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
+
+allow dnsmasq dhcp_data_file:dir w_dir_perms;
+allow dnsmasq dhcp_data_file:file create_file_perms;
+
+# Inherit and use open files from netd.
+allow dnsmasq netd:fd use;
+allow dnsmasq netd:fifo_file { read write };
+# TODO: Investigate whether these inherited sockets should be closed on exec.
+allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
+allow dnsmasq netd:netlink_nflog_socket { read write };
+allow dnsmasq netd:netlink_route_socket { read write };
+allow dnsmasq netd:unix_stream_socket { read write };
+allow dnsmasq netd:unix_dgram_socket { read write };
+allow dnsmasq netd:udp_socket { read write };
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
new file mode 100644
index 0000000..e9337b6
--- /dev/null
+++ b/prebuilts/api/28.0/public/domain.te
@@ -0,0 +1,1399 @@
+# Rules for all domains.
+
+# Allow reaping by init.
+allow domain init:process sigchld;
+
+# Intra-domain accesses.
+allow domain self:process {
+ fork
+ sigchld
+ sigkill
+ sigstop
+ signull
+ signal
+ getsched
+ setsched
+ getsession
+ getpgid
+ setpgid
+ getcap
+ setcap
+ getattr
+ setrlimit
+};
+allow domain self:fd use;
+allow domain proc:dir r_dir_perms;
+allow domain proc_net:dir search;
+r_dir_file(domain, self)
+allow domain self:{ fifo_file file } rw_file_perms;
+allow domain self:unix_dgram_socket { create_socket_perms sendto };
+allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
+
+# Inherit or receive open files from others.
+allow domain init:fd use;
+
+userdebug_or_eng(`
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
+
+ allow { domain -init } su:binder { call transfer };
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+
+ # Allow writing coredumps to /cores/*
+ allow domain coredump_file:file create_file_perms;
+ allow domain coredump_file:dir ra_dir_perms;
+')
+
+# Root fs.
+allow domain rootfs:dir search;
+allow domain rootfs:lnk_file { read getattr };
+
+# Device accesses.
+allow domain device:dir search;
+allow domain dev_type:lnk_file r_file_perms;
+allow domain devpts:dir search;
+allow domain socket_device:dir r_dir_perms;
+allow domain owntty_device:chr_file rw_file_perms;
+allow domain null_device:chr_file rw_file_perms;
+allow domain zero_device:chr_file rw_file_perms;
+allow domain ashmem_device:chr_file rw_file_perms;
+# /dev/binder can be accessed by non-vendor domains and by apps
+allow {
+ coredomain
+ appdomain
+ binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ -hwservicemanager
+} binder_device:chr_file rw_file_perms;
+# Devices which are not full TREBLE have fewer restrictions on access to /dev/binder
+not_full_treble(`allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;')
+allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
+allow domain ptmx_device:chr_file rw_file_perms;
+allow domain alarm_device:chr_file r_file_perms;
+allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
+allow domain properties_device:dir { search getattr };
+allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
+
+# For now, everyone can access core property files
+# Device specific properties are not granted by default
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ userdebug_or_eng(`
+ get_prop(su, core_property_type)
+ get_prop(su, exported_dalvik_prop)
+ get_prop(su, exported_ffs_prop)
+ get_prop(su, exported_system_radio_prop)
+ get_prop(su, exported2_config_prop)
+ get_prop(su, exported2_radio_prop)
+ get_prop(su, exported2_system_prop)
+ get_prop(su, exported2_vold_prop)
+ get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_radio_prop)
+ get_prop(su, exported3_system_prop)
+ ')
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Public readable properties
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
+get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, exported_vold_prop)
+get_prop(domain, exported2_default_prop)
+get_prop(domain, logd_prop)
+
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
+dontaudit domain property_type:file audit_access;
+allow domain property_contexts_file:file r_file_perms;
+
+allow domain init:key search;
+allow domain vold:key search;
+
+# logd access
+write_logd(domain)
+
+# System file accesses.
+allow domain system_file:dir { search getattr };
+allow domain system_file:file { execute read open getattr map };
+allow domain system_file:lnk_file { getattr read };
+
+# Make sure system/vendor split doesn not affect non-treble
+# devices
+not_full_treble(`
+ allow domain vendor_file_type:dir { search getattr };
+ allow domain vendor_file_type:file { execute read open getattr map };
+ allow domain vendor_file_type:lnk_file { getattr read };
+')
+
+# All domains are allowed to open and read directories
+# that contain HAL implementations (e.g. passthrough
+# HALs require clients to have these permissions)
+allow domain vendor_hal_file:dir r_dir_perms;
+
+# Everyone can read and execute all same process HALs
+allow domain same_process_hal_file:dir r_dir_perms;
+allow domain same_process_hal_file:file { execute read open getattr map };
+
+# Any process can load vndk-sp libraries, which are system libraries
+# used by same process HALs
+allow domain vndk_sp_file:dir r_dir_perms;
+allow domain vndk_sp_file:file { execute read open getattr map };
+
+# All domains get access to /vendor/etc
+allow domain vendor_configs_file:dir r_dir_perms;
+allow domain vendor_configs_file:file { read open getattr };
+
+full_treble_only(`
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
+
+ # This is required to be able to search & read /vendor/lib64
+ # in order to lookup vendor libraries. The execute permission
+ # for coredomains is granted *only* for same process HALs
+ allow domain vendor_file:dir { getattr search };
+
+ # Allow reading and executing out of /vendor to all vendor domains
+ allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
+ allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
+ allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
+')
+
+# read and stat any sysfs symlinks
+allow domain sysfs:lnk_file { getattr read };
+
+# libc references /data/misc/zoneinfo for timezone related information
+# This directory is considered to be a VNDK-stable
+allow domain zoneinfo_data_file:file r_file_perms;
+allow domain zoneinfo_data_file:dir r_dir_perms;
+
+# Lots of processes access current CPU information
+r_dir_file(domain, sysfs_devices_system_cpu)
+
+r_dir_file(domain, sysfs_usb);
+
+# files under /data.
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
+allow { coredomain appdomain } system_data_file:dir getattr;
+# /data has the label system_data_file. Vendor components need the search
+# permission on system_data_file for path traversal to /data/vendor.
+allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
+
+# required by the dynamic linker
+allow domain proc:lnk_file { getattr read };
+
+# /proc/cpuinfo
+allow domain proc_cpuinfo:file r_file_perms;
+
+# jemalloc needs to read /proc/sys/vm/overcommit_memory
+allow domain proc_overcommit_memory:file r_file_perms;
+
+# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
+allow domain proc_perf:file r_file_perms;
+
+# toybox loads libselinux which stats /sys/fs/selinux/
+allow domain selinuxfs:dir search;
+allow domain selinuxfs:file getattr;
+allow domain sysfs:dir search;
+allow domain selinuxfs:filesystem getattr;
+
+# For /acct/uid/*/tasks.
+allow domain cgroup:dir { search write };
+allow domain cgroup:file w_file_perms;
+
+# Almost all processes log tracing information to
+# /sys/kernel/debug/tracing/trace_marker
+# The reason behind this is documented in b/6513400
+allow domain debugfs:dir search;
+allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
+allow domain debugfs_trace_marker:file w_file_perms;
+
+# Filesystem access.
+allow domain fs_type:filesystem getattr;
+allow domain fs_type:dir getattr;
+
+# Restrict all domains to a whitelist for common socket types. Additional
+# ioctl commands may be added to individual domains, but this sets safe
+# defaults for all processes. Note that granting this whitelist to domain does
+# not grant the ioctl permission on these socket types. That must be granted
+# separately.
+allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+# default whitelist for unix sockets.
+allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
+ ioctl unpriv_unix_sock_ioctls;
+
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
+
+# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
+# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
+# when it's not explicitly used in allow rules
+allow { domain -domain } vndservice_manager_type:service_manager { add find };
+
+# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
+with_asan(`allow domain system_data_file:dir getattr;')
+
+###
+### neverallow rules
+###
+
+# All socket ioctls must be restricted to a whitelist.
+neverallowxperm domain domain:socket_class_set ioctl { 0 };
+
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
+# Do not allow any domain other than init to create unlabeled files.
+neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
+
+# Limit device node creation to these whitelisted domains.
+neverallow {
+ domain
+ -kernel
+ -init
+ -ueventd
+ -vold
+} self:global_capability_class_set mknod;
+
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain')
+ -kernel
+ -init
+ -recovery
+ -ueventd
+ -healthd
+ -uncrypt
+ -tee
+} self:global_capability_class_set sys_rawio;
+
+# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
+neverallow * self:memprotect mmap_zero;
+
+# No domain needs mac_override as it is unused by SELinux.
+neverallow * self:global_capability2_class_set mac_override;
+
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
+
+# Once the policy has been loaded there shall be none to modify the policy.
+# It is sealed.
+neverallow * kernel:security load_policy;
+
+# Only init prior to switching context should be able to set enforcing mode.
+# init starts in kernel domain and switches to init domain via setcon in
+# the init.rc, so the setenforce occurs while still in kernel. After
+# switching domains, there is never any need to setenforce again by init.
+neverallow * kernel:security setenforce;
+neverallow { domain -kernel } kernel:security setcheckreqprot;
+
+# No booleans in AOSP policy, so no need to ever set them.
+neverallow * kernel:security setbool;
+
+# Adjusting the AVC cache threshold.
+# Not presently allowed to anything in policy, but possibly something
+# that could be set from init.rc.
+neverallow { domain -init } kernel:security setsecparam;
+
+# Only init, ueventd, shell and system_server should be able to access HW RNG
+neverallow {
+ domain
+ -init
+ -shell # For CTS and is restricted to getattr in shell.te
+ -system_server
+ -ueventd
+} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -init
+ -shell # stat of /dev, getattr only
+ -vendor_init
+ -ueventd
+} keychord_device:chr_file *;
+
+# Ensure that all entrypoint executables are in exec_type or postinstall_file.
+neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
+
+# Ensure that nothing in userspace can access /dev/mem or /dev/kmem
+neverallow {
+ domain
+ -shell # For CTS and is restricted to getattr in shell.te
+ -ueventd # Further restricted in ueventd.te
+} kmem_device:chr_file *;
+neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr getattr };
+
+#Ensure that nothing in userspace can access /dev/port
+neverallow {
+ domain
+ -shell # Shell user should not have any abilities outside of getattr
+ -ueventd
+} port_device:chr_file *;
+neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
+# Only init should be able to configure kernel usermodehelpers or
+# security-sensitive proc settings.
+neverallow { domain -init } usermodehelper:file { append write };
+neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
+
+# No domain should be allowed to ptrace init.
+neverallow * init:process ptrace;
+
+# Init can't do anything with binder calls. If this neverallow rule is being
+# triggered, it's probably due to a service with no SELinux domain.
+neverallow * init:binder *;
+neverallow * vendor_init:binder *;
+
+# Don't allow raw read/write/open access to block_device
+# Rather force a relabel to a more specific type
+neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
+
+# Do not allow renaming of block files or character files
+# Ability to do so can lead to possible use in an exploit chain
+# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
+neverallow * *:{ blk_file chr_file } rename;
+
+# Don't allow raw read/write/open access to generic devices.
+# Rather force a relabel to a more specific type.
+neverallow domain device:chr_file { open read write };
+
+# Limit what domains can mount filesystems or change their mount flags.
+# sdcard_type / vfat is exempt as a larger set of domains need
+# this capability, including device-specific domains.
+neverallow { domain -kernel -init -recovery -vold -zygote -update_engine -otapreopt_chroot } { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
+
+#
+# Assert that, to the extent possible, we're not loading executable content from
+# outside the rootfs or /system partition except for a few whitelisted domains.
+#
+neverallow {
+ domain
+ -appdomain
+ with_asan(`-asan_extract')
+ -dumpstate
+ -shell
+ userdebug_or_eng(`-su')
+ -webview_zygote
+ -zygote
+ userdebug_or_eng(`-mediaextractor')
+} {
+ file_type
+ -system_file
+ -vendor_file_type
+ -exec_type
+ -postinstall_file
+}:file execute;
+
+neverallow {
+ domain
+ -appdomain # for oemfs
+ -bootanim # for oemfs
+ -recovery # for /tmp/update_binary in tmpfs
+} { fs_type -rootfs }:file execute;
+
+# Files from cache should never be executed
+neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# The test files and executables MUST not be accessible to any domain
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
+neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
+
+# Only the init property service should write to /data/property and /dev/__properties__
+neverallow { domain -init } property_data_file:dir no_w_dir_perms;
+neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
+
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
+neverallow {
+ domain
+ with_asan(`-asan_extract')
+} {
+ system_file
+ vendor_file_type
+ exec_type
+}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
+
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+
+# Don't allow mounting on top of /system files or directories
+neverallow * exec_type:dir_file_class_set mounton;
+neverallow { domain -init } { system_file vendor_file_type }:dir_file_class_set mounton;
+
+# Nothing should be writing to files in the rootfs.
+neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
+
+# Restrict context mounts to specific types marked with
+# the contextmount_type attribute.
+neverallow * {fs_type -contextmount_type}:filesystem relabelto;
+
+# Ensure that context mount types are not writable, to ensure that
+# the write to /system restriction above is not bypassed via context=
+# mount to another type.
+neverallow * contextmount_type:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Do not allow service_manager add for default service labels.
+# Instead domains should use a more specific type such as
+# system_app_service rather than the generic type.
+# New service_types are defined in {,hw,vnd}service.te and new mappings
+# from service name to service_type are defined in {,hw,vnd}service_contexts.
+neverallow * default_android_service:service_manager add;
+neverallow * default_android_vndservice:service_manager { add find };
+neverallow * default_android_hwservice:hwservice_manager { add find };
+
+# Looking up the base class/interface of all HwBinder services is a bad idea.
+# hwservicemanager currently offer such lookups only to make it so that security
+# decisions are expressed in SELinux policy. However, it's unclear whether this
+# lookup has security implications. If it doesn't, hwservicemanager should be
+# modified to not offer this lookup.
+# This rule can be removed if hwservicemanager is modified to not permit these
+# lookups.
+neverallow * hidl_base_hwservice:hwservice_manager find;
+
+# Require that domains explicitly label unknown properties, and do not allow
+# anyone but init to modify unknown properties.
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+
+compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
+ neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+ neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init } exported2_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+')
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+ neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+ neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
+
+# Do not allow reading device's serial number from system properties except form
+# a few whitelisted domains.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -hal_drm_server
+ -hal_cas_server
+ -init
+ -mediadrmserver
+ -recovery
+ -shell
+ -system_server
+ -vendor_init
+} serialno_prop:file r_file_perms;
+
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -system_server
+ -shell # Shell is further restricted in shell.te
+ -ueventd # Further restricted in ueventd.te
+} frp_block_device:blk_file no_rw_file_perms;
+
+# The metadata block device is set aside for device encryption and
+# verified boot metadata. It may be reset at will and should not
+# be used by other domains.
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
+
+# No domain other than recovery and update_engine can write to system partition(s).
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
+
+# No domains other than install_recovery or recovery can write to recovery.
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
+
+# No domains other than a select few can access the misc_block_device. This
+# block device is reserved for OTA use.
+# Do not assert this rule on userdebug/eng builds, due to some devices using
+# this partition for testing purposes.
+neverallow {
+ domain
+ userdebug_or_eng(`-domain') # exclude debuggable builds
+ -hal_bootctl_server
+ -init
+ -uncrypt
+ -update_engine
+ -vendor_init
+ -vold
+ -recovery
+ -ueventd
+} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
+
+# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
+neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
+# The service managers are only allowed to access their own device node
+neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
+neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
+neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
+
+# On full TREBLE devices, only core components and apps can use Binder and servicemanager. Non-core
+# domain apps need this because Android framework offers many of its services to apps as Binder
+# services.
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # restrictions for vendor apps are declared lower down
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } service_manager_type:service_manager find;
+')
+full_treble_only(`
+ # Vendor apps are permited to use only stable public services. If they were to use arbitrary
+ # services which can change any time framework/core is updated, breakage is likely.
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ service_manager_type
+ -app_api_service
+ -ephemeral_app_api_service
+ -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
+ -cameraserver_service
+ -drmserver_service
+ -keystore_service
+ -mediadrmserver_service
+ -mediaextractor_service
+ -mediametrics_service
+ -mediaserver_service
+ -nfc_service
+ -radio_service
+ -virtual_touchpad_service
+ -vr_hwc_service
+ -vr_manager_service
+ }:service_manager find;
+')
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
+ } servicemanager:binder { call transfer };
+')
+
+# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ -ueventd # uevent is granted create for this device, but we still neverallow I/O below
+ } vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
+ neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ userdebug_or_eng(`-su')
+ } vndservicemanager:binder *;
+')
+
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+ # Most general rules first, more specific rules below.
+
+ # Core domains are not permitted to initiate communications to vendor domain sockets.
+ # We are not restricting the use of already established sockets because it is fine for a process
+ # to obtain an already established socket via some public/official/stable API and then exchange
+ # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+ # and thus does not break the core-vendor separation.
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ coredomain
+ -init
+ -adbd
+ }, {
+ domain
+ -coredomain
+ -socket_between_core_and_vendor_violators
+ });
+')
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+ -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+ });
+')
+
+ # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -netdomain
+ -socket_between_core_and_vendor_violators
+ }, netd);
+')
+
+ # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
+ neverallow {
+ domain
+ -coredomain
+ -appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
+ -socket_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ coredomain_socket
+ core_data_file_type
+ unlabeled # used only by core domains
+ }:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ neverallow {
+ appdomain
+ -coredomain
+ } {
+ coredomain_socket
+ unlabeled # used only by core domains
+ core_data_file_type
+ -app_data_file
+ -pdx_endpoint_socket_type # used by VR layer
+ -pdx_channel_socket_type # used by VR layer
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+ # Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -socket_between_core_and_vendor_violators
+ } {
+ file_type
+ dev_type
+ -coredomain_socket
+ -core_data_file_type
+ -unlabeled
+ }:sock_file ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ }:dir *;
+
+')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+ # vndk-stable and thus must be allowed for all processes.
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+
+# On TREBLE devices, a limited set of files in /vendor are accessible to
+# only a few whitelisted coredomains to keep system/vendor separation.
+full_treble_only(`
+ # Limit access to /vendor/app
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:dir { open read getattr search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -dex2oat
+ -idmap
+ -init
+ -installd
+ userdebug_or_eng(`-perfprofd')
+ -postinstall_dexopt
+ -system_server
+ } vendor_app_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Limit access to /vendor/overlay
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ } vendor_overlay_file:dir { getattr open read search };
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -idmap
+ -init
+ -installd
+ -system_server
+ -webview_zygote
+ -zygote
+ } vendor_overlay_file:file r_file_perms;
+')
+
+full_treble_only(`
+ # Non-vendor domains are not allowed to file execute shell
+ # from vendor
+ neverallow {
+ coredomain
+ -init
+ -shell
+ } vendor_shell_exec:file { execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow vendor components to execute files from system
+ # except for the ones whitelist here.
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_executes_system_violators
+ -vendor_init
+ } {
+ exec_type
+ -vendor_file_type
+ -crash_dump_exec
+ -netutils_wrapper_exec
+ }:file { entrypoint execute execute_no_trans };
+')
+
+full_treble_only(`
+ # Do not allow system components to execute files from vendor
+ # except for the ones whitelisted here.
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -system_executes_vendor_violators
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ }:file execute;
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ -system_executes_vendor_violators
+ } vendor_file_type:file execute_no_trans;
+')
+
+# Only authorized processes should be writing to files in /data/dalvik-cache
+neverallow {
+ domain
+ -init # TODO: limit init to relabelfrom for files
+ -zygote
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -otapreopt_slot
+} dalvikcache_data_file:file no_w_file_perms;
+
+neverallow {
+ domain
+ -init
+ -installd
+ -postinstall_dexopt
+ -cppreopts
+ -dex2oat
+ -zygote
+ -otapreopt_slot
+} dalvikcache_data_file:dir no_w_dir_perms;
+
+# Only system_server should be able to send commands via the zygote socket
+neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } zygote_socket:sock_file write;
+
+neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
+neverallow { domain -system_server } webview_zygote:sock_file write;
+
+neverallow {
+ domain
+ -tombstoned
+ -crash_dump
+ -dumpstate
+ -incidentd
+ -system_server
+
+ # Processes that can't exec crash_dump
+ -mediacodec
+ -mediaextractor
+} tombstoned_crash_socket:unix_stream_socket connectto;
+
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
+# the tombstoned intercept socket.
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+
+# Android does not support System V IPCs.
+#
+# The reason for this is due to the fact that, by design, they lead to global
+# kernel resource leakage.
+#
+# For example, there is no way to automatically release a SysV semaphore
+# allocated in the kernel when:
+#
+# - a buggy or malicious process exits
+# - a non-buggy and non-malicious process crashes or is explicitly killed.
+#
+# Killing processes automatically to make room for new ones is an
+# important part of Android's application lifecycle implementation. This means
+# that, even assuming only non-buggy and non-malicious code, it is very likely
+# that over time, the kernel global tables used to implement SysV IPCs will fill
+# up.
+neverallow * *:{ shm sem msg msgq } *;
+
+# Do not mount on top of symlinks, fifos, or sockets.
+# Feature parity with Chromium LSM.
+neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+
+# Do not allow the introduction of new execmod rules. Text relocations
+# and modification of executable pages are unsafe.
+# The only exceptions are for NDK text relocations associated with
+# https://code.google.com/p/android/issues/detail?id=23203
+# which, long term, need to go away.
+neverallow * {
+ file_type
+ -apk_data_file
+ -app_data_file
+ -asec_public_file
+}:file execmod;
+
+# Do not allow making the stack or heap executable.
+# We would also like to minimize execmem but it seems to be
+# required by some device-specific service domains.
+neverallow * self:process { execstack execheap };
+
+# prohibit non-zygote spawned processes from using shared libraries
+# with text relocations. b/20013628 .
+neverallow { domain -untrusted_app_all } file_type:file execmod;
+
+neverallow { domain -init } proc:{ file dir } mounton;
+
+# Ensure that all types assigned to processes are included
+# in the domain attribute, so that all allow and neverallow rules
+# written on domain are applied to all processes.
+# This is achieved by ensuring that it is impossible to transition
+# from a domain to a non-domain type and vice versa.
+# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
+neverallow ~domain domain:process { transition dyntransition };
+
+#
+# Only system_app and system_server should be creating or writing
+# their files. The proper way to share files is to setup
+# type transitions to a more specific type or assigning a type
+# to its parent directory via a file_contexts entry.
+# Example type transition:
+# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
+#
+neverallow {
+ domain
+ -system_server
+ -system_app
+ -init
+ -installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
+ with_asan(`-asan_extract')
+} system_data_file:file no_w_file_perms;
+# do not grant anything greater than r_file_perms and relabelfrom unlink
+# to installd
+neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+# respect system_app sandboxes
+neverallow {
+ domain
+ -appdomain # finer-grained rules for appdomain are listed below
+ -system_server #populate com.android.providers.settings/databases/settings.db.
+ -installd # creation of app sandbox
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
+} system_app_data_file:dir_file_class_set { create unlink open };
+neverallow {
+ isolated_app
+ untrusted_app_all # finer-grained rules for appdomain are listed below
+ ephemeral_app
+ priv_app
+} system_app_data_file:dir_file_class_set { create unlink open };
+
+
+# Services should respect app sandboxes
+neverallow {
+ domain
+ -appdomain
+ -installd # creation of sandbox
+} app_data_file:dir_file_class_set { create unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
+
+# Only domains spawned from zygote and runas may have the appdomain attribute.
+neverallow { domain -runas -webview_zygote -zygote } {
+ appdomain -shell userdebug_or_eng(`-su')
+}:process { transition dyntransition };
+
+# Minimize read access to shell- or app-writable symlinks.
+# This is to prevent malicious symlink attacks.
+neverallow {
+ domain
+ -appdomain
+ -installd
+ -uncrypt # TODO: see if we can remove
+} app_data_file:lnk_file read;
+
+neverallow {
+ domain
+ -shell
+ userdebug_or_eng(`-uncrypt')
+ -installd
+} shell_data_file:lnk_file read;
+
+# In addition to the symlink reading restrictions above, restrict
+# write access to shell owned directories. The /data/local/tmp
+# directory is untrustworthy, and non-whitelisted domains should
+# not be trusting any content in those directories.
+neverallow {
+ domain
+ -adbd
+ -dumpstate
+ -installd
+ -init
+ -shell
+ -vold
+} shell_data_file:dir no_w_dir_perms;
+
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -init
+ -installd
+ -system_server # why?
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:dir { open search };
+
+# Same as above for /data/local/tmp files. We allow shell files
+# to be passed around by file descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+} shell_data_file:file open;
+
+# servicemanager and vndservicemanager are the only processes which handle the
+# service_manager list request
+neverallow * ~{
+ servicemanager
+ vndservicemanager
+ }:service_manager list;
+
+# hwservicemanager is the only process which handles hw list requests
+neverallow * ~{
+ hwservicemanager
+ }:hwservice_manager list;
+
+# only service_manager_types can be added to service_manager
+# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
+
+# Prevent assigning non property types to properties
+# TODO - rework this: neverallow * ~property_type:property_service set;
+
+# Domain types should never be assigned to any files other
+# than the /proc/pid files associated with a process. The
+# executable file used to enter a domain should be labeled
+# with its own _exec type, not with the domain type.
+# Conventionally, this looks something like:
+# $ cat mydaemon.te
+# type mydaemon, domain;
+# type mydaemon_exec, exec_type, file_type;
+# init_daemon_domain(mydaemon)
+# $ grep mydaemon file_contexts
+# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
+neverallow * domain:file { execute execute_no_trans entrypoint };
+
+# Do not allow access to the generic debugfs label. This is too broad.
+# Instead, if access to part of debugfs is desired, it should have a
+# more specific label.
+# TODO: fix system_server and dumpstate
+neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+# Profiles contain untrusted data and profman parses that. We should only run
+# in from installd forked processes.
+neverallow {
+ domain
+ -installd
+ -profman
+} profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file vendor_file rootfs }:system module_load;
+
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
+
+# Enforce AT_SECURE for executing crash_dump.
+neverallow domain crash_dump:process noatsecure;
+
+# Do not permit non-core domains to register HwBinder services which are
+# guaranteed to be provided by core domains only.
+neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
+
+# Do not permit the registeration of HwBinder services which are guaranteed to
+# be passthrough only (i.e., run in the process of their clients instead of a
+# separate server process).
+neverallow * same_process_hwservice:hwservice_manager add;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -init
+ -kernel
+ -perfprofd
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow { domain -traced_probes } self:capability dac_read_search;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+} mnt_vendor_file:dir *;
diff --git a/prebuilts/api/28.0/public/drmserver.te b/prebuilts/api/28.0/public/drmserver.te
new file mode 100644
index 0000000..f752c13
--- /dev/null
+++ b/prebuilts/api/28.0/public/drmserver.te
@@ -0,0 +1,58 @@
+# drmserver - DRM service
+type drmserver, domain;
+type drmserver_exec, exec_type, file_type;
+
+typeattribute drmserver mlstrustedsubject;
+
+net_domain(drmserver)
+
+# Perform Binder IPC to system server.
+binder_use(drmserver)
+binder_call(drmserver, system_server)
+binder_call(drmserver, appdomain)
+binder_service(drmserver)
+# Inherit or receive open files from system_server.
+allow drmserver system_server:fd use;
+
+# Perform Binder IPC to mediaserver
+binder_call(drmserver, mediaserver)
+
+allow drmserver sdcard_type:dir search;
+allow drmserver drm_data_file:dir create_dir_perms;
+allow drmserver drm_data_file:file create_file_perms;
+allow drmserver tee_device:chr_file rw_file_perms;
+allow drmserver app_data_file:file { read write getattr };
+allow drmserver sdcard_type:file { read write getattr };
+r_dir_file(drmserver, efs_file)
+
+type drmserver_socket, file_type;
+
+# /data/app/tlcd_sock socket file.
+# Clearly, /data/app is the most logical place to create a socket. Not.
+allow drmserver apk_data_file:dir rw_dir_perms;
+allow drmserver drmserver_socket:sock_file create_file_perms;
+# Delete old socket file if present.
+allow drmserver apk_data_file:sock_file unlink;
+
+# After taking a video, drmserver looks at the video file.
+r_dir_file(drmserver, media_rw_data_file)
+
+# Read resources from open apk files passed over Binder.
+allow drmserver apk_data_file:file { read getattr };
+allow drmserver asec_apk_file:file { read getattr };
+allow drmserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow drmserver radio_data_file:file { read getattr };
+
+# /oem access
+allow drmserver oemfs:dir search;
+allow drmserver oemfs:file r_file_perms;
+
+add_service(drmserver, drmserver_service)
+allow drmserver permission_service:service_manager find;
+
+selinux_check_access(drmserver)
+
+r_dir_file(drmserver, cgroup)
+r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/28.0/public/dumpstate.te b/prebuilts/api/28.0/public/dumpstate.te
new file mode 100644
index 0000000..03fc737
--- /dev/null
+++ b/prebuilts/api/28.0/public/dumpstate.te
@@ -0,0 +1,289 @@
+# dumpstate
+type dumpstate, domain, mlstrustedsubject;
+type dumpstate_exec, exec_type, file_type;
+
+net_domain(dumpstate)
+binder_use(dumpstate)
+wakelock_use(dumpstate)
+
+# Allow setting process priority, protect from OOM killer, and dropping
+# privileges by switching UID / GID
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
+
+# Allow dumpstate to scan through /proc/pid for all processes
+r_dir_file(dumpstate, domain)
+
+allow dumpstate self:global_capability_class_set {
+ # Send signals to processes
+ kill
+ # Run iptables
+ net_raw
+ net_admin
+};
+
+# Allow executing files on system, such as:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow dumpstate system_file:file execute_no_trans;
+not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
+allow dumpstate toolbox_exec:file rx_file_perms;
+
+# hidl searches for files in /system/lib(64)/hw/
+allow dumpstate system_file:dir r_dir_perms;
+
+# Create and write into /data/anr/
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
+allow dumpstate anr_data_file:dir rw_dir_perms;
+allow dumpstate anr_data_file:file create_file_perms;
+
+# Allow reading /data/system/uiderrors.txt
+# TODO: scope this down.
+allow dumpstate system_data_file:file r_file_perms;
+
+# Read dmesg
+allow dumpstate self:global_capability2_class_set syslog;
+allow dumpstate kernel:system syslog_read;
+
+# Read /sys/fs/pstore/console-ramoops
+allow dumpstate pstorefs:dir r_dir_perms;
+allow dumpstate pstorefs:file r_file_perms;
+
+# Get process attributes
+allow dumpstate domain:process getattr;
+
+# Signal java processes to dump their stack
+allow dumpstate { appdomain system_server }:process signal;
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
+ audioserver
+ cameraserver
+ drmserver
+ inputflinger
+ mediadrmserver
+ mediaextractor
+ mediametrics
+ mediaserver
+ sdcardd
+ surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_drm_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
+}:process signal;
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
+
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_dm
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
+
+# Other random bits of data we want to collect
+allow dumpstate qtaguid_proc:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+
+# df for
+allow dumpstate {
+ block_device
+ cache_file
+ metadata_file
+ rootfs
+ selinuxfs
+ storage_file
+ tmpfs
+}:dir { search getattr };
+allow dumpstate fuse_device:chr_file getattr;
+allow dumpstate { dm_device cache_block_device }:blk_file getattr;
+allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
+
+# Read /dev/cpuctl and /dev/cpuset
+r_dir_file(dumpstate, cgroup)
+
+# Allow dumpstate to make binder calls to any binder service
+binder_call(dumpstate, binderservicedomain)
+binder_call(dumpstate, { appdomain netd wificond })
+
+hal_client_domain(dumpstate, hal_dumpstate)
+hal_client_domain(dumpstate, hal_graphics_allocator)
+# Vibrate the device after we are done collecting the bugreport
+hal_client_domain(dumpstate, hal_vibrator)
+
+# Reading /proc/PID/maps of other processes
+allow dumpstate self:global_capability_class_set sys_ptrace;
+
+# Allow the bugreport service to create a file in
+# /data/data/com.android.shell/files/bugreports/bugreport
+allow dumpstate shell_data_file:dir create_dir_perms;
+allow dumpstate shell_data_file:file create_file_perms;
+
+# Run a shell.
+allow dumpstate shell_exec:file rx_file_perms;
+
+# For running am and similar framework commands.
+# Run /system/bin/app_process.
+allow dumpstate zygote_exec:file rx_file_perms;
+# Dalvik Compiler JIT.
+allow dumpstate ashmem_device:chr_file execute;
+allow dumpstate self:process execmem;
+# For art.
+allow dumpstate dalvikcache_data_file:dir { search getattr };
+allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
+allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
+
+# For Bluetooth
+allow dumpstate bluetooth_data_file:dir search;
+allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
+allow dumpstate bluetooth_logs_data_file:file r_file_perms;
+
+# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
+allow dumpstate gpu_device:chr_file rw_file_perms;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
+read_runtime_log_tags(dumpstate)
+
+# Read files in /proc
+allow dumpstate {
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
+
+# Read network state info files.
+allow dumpstate net_data_file:dir search;
+allow dumpstate net_data_file:file r_file_perms;
+
+# List sockets via ss.
+allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Access /data/tombstones.
+allow dumpstate tombstone_data_file:dir r_dir_perms;
+allow dumpstate tombstone_data_file:file r_file_perms;
+
+# Access /cache/recovery
+allow dumpstate cache_recovery_file:dir r_dir_perms;
+allow dumpstate cache_recovery_file:file r_file_perms;
+
+# Access /data/misc/recovery
+allow dumpstate recovery_data_file:dir r_dir_perms;
+allow dumpstate recovery_data_file:file r_file_perms;
+
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
+# Access /data/misc/profiles/{cur,ref}/
+userdebug_or_eng(`
+ allow dumpstate user_profile_data_file:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:file r_file_perms;
+')
+
+# Access /data/misc/logd
+userdebug_or_eng(`
+ allow dumpstate misc_logd_file:dir r_dir_perms;
+ allow dumpstate misc_logd_file:file r_file_perms;
+')
+
+allow dumpstate {
+ service_manager_type
+ -dumpstate_service
+ -gatekeeper_service
+ -incident_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
+allow dumpstate servicemanager:service_manager list;
+allow dumpstate hwservicemanager:hwservice_manager list;
+
+allow dumpstate devpts:chr_file rw_file_perms;
+
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
+# Read any system properties
+get_prop(dumpstate, property_type)
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow dumpstate media_rw_data_file:dir getattr;
+allow dumpstate proc_interrupts:file r_file_perms;
+allow dumpstate proc_zoneinfo:file r_file_perms;
+
+# Create a service for talking back to system_server
+add_service(dumpstate, dumpstate_service)
+
+# use /dev/ion for screen capture
+allow dumpstate ion_device:chr_file r_file_perms;
+
+# Allow dumpstate to run top
+allow dumpstate proc_stat:file r_file_perms;
+
+# Allow dumpstate to talk to installd over binder
+binder_call(dumpstate, installd);
+
+# Allow dumpstate to run ip xfrm policy
+allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
+###
+### neverallow rules
+###
+
+# dumpstate has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow dumpstate *:process ptrace;
+
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/e2fs.te b/prebuilts/api/28.0/public/e2fs.te
new file mode 100644
index 0000000..6fcd0c2
--- /dev/null
+++ b/prebuilts/api/28.0/public/e2fs.te
@@ -0,0 +1,22 @@
+type e2fs, domain, coredomain;
+type e2fs_exec, exec_type, file_type;
+
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
+allow e2fs block_device:dir search;
+allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
+
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+
+# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
+allow e2fs sysfs_fs_ext4_features:file r_file_perms;
+
+# access sselinux context files
+allow e2fs file_contexts_file:file { getattr open read };
diff --git a/prebuilts/api/28.0/public/ephemeral_app.te b/prebuilts/api/28.0/public/ephemeral_app.te
new file mode 100644
index 0000000..dc39a22
--- /dev/null
+++ b/prebuilts/api/28.0/public/ephemeral_app.te
@@ -0,0 +1,14 @@
+###
+### Ephemeral apps.
+###
+### This file defines the security policy for apps with the ephemeral
+### feature.
+###
+### The ephemeral_app domain is a reduced permissions sandbox allowing
+### ephemeral applications to be safely installed and run. Non ephemeral
+### applications may also opt-in to ephemeral to take advantage of the
+### additional security features.
+###
+### PackageManager flags an app as ephemeral at install time.
+
+type ephemeral_app, domain;
diff --git a/prebuilts/api/28.0/public/file.te b/prebuilts/api/28.0/public/file.te
new file mode 100644
index 0000000..ccfec15
--- /dev/null
+++ b/prebuilts/api/28.0/public/file.te
@@ -0,0 +1,411 @@
+# Filesystem types
+type labeledfs, fs_type;
+type pipefs, fs_type;
+type sockfs, fs_type;
+type rootfs, fs_type;
+type proc, fs_type, proc_type;
+# Security-sensitive proc nodes that should not be writable to most.
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
+# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
+type usermodehelper, fs_type, proc_type;
+type sysfs_usermodehelper, fs_type, sysfs_type;
+type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
+type selinuxfs, fs_type, mlstrustedobject;
+type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
+type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
+type sysfs_uio, sysfs_type, fs_type;
+type sysfs_batteryinfo, fs_type, sysfs_type;
+type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_leds, fs_type, sysfs_type;
+type sysfs_hwrandom, fs_type, sysfs_type;
+type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wake_lock, fs_type, sysfs_type;
+type sysfs_mac_address, fs_type, sysfs_type;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
+type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type;
+type configfs, fs_type;
+# /sys/devices/system/cpu
+type sysfs_devices_system_cpu, fs_type, sysfs_type;
+# /sys/module/lowmemorykiller
+type sysfs_lowmemorykiller, fs_type, sysfs_type;
+# /sys/module/wlan/parameters/fwpath
+type sysfs_wlan_fwpath, fs_type, sysfs_type;
+type sysfs_vibrator, fs_type, sysfs_type;
+
+type sysfs_thermal, sysfs_type, fs_type;
+
+type sysfs_zram, fs_type, sysfs_type;
+type sysfs_zram_uevent, fs_type, sysfs_type;
+type inotify, fs_type, mlstrustedobject;
+type devpts, fs_type, mlstrustedobject;
+type tmpfs, fs_type;
+type shm, fs_type;
+type mqueue, fs_type;
+type fuse, sdcard_type, fs_type, mlstrustedobject;
+type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
+type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
+type debugfs, fs_type, debugfs_type;
+type debugfs_mmc, fs_type, debugfs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
+
+type pstorefs, fs_type;
+type functionfs, fs_type, mlstrustedobject;
+type oemfs, fs_type, contextmount_type;
+type usbfs, fs_type;
+type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
+
+# File types
+type unlabeled, file_type;
+
+# Default type for anything under /system.
+type system_file, file_type;
+
+# Default type for directories search for
+# HAL implementations
+type vendor_hal_file, vendor_file_type, file_type;
+# Default type for under /vendor or /system/vendor
+type vendor_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/app
+type vendor_app_file, vendor_file_type, file_type;
+# Default type for everything under /vendor/etc/
+type vendor_configs_file, vendor_file_type, file_type;
+# Default type for all *same process* HALs.
+# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
+type same_process_hal_file, vendor_file_type, file_type;
+# Default type for vndk-sp libs. /vendor/lib/vndk-sp
+type vndk_sp_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/framework
+type vendor_framework_file, vendor_file_type, file_type;
+# Default type for everything in /vendor/overlay
+type vendor_overlay_file, vendor_file_type, file_type;
+
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
+type vold_metadata_file, file_type;
+
+# Speedup access for trusted applications to the runtime event tags
+type runtime_event_log_tags_file, file_type;
+# Type for /system/bin/logcat.
+type logcat_exec, exec_type, file_type;
+# /cores for coredumps on userdebug / eng builds
+type coredump_file, file_type;
+# Default type for anything under /data.
+type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
+# Unencrypted data
+type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
+# /data/.layout_version or other installd-created files that
+# are created in a system_data_file directory.
+type install_data_file, file_type, data_file_type, core_data_file_type;
+# /data/drm - DRM plugin data
+type drm_data_file, file_type, data_file_type, core_data_file_type;
+# /data/adb - adb debugging files
+type adb_data_file, file_type, data_file_type, core_data_file_type;
+# /data/anr - ANR traces
+type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/tombstones - core dumps
+type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
+# /data/app - user-installed apps
+type apk_data_file, file_type, data_file_type, core_data_file_type;
+type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/app-private - forward-locked apps
+type apk_private_data_file, file_type, data_file_type, core_data_file_type;
+type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/dalvik-cache
+type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota
+type ota_data_file, file_type, data_file_type, core_data_file_type;
+# /data/ota_package
+type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profiles
+type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/misc/profman
+type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
+# /data/resource-cache
+type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
+# /data/local - writable by shell
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/property
+type property_data_file, file_type, data_file_type, core_data_file_type;
+# /data/bootchart
+type bootchart_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system/heapdump
+type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/nativetest
+type nativetest_data_file, file_type, data_file_type, core_data_file_type;
+# /data/system_de/0/ringtones
+type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/preloads
+type preloads_data_file, file_type, data_file_type, core_data_file_type;
+# /data/preloads/media
+type preloads_media_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/dhcp and /data/misc/dhcp-6.8.2
+type dhcp_data_file, file_type, data_file_type, core_data_file_type;
+
+# Mount locations managed by vold
+type mnt_media_rw_file, file_type;
+type mnt_user_file, file_type;
+type mnt_expand_file, file_type;
+type storage_file, file_type;
+
+# Label for storage dirs which are just mount stubs
+type mnt_media_rw_stub_file, file_type;
+type storage_stub_file, file_type;
+
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
+# /postinstall: Mount point used by update_engine to run postinstall.
+type postinstall_mnt_dir, file_type;
+# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
+type postinstall_file, file_type;
+
+# /data/misc subdirectories
+type adb_keys_file, file_type, data_file_type, core_data_file_type;
+type audio_data_file, file_type, data_file_type, core_data_file_type;
+type audioserver_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
+type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
+type bootstat_data_file, file_type, data_file_type, core_data_file_type;
+type boottrace_data_file, file_type, data_file_type, core_data_file_type;
+type camera_data_file, file_type, data_file_type, core_data_file_type;
+type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
+type incident_data_file, file_type, data_file_type, core_data_file_type;
+type keychain_data_file, file_type, data_file_type, core_data_file_type;
+type keystore_data_file, file_type, data_file_type, core_data_file_type;
+type media_data_file, file_type, data_file_type, core_data_file_type;
+type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type misc_user_data_file, file_type, data_file_type, core_data_file_type;
+type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type recovery_data_file, file_type, data_file_type, core_data_file_type;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
+type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
+type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type vpn_data_file, file_type, data_file_type, core_data_file_type;
+type wifi_data_file, file_type, data_file_type, core_data_file_type;
+type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
+type vold_data_file, file_type, data_file_type, core_data_file_type;
+type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type tee_data_file, file_type, data_file_type;
+type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
+# /data/misc/trace for method traces on userdebug / eng builds
+type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# /data/data subdirectories - app sandboxes
+type app_data_file, file_type, data_file_type, core_data_file_type;
+# /data/data subdirectory for system UID apps.
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Compatibility with type name used in Android 4.3 and 4.4.
+# Default type for anything under /cache
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for /cache/backup_stage/* (fd interchange with apps)
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# type for anything under /cache/backup (local transport storage)
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
+# Type for anything under /cache/recovery
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Default type for anything under /efs
+type efs_file, file_type;
+# Type for wallpaper file.
+type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for shortcut manager icon file.
+type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Type for user icon file.
+type icon_file, file_type, data_file_type, core_data_file_type;
+# /mnt/asec
+type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# Elements of asec files (/mnt/asec) that are world readable
+type asec_public_file, file_type, data_file_type, core_data_file_type;
+# /data/app-asec
+type asec_image_file, file_type, data_file_type, core_data_file_type;
+# /data/backup and /data/secure/backup
+type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# All devices have bluetooth efs files. But they
+# vary per device, so this type is used in per
+# device policy
+type bluetooth_efs_file, file_type;
+# Type for fingerprint template file
+type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+
+# Socket types
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
+type rild_socket, file_type;
+type rild_debug_socket, file_type;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_java_trace_socket, file_type, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_consumer_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
+type zygote_socket, file_type, coredomain_socket;
+# UART (for GPS) control proc file
+type gps_control, file_type;
+
+# PDX endpoint types
+type pdx_display_dir, pdx_endpoint_dir_type, file_type;
+type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
+type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
+
+pdx_service_socket_types(display_client, pdx_display_dir)
+pdx_service_socket_types(display_manager, pdx_display_dir)
+pdx_service_socket_types(display_screenshot, pdx_display_dir)
+pdx_service_socket_types(display_vsync, pdx_display_dir)
+pdx_service_socket_types(performance_client, pdx_performance_dir)
+pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
+
+# file_contexts files
+type file_contexts_file, file_type;
+
+# mac_permissions file
+type mac_perms_file, file_type;
+
+# property_contexts file
+type property_contexts_file, file_type;
+
+# seapp_contexts file
+type seapp_contexts_file, file_type;
+
+# sepolicy files binary and others
+type sepolicy_file, file_type;
+
+# service_contexts file
+type service_contexts_file, file_type;
+
+# nonplat service_contexts file (only accessible on non full-treble devices)
+type nonplat_service_contexts_file, file_type;
+
+# hwservice_contexts file
+type hwservice_contexts_file, file_type;
+
+# vndservice_contexts file
+type vndservice_contexts_file, file_type;
+
+# Allow files to be created in their appropriate filesystems.
+allow fs_type self:filesystem associate;
+allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
+allow sysfs_type sysfs:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
+allow file_type labeledfs:filesystem associate;
+allow file_type tmpfs:filesystem associate;
+allow file_type rootfs:filesystem associate;
+allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
+allow postinstall_file self:filesystem associate;
+
+# asanwrapper (run a sanitized app_process, to be used with wrap properties)
+with_asan(`type asanwrapper_exec, exec_type, file_type;')
+
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
+# It's a bug to assign the file_type attribute and fs_type attribute
+# to any type. Do not allow it.
+#
+# For example, the following is a bug:
+# type apk_data_file, file_type, data_file_type, fs_type;
+# Should be:
+# type apk_data_file, file_type, data_file_type;
+neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/28.0/public/fingerprintd.te b/prebuilts/api/28.0/public/fingerprintd.te
new file mode 100644
index 0000000..2dc1107
--- /dev/null
+++ b/prebuilts/api/28.0/public/fingerprintd.te
@@ -0,0 +1,26 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+binder_use(fingerprintd)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
+# need to find KeyStore and add self
+add_service(fingerprintd, fingerprintd_service)
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
+
+allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/28.0/public/fsck.te b/prebuilts/api/28.0/public/fsck.te
new file mode 100644
index 0000000..c5219d8
--- /dev/null
+++ b/prebuilts/api/28.0/public/fsck.te
@@ -0,0 +1,57 @@
+# Any fsck program run by init
+type fsck, domain;
+type fsck_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow fsck tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck vold:fd use;
+allow fsck vold:fifo_file { read write getattr };
+
+# Run fsck on certain block devices
+allow fsck block_device:dir search;
+allow fsck userdata_block_device:blk_file rw_file_perms;
+allow fsck cache_block_device:blk_file rw_file_perms;
+allow fsck dm_device:blk_file rw_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck dev_type:blk_file getattr;
+
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
+allow fsck rootfs:dir r_dir_perms;
+
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ vold_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from init or vold via fsck binaries
+neverallow { domain -init -vold } fsck:process transition;
+neverallow * fsck:process dyntransition;
+neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/public/fsck_untrusted.te b/prebuilts/api/28.0/public/fsck_untrusted.te
new file mode 100644
index 0000000..8510c94
--- /dev/null
+++ b/prebuilts/api/28.0/public/fsck_untrusted.te
@@ -0,0 +1,49 @@
+# Any fsck program run on untrusted block devices
+type fsck_untrusted, domain;
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow fsck_untrusted vold:fd use;
+allow fsck_untrusted vold:fifo_file { read write getattr };
+
+# Run fsck on vold block devices
+allow fsck_untrusted block_device:dir search;
+allow fsck_untrusted vold_device:blk_file rw_file_perms;
+
+allow fsck_untrusted proc_mounts:file r_file_perms;
+
+# To determine if it is safe to run fsck on a filesystem, e2fsck
+# must first determine if the filesystem is mounted. To do that,
+# e2fsck scans through /proc/mounts and collects all the mounted
+# block devices. With that information, it runs stat() on each block
+# device, comparing the major and minor numbers to the filesystem
+# passed in on the command line. If there is a match, then the filesystem
+# is currently mounted and running fsck is dangerous.
+# Allow stat access to all block devices so that fsck can compare
+# major/minor values.
+allow fsck_untrusted dev_type:blk_file getattr;
+
+###
+### neverallow rules
+###
+
+# Untrusted fsck should never be run on block devices holding sensitive data
+neverallow fsck_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via fsck binaries
+neverallow { domain -vold } fsck_untrusted:process transition;
+neverallow * fsck_untrusted:process dyntransition;
+neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/public/gatekeeperd.te b/prebuilts/api/28.0/public/gatekeeperd.te
new file mode 100644
index 0000000..2fc3627
--- /dev/null
+++ b/prebuilts/api/28.0/public/gatekeeperd.te
@@ -0,0 +1,39 @@
+type gatekeeperd, domain;
+type gatekeeperd_exec, exec_type, file_type;
+
+# gatekeeperd
+binder_service(gatekeeperd)
+binder_use(gatekeeperd)
+
+### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
+### These rules should eventually be granted only when needed.
+allow gatekeeperd tee_device:chr_file rw_file_perms;
+allow gatekeeperd ion_device:chr_file r_file_perms;
+# Load HAL implementation
+allow gatekeeperd system_file:dir r_dir_perms;
+###
+
+### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
+### These rules should eventually be granted only when needed.
+hal_client_domain(gatekeeperd, hal_gatekeeper)
+###
+
+# need to find KeyStore and add self
+add_service(gatekeeperd, gatekeeper_service)
+
+# Need to add auth tokens to KeyStore
+use_keystore(gatekeeperd)
+allow gatekeeperd keystore:keystore_key { add_auth };
+
+# For permissions checking
+allow gatekeeperd system_server:binder call;
+allow gatekeeperd permission_service:service_manager find;
+
+# for SID file access
+allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
+allow gatekeeperd gatekeeper_data_file:file create_file_perms;
+
+# For hardware properties retrieval
+allow gatekeeperd hardware_properties_service:service_manager find;
+
+r_dir_file(gatekeeperd, cgroup)
diff --git a/prebuilts/api/28.0/public/global_macros b/prebuilts/api/28.0/public/global_macros
new file mode 100644
index 0000000..5dab5ab
--- /dev/null
+++ b/prebuilts/api/28.0/public/global_macros
@@ -0,0 +1,50 @@
+#####################################
+# Common groupings of object classes.
+#
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
+
+define(`devfile_class_set', `{ chr_file blk_file }')
+define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
+define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
+define(`dir_file_class_set', `{ dir file_class_set }')
+
+define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket }')
+define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
+define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket }')
+define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket }')
+
+define(`ipc_class_set', `{ sem msgq shm ipc }')
+
+#####################################
+# Common groupings of permissions.
+#
+define(`x_file_perms', `{ getattr execute execute_no_trans map }')
+define(`r_file_perms', `{ getattr open read ioctl lock map }')
+define(`w_file_perms', `{ open append write lock map }')
+define(`rx_file_perms', `{ r_file_perms x_file_perms }')
+define(`ra_file_perms', `{ r_file_perms append }')
+define(`rw_file_perms', `{ r_file_perms w_file_perms }')
+define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
+define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
+
+define(`r_dir_perms', `{ open getattr read search ioctl lock }')
+define(`w_dir_perms', `{ open search write add_name remove_name lock }')
+define(`ra_dir_perms', `{ r_dir_perms add_name write }')
+define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
+define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
+
+define(`r_ipc_perms', `{ getattr read associate unix_read }')
+define(`w_ipc_perms', `{ write unix_write }')
+define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
+define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
+
+#####################################
+# Common socket permission sets.
+define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown }')
+define(`create_socket_perms', `{ create rw_socket_perms }')
+define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
+define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
+define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/28.0/public/hal_allocator.te b/prebuilts/api/28.0/public/hal_allocator.te
new file mode 100644
index 0000000..646cebd
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_allocator.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_allocator_client, hal_allocator_server)
+
+add_hwservice(hal_allocator_server, hidl_allocator_hwservice)
+allow hal_allocator_client hidl_allocator_hwservice:hwservice_manager find;
+allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_audio.te b/prebuilts/api/28.0/public/hal_audio.te
new file mode 100644
index 0000000..037066e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_audio.te
@@ -0,0 +1,38 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audio_client, hal_audio_server)
+binder_call(hal_audio_server, hal_audio_client)
+
+add_hwservice(hal_audio_server, hal_audio_hwservice)
+allow hal_audio_client hal_audio_hwservice:hwservice_manager find;
+
+allow hal_audio ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_audio, proc)
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
+
+# Needed to provide debug dump output via dumpsys' pipes.
+allow hal_audio shell:fd use;
+allow hal_audio shell:fifo_file write;
+allow hal_audio dumpstate:fd use;
+allow hal_audio dumpstate:fifo_file write;
+
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
+###
+### neverallow rules
+###
+
+# Should never execute any executable without a domain transition
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access.
+# Disallow network sockets.
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only audio HAL may directly access the audio hardware
+neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
diff --git a/prebuilts/api/28.0/public/hal_audiocontrol.te b/prebuilts/api/28.0/public/hal_audiocontrol.te
new file mode 100644
index 0000000..438db53
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_audiocontrol.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
+
+allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_authsecret.te b/prebuilts/api/28.0/public/hal_authsecret.te
new file mode 100644
index 0000000..81b0c04
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_authsecret.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
+allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_bluetooth.te b/prebuilts/api/28.0/public/hal_bluetooth.te
new file mode 100644
index 0000000..373dbec
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_bluetooth.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_bluetooth_client, hal_bluetooth_server)
+binder_call(hal_bluetooth_server, hal_bluetooth_client)
+
+add_hwservice(hal_bluetooth_server, hal_bluetooth_hwservice)
+allow hal_bluetooth_client hal_bluetooth_hwservice:hwservice_manager find;
+
+wakelock_use(hal_bluetooth);
+
+# The HAL toggles rfkill to power the chip off/on.
+allow hal_bluetooth self:global_capability_class_set net_admin;
+
+# bluetooth factory file accesses.
+r_dir_file(hal_bluetooth, bluetooth_efs_file)
+
+allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
+
+# sysfs access.
+r_dir_file(hal_bluetooth, sysfs_type)
+allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
+
+# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
+set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
+
+# /proc access (bluesleep etc.).
+allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_bootctl.te b/prebuilts/api/28.0/public/hal_bootctl.te
new file mode 100644
index 0000000..181de4a
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_bootctl.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_bootctl_client, hal_bootctl_server)
+binder_call(hal_bootctl_server, hal_bootctl_client)
+
+add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
+allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/prebuilts/api/28.0/public/hal_broadcastradio.te b/prebuilts/api/28.0/public/hal_broadcastradio.te
new file mode 100644
index 0000000..24d4908
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_broadcastradio.te
@@ -0,0 +1,4 @@
+binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
+
+add_hwservice(hal_broadcastradio_server, hal_broadcastradio_hwservice)
+allow hal_broadcastradio_client hal_broadcastradio_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_camera.te b/prebuilts/api/28.0/public/hal_camera.te
new file mode 100644
index 0000000..8fe7442
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_camera.te
@@ -0,0 +1,33 @@
+# HwBinder IPC from clients to server and callbacks
+binder_call(hal_camera_client, hal_camera_server)
+binder_call(hal_camera_server, hal_camera_client)
+
+add_hwservice(hal_camera_server, hal_camera_hwservice)
+allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
+
+allow hal_camera device:dir r_dir_perms;
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+# Both the client and the server need to use the graphics allocator
+allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
+
+# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
+allow hal_camera { appdomain -isolated_app }:fd use;
+allow hal_camera surfaceflinger:fd use;
+allow hal_camera hal_allocator_server:fd use;
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Only camera HAL may directly access the camera hardware
+neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/28.0/public/hal_cas.te b/prebuilts/api/28.0/public/hal_cas.te
new file mode 100644
index 0000000..7f65358
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_cas.te
@@ -0,0 +1,35 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_cas_client, hal_cas_server)
+binder_call(hal_cas_server, hal_cas_client)
+
+add_hwservice(hal_cas_server, hal_cas_hwservice)
+allow hal_cas_client hal_cas_hwservice:hwservice_manager find;
+allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_cas_server, serialno_prop)
+
+# Read files already opened under /data
+allow hal_cas system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_cas, cgroup)
+allow hal_cas cgroup:dir { search write };
+allow hal_cas cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_cas ion_device:chr_file rw_file_perms;
+allow hal_cas hal_graphics_allocator:fd use;
+
+allow hal_cas tee_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# hal_cas should never execute any executable without a
+# domain transition
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/hal_configstore.te b/prebuilts/api/28.0/public/hal_configstore.te
new file mode 100644
index 0000000..c8051e1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_configstore.te
@@ -0,0 +1,71 @@
+# HwBinder IPC from client to server
+binder_call(hal_configstore_client, hal_configstore_server)
+
+allow hal_configstore_client hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+
+add_hwservice(hal_configstore_server, hal_configstore_ISurfaceFlingerConfigs)
+# As opposed to the rules of most other HALs, the different services exposed by
+# this HAL should be restricted to different clients. Thus, the allow rules for
+# clients are defined in the .te files of the clients.
+
+# hal_configstore runs with a strict seccomp filter. Use crash_dump's
+# fallback path to collect crash data.
+crash_dump_fallback(hal_configstore_server)
+
+###
+### neverallow rules
+###
+
+# Should never execute an executable without a domain transition
+neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
+
+# Should never need network access. Disallow sockets except for
+# for unix stream/dgram sockets used for logging/debugging.
+neverallow hal_configstore_server domain:{
+ rawip_socket tcp_socket udp_socket
+ netlink_route_socket netlink_selinux_socket
+ socket netlink_socket packet_socket key_socket appletalk_socket
+ netlink_tcpdiag_socket netlink_nflog_socket
+ netlink_xfrm_socket netlink_audit_socket
+ netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
+ netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
+ netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
+ netlink_rdma_socket netlink_crypto_socket
+} *;
+neverallow hal_configstore_server {
+ domain
+ -hal_configstore_server
+ -logd
+ userdebug_or_eng(`-su')
+ -tombstoned
+}:{ unix_dgram_socket unix_stream_socket } *;
+
+# Should never need access to anything on /data
+neverallow hal_configstore_server {
+ data_file_type
+ -anr_data_file # for crash dump collection
+ -tombstone_data_file # for crash dump collection
+ -zoneinfo_data_file # granted to domain
+}:{ file fifo_file sock_file } *;
+
+# Should never need sdcard access
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
+
+# Do not permit access to service_manager and vndservice_manager
+neverallow hal_configstore_server *:service_manager *;
+
+# No privileged capabilities
+neverallow hal_configstore_server self:capability_class_set *;
+
+# No ptracing other processes
+neverallow hal_configstore_server *:process ptrace;
+
+# no relabeling
+neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/28.0/public/hal_confirmationui.te b/prebuilts/api/28.0/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_contexthub.te b/prebuilts/api/28.0/public/hal_contexthub.te
new file mode 100644
index 0000000..f11bfc8
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_contexthub.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_contexthub_client, hal_contexthub_server)
+binder_call(hal_contexthub_server, hal_contexthub_client)
+
+add_hwservice(hal_contexthub_server, hal_contexthub_hwservice)
+allow hal_contexthub_client hal_contexthub_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_drm.te b/prebuilts/api/28.0/public/hal_drm.te
new file mode 100644
index 0000000..a46dd91
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_drm.te
@@ -0,0 +1,53 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_drm_client, hal_drm_server)
+binder_call(hal_drm_server, hal_drm_client)
+
+add_hwservice(hal_drm_server, hal_drm_hwservice)
+allow hal_drm_client hal_drm_hwservice:hwservice_manager find;
+
+allow hal_drm hidl_memory_hwservice:hwservice_manager find;
+
+# Required by Widevine DRM (b/22990512)
+allow hal_drm self:process execmem;
+
+# Permit reading device's serial number from system properties
+get_prop(hal_drm, serialno_prop)
+
+# System file accesses
+allow hal_drm system_file:dir r_dir_perms;
+allow hal_drm system_file:file r_file_perms;
+allow hal_drm system_file:lnk_file r_file_perms;
+
+# Read files already opened under /data
+allow hal_drm system_data_file:file { getattr read };
+
+# Read access to pseudo filesystems
+r_dir_file(hal_drm, cgroup)
+allow hal_drm cgroup:dir { search write };
+allow hal_drm cgroup:file w_file_perms;
+
+# Allow access to ion memory allocation device
+allow hal_drm ion_device:chr_file rw_file_perms;
+allow hal_drm hal_graphics_allocator:fd use;
+
+# Allow access to fds allocated by mediaserver
+allow hal_drm mediaserver:fd use;
+
+allow hal_drm sysfs:file r_file_perms;
+
+allow hal_drm tee_device:chr_file rw_file_perms;
+
+# only allow unprivileged socket ioctl commands
+allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# hal_drm should never execute any executable without a
+# domain transition
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/hal_dumpstate.te b/prebuilts/api/28.0/public/hal_dumpstate.te
new file mode 100644
index 0000000..2853567
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_dumpstate.te
@@ -0,0 +1,11 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_dumpstate_client, hal_dumpstate_server)
+binder_call(hal_dumpstate_server, hal_dumpstate_client)
+
+add_hwservice(hal_dumpstate_server, hal_dumpstate_hwservice)
+allow hal_dumpstate_client hal_dumpstate_hwservice:hwservice_manager find;
+
+# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
+allow hal_dumpstate shell_data_file:file write;
+# allow reading /proc/interrupts for all hal impls
+allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_evs.te b/prebuilts/api/28.0/public/hal_evs.te
new file mode 100644
index 0000000..710051e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+
diff --git a/prebuilts/api/28.0/public/hal_fingerprint.te b/prebuilts/api/28.0/public/hal_fingerprint.te
new file mode 100644
index 0000000..ebe0b0c
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_fingerprint.te
@@ -0,0 +1,17 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
+add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
+allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
+r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/prebuilts/api/28.0/public/hal_gatekeeper.te b/prebuilts/api/28.0/public/hal_gatekeeper.te
new file mode 100644
index 0000000..123acf5
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_gatekeeper.te
@@ -0,0 +1,8 @@
+binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
+
+add_hwservice(hal_gatekeeper_server, hal_gatekeeper_hwservice)
+allow hal_gatekeeper_client hal_gatekeeper_hwservice:hwservice_manager find;
+
+# TEE access.
+allow hal_gatekeeper tee_device:chr_file rw_file_perms;
+allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_gnss.te b/prebuilts/api/28.0/public/hal_gnss.te
new file mode 100644
index 0000000..b59cd1d
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_gnss.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_gnss_client, hal_gnss_server)
+binder_call(hal_gnss_server, hal_gnss_client)
+
+add_hwservice(hal_gnss_server, hal_gnss_hwservice)
+allow hal_gnss_client hal_gnss_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_graphics_allocator.te b/prebuilts/api/28.0/public/hal_graphics_allocator.te
new file mode 100644
index 0000000..e2b04ae
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_graphics_allocator.te
@@ -0,0 +1,13 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
+add_hwservice(hal_graphics_allocator_server, hal_graphics_allocator_hwservice)
+allow hal_graphics_allocator_client hal_graphics_allocator_hwservice:hwservice_manager find;
+allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+
+# allow to run with real-time scheduling policy
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_graphics_composer.te b/prebuilts/api/28.0/public/hal_graphics_composer.te
new file mode 100644
index 0000000..2df4612
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_graphics_composer.te
@@ -0,0 +1,26 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
+binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
+
+add_hwservice(hal_graphics_composer_server, hal_graphics_composer_hwservice)
+allow hal_graphics_composer_client hal_graphics_composer_hwservice:hwservice_manager find;
+
+# Coordinate with hal_graphics_mapper
+allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer appdomain:fd use;
+
+# allow self to set SCHED_FIFO
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_health.te b/prebuilts/api/28.0/public/hal_health.te
new file mode 100644
index 0000000..c0a0f80
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_health.te
@@ -0,0 +1,30 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_health_client, hal_health_server)
+binder_call(hal_health_server, hal_health_client)
+
+add_hwservice(hal_health_server, hal_health_hwservice)
+allow hal_health_client hal_health_hwservice:hwservice_manager find;
+
+# Read access to system files for HALs in
+# /{system,vendor,odm}/lib[64]/hw/ in order
+# to be able to open the hal implementation .so files
+r_dir_file(hal_health, system_file)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file w_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_ir.te b/prebuilts/api/28.0/public/hal_ir.te
new file mode 100644
index 0000000..b1bfdd8
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_ir.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_ir_client, hal_ir_server)
+binder_call(hal_ir_server, hal_ir_client)
+
+add_hwservice(hal_ir_server, hal_ir_hwservice)
+allow hal_ir_client hal_ir_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_keymaster.te b/prebuilts/api/28.0/public/hal_keymaster.te
new file mode 100644
index 0000000..dc5f6d0
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_keymaster.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server
+binder_call(hal_keymaster_client, hal_keymaster_server)
+
+add_hwservice(hal_keymaster_server, hal_keymaster_hwservice)
+allow hal_keymaster_client hal_keymaster_hwservice:hwservice_manager find;
+
+allow hal_keymaster tee_device:chr_file rw_file_perms;
+allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_light.te b/prebuilts/api/28.0/public/hal_light.te
new file mode 100644
index 0000000..5b93dd1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_light.te
@@ -0,0 +1,10 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_light_client, hal_light_server)
+binder_call(hal_light_server, hal_light_client)
+
+add_hwservice(hal_light_server, hal_light_hwservice)
+allow hal_light_client hal_light_hwservice:hwservice_manager find;
+
+allow hal_light sysfs_leds:lnk_file read;
+allow hal_light sysfs_leds:file rw_file_perms;
+allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/28.0/public/hal_lowpan.te b/prebuilts/api/28.0/public/hal_lowpan.te
new file mode 100644
index 0000000..af491b1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_lowpan.te
@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/prebuilts/api/28.0/public/hal_memtrack.te b/prebuilts/api/28.0/public/hal_memtrack.te
new file mode 100644
index 0000000..b2cc9cd
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_memtrack.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_memtrack_client, hal_memtrack_server)
+
+add_hwservice(hal_memtrack_server, hal_memtrack_hwservice)
+allow hal_memtrack_client hal_memtrack_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_neuralnetworks.te b/prebuilts/api/28.0/public/hal_neuralnetworks.te
new file mode 100644
index 0000000..c697ac2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_neuralnetworks.te
@@ -0,0 +1,8 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+add_hwservice(hal_neuralnetworks_server, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks_client hal_neuralnetworks_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
diff --git a/prebuilts/api/28.0/public/hal_neverallows.te b/prebuilts/api/28.0/public/hal_neverallows.te
new file mode 100644
index 0000000..0f05d8a
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_neverallows.te
@@ -0,0 +1,59 @@
+# only HALs responsible for network hardware should have privileged
+# network capabilities
+neverallow {
+ halserverdomain
+ -hal_bluetooth_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# Unless a HAL's job is to communicate over the network, or control network
+# hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network. Using this exemption for non-automotive builds
+# will result in CTS failure.
+neverallow {
+ halserverdomain
+ -hal_automotive_socket_exemption
+ -hal_tetheroffload_server
+ -hal_wifi_server
+ -hal_wifi_hostapd_server
+ -hal_wifi_supplicant_server
+ -hal_telephony_server
+} domain:{ tcp_socket udp_socket rawip_socket } *;
+
+###
+# HALs are defined as an attribute and so a given domain could hypothetically
+# have multiple HALs in it (or even all of them) with the subsequent policy of
+# the domain comprised of the union of all the HALs.
+#
+# This is a problem because
+# 1) Security sensitive components should only be accessed by specific HALs.
+# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
+# the platform.
+# 3) The platform cannot reason about defense in depth if there are
+# monolithic domains etc.
+#
+# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
+# its OK for them to share a process its not OK with them to share processes
+# with other hals.
+#
+# The following neverallow rules, in conjuntion with CTS tests, assert that
+# these security principles are adhered to.
+#
+# Do not allow a hal to exec another process without a domain transition.
+# TODO remove exemptions.
+neverallow {
+ halserverdomain
+ -hal_dumpstate_server
+ -hal_telephony_server
+} { file_type fs_type }:file execute_no_trans;
+# Do not allow a process other than init to transition into a HAL domain.
+neverallow { domain -init } halserverdomain:process transition;
+# Only allow transitioning to a domain by running its executable. Do not
+# allow transitioning into a HAL domain by use of seclabel in an
+# init.*.rc script.
+neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/28.0/public/hal_nfc.te b/prebuilts/api/28.0/public/hal_nfc.te
new file mode 100644
index 0000000..3bcdf5e
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_nfc.te
@@ -0,0 +1,12 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_nfc_client, hal_nfc_server)
+binder_call(hal_nfc_server, hal_nfc_client)
+
+add_hwservice(hal_nfc_server, hal_nfc_hwservice)
+allow hal_nfc_client hal_nfc_hwservice:hwservice_manager find;
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(hal_nfc, nfc_prop)
+
+# NFC device access.
+allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/hal_oemlock.te b/prebuilts/api/28.0/public/hal_oemlock.te
new file mode 100644
index 0000000..3fb5a18
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_oemlock.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_oemlock_client, hal_oemlock_server)
+
+add_hwservice(hal_oemlock_server, hal_oemlock_hwservice)
+allow hal_oemlock_client hal_oemlock_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_power.te b/prebuilts/api/28.0/public/hal_power.te
new file mode 100644
index 0000000..fcba3d2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_power.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_power_client, hal_power_server)
+binder_call(hal_power_server, hal_power_client)
+
+add_hwservice(hal_power_server, hal_power_hwservice)
+allow hal_power_client hal_power_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_secure_element.te b/prebuilts/api/28.0/public/hal_secure_element.te
new file mode 100644
index 0000000..e3046d1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_sensors.te b/prebuilts/api/28.0/public/hal_sensors.te
new file mode 100644
index 0000000..9d7cbe9
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_sensors.te
@@ -0,0 +1,15 @@
+# HwBinder IPC from client to server
+binder_call(hal_sensors_client, hal_sensors_server)
+
+add_hwservice(hal_sensors_server, hal_sensors_hwservice)
+allow hal_sensors_client hal_sensors_hwservice:hwservice_manager find;
+
+# Allow sensor hals to access ashmem memory allocated by apps
+allow hal_sensors { appdomain -isolated_app }:fd use;
+
+# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
+# fd is passed in from framework sensorservice HAL.
+allow hal_sensors hal_allocator:fd use;
+
+# allow to run with real-time scheduling policy
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/28.0/public/hal_telephony.te b/prebuilts/api/28.0/public/hal_telephony.te
new file mode 100644
index 0000000..5f8cc41
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_telephony.te
@@ -0,0 +1,46 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_telephony_client, hal_telephony_server)
+binder_call(hal_telephony_server, hal_telephony_client)
+
+add_hwservice(hal_telephony_server, hal_telephony_hwservice)
+allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server alarm_device:chr_file rw_file_perms;
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server mtd_device:dir search;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+
+# property service
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, sysfs_type)
+r_dir_file(hal_telephony_server, system_file)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/28.0/public/hal_tetheroffload.te b/prebuilts/api/28.0/public/hal_tetheroffload.te
new file mode 100644
index 0000000..48d67a2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_tetheroffload.te
@@ -0,0 +1,8 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
+binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
+
+allow hal_tetheroffload_client hal_tetheroffload_hwservice:hwservice_manager find;
+
+# allow the client to pass the server already open netlink sockets
+allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/28.0/public/hal_thermal.te b/prebuilts/api/28.0/public/hal_thermal.te
new file mode 100644
index 0000000..b1764f1
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_thermal.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_thermal_client, hal_thermal_server)
+binder_call(hal_thermal_server, hal_thermal_client)
+
+add_hwservice(hal_thermal_server, hal_thermal_hwservice)
+allow hal_thermal_client hal_thermal_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_tv_cec.te b/prebuilts/api/28.0/public/hal_tv_cec.te
new file mode 100644
index 0000000..7719cae
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_tv_cec.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_cec_client, hal_tv_cec_server)
+binder_call(hal_tv_cec_server, hal_tv_cec_client)
+
+add_hwservice(hal_tv_cec_server, hal_tv_cec_hwservice)
+allow hal_tv_cec_client hal_tv_cec_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_tv_input.te b/prebuilts/api/28.0/public/hal_tv_input.te
new file mode 100644
index 0000000..31a0067
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_tv_input.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_tv_input_client, hal_tv_input_server)
+binder_call(hal_tv_input_server, hal_tv_input_client)
+
+add_hwservice(hal_tv_input_server, hal_tv_input_hwservice)
+allow hal_tv_input_client hal_tv_input_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_usb.te b/prebuilts/api/28.0/public/hal_usb.te
new file mode 100644
index 0000000..9cfd516
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_usb.te
@@ -0,0 +1,18 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_client, hal_usb_server)
+binder_call(hal_usb_server, hal_usb_client)
+
+add_hwservice(hal_usb_server, hal_usb_hwservice)
+allow hal_usb_client hal_usb_hwservice:hwservice_manager find;
+
+allow hal_usb self:netlink_kobject_uevent_socket create;
+allow hal_usb self:netlink_kobject_uevent_socket setopt;
+allow hal_usb self:netlink_kobject_uevent_socket bind;
+allow hal_usb self:netlink_kobject_uevent_socket read;
+allow hal_usb sysfs:dir open;
+allow hal_usb sysfs:dir read;
+allow hal_usb sysfs:file read;
+allow hal_usb sysfs:file open;
+allow hal_usb sysfs:file write;
+allow hal_usb sysfs:file getattr;
+
diff --git a/prebuilts/api/28.0/public/hal_usb_gadget.te b/prebuilts/api/28.0/public/hal_usb_gadget.te
new file mode 100644
index 0000000..16f4f08
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_usb_gadget.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
+allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/prebuilts/api/28.0/public/hal_vehicle.te b/prebuilts/api/28.0/public/hal_vehicle.te
new file mode 100644
index 0000000..a59f8d2
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_vehicle.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
+
+allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_vibrator.te b/prebuilts/api/28.0/public/hal_vibrator.te
new file mode 100644
index 0000000..9ce34ca
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_vibrator.te
@@ -0,0 +1,9 @@
+# HwBinder IPC from client to server
+binder_call(hal_vibrator_client, hal_vibrator_server)
+
+add_hwservice(hal_vibrator_server, hal_vibrator_hwservice)
+allow hal_vibrator_client hal_vibrator_hwservice:hwservice_manager find;
+
+# vibrator sysfs rw access
+allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/prebuilts/api/28.0/public/hal_vr.te b/prebuilts/api/28.0/public/hal_vr.te
new file mode 100644
index 0000000..3cb392d
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_vr.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vr_client, hal_vr_server)
+binder_call(hal_vr_server, hal_vr_client)
+
+add_hwservice(hal_vr_server, hal_vr_hwservice)
+allow hal_vr_client hal_vr_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_weaver.te b/prebuilts/api/28.0/public/hal_weaver.te
new file mode 100644
index 0000000..b80ba29
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_weaver.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_weaver_client, hal_weaver_server)
+
+add_hwservice(hal_weaver_server, hal_weaver_hwservice)
+allow hal_weaver_client hal_weaver_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/28.0/public/hal_wifi.te b/prebuilts/api/28.0/public/hal_wifi.te
new file mode 100644
index 0000000..7cea7c7
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi.te
@@ -0,0 +1,32 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_client, hal_wifi_server)
+binder_call(hal_wifi_server, hal_wifi_client)
+
+add_hwservice(hal_wifi_server, hal_wifi_hwservice)
+allow hal_wifi_client hal_wifi_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi, proc_net)
+r_dir_file(hal_wifi, sysfs_type)
+
+set_prop(hal_wifi, exported_wifi_prop)
+set_prop(hal_wifi, wifi_prop)
+
+# allow hal wifi set interfaces up and down
+allow hal_wifi self:udp_socket create_socket_perms;
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
+# allow hal_wifi to speak to nl80211 in the kernel
+allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
+# hal_wifi writes firmware paths to this file.
+allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
+# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
+allow hal_wifi proc_modules:file { getattr open read };
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+userdebug_or_eng(`
+ allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+ allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
+')
diff --git a/prebuilts/api/28.0/public/hal_wifi_hostapd.te b/prebuilts/api/28.0/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..03a5546
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/prebuilts/api/28.0/public/hal_wifi_offload.te b/prebuilts/api/28.0/public/hal_wifi_offload.te
new file mode 100644
index 0000000..dc0cf5a
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_offload.te
@@ -0,0 +1,9 @@
+## HwBinder IPC from client to server, and callbacks
+binder_call(hal_wifi_offload_client, hal_wifi_offload_server)
+binder_call(hal_wifi_offload_server, hal_wifi_offload_client)
+
+add_hwservice(hal_wifi_offload_server, hal_wifi_offload_hwservice)
+allow hal_wifi_offload_client hal_wifi_offload_hwservice:hwservice_manager find;
+
+r_dir_file(hal_wifi_offload, proc_net)
+r_dir_file(hal_wifi_offload, sysfs_type)
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
new file mode 100644
index 0000000..6bf0d32
--- /dev/null
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -0,0 +1,29 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
+binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
+
+add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
+allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
+
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(hal_wifi_supplicant, sysfs_type)
+r_dir_file(hal_wifi_supplicant, proc_net)
+
+allow hal_wifi_supplicant kernel:system module_request;
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant cgroup:dir create_dir_perms;
+allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
+allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_supplicant self:packet_socket create_socket_perms;
+allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
+
+###
+### neverallow rules
+###
+
+# wpa_supplicant should not trust any data from sdcards
+neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/28.0/public/healthd.te b/prebuilts/api/28.0/public/healthd.te
new file mode 100644
index 0000000..8a1d3ec
--- /dev/null
+++ b/prebuilts/api/28.0/public/healthd.te
@@ -0,0 +1,58 @@
+# healthd - battery/charger monitoring service daemon
+type healthd, domain;
+type healthd_exec, exec_type, file_type;
+
+# Write to /dev/kmsg
+allow healthd kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+allow healthd sysfs_type:dir search;
+r_dir_file(healthd, rootfs)
+r_dir_file(healthd, cgroup)
+
+# Read access to system files for passthrough HALs in
+# /{system,vendor,odm}/lib[64]/hw/
+r_dir_file(healthd, system_file)
+
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
+
+allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+wakelock_use(healthd)
+
+hal_client_domain(healthd, hal_health)
+
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow healthd sysfs_usb:file write;
+
+r_dir_file(healthd, sysfs_batteryinfo)
+
+###
+### healthd: charger mode
+###
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow healthd pstorefs:dir r_dir_perms;
+allow healthd pstorefs:file r_file_perms;
+
+allow healthd graphics_device:dir r_dir_perms;
+allow healthd graphics_device:chr_file rw_file_perms;
+allow healthd input_device:dir r_dir_perms;
+allow healthd input_device:chr_file r_file_perms;
+allow healthd tty_device:chr_file rw_file_perms;
+allow healthd ashmem_device:chr_file execute;
+allow healthd self:process execmem;
+allow healthd proc_sysrq:file rw_file_perms;
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/prebuilts/api/28.0/public/hwservice.te b/prebuilts/api/28.0/public/hwservice.te
new file mode 100644
index 0000000..5fba86a
--- /dev/null
+++ b/prebuilts/api/28.0/public/hwservice.te
@@ -0,0 +1,62 @@
+type default_android_hwservice, hwservice_manager_type;
+type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
+type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type;
+type hal_audio_hwservice, hwservice_manager_type;
+type hal_authsecret_hwservice, hwservice_manager_type;
+type hal_bluetooth_hwservice, hwservice_manager_type;
+type hal_bootctl_hwservice, hwservice_manager_type;
+type hal_broadcastradio_hwservice, hwservice_manager_type;
+type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
+type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
+type hal_contexthub_hwservice, hwservice_manager_type;
+type hal_drm_hwservice, hwservice_manager_type;
+type hal_cas_hwservice, hwservice_manager_type;
+type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_evs_hwservice, hwservice_manager_type;
+type hal_fingerprint_hwservice, hwservice_manager_type;
+type hal_gatekeeper_hwservice, hwservice_manager_type;
+type hal_gnss_hwservice, hwservice_manager_type;
+type hal_graphics_allocator_hwservice, hwservice_manager_type;
+type hal_graphics_composer_hwservice, hwservice_manager_type;
+type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_health_hwservice, hwservice_manager_type;
+type hal_ir_hwservice, hwservice_manager_type;
+type hal_keymaster_hwservice, hwservice_manager_type;
+type hal_light_hwservice, hwservice_manager_type;
+type hal_lowpan_hwservice, hwservice_manager_type;
+type hal_memtrack_hwservice, hwservice_manager_type;
+type hal_neuralnetworks_hwservice, hwservice_manager_type;
+type hal_nfc_hwservice, hwservice_manager_type;
+type hal_oemlock_hwservice, hwservice_manager_type;
+type hal_omx_hwservice, hwservice_manager_type;
+type hal_power_hwservice, hwservice_manager_type;
+type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
+type hal_sensors_hwservice, hwservice_manager_type;
+type hal_telephony_hwservice, hwservice_manager_type;
+type hal_tetheroffload_hwservice, hwservice_manager_type;
+type hal_thermal_hwservice, hwservice_manager_type;
+type hal_tv_cec_hwservice, hwservice_manager_type;
+type hal_tv_input_hwservice, hwservice_manager_type;
+type hal_usb_hwservice, hwservice_manager_type;
+type hal_usb_gadget_hwservice, hwservice_manager_type;
+type hal_vehicle_hwservice, hwservice_manager_type;
+type hal_vibrator_hwservice, hwservice_manager_type;
+type hal_vr_hwservice, hwservice_manager_type;
+type hal_weaver_hwservice, hwservice_manager_type;
+type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
+type hal_wifi_offload_hwservice, hwservice_manager_type;
+type hal_wifi_supplicant_hwservice, hwservice_manager_type;
+type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_base_hwservice, hwservice_manager_type;
+type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice;
+type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type;
diff --git a/prebuilts/api/28.0/public/hwservicemanager.te b/prebuilts/api/28.0/public/hwservicemanager.te
new file mode 100644
index 0000000..1ffd2a6
--- /dev/null
+++ b/prebuilts/api/28.0/public/hwservicemanager.te
@@ -0,0 +1,22 @@
+# hwservicemanager - the Binder context manager for HAL services
+type hwservicemanager, domain, mlstrustedsubject;
+type hwservicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# hwservicemanager provides name service (aka context manager)
+# for hwbinder.
+# Additionally, it initiates binder IPC calls to
+# clients who request service notifications. The permission
+# to do this is granted in the hwbinder_use macro.
+allow hwservicemanager self:binder set_context_mgr;
+
+set_prop(hwservicemanager, hwservicemanager_prop)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
+# Read hwservice_contexts
+allow hwservicemanager hwservice_contexts_file:file r_file_perms;
+
+# Check SELinux permissions.
+selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/28.0/public/idmap.te b/prebuilts/api/28.0/public/idmap.te
new file mode 100644
index 0000000..3f336a3
--- /dev/null
+++ b/prebuilts/api/28.0/public/idmap.te
@@ -0,0 +1,20 @@
+# idmap, when executed by installd
+type idmap, domain;
+type idmap_exec, exec_type, file_type;
+
+# Use open file to /data/resource-cache file inherited from installd.
+allow idmap installd:fd use;
+allow idmap resourcecache_data_file:file { getattr read write };
+
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
+# Open and read from target and overlay apk files passed by argument.
+allow idmap apk_data_file:file r_file_perms;
+allow idmap apk_data_file:dir search;
+
+# Allow apps access to /vendor/app
+r_dir_file(idmap, vendor_app_file)
+
+# Allow apps access to /vendor/overlay
+r_dir_file(idmap, vendor_overlay_file)
diff --git a/prebuilts/api/28.0/public/incident.te b/prebuilts/api/28.0/public/incident.te
new file mode 100644
index 0000000..ce57bf6
--- /dev/null
+++ b/prebuilts/api/28.0/public/incident.te
@@ -0,0 +1,8 @@
+# The incident command is used to call into the incidentd service to
+# take an incident report (binary, shared bugreport), download incident
+# reports that have already been taken, and monitor for new ones.
+# It doesn't do anything else.
+
+# incident
+type incident, domain;
+
diff --git a/prebuilts/api/28.0/public/incident_helper.te b/prebuilts/api/28.0/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/prebuilts/api/28.0/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/prebuilts/api/28.0/public/incidentd.te b/prebuilts/api/28.0/public/incidentd.te
new file mode 100644
index 0000000..b03249c
--- /dev/null
+++ b/prebuilts/api/28.0/public/incidentd.te
@@ -0,0 +1,3 @@
+# incidentd
+type incidentd, domain;
+
diff --git a/prebuilts/api/28.0/public/init.te b/prebuilts/api/28.0/public/init.te
new file mode 100644
index 0000000..dafc06f
--- /dev/null
+++ b/prebuilts/api/28.0/public/init.te
@@ -0,0 +1,509 @@
+# init is its own domain.
+type init, domain, mlstrustedsubject;
+
+# The init domain is entered by execing init.
+type init_exec, exec_type, file_type;
+
+# /dev/__null__ node created by init.
+allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
+
+#
+# init direct restorecon calls.
+#
+# /dev/kmsg
+allow init tmpfs:chr_file relabelfrom;
+allow init kmsg_device:chr_file { write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { write relabelto };
+')
+# /dev/__properties__
+allow init properties_device:dir relabelto;
+allow init properties_serial:file { write relabelto };
+allow init property_type:file { create_file_perms relabelto };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
+# /dev/socket
+allow init { device socket_device }:dir relabelto;
+# /dev/random, /dev/urandom
+allow init random_device:chr_file relabelto;
+# /dev/device-mapper, /dev/block(/.*)?
+allow init tmpfs:{ chr_file blk_file } relabelfrom;
+allow init tmpfs:blk_file getattr;
+allow init block_device:{ dir blk_file lnk_file } relabelto;
+allow init dm_device:{ chr_file blk_file } relabelto;
+allow init kernel:fd use;
+# restorecon for early mount device symlinks
+allow init tmpfs:lnk_file { getattr read relabelfrom };
+allow init {
+ misc_block_device
+ recovery_block_device
+ system_block_device
+}:{ blk_file lnk_file } relabelto;
+
+# setrlimit
+allow init self:global_capability_class_set sys_resource;
+
+# Remove /dev/.booting, created before initial policy load or restorecon /dev.
+allow init tmpfs:file unlink;
+
+# Access pty created for fsck.
+allow init devpts:chr_file { read write open };
+
+# Create /dev/fscklogs files.
+allow init fscklogs:file create_file_perms;
+
+# Access /dev/__null__ node created prior to initial policy load.
+allow init tmpfs:chr_file write;
+
+# Access /dev/console.
+allow init console_device:chr_file rw_file_perms;
+
+# Access /dev/tty0.
+allow init tty_device:chr_file rw_file_perms;
+
+# Call mount(2).
+allow init self:global_capability_class_set sys_admin;
+
+# Create and mount on directories in /.
+allow init rootfs:dir create_dir_perms;
+allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
+
+# Mount on /dev/usb-ffs/adb.
+allow init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow init rootfs:lnk_file { create unlink };
+
+# Mount debugfs on /sys/kernel/debug.
+allow init sysfs:dir mounton;
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow init tmpfs:dir create_dir_perms;
+allow init tmpfs:dir mounton;
+allow init cgroup:dir create_dir_perms;
+r_dir_file(init, cgroup)
+allow init cpuctl_device:dir { create mounton };
+
+# /config
+allow init configfs:dir mounton;
+allow init configfs:dir create_dir_perms;
+allow init configfs:{ file lnk_file } create_file_perms;
+
+# /metadata
+allow init metadata_file:dir mounton;
+
+# Use tmpfs as /data, used for booting when /data is encrypted
+allow init tmpfs:dir relabelfrom;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow init self:global_capability_class_set dac_override;
+
+# Set system clock.
+allow init self:global_capability_class_set sys_time;
+
+allow init self:global_capability_class_set { sys_rawio mknod };
+
+# Mounting filesystems from block devices.
+allow init dev_type:blk_file r_file_perms;
+
+# Mounting filesystems.
+# Only allow relabelto for types used in context= mount options,
+# which should all be assigned the contextmount_type attribute.
+# This can be done in device-specific policy via type or typeattribute
+# declarations.
+allow init fs_type:filesystem ~relabelto;
+allow init unlabeled:filesystem ~relabelto;
+allow init contextmount_type:filesystem relabelto;
+
+# Allow read-only access to context= mounted filesystems.
+allow init contextmount_type:dir r_dir_perms;
+allow init contextmount_type:notdevfile_class_set r_file_perms;
+
+# restorecon /adb_keys or any other rootfs files and directories to a more
+# specific type.
+allow init rootfs:{ dir file } relabelfrom;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow init self:global_capability_class_set { chown fowner fsetid };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -misc_logd_file
+ -nativetest_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+}:dir { create search getattr open read setattr ioctl };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:dir { write add_name remove_name rmdir relabelfrom };
+
+allow init {
+ file_type
+ -app_data_file
+ -runtime_event_log_tags_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow init {
+ file_type
+ -app_data_file
+ -exec_type
+ -keystore_data_file
+ -misc_logd_file
+ -nativetest_data_file
+ -shell_data_file
+ -system_app_data_file
+ -system_file
+ -vendor_file_type
+ -vold_data_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow init cache_file:lnk_file r_file_perms;
+
+allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init dev_type:dir create_dir_perms;
+allow init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow init debugfs_tracing:file w_file_perms;
+
+# Setup and control wifi event tracing (see wifi-events.rc)
+allow init debugfs_tracing_instances:dir create_dir_perms;
+allow init debugfs_tracing_instances:file w_file_perms;
+allow init debugfs_wifi_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow init {
+ fs_type
+ -contextmount_type
+ -proc
+ -sdcard_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
+allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+
+# init should not be able to read or open generic devices
+# TODO: auditing to see if this can be deleted entirely
+allow init {
+ dev_type
+ -kmem_device
+ -port_device
+ -device
+ -vndbinder_device
+ }:chr_file { read open };
+auditallow init {
+ dev_type
+ -alarm_device
+ -ashmem_device
+ -binder_device
+ -console_device
+ -device
+ -devpts
+ -dm_device
+ -hwbinder_device
+ -hw_random_device
+ -keychord_device
+ -kmem_device
+ -kmsg_device
+ -null_device
+ -owntty_device
+ -port_device
+ -ptmx_device
+ -random_device
+ -zero_device
+}:chr_file { read open };
+
+# chown/chmod on devices.
+allow init { dev_type -kmem_device -port_device }:chr_file setattr;
+
+# Unlabeled file access for upgrades from 4.2.
+allow init unlabeled:dir { create_dir_perms relabelfrom };
+allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
+
+# Any operation that can modify the kernel ring buffer, e.g. clear
+# or a read that consumes the messages that were read.
+allow init kernel:system syslog_mod;
+allow init self:global_capability2_class_set syslog;
+
+# init access to /proc.
+r_dir_file(init, proc_net)
+
+allow init {
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
+
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_leds
+ sysfs_power
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
+
+# Reboot.
+allow init self:global_capability_class_set sys_boot;
+
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
+
+# Support "adb shell stop"
+allow init self:global_capability_class_set kill;
+allow init domain:process { getpgid sigkill signal };
+
+# Init creates keystore's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init keystore_data_file:dir { open create read getattr setattr search };
+allow init keystore_data_file:file { getattr };
+
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
+
+# Init creates /data/local/tmp at boot
+allow init shell_data_file:dir { open create read getattr setattr search };
+allow init shell_data_file:file { getattr };
+
+# Set UID, GID, and adjust capability bounding set for services.
+allow init self:global_capability_class_set { setuid setgid setpcap };
+
+# For bootchart to read the /proc/$pid/cmdline file of each process,
+# we need to have following line to allow init to have access
+# to different domains.
+r_dir_file(init, domain)
+
+# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
+# setexec is for services with seclabel options.
+# setfscreate is for labeling directories and socket files.
+# setsockcreate is for labeling local/unix domain sockets.
+allow init self:process { setexec setfscreate setsockcreate };
+
+# Get file context
+allow init file_contexts_file:file r_file_perms;
+
+# sepolicy access
+allow init sepolicy_file:file r_file_perms;
+
+# Perform SELinux access checks on setting properties.
+selinux_check_access(init)
+
+# Ask the kernel for the new context on services to label their sockets.
+allow init kernel:security compute_create;
+
+# Create sockets for the services.
+allow init domain:unix_stream_socket { create bind setopt };
+allow init domain:unix_dgram_socket { create bind setopt };
+
+# Create /data/property and files within it.
+allow init property_data_file:dir create_dir_perms;
+allow init property_data_file:file create_file_perms;
+
+# Set any property.
+allow init property_type:property_service set;
+
+# Send an SELinux userspace denial to the kernel audit subsystem,
+# so it can be picked up and processed by logd. These denials are
+# generated when an attempt to set a property is denied by policy.
+allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
+allow init self:global_capability_class_set audit_write;
+
+# Run "ifup lo" to bring up the localhost interface
+allow init self:udp_socket { create ioctl };
+# in addition to unpriv ioctls granted to all domains, init also needs:
+allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
+allow init self:global_capability_class_set net_raw;
+
+# This line seems suspect, as it should not really need to
+# set scheduling parameters for a kernel domain task.
+allow init kernel:process setsched;
+
+# swapon() needs write access to swap device
+# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
+allow init swap_block_device:blk_file rw_file_perms;
+
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
+# Create and access /dev files without a specific type,
+# e.g. /dev/.coldboot_done, /dev/.booting
+# TODO: Move these files into their own type unless they are
+# only ever accessed by init.
+allow init device:file create_file_perms;
+
+# keychord configuration
+allow init self:global_capability_class_set sys_tty_config;
+allow init keychord_device:chr_file rw_file_perms;
+
+# Access device mapper for setting up dm-verity
+allow init dm_device:chr_file rw_file_perms;
+allow init dm_device:blk_file rw_file_perms;
+
+# Access metadata block device for storing dm-verity state
+allow init metadata_block_device:blk_file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops to detect restarts caused
+# by dm-verity detecting corrupted blocks
+allow init pstorefs:dir search;
+allow init pstorefs:file r_file_perms;
+allow init kernel:system syslog_read;
+
+# linux keyring configuration
+allow init init:key { write search setattr };
+
+# Allow init to create /data/unencrypted
+allow init unencrypted_data_file:dir create_dir_perms;
+
+# Allow init to write to /proc/sys/vm/overcommit_memory
+allow init proc_overcommit_memory:file { write };
+
+# Raw writes to misc block device
+allow init misc_block_device:blk_file w_file_perms;
+
+r_dir_file(init, system_file)
+r_dir_file(init, vendor_file_type)
+
+allow init system_data_file:file { getattr read };
+allow init system_data_file:lnk_file r_file_perms;
+
+# For init to be able to run shell scripts from vendor
+allow init vendor_shell_exec:file execute;
+
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
+###
+### neverallow rules
+###
+
+# The init domain is only entered via an exec based transition from the
+# kernel domain, never via setcon().
+neverallow domain init:process dyntransition;
+neverallow { domain -kernel } init:process transition;
+neverallow init { file_type fs_type -init_exec }:file entrypoint;
+
+# Never read/follow symlinks created by shell or untrusted apps.
+neverallow init shell_data_file:lnk_file read;
+neverallow init app_data_file:lnk_file read;
+
+# init should never execute a program without changing to another domain.
+neverallow init { file_type fs_type }:file execute_no_trans;
+
+# Init never adds or uses services via service_manager.
+neverallow init service_manager_type:service_manager { add find };
+neverallow init servicemanager:service_manager list;
+
+# Init should not be creating subdirectories in /data/local/tmp
+neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
diff --git a/prebuilts/api/28.0/public/inputflinger.te b/prebuilts/api/28.0/public/inputflinger.te
new file mode 100644
index 0000000..e5f12a0
--- /dev/null
+++ b/prebuilts/api/28.0/public/inputflinger.te
@@ -0,0 +1,16 @@
+# inputflinger
+type inputflinger, domain;
+type inputflinger_exec, exec_type, file_type;
+
+binder_use(inputflinger)
+binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
+
+wakelock_use(inputflinger)
+
+add_service(inputflinger, inputflinger_service)
+allow inputflinger input_device:dir r_dir_perms;
+allow inputflinger input_device:chr_file rw_file_perms;
+
+r_dir_file(inputflinger, cgroup)
diff --git a/prebuilts/api/28.0/public/install_recovery.te b/prebuilts/api/28.0/public/install_recovery.te
new file mode 100644
index 0000000..ab68838
--- /dev/null
+++ b/prebuilts/api/28.0/public/install_recovery.te
@@ -0,0 +1,27 @@
+# service flash_recovery in init.rc
+type install_recovery, domain;
+type install_recovery_exec, exec_type, file_type;
+
+allow install_recovery self:global_capability_class_set dac_override;
+
+# /system/bin/install-recovery.sh is a shell script.
+# Needs to execute /system/bin/sh
+allow install_recovery shell_exec:file rx_file_perms;
+
+# Execute /system/bin/applypatch
+allow install_recovery system_file:file rx_file_perms;
+not_full_treble(`allow install_recovery vendor_file:file rx_file_perms;')
+
+allow install_recovery toolbox_exec:file rx_file_perms;
+
+# Update the recovery block device based off a diff of the boot block device
+allow install_recovery block_device:dir search;
+allow install_recovery boot_block_device:blk_file r_file_perms;
+allow install_recovery recovery_block_device:blk_file rw_file_perms;
+
+# Create and delete /cache/saved.file
+allow install_recovery cache_file:dir rw_dir_perms;
+allow install_recovery cache_file:file create_file_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow install_recovery proc_drop_caches:file w_file_perms;
diff --git a/prebuilts/api/28.0/public/installd.te b/prebuilts/api/28.0/public/installd.te
new file mode 100644
index 0000000..6aba962
--- /dev/null
+++ b/prebuilts/api/28.0/public/installd.te
@@ -0,0 +1,160 @@
+# installer daemon
+type installd, domain;
+type installd_exec, exec_type, file_type;
+typeattribute installd mlstrustedsubject;
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
+
+# Allow labeling of files under /data/app/com.example/oat/
+allow installd dalvikcache_data_file:dir relabelto;
+allow installd dalvikcache_data_file:file { relabelto link };
+
+# Allow movement of APK files between volumes
+allow installd apk_data_file:dir { create_dir_perms relabelfrom };
+allow installd apk_data_file:file { create_file_perms relabelfrom link };
+allow installd apk_data_file:lnk_file { create r_file_perms unlink };
+
+allow installd asec_apk_file:file r_file_perms;
+allow installd apk_tmp_file:file { r_file_perms unlink };
+allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
+allow installd oemfs:dir r_dir_perms;
+allow installd oemfs:file r_file_perms;
+allow installd cgroup:dir create_dir_perms;
+allow installd mnt_expand_file:dir { search getattr };
+# Check validity of SELinux context before use.
+selinux_check_context(installd)
+
+r_dir_file(installd, rootfs)
+# Scan through APKs in /system/app and /system/priv-app
+r_dir_file(installd, system_file)
+# Scan through APKs in /vendor/app
+r_dir_file(installd, vendor_app_file)
+# Scan through Runtime Resource Overlay APKs in /vendor/overlay
+r_dir_file(installd, vendor_overlay_file)
+# Get file context
+allow installd file_contexts_file:file r_file_perms;
+# Get seapp_context
+allow installd seapp_contexts_file:file r_file_perms;
+
+# Search /data/app-asec and stat files in it.
+allow installd asec_image_file:dir search;
+allow installd asec_image_file:file getattr;
+
+# Create /data/user and /data/user/0 if necessary.
+# Also required to initially create /data/data subdirectories
+# and lib symlinks before the setfilecon call. May want to
+# move symlink creation after setfilecon in installd.
+allow installd system_data_file:dir create_dir_perms;
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
+
+# Upgrade /data/media for multi-user if necessary.
+allow installd media_rw_data_file:dir create_dir_perms;
+allow installd media_rw_data_file:file { getattr unlink };
+# restorecon new /data/media directory.
+allow installd system_data_file:dir relabelfrom;
+allow installd media_rw_data_file:dir relabelto;
+
+# Delete /data/media files through sdcardfs, instead of going behind its back
+allow installd tmpfs:dir r_dir_perms;
+allow installd storage_file:dir search;
+allow installd sdcardfs:dir { search open read write remove_name getattr rmdir };
+allow installd sdcardfs:file { getattr unlink };
+
+# Upgrade /data/misc/keychain for multi-user if necessary.
+allow installd misc_user_data_file:dir create_dir_perms;
+allow installd misc_user_data_file:file create_file_perms;
+allow installd keychain_data_file:dir create_dir_perms;
+allow installd keychain_data_file:file {r_file_perms unlink};
+
+# Create /data/.layout_version.* file
+allow installd install_data_file:file create_file_perms;
+
+# Create files under /data/dalvik-cache.
+allow installd dalvikcache_data_file:dir create_dir_perms;
+allow installd dalvikcache_data_file:file create_file_perms;
+allow installd dalvikcache_data_file:lnk_file getattr;
+
+# Create files under /data/resource-cache.
+allow installd resourcecache_data_file:dir rw_dir_perms;
+allow installd resourcecache_data_file:file create_file_perms;
+
+# Upgrade from unlabeled userdata.
+# Just need enough to remove and/or relabel it.
+allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
+allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
+# Read pkg.apk file for input during dexopt.
+allow installd unlabeled:file r_file_perms;
+
+# Upgrade from before system_app_data_file was used for system UID apps.
+# Just need enough to relabel it and to unlink removed package files.
+# Directory access covered by earlier rule above.
+allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
+
+# Manage /data/data subdirectories, including initially labeling them
+# upon creation via setfilecon or running restorecon_recursive,
+# setting owner/mode, creating symlinks within them, and deleting them
+# upon package uninstall.
+# Types extracted from seapp_contexts type= fields.
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
+
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+
+# Files created/updated by profman dumps.
+allow installd profman_dump_data_file:dir { search add_name write };
+allow installd profman_dump_data_file:file { create setattr open write };
+
+# Create and use pty created by android_fork_execvp().
+allow installd devpts:chr_file rw_file_perms;
+
+# execute toybox for app relocation
+allow installd toolbox_exec:file rx_file_perms;
+
+# Allow installd to publish a binder service and make binder calls.
+binder_use(installd)
+add_service(installd, installd_service)
+allow installd dumpstate:fifo_file { getattr write };
+
+# Allow installd to call into the system server so it can check permissions.
+binder_call(installd, system_server)
+allow installd permission_service:service_manager find;
+
+# Allow installd to read and write quotas
+allow installd block_device:dir { search };
+allow installd labeledfs:filesystem { quotaget quotamod };
+
+# Allow installd to delete from /data/preloads when trimming data caches
+# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
+allow installd preloads_data_file:file { r_file_perms unlink };
+allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
+allow installd preloads_media_file:file { r_file_perms unlink };
+allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
+
+###
+### Neverallow rules
+###
+
+# only system_server, installd and dumpstate may interact with installd over binder
+neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
+neverallow { domain -system_server -dumpstate } installd:binder call;
+neverallow installd { domain -system_server -servicemanager userdebug_or_eng(`-su') }:binder call;
diff --git a/prebuilts/api/28.0/public/ioctl_defines b/prebuilts/api/28.0/public/ioctl_defines
new file mode 100644
index 0000000..4097fb9
--- /dev/null
+++ b/prebuilts/api/28.0/public/ioctl_defines
@@ -0,0 +1,2694 @@
+define(`FIBMAP', `0x00000001')
+define(`FIGETBSZ', `0x00000002')
+define(`FDCLRPRM', `0x00000241')
+define(`FDMSGON', `0x00000245')
+define(`FDMSGOFF', `0x00000246')
+define(`FDFMTBEG', `0x00000247')
+define(`FDFMTEND', `0x00000249')
+define(`FDSETEMSGTRESH', `0x0000024a')
+define(`FDFLUSH', `0x0000024b')
+define(`FDRESET', `0x00000254')
+define(`FDWERRORCLR', `0x00000256')
+define(`FDRAWCMD', `0x00000258')
+define(`FDTWADDLE', `0x00000259')
+define(`FDEJECT', `0x0000025a')
+define(`HDIO_GETGEO', `0x00000301')
+define(`HDIO_GET_UNMASKINTR', `0x00000302')
+define(`HDIO_GET_MULTCOUNT', `0x00000304')
+define(`HDIO_GET_QDMA', `0x00000305')
+define(`HDIO_SET_XFER', `0x00000306')
+define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
+define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
+define(`HDIO_GET_32BIT', `0x00000309')
+define(`HDIO_GET_NOWERR', `0x0000030a')
+define(`HDIO_GET_DMA', `0x0000030b')
+define(`HDIO_GET_NICE', `0x0000030c')
+define(`HDIO_GET_IDENTITY', `0x0000030d')
+define(`HDIO_GET_WCACHE', `0x0000030e')
+define(`HDIO_GET_ACOUSTIC', `0x0000030f')
+define(`HDIO_GET_ADDRESS', `0x00000310')
+define(`HDIO_GET_BUSSTATE', `0x0000031a')
+define(`HDIO_TRISTATE_HWIF', `0x0000031b')
+define(`HDIO_DRIVE_RESET', `0x0000031c')
+define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
+define(`HDIO_DRIVE_TASK', `0x0000031e')
+define(`HDIO_DRIVE_CMD', `0x0000031f')
+define(`HDIO_SET_MULTCOUNT', `0x00000321')
+define(`HDIO_SET_UNMASKINTR', `0x00000322')
+define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
+define(`HDIO_SET_32BIT', `0x00000324')
+define(`HDIO_SET_NOWERR', `0x00000325')
+define(`HDIO_SET_DMA', `0x00000326')
+define(`HDIO_SET_PIO_MODE', `0x00000327')
+define(`HDIO_SCAN_HWIF', `0x00000328')
+define(`HDIO_SET_NICE', `0x00000329')
+define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
+define(`HDIO_SET_WCACHE', `0x0000032b')
+define(`HDIO_SET_ACOUSTIC', `0x0000032c')
+define(`HDIO_SET_BUSSTATE', `0x0000032d')
+define(`HDIO_SET_QDMA', `0x0000032e')
+define(`HDIO_SET_ADDRESS', `0x0000032f')
+define(`IOCTL_VMCI_VERSION', `0x0000079f')
+define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
+define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
+define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
+define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
+define(`IOCTL_VMCI_VERSION2', `0x000007a7')
+define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
+define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
+define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
+define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
+define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
+define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
+define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
+define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
+define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
+define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
+define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
+define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
+define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
+define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
+define(`RAID_AUTORUN', `0x00000914')
+define(`CLEAR_ARRAY', `0x00000920')
+define(`HOT_REMOVE_DISK', `0x00000922')
+define(`SET_DISK_INFO', `0x00000924')
+define(`WRITE_RAID_INFO', `0x00000925')
+define(`UNPROTECT_ARRAY', `0x00000926')
+define(`PROTECT_ARRAY', `0x00000927')
+define(`HOT_ADD_DISK', `0x00000928')
+define(`SET_DISK_FAULTY', `0x00000929')
+define(`HOT_GENERATE_ERROR', `0x0000092a')
+define(`STOP_ARRAY', `0x00000932')
+define(`STOP_ARRAY_RO', `0x00000933')
+define(`RESTART_ARRAY_RW', `0x00000934')
+define(`BLKROSET', `0x0000125d')
+define(`BLKROGET', `0x0000125e')
+define(`BLKRRPART', `0x0000125f')
+define(`BLKGETSIZE', `0x00001260')
+define(`BLKFLSBUF', `0x00001261')
+define(`BLKRASET', `0x00001262')
+define(`BLKRAGET', `0x00001263')
+define(`BLKFRASET', `0x00001264')
+define(`BLKFRAGET', `0x00001265')
+define(`BLKSECTSET', `0x00001266')
+define(`BLKSECTGET', `0x00001267')
+define(`BLKSSZGET', `0x00001268')
+define(`BLKPG', `0x00001269')
+define(`BLKTRACESTART', `0x00001274')
+define(`BLKTRACESTOP', `0x00001275')
+define(`BLKTRACETEARDOWN', `0x00001276')
+define(`BLKDISCARD', `0x00001277')
+define(`BLKIOMIN', `0x00001278')
+define(`BLKIOOPT', `0x00001279')
+define(`BLKALIGNOFF', `0x0000127a')
+define(`BLKPBSZGET', `0x0000127b')
+define(`BLKDISCARDZEROES', `0x0000127c')
+define(`BLKSECDISCARD', `0x0000127d')
+define(`BLKROTATIONAL', `0x0000127e')
+define(`BLKZEROOUT', `0x0000127f')
+define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
+define(`SG_SET_TIMEOUT', `0x00002201')
+define(`SG_GET_TIMEOUT', `0x00002202')
+define(`SG_EMULATED_HOST', `0x00002203')
+define(`SG_SET_TRANSFORM', `0x00002204')
+define(`SG_GET_TRANSFORM', `0x00002205')
+define(`SG_GET_COMMAND_Q', `0x00002270')
+define(`SG_SET_COMMAND_Q', `0x00002271')
+define(`SG_GET_RESERVED_SIZE', `0x00002272')
+define(`SG_SET_RESERVED_SIZE', `0x00002275')
+define(`SG_GET_SCSI_ID', `0x00002276')
+define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
+define(`SG_GET_LOW_DMA', `0x0000227a')
+define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
+define(`SG_GET_PACK_ID', `0x0000227c')
+define(`SG_GET_NUM_WAITING', `0x0000227d')
+define(`SG_SET_DEBUG', `0x0000227e')
+define(`SG_GET_SG_TABLESIZE', `0x0000227f')
+define(`SG_GET_VERSION_NUM', `0x00002282')
+define(`SG_NEXT_CMD_LEN', `0x00002283')
+define(`SG_SCSI_RESET', `0x00002284')
+define(`SG_IO', `0x00002285')
+define(`SG_GET_REQUEST_TABLE', `0x00002286')
+define(`SG_SET_KEEP_ORPHAN', `0x00002287')
+define(`SG_GET_KEEP_ORPHAN', `0x00002288')
+define(`SG_GET_ACCESS_COUNT', `0x00002289')
+define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
+define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
+define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
+define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
+define(`PERF_EVENT_IOC_RESET', `0x00002403')
+define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
+define(`SNAPSHOT_FREEZE', `0x00003301')
+define(`SNAPSHOT_UNFREEZE', `0x00003302')
+define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
+define(`SNAPSHOT_FREE', `0x00003305')
+define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
+define(`SNAPSHOT_S2RAM', `0x0000330b')
+define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
+define(`SNAPSHOT_POWER_OFF', `0x00003310')
+define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
+define(`VFIO_GET_API_VERSION', `0x00003b64')
+define(`VFIO_CHECK_EXTENSION', `0x00003b65')
+define(`VFIO_SET_IOMMU', `0x00003b66')
+define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
+define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
+define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
+define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
+define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
+define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
+define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
+define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
+define(`VFIO_DEVICE_RESET', `0x00003b6f')
+define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
+define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
+define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
+define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
+define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
+define(`VFIO_IOMMU_ENABLE', `0x00003b73')
+define(`VFIO_IOMMU_DISABLE', `0x00003b74')
+define(`VFIO_EEH_PE_OP', `0x00003b79')
+define(`AGPIOC_ACQUIRE', `0x00004101')
+define(`APM_IOC_STANDBY', `0x00004101')
+define(`AGPIOC_RELEASE', `0x00004102')
+define(`APM_IOC_SUSPEND', `0x00004102')
+define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
+define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
+define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
+define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
+define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
+define(`SNDRV_PCM_IOCTL_START', `0x00004142')
+define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
+define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
+define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
+define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
+define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
+define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
+define(`PMU_IOC_SLEEP', `0x00004200')
+define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
+define(`CCISS_REVALIDVOLS', `0x0000420a')
+define(`CCISS_DEREGDISK', `0x0000420c')
+define(`CCISS_REGNEWD', `0x0000420e')
+define(`CCISS_RESCANDISK', `0x00004210')
+define(`SNDCTL_COPR_RESET', `0x00004300')
+define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
+define(`SNDRV_COMPRESS_RESUME', `0x00004331')
+define(`SNDRV_COMPRESS_START', `0x00004332')
+define(`SNDRV_COMPRESS_STOP', `0x00004333')
+define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
+define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
+define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
+define(`IOCTL_EVTCHN_RESET', `0x00004505')
+define(`FBIOGET_VSCREENINFO', `0x00004600')
+define(`FBIOPUT_VSCREENINFO', `0x00004601')
+define(`FBIOGET_FSCREENINFO', `0x00004602')
+define(`FBIOGETCMAP', `0x00004604')
+define(`FBIOPUTCMAP', `0x00004605')
+define(`FBIOPAN_DISPLAY', `0x00004606')
+define(`FBIOGET_CON2FBMAP', `0x0000460f')
+define(`FBIOPUT_CON2FBMAP', `0x00004610')
+define(`FBIOBLANK', `0x00004611')
+define(`FBIO_ALLOC', `0x00004613')
+define(`FBIO_FREE', `0x00004614')
+define(`FBIOGET_GLYPH', `0x00004615')
+define(`FBIOGET_HWCINFO', `0x00004616')
+define(`FBIOPUT_MODEINFO', `0x00004617')
+define(`FBIOGET_DISPINFO', `0x00004618')
+define(`FBIO_WAITEVENT', `0x00004688')
+define(`GSMIOC_DISABLE_NET', `0x00004703')
+define(`HIDIOCAPPLICATION', `0x00004802')
+define(`HIDIOCINITREPORT', `0x00004805')
+define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
+define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
+define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
+define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
+define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
+define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
+define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
+define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
+define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
+define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
+define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
+define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
+define(`IIOCNETAIF', `0x00004901')
+define(`IIOCNETDIF', `0x00004902')
+define(`IIOCNETSCF', `0x00004903')
+define(`IIOCNETGCF', `0x00004904')
+define(`IIOCNETANM', `0x00004905')
+define(`IIOCNETDNM', `0x00004906')
+define(`IIOCNETGNM', `0x00004907')
+define(`IIOCGETSET', `0x00004908')
+define(`IIOCSETSET', `0x00004909')
+define(`IIOCSETVER', `0x0000490a')
+define(`IIOCNETHUP', `0x0000490b')
+define(`IIOCSETGST', `0x0000490c')
+define(`IIOCSETBRJ', `0x0000490d')
+define(`IIOCSIGPRF', `0x0000490e')
+define(`IIOCGETPRF', `0x0000490f')
+define(`IIOCSETPRF', `0x00004910')
+define(`IIOCGETMAP', `0x00004911')
+define(`IIOCSETMAP', `0x00004912')
+define(`IIOCNETASL', `0x00004913')
+define(`IIOCNETDIL', `0x00004914')
+define(`IIOCGETCPS', `0x00004915')
+define(`IIOCGETDVR', `0x00004916')
+define(`IIOCNETLCR', `0x00004917')
+define(`IIOCNETDWRSET', `0x00004918')
+define(`IIOCNETALN', `0x00004920')
+define(`IIOCNETDLN', `0x00004921')
+define(`IIOCNETGPN', `0x00004922')
+define(`IIOCDBGVAR', `0x0000497f')
+define(`IIOCDRVCTL', `0x00004980')
+define(`ION_IOC_TEST_SET_FD', `0x000049f0')
+define(`KIOCSOUND', `0x00004b2f')
+define(`KDMKTONE', `0x00004b30')
+define(`KDGETLED', `0x00004b31')
+define(`KDSETLED', `0x00004b32')
+define(`KDGKBTYPE', `0x00004b33')
+define(`KDADDIO', `0x00004b34')
+define(`KDDELIO', `0x00004b35')
+define(`KDENABIO', `0x00004b36')
+define(`KDDISABIO', `0x00004b37')
+define(`KDSETMODE', `0x00004b3a')
+define(`KDGETMODE', `0x00004b3b')
+define(`KDMAPDISP', `0x00004b3c')
+define(`KDUNMAPDISP', `0x00004b3d')
+define(`GIO_SCRNMAP', `0x00004b40')
+define(`PIO_SCRNMAP', `0x00004b41')
+define(`KDGKBMODE', `0x00004b44')
+define(`KDSKBMODE', `0x00004b45')
+define(`KDGKBENT', `0x00004b46')
+define(`KDSKBENT', `0x00004b47')
+define(`KDGKBSENT', `0x00004b48')
+define(`KDSKBSENT', `0x00004b49')
+define(`KDGKBDIACR', `0x00004b4a')
+define(`KDSKBDIACR', `0x00004b4b')
+define(`KDGETKEYCODE', `0x00004b4c')
+define(`KDSETKEYCODE', `0x00004b4d')
+define(`KDSIGACCEPT', `0x00004b4e')
+define(`KDKBDREP', `0x00004b52')
+define(`GIO_FONT', `0x00004b60')
+define(`PIO_FONT', `0x00004b61')
+define(`KDGKBMETA', `0x00004b62')
+define(`KDSKBMETA', `0x00004b63')
+define(`KDGKBLED', `0x00004b64')
+define(`KDSKBLED', `0x00004b65')
+define(`GIO_UNIMAP', `0x00004b66')
+define(`PIO_UNIMAP', `0x00004b67')
+define(`PIO_UNIMAPCLR', `0x00004b68')
+define(`GIO_UNISCRNMAP', `0x00004b69')
+define(`PIO_UNISCRNMAP', `0x00004b6a')
+define(`GIO_FONTX', `0x00004b6b')
+define(`PIO_FONTX', `0x00004b6c')
+define(`PIO_FONTRESET', `0x00004b6d')
+define(`GIO_CMAP', `0x00004b70')
+define(`PIO_CMAP', `0x00004b71')
+define(`KDFONTOP', `0x00004b72')
+define(`KDGKBDIACRUC', `0x00004bfa')
+define(`KDSKBDIACRUC', `0x00004bfb')
+define(`LOOP_SET_FD', `0x00004c00')
+define(`LOOP_CLR_FD', `0x00004c01')
+define(`LOOP_SET_STATUS', `0x00004c02')
+define(`LOOP_GET_STATUS', `0x00004c03')
+define(`LOOP_SET_STATUS64', `0x00004c04')
+define(`LOOP_GET_STATUS64', `0x00004c05')
+define(`LOOP_CHANGE_FD', `0x00004c06')
+define(`LOOP_SET_CAPACITY', `0x00004c07')
+define(`LOOP_CTL_ADD', `0x00004c80')
+define(`LOOP_CTL_REMOVE', `0x00004c81')
+define(`LOOP_CTL_GET_FREE', `0x00004c82')
+define(`MTDFILEMODE', `0x00004d13')
+define(`NVME_IOCTL_ID', `0x00004e40')
+define(`UBI_IOCVOLRMBLK', `0x00004f08')
+define(`OMAPFB_SYNC_GFX', `0x00004f25')
+define(`OMAPFB_VSYNC', `0x00004f26')
+define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
+define(`OMAPFB_WAITFORGO', `0x00004f3c')
+define(`SNDCTL_DSP_RESET', `0x00005000')
+define(`SNDCTL_DSP_SYNC', `0x00005001')
+define(`SNDCTL_DSP_POST', `0x00005008')
+define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
+define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
+define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
+define(`SNDCTL_SEQ_RESET', `0x00005100')
+define(`SNDCTL_SEQ_SYNC', `0x00005101')
+define(`SNDCTL_SEQ_PANIC', `0x00005111')
+define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
+define(`RNDZAPENTCNT', `0x00005204')
+define(`RNDCLEARPOOL', `0x00005206')
+define(`CDROMPAUSE', `0x00005301')
+define(`CDROMRESUME', `0x00005302')
+define(`CDROMPLAYMSF', `0x00005303')
+define(`CDROMPLAYTRKIND', `0x00005304')
+define(`CDROMREADTOCHDR', `0x00005305')
+define(`CDROMREADTOCENTRY', `0x00005306')
+define(`CDROMSTOP', `0x00005307')
+define(`CDROMSTART', `0x00005308')
+define(`CDROMEJECT', `0x00005309')
+define(`CDROMVOLCTRL', `0x0000530a')
+define(`CDROMSUBCHNL', `0x0000530b')
+define(`CDROMREADMODE2', `0x0000530c')
+define(`CDROMREADMODE1', `0x0000530d')
+define(`CDROMREADAUDIO', `0x0000530e')
+define(`CDROMEJECT_SW', `0x0000530f')
+define(`CDROMMULTISESSION', `0x00005310')
+define(`CDROM_GET_MCN', `0x00005311')
+define(`CDROMRESET', `0x00005312')
+define(`CDROMVOLREAD', `0x00005313')
+define(`CDROMREADRAW', `0x00005314')
+define(`CDROMREADCOOKED', `0x00005315')
+define(`CDROMSEEK', `0x00005316')
+define(`CDROMPLAYBLK', `0x00005317')
+define(`CDROMREADALL', `0x00005318')
+define(`CDROMCLOSETRAY', `0x00005319')
+define(`CDROMGETSPINDOWN', `0x0000531d')
+define(`CDROMSETSPINDOWN', `0x0000531e')
+define(`CDROM_SET_OPTIONS', `0x00005320')
+define(`CDROM_CLEAR_OPTIONS', `0x00005321')
+define(`CDROM_SELECT_SPEED', `0x00005322')
+define(`CDROM_SELECT_DISC', `0x00005323')
+define(`CDROM_MEDIA_CHANGED', `0x00005325')
+define(`CDROM_DRIVE_STATUS', `0x00005326')
+define(`CDROM_DISC_STATUS', `0x00005327')
+define(`CDROM_CHANGER_NSLOTS', `0x00005328')
+define(`CDROM_LOCKDOOR', `0x00005329')
+define(`CDROM_DEBUG', `0x00005330')
+define(`CDROM_GET_CAPABILITY', `0x00005331')
+define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
+define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
+define(`CDROMAUDIOBUFSIZ', `0x00005382')
+define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
+define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
+define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
+define(`SCSI_IOCTL_GET_PCI', `0x00005387')
+define(`DVD_READ_STRUCT', `0x00005390')
+define(`DVD_WRITE_STRUCT', `0x00005391')
+define(`DVD_AUTH', `0x00005392')
+define(`CDROM_SEND_PACKET', `0x00005393')
+define(`CDROM_NEXT_WRITABLE', `0x00005394')
+define(`CDROM_LAST_WRITTEN', `0x00005395')
+define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
+define(`SNDCTL_TMR_START', `0x00005402')
+define(`TCSETS', `0x00005402')
+define(`SNDCTL_TMR_STOP', `0x00005403')
+define(`TCSETSW', `0x00005403')
+define(`SNDCTL_TMR_CONTINUE', `0x00005404')
+define(`TCSETSF', `0x00005404')
+define(`TCGETA', `0x00005405')
+define(`TCSETA', `0x00005406')
+define(`TCSETAW', `0x00005407')
+define(`TCSETAF', `0x00005408')
+define(`TCSBRK', `0x00005409')
+define(`TCXONC', `0x0000540a')
+define(`TCFLSH', `0x0000540b')
+define(`TIOCEXCL', `0x0000540c')
+define(`TIOCNXCL', `0x0000540d')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
+define(`TIOCGPGRP', `0x0000540f')
+define(`TIOCSPGRP', `0x00005410')
+define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
+define(`TIOCSTI', `0x00005412')
+define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
+define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
+define(`TIOCMGET', `0x00005415')
+define(`TIOCMBIS', `0x00005416')
+define(`TIOCMBIC', `0x00005417')
+define(`TIOCMSET', `0x00005418')
+define(`TIOCGSOFTCAR', `0x00005419')
+define(`TIOCSSOFTCAR', `0x0000541a')
+define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
+define(`TIOCLINUX', `0x0000541c')
+define(`TIOCCONS', `0x0000541d')
+define(`TIOCGSERIAL', `0x0000541e')
+define(`TIOCSSERIAL', `0x0000541f')
+define(`TIOCPKT', `0x00005420')
+define(`FIONBIO', `0x00005421')
+define(`TIOCNOTTY', `0x00005422')
+define(`TIOCSETD', `0x00005423')
+define(`TIOCGETD', `0x00005424')
+define(`TCSBRKP', `0x00005425')
+define(`TIOCSBRK', `0x00005427')
+define(`TIOCCBRK', `0x00005428')
+define(`TIOCGSID', `0x00005429')
+define(`TIOCGRS485', `0x0000542e')
+define(`TIOCSRS485', `0x0000542f')
+define(`TCGETX', `0x00005432')
+define(`TCSETX', `0x00005433')
+define(`TCSETXF', `0x00005434')
+define(`TCSETXW', `0x00005435')
+define(`TIOCVHANGUP', `0x00005437')
+define(`FIONCLEX', `0x00005450')
+define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
+define(`FIOASYNC', `0x00005452')
+define(`TIOCSERCONFIG', `0x00005453')
+define(`TIOCSERGWILD', `0x00005454')
+define(`TIOCSERSWILD', `0x00005455')
+define(`TIOCGLCKTRMIOS', `0x00005456')
+define(`TIOCSLCKTRMIOS', `0x00005457')
+define(`TIOCSERGSTRUCT', `0x00005458')
+define(`TIOCSERGETLSR', `0x00005459')
+define(`TIOCSERGETMULTI', `0x0000545a')
+define(`TIOCSERSETMULTI', `0x0000545b')
+define(`TIOCMIWAIT', `0x0000545c')
+define(`TIOCGICOUNT', `0x0000545d')
+define(`FIOQSIZE', `0x00005460')
+define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
+define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
+define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
+define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
+define(`UI_DEV_CREATE', `0x00005501')
+define(`UI_DEV_DESTROY', `0x00005502')
+define(`USBDEVFS_DISCARDURB', `0x0000550b')
+define(`USBDEVFS_RESET', `0x00005514')
+define(`USBDEVFS_DISCONNECT', `0x00005516')
+define(`USBDEVFS_CONNECT', `0x00005517')
+define(`VT_OPENQRY', `0x00005600')
+define(`VIDIOC_RESERVED', `0x00005601')
+define(`VT_GETMODE', `0x00005601')
+define(`VT_SETMODE', `0x00005602')
+define(`VT_GETSTATE', `0x00005603')
+define(`VT_SENDSIG', `0x00005604')
+define(`VT_RELDISP', `0x00005605')
+define(`VT_ACTIVATE', `0x00005606')
+define(`VT_WAITACTIVE', `0x00005607')
+define(`VT_DISALLOCATE', `0x00005608')
+define(`VT_RESIZE', `0x00005609')
+define(`VT_RESIZEX', `0x0000560a')
+define(`VT_LOCKSWITCH', `0x0000560b')
+define(`VT_UNLOCKSWITCH', `0x0000560c')
+define(`VT_GETHIFONTMASK', `0x0000560d')
+define(`VT_WAITEVENT', `0x0000560e')
+define(`VT_SETACTIVATE', `0x0000560f')
+define(`VIDIOC_LOG_STATUS', `0x00005646')
+define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
+define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
+define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
+define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
+define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
+define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
+define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
+define(`ANDROID_ALARM_WAIT', `0x00006101')
+define(`NS_ADJBUFLEV', `0x00006163')
+define(`SIOCSIFATMTCP', `0x00006180')
+define(`ATMTCP_CREATE', `0x0000618e')
+define(`ATMTCP_REMOVE', `0x0000618f')
+define(`ATMLEC_CTRL', `0x000061d0')
+define(`ATMLEC_DATA', `0x000061d1')
+define(`ATMLEC_MCAST', `0x000061d2')
+define(`ATMMPC_CTRL', `0x000061d8')
+define(`ATMMPC_DATA', `0x000061d9')
+define(`SIOCMKCLIP', `0x000061e0')
+define(`ATMARPD_CTRL', `0x000061e1')
+define(`ATMARP_MKIP', `0x000061e2')
+define(`ATMARP_SETENTRY', `0x000061e3')
+define(`ATMARP_ENCAP', `0x000061e5')
+define(`ATMSIGD_CTRL', `0x000061f0')
+define(`BT819_FIFO_RESET_LOW', `0x00006200')
+define(`BT819_FIFO_RESET_HIGH', `0x00006201')
+define(`CM_IOCSRDR', `0x00006303')
+define(`CM_IOCARDOFF', `0x00006304')
+define(`BC_REGISTER_LOOPER', `0x0000630b')
+define(`BC_ENTER_LOOPER', `0x0000630c')
+define(`BC_EXIT_LOOPER', `0x0000630d')
+define(`CHIOINITELEM', `0x00006311')
+define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
+define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
+define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
+define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
+define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
+define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
+define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
+define(`DRM_IOCTL_I915_FLIP', `0x00006442')
+define(`DRM_IOCTL_MGA_RESET', `0x00006442')
+define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
+define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
+define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
+define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
+define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
+define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
+define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
+define(`DRM_IOCTL_I810_SWAP', `0x00006446')
+define(`DRM_IOCTL_R128_RESET', `0x00006446')
+define(`DRM_IOCTL_R128_SWAP', `0x00006447')
+define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
+define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
+define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
+define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
+define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
+define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
+define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
+define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
+define(`DRM_IOCTL_R128_FLIP', `0x00006453')
+define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
+define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
+define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
+define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
+define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
+define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
+define(`GADGETFS_FIFO_STATUS', `0x00006701')
+define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
+define(`GADGETFS_FIFO_FLUSH', `0x00006702')
+define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
+define(`GADGETFS_CLEAR_HALT', `0x00006703')
+define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
+define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
+define(`HPET_IE_ON', `0x00006801')
+define(`HPET_IE_OFF', `0x00006802')
+define(`HPET_EPI', `0x00006804')
+define(`HPET_DPI', `0x00006805')
+define(`LIRC_NOTIFY_DECODE', `0x00006920')
+define(`LIRC_SETUP_START', `0x00006921')
+define(`LIRC_SETUP_END', `0x00006922')
+define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
+define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
+define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
+define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
+define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
+define(`KYRO_IOCTL_STRIDE', `0x00006b05')
+define(`HSC_RESET', `0x00006b10')
+define(`HSC_SET_PM', `0x00006b11')
+define(`HSC_SEND_BREAK', `0x00006b12')
+define(`MMTIMER_GETOFFSET', `0x00006d00')
+define(`MGSL_IOCSTXIDLE', `0x00006d02')
+define(`MGSL_IOCGTXIDLE', `0x00006d03')
+define(`MGSL_IOCTXENABLE', `0x00006d04')
+define(`MMTIMER_GETBITS', `0x00006d04')
+define(`MGSL_IOCRXENABLE', `0x00006d05')
+define(`MGSL_IOCTXABORT', `0x00006d06')
+define(`MMTIMER_MMAPAVAIL', `0x00006d06')
+define(`MGSL_IOCGSTATS', `0x00006d07')
+define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
+define(`MGSL_IOCSIF', `0x00006d0a')
+define(`MGSL_IOCGIF', `0x00006d0b')
+define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
+define(`MGSL_IOCSXSYNC', `0x00006d13')
+define(`MGSL_IOCGXSYNC', `0x00006d14')
+define(`MGSL_IOCSXCTRL', `0x00006d15')
+define(`MGSL_IOCGXCTRL', `0x00006d16')
+define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
+define(`AUDIO_STOP', `0x00006f01')
+define(`AUDIO_PLAY', `0x00006f02')
+define(`AUDIO_PAUSE', `0x00006f03')
+define(`AUDIO_CONTINUE', `0x00006f04')
+define(`AUDIO_SELECT_SOURCE', `0x00006f05')
+define(`AUDIO_SET_MUTE', `0x00006f06')
+define(`AUDIO_SET_AV_SYNC', `0x00006f07')
+define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
+define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
+define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
+define(`AUDIO_SET_ID', `0x00006f0d')
+define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
+define(`AUDIO_SET_EXT_ID', `0x00006f10')
+define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
+define(`VIDEO_STOP', `0x00006f15')
+define(`VIDEO_PLAY', `0x00006f16')
+define(`VIDEO_FREEZE', `0x00006f17')
+define(`VIDEO_CONTINUE', `0x00006f18')
+define(`VIDEO_SELECT_SOURCE', `0x00006f19')
+define(`VIDEO_SET_BLANK', `0x00006f1a')
+define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
+define(`VIDEO_FAST_FORWARD', `0x00006f1f')
+define(`VIDEO_SLOWMOTION', `0x00006f20')
+define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
+define(`VIDEO_SET_ID', `0x00006f23')
+define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
+define(`VIDEO_SET_FORMAT', `0x00006f25')
+define(`VIDEO_SET_SYSTEM', `0x00006f26')
+define(`DMX_START', `0x00006f29')
+define(`DMX_STOP', `0x00006f2a')
+define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
+define(`NET_REMOVE_IF', `0x00006f35')
+define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
+define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
+define(`FE_DISEQC_SEND_BURST', `0x00006f41')
+define(`FE_SET_TONE', `0x00006f42')
+define(`FE_SET_VOLTAGE', `0x00006f43')
+define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
+define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
+define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
+define(`CA_RESET', `0x00006f80')
+define(`RTC_AIE_ON', `0x00007001')
+define(`RTC_AIE_OFF', `0x00007002')
+define(`RTC_UIE_ON', `0x00007003')
+define(`PHN_NOT_OH', `0x00007004')
+define(`RTC_UIE_OFF', `0x00007004')
+define(`RTC_PIE_ON', `0x00007005')
+define(`RTC_PIE_OFF', `0x00007006')
+define(`RTC_WIE_ON', `0x0000700f')
+define(`RTC_WIE_OFF', `0x00007010')
+define(`RTC_VL_CLR', `0x00007014')
+define(`NVRAM_INIT', `0x00007040')
+define(`NVRAM_SETCKS', `0x00007041')
+define(`PPCLAIM', `0x0000708b')
+define(`PPRELEASE', `0x0000708c')
+define(`PPYIELD', `0x0000708d')
+define(`PPEXCL', `0x0000708f')
+define(`PHONE_CAPABILITIES', `0x00007180')
+define(`PHONE_RING', `0x00007183')
+define(`PHONE_HOOKSTATE', `0x00007184')
+define(`OLD_PHONE_RING_START', `0x00007187')
+define(`PHONE_RING_STOP', `0x00007188')
+define(`PHONE_REC_START', `0x0000718a')
+define(`PHONE_REC_STOP', `0x0000718b')
+define(`PHONE_REC_LEVEL', `0x0000718f')
+define(`PHONE_PLAY_START', `0x00007191')
+define(`PHONE_PLAY_STOP', `0x00007192')
+define(`PHONE_PLAY_LEVEL', `0x00007195')
+define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
+define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
+define(`PHONE_GET_TONE_STATE', `0x000071a0')
+define(`PHONE_BUSY', `0x000071a1')
+define(`PHONE_RINGBACK', `0x000071a2')
+define(`PHONE_DIALTONE', `0x000071a3')
+define(`PHONE_CPT_STOP', `0x000071a4')
+define(`PHONE_PSTN_GET_STATE', `0x000071a5')
+define(`PHONE_PSTN_LINETEST', `0x000071a8')
+define(`IXJCTL_DSP_RESET', `0x000071c0')
+define(`IXJCTL_DSP_IDLE', `0x000071c5')
+define(`IXJCTL_TESTRAM', `0x000071c6')
+define(`IXJCTL_AEC_STOP', `0x000071cc')
+define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
+define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
+define(`IXJCTL_PLAY_CID', `0x000071d7')
+define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
+define(`BR_OK', `0x00007201')
+define(`BR_DEAD_REPLY', `0x00007205')
+define(`BR_TRANSACTION_COMPLETE', `0x00007206')
+define(`BR_NOOP', `0x0000720c')
+define(`BR_SPAWN_LOOPER', `0x0000720d')
+define(`BR_FINISHED', `0x0000720e')
+define(`BR_FAILED_REPLY', `0x00007211')
+define(`MEYEIOC_STILLCAPT', `0x000076c4')
+define(`ASHMEM_GET_SIZE', `0x00007704')
+define(`ASHMEM_GET_PROT_MASK', `0x00007706')
+define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
+define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
+define(`FIOSETOWN', `0x00008901')
+define(`SIOCSPGRP', `0x00008902')
+define(`FIOGETOWN', `0x00008903')
+define(`SIOCGPGRP', `0x00008904')
+define(`SIOCATMARK', `0x00008905')
+define(`SIOCGSTAMP', `0x00008906')
+define(`SIOCGSTAMPNS', `0x00008907')
+define(`SIOCADDRT', `0x0000890b')
+define(`SIOCDELRT', `0x0000890c')
+define(`SIOCRTMSG', `0x0000890d')
+define(`SIOCGIFNAME', `0x00008910')
+define(`SIOCSIFLINK', `0x00008911')
+define(`SIOCGIFCONF', `0x00008912')
+define(`SIOCGIFFLAGS', `0x00008913')
+define(`SIOCSIFFLAGS', `0x00008914')
+define(`SIOCGIFADDR', `0x00008915')
+define(`SIOCSIFADDR', `0x00008916')
+define(`SIOCGIFDSTADDR', `0x00008917')
+define(`SIOCSIFDSTADDR', `0x00008918')
+define(`SIOCGIFBRDADDR', `0x00008919')
+define(`SIOCSIFBRDADDR', `0x0000891a')
+define(`SIOCGIFNETMASK', `0x0000891b')
+define(`SIOCSIFNETMASK', `0x0000891c')
+define(`SIOCGIFMETRIC', `0x0000891d')
+define(`SIOCSIFMETRIC', `0x0000891e')
+define(`SIOCGIFMEM', `0x0000891f')
+define(`SIOCSIFMEM', `0x00008920')
+define(`SIOCGIFMTU', `0x00008921')
+define(`SIOCSIFMTU', `0x00008922')
+define(`SIOCSIFNAME', `0x00008923')
+define(`SIOCSIFHWADDR', `0x00008924')
+define(`SIOCGIFENCAP', `0x00008925')
+define(`SIOCSIFENCAP', `0x00008926')
+define(`SIOCGIFHWADDR', `0x00008927')
+define(`SIOCGIFSLAVE', `0x00008929')
+define(`SIOCSIFSLAVE', `0x00008930')
+define(`SIOCADDMULTI', `0x00008931')
+define(`SIOCDELMULTI', `0x00008932')
+define(`SIOCGIFINDEX', `0x00008933')
+define(`SIOCSIFPFLAGS', `0x00008934')
+define(`SIOCGIFPFLAGS', `0x00008935')
+define(`SIOCDIFADDR', `0x00008936')
+define(`SIOCSIFHWBROADCAST', `0x00008937')
+define(`SIOCGIFCOUNT', `0x00008938')
+define(`SIOCKILLADDR', `0x00008939')
+define(`SIOCGIFBR', `0x00008940')
+define(`SIOCSIFBR', `0x00008941')
+define(`SIOCGIFTXQLEN', `0x00008942')
+define(`SIOCSIFTXQLEN', `0x00008943')
+define(`SIOCETHTOOL', `0x00008946')
+define(`SIOCGMIIPHY', `0x00008947')
+define(`SIOCGMIIREG', `0x00008948')
+define(`SIOCSMIIREG', `0x00008949')
+define(`SIOCWANDEV', `0x0000894a')
+define(`SIOCOUTQNSD', `0x0000894b')
+define(`SIOCDARP', `0x00008953')
+define(`SIOCGARP', `0x00008954')
+define(`SIOCSARP', `0x00008955')
+define(`SIOCDRARP', `0x00008960')
+define(`SIOCGRARP', `0x00008961')
+define(`SIOCSRARP', `0x00008962')
+define(`SIOCGIFMAP', `0x00008970')
+define(`SIOCSIFMAP', `0x00008971')
+define(`SIOCADDDLCI', `0x00008980')
+define(`SIOCDELDLCI', `0x00008981')
+define(`SIOCGIFVLAN', `0x00008982')
+define(`SIOCSIFVLAN', `0x00008983')
+define(`SIOCBONDENSLAVE', `0x00008990')
+define(`SIOCBONDRELEASE', `0x00008991')
+define(`SIOCBONDSETHWADDR', `0x00008992')
+define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
+define(`SIOCBONDINFOQUERY', `0x00008994')
+define(`SIOCBONDCHANGEACTIVE', `0x00008995')
+define(`SIOCBRADDBR', `0x000089a0')
+define(`SIOCBRDELBR', `0x000089a1')
+define(`SIOCBRADDIF', `0x000089a2')
+define(`SIOCBRDELIF', `0x000089a3')
+define(`SIOCSHWTSTAMP', `0x000089b0')
+define(`SIOCGHWTSTAMP', `0x000089b1')
+define(`SIOCPROTOPRIVATE', `0x000089e0')
+define(`SIOCPROTOPRIVATE_1', `0x000089e1')
+define(`SIOCPROTOPRIVATE_2', `0x000089e2')
+define(`SIOCPROTOPRIVATE_3', `0x000089e3')
+define(`SIOCPROTOPRIVATE_4', `0x000089e4')
+define(`SIOCPROTOPRIVATE_5', `0x000089e5')
+define(`SIOCPROTOPRIVATE_6', `0x000089e6')
+define(`SIOCPROTOPRIVATE_7', `0x000089e7')
+define(`SIOCPROTOPRIVATE_8', `0x000089e8')
+define(`SIOCPROTOPRIVATE_9', `0x000089e9')
+define(`SIOCPROTOPRIVATE_A', `0x000089ea')
+define(`SIOCPROTOPRIVATE_B', `0x000089eb')
+define(`SIOCPROTOPRIVATE_C', `0x000089ec')
+define(`SIOCPROTOPRIVATE_D', `0x000089ed')
+define(`SIOCPROTOPRIVATE_E', `0x000089ee')
+define(`SIOCPROTOPRIVLAST', `0x000089ef')
+define(`SIOCDEVPRIVATE', `0x000089f0')
+define(`SIOCDEVPRIVATE_1', `0x000089f1')
+define(`SIOCDEVPRIVATE_2', `0x000089f2')
+define(`SIOCDEVPRIVATE_3', `0x000089f3')
+define(`SIOCDEVPRIVATE_4', `0x000089f4')
+define(`SIOCDEVPRIVATE_5', `0x000089f5')
+define(`SIOCDEVPRIVATE_6', `0x000089f6')
+define(`SIOCDEVPRIVATE_7', `0x000089f7')
+define(`SIOCDEVPRIVATE_8', `0x000089f8')
+define(`SIOCDEVPRIVATE_9', `0x000089f9')
+define(`SIOCDEVPRIVATE_A', `0x000089fa')
+define(`SIOCDEVPRIVATE_B', `0x000089fb')
+define(`SIOCDEVPRIVATE_C', `0x000089fc')
+define(`SIOCDEVPRIVATE_D', `0x000089fd')
+define(`SIOCDEVPRIVATE_E', `0x000089fe')
+define(`SIOCDEVPRIVLAST', `0x000089ff')
+define(`SIOCIWFIRST', `0x00008b00')
+define(`SIOCSIWCOMMIT', `0x00008b00')
+define(`SIOCGIWNAME', `0x00008b01')
+define(`SIOCSIWNWID', `0x00008b02')
+define(`SIOCGIWNWID', `0x00008b03')
+define(`SIOCSIWFREQ', `0x00008b04')
+define(`SIOCGIWFREQ', `0x00008b05')
+define(`SIOCSIWMODE', `0x00008b06')
+define(`SIOCGIWMODE', `0x00008b07')
+define(`SIOCSIWSENS', `0x00008b08')
+define(`SIOCGIWSENS', `0x00008b09')
+define(`SIOCSIWRANGE', `0x00008b0a')
+define(`SIOCGIWRANGE', `0x00008b0b')
+define(`SIOCSIWPRIV', `0x00008b0c')
+define(`SIOCGIWPRIV', `0x00008b0d')
+define(`SIOCSIWSTATS', `0x00008b0e')
+define(`SIOCGIWSTATS', `0x00008b0f')
+define(`SIOCSIWSPY', `0x00008b10')
+define(`SIOCGIWSPY', `0x00008b11')
+define(`SIOCSIWTHRSPY', `0x00008b12')
+define(`SIOCGIWTHRSPY', `0x00008b13')
+define(`SIOCSIWAP', `0x00008b14')
+define(`SIOCGIWAP', `0x00008b15')
+define(`SIOCSIWMLME', `0x00008b16')
+define(`SIOCGIWAPLIST', `0x00008b17')
+define(`SIOCSIWSCAN', `0x00008b18')
+define(`SIOCGIWSCAN', `0x00008b19')
+define(`SIOCSIWESSID', `0x00008b1a')
+define(`SIOCGIWESSID', `0x00008b1b')
+define(`SIOCSIWNICKN', `0x00008b1c')
+define(`SIOCGIWNICKN', `0x00008b1d')
+define(`SIOCSIWRATE', `0x00008b20')
+define(`SIOCGIWRATE', `0x00008b21')
+define(`SIOCSIWRTS', `0x00008b22')
+define(`SIOCGIWRTS', `0x00008b23')
+define(`SIOCSIWFRAG', `0x00008b24')
+define(`SIOCGIWFRAG', `0x00008b25')
+define(`SIOCSIWTXPOW', `0x00008b26')
+define(`SIOCGIWTXPOW', `0x00008b27')
+define(`SIOCSIWRETRY', `0x00008b28')
+define(`SIOCGIWRETRY', `0x00008b29')
+define(`SIOCSIWENCODE', `0x00008b2a')
+define(`SIOCGIWENCODE', `0x00008b2b')
+define(`SIOCSIWPOWER', `0x00008b2c')
+define(`SIOCGIWPOWER', `0x00008b2d')
+define(`SIOCSIWGENIE', `0x00008b30')
+define(`SIOCGIWGENIE', `0x00008b31')
+define(`SIOCSIWAUTH', `0x00008b32')
+define(`SIOCGIWAUTH', `0x00008b33')
+define(`SIOCSIWENCODEEXT', `0x00008b34')
+define(`SIOCGIWENCODEEXT', `0x00008b35')
+define(`SIOCSIWPMKSA', `0x00008b36')
+define(`SIOCIWFIRSTPRIV', `0x00008be0')
+define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
+define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
+define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
+define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
+define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
+define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
+define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
+define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
+define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
+define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
+define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
+define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
+define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
+define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
+define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
+define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
+define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
+define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
+define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
+define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
+define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
+define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
+define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
+define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
+define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
+define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
+define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
+define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
+define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
+define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
+define(`SIOCIWLASTPRIV', `0x00008bff')
+define(`AUTOFS_IOC_READY', `0x00009360')
+define(`AUTOFS_IOC_FAIL', `0x00009361')
+define(`AUTOFS_IOC_CATATONIC', `0x00009362')
+define(`BTRFS_IOC_TRANS_START', `0x00009406')
+define(`BTRFS_IOC_TRANS_END', `0x00009407')
+define(`BTRFS_IOC_SYNC', `0x00009408')
+define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
+define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
+define(`NBD_SET_SOCK', `0x0000ab00')
+define(`NBD_SET_BLKSIZE', `0x0000ab01')
+define(`NBD_SET_SIZE', `0x0000ab02')
+define(`NBD_DO_IT', `0x0000ab03')
+define(`NBD_CLEAR_SOCK', `0x0000ab04')
+define(`NBD_CLEAR_QUE', `0x0000ab05')
+define(`NBD_PRINT_DEBUG', `0x0000ab06')
+define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
+define(`NBD_DISCONNECT', `0x0000ab08')
+define(`NBD_SET_TIMEOUT', `0x0000ab09')
+define(`NBD_SET_FLAGS', `0x0000ab0a')
+define(`RAW_SETBIND', `0x0000ac00')
+define(`RAW_GETBIND', `0x0000ac01')
+define(`KVM_GET_API_VERSION', `0x0000ae00')
+define(`KVM_CREATE_VM', `0x0000ae01')
+define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
+define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
+define(`KVM_CHECK_EXTENSION', `0x0000ae03')
+define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
+define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
+define(`LOGGER_FLUSH_LOG', `0x0000ae04')
+define(`LOGGER_GET_VERSION', `0x0000ae05')
+define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
+define(`LOGGER_SET_VERSION', `0x0000ae06')
+define(`KVM_CREATE_VCPU', `0x0000ae41')
+define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
+define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
+define(`KVM_SET_TSS_ADDR', `0x0000ae47')
+define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
+define(`KVM_CREATE_PIT', `0x0000ae64')
+define(`KVM_REINJECT_CONTROL', `0x0000ae71')
+define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
+define(`KVM_RUN', `0x0000ae80')
+define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
+define(`KVM_NMI', `0x0000ae9a')
+define(`KVM_SET_TSC_KHZ', `0x0000aea2')
+define(`KVM_GET_TSC_KHZ', `0x0000aea3')
+define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
+define(`VHOST_SET_OWNER', `0x0000af01')
+define(`VHOST_RESET_OWNER', `0x0000af02')
+define(`PPPOEIOCDFWD', `0x0000b101')
+define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
+define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
+define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
+define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
+define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
+define(`MFB_SET_ALPHA', `0x40014d00')
+define(`MFB_SET_GAMMA', `0x40014d01')
+define(`MFB_SET_BRIGHTNESS', `0x40014d03')
+define(`SPI_IOC_WR_MODE', `0x40016b01')
+define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
+define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
+define(`PPWCONTROL', `0x40017084')
+define(`PPWDATA', `0x40017086')
+define(`PPWCTLONIRQ', `0x40017092')
+define(`PHONE_MAXRINGS', `0x40017185')
+define(`PHONE_PLAY_TONE', `0x4001719b')
+define(`SONYPI_IOCSBRT', `0x40017600')
+define(`SONYPI_IOCSBLUE', `0x40017609')
+define(`SONYPI_IOCSFAN', `0x4001760b')
+define(`ATM_SETBACKEND', `0x400261f2')
+define(`ATM_NEWBACKENDIF', `0x400261f3')
+define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
+define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
+define(`DMX_ADD_PID', `0x40026f33')
+define(`DMX_REMOVE_PID', `0x40026f34')
+define(`PPFCONTROL', `0x4002708e')
+define(`PHONE_RING_CADENCE', `0x40027186')
+define(`SET_BITMAP_FILE', `0x4004092b')
+define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
+define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
+define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
+define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
+define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
+define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
+define(`BLKI2OSRSTRAT', `0x40043203')
+define(`BLKI2OSWSTRAT', `0x40043204')
+define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
+define(`PTP_ENABLE_PPS', `0x40043d04')
+define(`SYNC_IOC_WAIT', `0x40043e00')
+define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
+define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
+define(`AGPIOC_DEALLOCATE', `0x40044107')
+define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
+define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
+define(`CCISS_REGNEWDISK', `0x4004420d')
+define(`EVIOCRMFF', `0x40044581')
+define(`EVIOCGRAB', `0x40044590')
+define(`EVIOCREVOKE', `0x40044591')
+define(`EVIOCSCLOCKID', `0x400445a0')
+define(`FBIOPUT_CONTRAST', `0x40044602')
+define(`FBIPUT_BRIGHTNESS', `0x40044603')
+define(`FBIPUT_COLOR', `0x40044606')
+define(`FBIPUT_HSYNC', `0x40044609')
+define(`FBIPUT_VSYNC', `0x4004460a')
+define(`FBIO_WAITFORVSYNC', `0x40044620')
+define(`SSTFB_SET_VGAPASS', `0x400446dd')
+define(`HIDIOCSFLAG', `0x4004480f')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
+define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
+define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
+define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
+define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
+define(`HCIDEVUP', `0x400448c9')
+define(`HCIDEVDOWN', `0x400448ca')
+define(`HCIDEVRESET', `0x400448cb')
+define(`HCIDEVRESTAT', `0x400448cc')
+define(`HCISETRAW', `0x400448dc')
+define(`HCISETSCAN', `0x400448dd')
+define(`HCISETAUTH', `0x400448de')
+define(`HCISETENCRYPT', `0x400448df')
+define(`HCISETPTYPE', `0x400448e0')
+define(`HCISETLINKPOL', `0x400448e1')
+define(`HCISETLINKMODE', `0x400448e2')
+define(`HCISETACLMTU', `0x400448e3')
+define(`HCISETSCOMTU', `0x400448e4')
+define(`HCIBLOCKADDR', `0x400448e6')
+define(`HCIUNBLOCKADDR', `0x400448e7')
+define(`MFB_SET_PIXFMT', `0x40044d08')
+define(`OTPGETREGIONCOUNT', `0x40044d0e')
+define(`UBI_IOCEBER', `0x40044f01')
+define(`UBI_IOCEBCH', `0x40044f02')
+define(`UBI_IOCEBUNMAP', `0x40044f04')
+define(`OMAPFB_MIRROR', `0x40044f1f')
+define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
+define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
+define(`OMAPFB_LCD_TEST', `0x40044f2d')
+define(`OMAPFB_CTRL_TEST', `0x40044f2e')
+define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
+define(`SNDCTL_DSP_PROFILE', `0x40045017')
+define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
+define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
+define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
+define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
+define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
+define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
+define(`RNDADDTOENTCNT', `0x40045201')
+define(`SAA6588_CMD_CLOSE', `0x40045202')
+define(`RFCOMMCREATEDEV', `0x400452c8')
+define(`RFCOMMRELEASEDEV', `0x400452c9')
+define(`RFCOMMSTEALDLC', `0x400452dc')
+define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
+define(`SNDCTL_TMR_METRONOME', `0x40045407')
+define(`SNDCTL_TMR_SELECT', `0x40045408')
+define(`TIOCSPTLCK', `0x40045431')
+define(`TIOCSIG', `0x40045436')
+define(`TUNSETNOCSUM', `0x400454c8')
+define(`TUNSETDEBUG', `0x400454c9')
+define(`TUNSETIFF', `0x400454ca')
+define(`TUNSETPERSIST', `0x400454cb')
+define(`TUNSETOWNER', `0x400454cc')
+define(`TUNSETLINK', `0x400454cd')
+define(`TUNSETGROUP', `0x400454ce')
+define(`TUNSETOFFLOAD', `0x400454d0')
+define(`TUNSETTXFILTER', `0x400454d1')
+define(`TUNSETSNDBUF', `0x400454d4')
+define(`TUNSETVNETHDRSZ', `0x400454d8')
+define(`TUNSETQUEUE', `0x400454d9')
+define(`TUNSETIFINDEX', `0x400454da')
+define(`TUNSETVNETLE', `0x400454dc')
+define(`USBDEVFS_REAPURB32', `0x4004550c')
+define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
+define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
+define(`UI_SET_EVBIT', `0x40045564')
+define(`UI_SET_KEYBIT', `0x40045565')
+define(`UI_SET_RELBIT', `0x40045566')
+define(`UI_SET_ABSBIT', `0x40045567')
+define(`UI_SET_MSCBIT', `0x40045568')
+define(`UI_SET_LEDBIT', `0x40045569')
+define(`UI_SET_SNDBIT', `0x4004556a')
+define(`UI_SET_FFBIT', `0x4004556b')
+define(`UI_SET_SWBIT', `0x4004556d')
+define(`UI_SET_PROPBIT', `0x4004556e')
+define(`VIDIOC_OVERLAY', `0x4004560e')
+define(`VIDIOC_STREAMON', `0x40045612')
+define(`VIDIOC_STREAMOFF', `0x40045613')
+define(`VIDIOC_S_PRIORITY', `0x40045644')
+define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
+define(`SW_SYNC_IOC_INC', `0x40045701')
+define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
+define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
+define(`SONET_SETFRAMING', `0x40046115')
+define(`ATM_SETSC', `0x400461f1')
+define(`ATM_DROPPARTY', `0x400461f5')
+define(`BINDER_SET_MAX_THREADS', `0x40046205')
+define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
+define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
+define(`BINDER_THREAD_EXIT', `0x40046208')
+define(`BC_ACQUIRE_RESULT', `0x40046302')
+define(`BC_INCREFS', `0x40046304')
+define(`BC_ACQUIRE', `0x40046305')
+define(`CHIOSPICKER', `0x40046305')
+define(`BC_RELEASE', `0x40046306')
+define(`BC_DECREFS', `0x40046307')
+define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
+define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
+define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
+define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
+define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
+define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
+define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
+define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
+define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
+define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
+define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
+define(`VIDIOC_INT_RESET', `0x40046466')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
+define(`FS_IOC32_SETFLAGS', `0x40046602')
+define(`LIRC_SET_SEND_MODE', `0x40046911')
+define(`LIRC_SET_REC_MODE', `0x40046912')
+define(`LIRC_SET_SEND_CARRIER', `0x40046913')
+define(`LIRC_SET_REC_CARRIER', `0x40046914')
+define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
+define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
+define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
+define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
+define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
+define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
+define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
+define(`LIRC_SET_REC_FILTER', `0x4004691c')
+define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
+define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
+define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
+define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
+define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
+define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
+define(`SPI_IOC_WR_MODE32', `0x40046b05')
+define(`MSMFB_GRP_DISP', `0x40046d01')
+define(`MSMFB_BLIT', `0x40046d02')
+define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
+define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
+define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
+define(`UBI_IOCRMVOL', `0x40046f01')
+define(`DMX_SET_SOURCE', `0x40046f31')
+define(`UBI_IOCDET', `0x40046f41')
+define(`PPSETMODE', `0x40047080')
+define(`PPDATADIR', `0x40047090')
+define(`PPNEGOT', `0x40047091')
+define(`PPSETPHASE', `0x40047094')
+define(`PPSETFLAGS', `0x4004709b')
+define(`PHONE_REC_CODEC', `0x40047189')
+define(`PHONE_REC_DEPTH', `0x4004718c')
+define(`PHONE_FRAME', `0x4004718d')
+define(`PHONE_REC_VOLUME', `0x4004718e')
+define(`PHONE_PLAY_CODEC', `0x40047190')
+define(`PHONE_PLAY_DEPTH', `0x40047193')
+define(`PHONE_PLAY_VOLUME', `0x40047194')
+define(`PHONE_DTMF_OOB', `0x40047199')
+define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
+define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
+define(`PHONE_PSTN_SET_STATE', `0x400471a4')
+define(`PHONE_WINK_DURATION', `0x400471a6')
+define(`PHONE_VAD', `0x400471a9')
+define(`PHONE_WINK', `0x400471aa')
+define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
+define(`IXJCTL_AEC_START', `0x400471cb')
+define(`IXJCTL_SET_LED', `0x400471ce')
+define(`IXJCTL_MIXER', `0x400471cf')
+define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
+define(`IXJCTL_PORT', `0x400471d1')
+define(`IXJCTL_DAA_AGAIN', `0x400471d2')
+define(`IXJCTL_POTS_PSTN', `0x400471d5')
+define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
+define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
+define(`IXJCTL_HZ', `0x400471e0')
+define(`IXJCTL_RATE', `0x400471e1')
+define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
+define(`IXJCTL_SC_RXG', `0x400471ea')
+define(`IXJCTL_SC_TXG', `0x400471eb')
+define(`IXJCTL_INTERCOM_START', `0x400471fd')
+define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
+define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
+define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
+define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
+define(`FS_IOC32_SETVERSION', `0x40047602')
+define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
+define(`OSIOCSNETADDR', `0x400489e0')
+define(`SIOCSNETADDR', `0x400489e0')
+define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
+define(`BTRFS_IOC_CLONE', `0x40049409')
+define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
+define(`KVM_INTERRUPT', `0x4004ae86')
+define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
+define(`KVM_SET_MP_STATE', `0x4004ae99')
+define(`VHOST_SET_LOG_FD', `0x4004af07')
+define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
+define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
+define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
+define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
+define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
+define(`SISFB_SET_LOCK', `0x4004f306')
+define(`GIGASET_BRKCHARS', `0x40064702')
+define(`MEYEIOC_S_PARAMS', `0x400676c1')
+define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
+define(`BLKBSZSET', `0x40081271')
+define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
+define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
+define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
+define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
+define(`AGPIOC_SETUP', `0x40084103')
+define(`AGPIOC_RESERVE', `0x40084104')
+define(`AGPIOC_PROTECT', `0x40084105')
+define(`AGPIOC_BIND', `0x40084108')
+define(`AGPIOC_UNBIND', `0x40084109')
+define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
+define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
+define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
+define(`CCISS_SETINTINFO', `0x40084203')
+define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
+define(`EVIOCSREP', `0x40084503')
+define(`EVIOCSKEYCODE', `0x40084504')
+define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
+define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
+define(`MEMERASE', `0x40084d02')
+define(`MFB_SET_AOID', `0x40084d04')
+define(`MEMLOCK', `0x40084d05')
+define(`MEMUNLOCK', `0x40084d06')
+define(`MEMGETBADBLOCK', `0x40084d0b')
+define(`MEMSETBADBLOCK', `0x40084d0c')
+define(`UBI_IOCVOLUP', `0x40084f00')
+define(`UBI_IOCEBMAP', `0x40084f03')
+define(`OMAPFB_SETUP_MEM', `0x40084f37')
+define(`OMAPFB_QUERY_MEM', `0x40084f38')
+define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
+define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
+define(`RNDADDENTROPY', `0x40085203')
+define(`TFD_IOC_SET_TICKS', `0x40085400')
+define(`USBDEVFS_REAPURB', `0x4008550c')
+define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
+define(`USBDEVFS_CONNECTINFO', `0x40085511')
+define(`UI_SET_PHYS', `0x4008556c')
+define(`VIDIOC_S_STD', `0x40085618')
+define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
+define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
+define(`CM_IOCSPTS', `0x40086302')
+define(`BC_FREE_BUFFER', `0x40086303')
+define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
+define(`BC_DEAD_BINDER_DONE', `0x40086310')
+define(`CM_IOSDBGLVL', `0x400863fa')
+define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
+define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
+define(`DRM_IOCTL_CONTROL', `0x40086414')
+define(`DRM_IOCTL_MOD_CTX', `0x40086422')
+define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
+define(`DRM_IOCTL_NEW_CTX', `0x40086425')
+define(`DRM_IOCTL_LOCK', `0x4008642a')
+define(`DRM_IOCTL_UNLOCK', `0x4008642b')
+define(`DRM_IOCTL_FINISH', `0x4008642c')
+define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
+define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
+define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
+define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
+define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
+define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
+define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
+define(`DRM_IOCTL_I915_FREE', `0x40086449')
+define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
+define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
+define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
+define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
+define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
+define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
+define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
+define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
+define(`FS_IOC_SETFLAGS', `0x40086602')
+define(`HPET_IRQFREQ', `0x40086806')
+define(`MTIOCTOP', `0x40086d01')
+define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
+define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
+define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
+define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
+define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
+define(`AUDIO_SET_MIXER', `0x40086f0e')
+define(`VIDEO_SET_SPU', `0x40086f32')
+define(`CA_SET_PID', `0x40086f87')
+define(`PHN_SET_REG', `0x40087001')
+define(`PHN_SET_REGS', `0x40087003')
+define(`PHN_SETREG', `0x40087006')
+define(`RTC_IRQP_SET', `0x4008700c')
+define(`RTC_EPOCH_SET', `0x4008700e')
+define(`PPS_SETPARAMS', `0x400870a2')
+define(`PPS_KC_BIND', `0x400870a5')
+define(`SPIOCSTYPE', `0x40087101')
+define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
+define(`PHONE_RING_START', `0x40087187')
+define(`IXJCTL_SET_FILTER', `0x400871c7')
+define(`IXJCTL_INIT_TONE', `0x400871c9')
+define(`IXJCTL_TONE_CADENCE', `0x400871ca')
+define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
+define(`IXJCTL_CIDCW', `0x400871d9')
+define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
+define(`IXJCTL_SIGCTL', `0x400871e9')
+define(`FS_IOC_SETVERSION', `0x40087602')
+define(`ASHMEM_SET_SIZE', `0x40087703')
+define(`ASHMEM_SET_PROT_MASK', `0x40087705')
+define(`ASHMEM_PIN', `0x40087707')
+define(`ASHMEM_UNPIN', `0x40087708')
+define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
+define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
+define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
+define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
+define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
+define(`KVM_IRQ_LINE', `0x4008ae61')
+define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
+define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
+define(`KVM_SET_MSRS', `0x4008ae89')
+define(`KVM_SET_CPUID', `0x4008ae8a')
+define(`KVM_SET_CPUID2', `0x4008ae90')
+define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
+define(`KVM_S390_STORE_STATUS', `0x4008ae95')
+define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
+define(`VHOST_SET_FEATURES', `0x4008af00')
+define(`VHOST_SET_MEM_TABLE', `0x4008af03')
+define(`VHOST_SET_LOG_BASE', `0x4008af04')
+define(`VHOST_SET_VRING_NUM', `0x4008af10')
+define(`VHOST_SET_VRING_BASE', `0x4008af12')
+define(`VHOST_SET_VRING_KICK', `0x4008af20')
+define(`VHOST_SET_VRING_CALL', `0x4008af21')
+define(`VHOST_SET_VRING_ERR', `0x4008af22')
+define(`VHOST_NET_SET_BACKEND', `0x4008af30')
+define(`PPPOEIOCSFWD', `0x4008b100')
+define(`IOW_WRITE', `0x4008c001')
+define(`IOW_READ', `0x4008c002')
+define(`REISERFS_IOC_UNPACK', `0x4008cd01')
+define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
+define(`FDFMTTRK', `0x400c0248')
+define(`RUN_ARRAY', `0x400c0930')
+define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
+define(`CAPI_REGISTER', `0x400c4301')
+define(`HIDIOCGREPORT', `0x400c4807')
+define(`HIDIOCSREPORT', `0x400c4808')
+define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
+define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
+define(`OTPGETREGIONINFO', `0x400c4d0f')
+define(`UI_END_FF_ERASE', `0x400c55cb')
+define(`CHIOPOSITION', `0x400c6303')
+define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
+define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
+define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
+define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
+define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
+define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
+define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
+define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
+define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
+define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
+define(`I2OEVTREG', `0x400c690a')
+define(`HSC_SET_RX', `0x400c6b13')
+define(`HSC_GET_RX', `0x400c6b14')
+define(`NCP_IOC_GETROOT', `0x400c6e08')
+define(`UBI_IOCRSVOL', `0x400c6f02')
+define(`AUDIO_SET_KARAOKE', `0x400c6f12')
+define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
+define(`MBXFB_IOCS_REG', `0x400cf404')
+define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
+define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
+define(`PTP_EXTTS_REQUEST', `0x40103d02')
+define(`CCISS_SETNODENAME', `0x40104205')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
+define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
+define(`MTRRIOC_SET_ENTRY', `0x40104d01')
+define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
+define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
+define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
+define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
+define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
+define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
+define(`MEMERASE64', `0x40104d14')
+define(`UBI_IOCSETVOLPROP', `0x40104f06')
+define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
+define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
+define(`TUNATTACHFILTER', `0x401054d5')
+define(`TUNDETACHFILTER', `0x401054d6')
+define(`ANDROID_ALARM_SET_RTC', `0x40106105')
+define(`IDT77105_GETSTAT', `0x40106132')
+define(`IDT77105_GETSTATZ', `0x40106133')
+define(`ATM_GETSTAT', `0x40106150')
+define(`ATM_GETSTATZ', `0x40106151')
+define(`ATM_GETLOOP', `0x40106152')
+define(`ATM_SETLOOP', `0x40106153')
+define(`ATM_QUERYLOOP', `0x40106154')
+define(`ENI_MEMDUMP', `0x40106160')
+define(`HE_GET_REG', `0x40106160')
+define(`ZATM_GETPOOL', `0x40106161')
+define(`NS_SETBUFLEV', `0x40106162')
+define(`ZATM_GETPOOLZ', `0x40106162')
+define(`ZATM_SETPOOL', `0x40106163')
+define(`ENI_SETMULT', `0x40106167')
+define(`ATM_GETLINKRATE', `0x40106181')
+define(`ATM_GETNAMES', `0x40106183')
+define(`ATM_GETTYPE', `0x40106184')
+define(`ATM_GETESI', `0x40106185')
+define(`ATM_GETADDR', `0x40106186')
+define(`ATM_RSTADDR', `0x40106187')
+define(`ATM_ADDADDR', `0x40106188')
+define(`ATM_DELADDR', `0x40106189')
+define(`ATM_GETCIRANGE', `0x4010618a')
+define(`ATM_SETCIRANGE', `0x4010618b')
+define(`ATM_SETESI', `0x4010618c')
+define(`ATM_SETESIF', `0x4010618d')
+define(`ATM_ADDLECSADDR', `0x4010618e')
+define(`ATM_DELLECSADDR', `0x4010618f')
+define(`ATM_GETLECSADDR', `0x40106190')
+define(`ATM_ADDPARTY', `0x401061f4')
+define(`BC_INCREFS_DONE', `0x40106308')
+define(`CHIOGSTATUS', `0x40106308')
+define(`BC_ACQUIRE_DONE', `0x40106309')
+define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
+define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
+define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
+define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
+define(`DRM_IOCTL_AGP_BIND', `0x40106436')
+define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
+define(`DRM_IOCTL_SG_FREE', `0x40106439')
+define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
+define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
+define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
+define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
+define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
+define(`DRM_IOCTL_I810_COPY', `0x40106447')
+define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
+define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
+define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
+define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
+define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
+define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
+define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
+define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
+define(`TUNER_SET_CONFIG', `0x4010645c')
+define(`HSC_SET_TX', `0x40106b15')
+define(`HSC_GET_TX', `0x40106b16')
+define(`MGSL_IOCSGPIO', `0x40106d10')
+define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
+define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
+define(`VIDEO_STILLPICTURE', `0x40106f1e')
+define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
+define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
+define(`FE_SET_PROPERTY', `0x40106f52')
+define(`CA_SET_DESCR', `0x40106f86')
+define(`PPSETTIME', `0x40107096')
+define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
+define(`GENWQE_WRITE_REG64', `0x4010a51f')
+define(`GENWQE_WRITE_REG32', `0x4010a521')
+define(`GENWQE_WRITE_REG16', `0x4010a523')
+define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
+define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
+define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
+define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
+define(`KVM_S390_INTERRUPT', `0x4010ae94')
+define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
+define(`KVM_DIRTY_TLB', `0x4010aeaa')
+define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
+define(`KVM_GET_ONE_REG', `0x4010aeab')
+define(`KVM_SET_ONE_REG', `0x4010aeac')
+define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
+define(`FDSETMAXERRS', `0x4014024c')
+define(`ADD_NEW_DISK', `0x40140921')
+define(`SNDCTL_COPR_WDATA', `0x40144304')
+define(`SNDCTL_COPR_WCODE', `0x40144305')
+define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
+define(`VIDIOC_S_CROP', `0x4014563c')
+define(`CHIOMOVE', `0x40146301')
+define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
+define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
+define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
+define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
+define(`DMX_SET_PES_FILTER', `0x40146f2c')
+define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
+define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
+define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
+define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
+define(`HIDIOCSUSAGE', `0x4018480c')
+define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
+define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
+define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
+define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
+define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
+define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
+define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
+define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
+define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
+define(`UBI_IOCATT', `0x40186f40')
+define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
+define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
+define(`KVM_S390_UCAS_MAP', `0x4018ae50')
+define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
+define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
+define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
+define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
+define(`MBXFB_IOCS_ALPHA', `0x4018f402')
+define(`BR2684_SETFILT', `0x401c6190')
+define(`CHIOEXCHANGE', `0x401c6302')
+define(`FDSETPRM', `0x40200242')
+define(`FDDEFPRM', `0x40200243')
+define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
+define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
+define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
+define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
+define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
+define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
+define(`DRM_IOCTL_AGP_FREE', `0x40206435')
+define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
+define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
+define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
+define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
+define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
+define(`DRM_IOCTL_I810_MC', `0x4020644c')
+define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
+define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
+define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
+define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
+define(`OSD_SEND_CMD', `0x40206fa0')
+define(`RTC_PLL_SET', `0x40207012')
+define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
+define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
+define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
+define(`KVM_IRQFD', `0x4020ae76')
+define(`KVM_SIGNAL_MSI', `0x4020aea5')
+define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
+define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
+define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
+define(`JSIOCSCORR', `0x40246a21')
+define(`FE_SET_FRONTEND', `0x40246f4c')
+define(`RTC_ALM_SET', `0x40247007')
+define(`RTC_SET_TIME', `0x4024700a')
+define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
+define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
+define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
+define(`EVIOCSKEYCODE_V2', `0x40284504')
+define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
+define(`DRM_IOCTL_RM_MAP', `0x4028641b')
+define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
+define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
+define(`PHN_SETREGS', `0x40287008')
+define(`RTC_WKALM_SET', `0x4028700f')
+define(`VHOST_SET_VRING_ADDR', `0x4028af11')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
+define(`TCSETS2', `0x402c542b')
+define(`TCSETSW2', `0x402c542c')
+define(`TCSETSF2', `0x402c542d')
+define(`VIDIOC_S_FREQUENCY', `0x402c5639')
+define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
+define(`EVIOCSFF', `0x40304580')
+define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
+define(`VIDIOC_S_FBUF', `0x4030560b')
+define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
+define(`CHIOSVOLTAG', `0x40306312')
+define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
+define(`MGSL_IOCSPARAMS', `0x40306d00')
+define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
+define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
+define(`KVM_SET_CLOCK', `0x4030ae7b')
+define(`GSMIOC_ENABLE_NET', `0x40344702')
+define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
+define(`VIDIOC_S_AUDIO', `0x40345622')
+define(`VIDIOC_S_AUDOUT', `0x40345632')
+define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
+define(`PTP_PEROUT_REQUEST', `0x40383d03')
+define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
+define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
+define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
+define(`DMX_SET_FILTER', `0x403c6f2b')
+define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
+define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
+define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
+define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
+define(`BC_TRANSACTION', `0x40406300')
+define(`BC_REPLY', `0x40406301')
+define(`DRM_IOCTL_I810_INIT', `0x40406440')
+define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
+define(`JSIOCSAXMAP', `0x40406a31')
+define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
+define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
+define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
+define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
+define(`KVM_CREATE_PIT2', `0x4040ae77')
+define(`KVM_IOEVENTFD', `0x4040ae79')
+define(`KVM_X86_SET_MCE', `0x4040ae9e')
+define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
+define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
+define(`CXL_IOCTL_START_WORK', `0x4040ca00')
+define(`OMAPFB_SETUP_PLANE', `0x40444f34')
+define(`OMAPFB_QUERY_PLANE', `0x40444f35')
+define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
+define(`VIDIOC_S_MODULATOR', `0x40445637')
+define(`DRM_IOCTL_I915_INIT', `0x40446440')
+define(`SET_ARRAY_INFO', `0x40480923')
+define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
+define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
+define(`BTRFS_IOC_SEND', `0x40489426')
+define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
+define(`GSMIOC_SETCONF', `0x404c4701')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
+define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
+define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
+define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
+define(`VIDIOC_S_TUNER', `0x4054561e')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
+define(`PTP_PIN_SETFUNC', `0x40603d07')
+define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
+define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
+define(`UI_END_FF_UPLOAD', `0x406855c9')
+define(`KVM_ENABLE_CAP', `0x4068aea3')
+define(`CHIOGELEM', `0x406c6310')
+define(`KVM_SET_PIT2', `0x4070aea0')
+define(`DRM_IOCTL_R128_INIT', `0x40786440')
+define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
+define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
+define(`FDSETDRVPRM', `0x40800290')
+define(`UBI_IOCVOLCRBLK', `0x40804f07')
+define(`DRM_IOCTL_MGA_INIT', `0x40806440')
+define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
+define(`KVM_SET_DEBUGREGS', `0x4080aea2')
+define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
+define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
+define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
+define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
+define(`KVM_SET_REGS', `0x4090ae82')
+define(`UBI_IOCMKVOL', `0x40986f00')
+define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
+define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
+define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
+define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
+define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
+define(`ASHMEM_SET_NAME', `0x41007701')
+define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
+define(`USBDEVFS_GETDRIVER', `0x41045508')
+define(`CA_SEND_MSG', `0x410c6f85')
+define(`KVM_SET_SREGS', `0x4138ae84')
+define(`KVM_SET_XCRS', `0x4188aea7')
+define(`KVM_SET_FPU', `0x41a0ae8d')
+define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
+define(`PTP_SYS_OFFSET', `0x43403d05')
+define(`JSIOCSBTNMAP', `0x44006a33')
+define(`KVM_SET_LAPIC', `0x4400ae8f')
+define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
+define(`BTRFS_IOC_DEFRAG', `0x50009402')
+define(`BTRFS_IOC_RESIZE', `0x50009403')
+define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
+define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
+define(`BTRFS_IOC_RM_DEV', `0x5000940b')
+define(`BTRFS_IOC_BALANCE', `0x5000940c')
+define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
+define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
+define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
+define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
+define(`KVM_SET_XSAVE', `0x5000aea5')
+define(`HIDIOCSUSAGES', `0x501c4814')
+define(`UBI_IOCRNVOL', `0x51106f03')
+define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
+define(`MFB_GET_ALPHA', `0x80014d00')
+define(`MFB_GET_GAMMA', `0x80014d01')
+define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
+define(`JSIOCGAXES', `0x80016a11')
+define(`JSIOCGBUTTONS', `0x80016a12')
+define(`SPI_IOC_RD_MODE', `0x80016b01')
+define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
+define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
+define(`PPRSTATUS', `0x80017081')
+define(`PPRCONTROL', `0x80017083')
+define(`PPRDATA', `0x80017085')
+define(`SONYPI_IOCGBRT', `0x80017600')
+define(`SONYPI_IOCGBATFLAGS', `0x80017607')
+define(`SONYPI_IOCGBLUE', `0x80017608')
+define(`SONYPI_IOCGFAN', `0x8001760a')
+define(`SONYPI_IOCGTEMP', `0x8001760c')
+define(`CAPI_GET_ERRCODE', `0x80024321')
+define(`CAPI_INSTALLED', `0x80024322')
+define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
+define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
+define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
+define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
+define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
+define(`FE_READ_SNR', `0x80026f48')
+define(`SONYPI_IOCGBAT1CAP', `0x80027602')
+define(`SONYPI_IOCGBAT1REM', `0x80027603')
+define(`SONYPI_IOCGBAT2CAP', `0x80027604')
+define(`SONYPI_IOCGBAT2REM', `0x80027605')
+define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
+define(`BLKI2OGRSTRAT', `0x80043201')
+define(`BLKI2OGWSTRAT', `0x80043202')
+define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
+define(`CCISS_GETHEARTBEAT', `0x80044206')
+define(`CCISS_GETBUSTYPES', `0x80044207')
+define(`CCISS_GETFIRMVER', `0x80044208')
+define(`CCISS_GETDRIVVER', `0x80044209')
+define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
+define(`CAPI_GET_FLAGS', `0x80044323')
+define(`CAPI_SET_FLAGS', `0x80044324')
+define(`CAPI_CLR_FLAGS', `0x80044325')
+define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
+define(`CAPI_NCCI_GETUNIT', `0x80044327')
+define(`EVIOCGVERSION', `0x80044501')
+define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
+define(`EVIOCGEFFECTS', `0x80044584')
+define(`FBIOGET_CONTRAST', `0x80044601')
+define(`FBIGET_BRIGHTNESS', `0x80044603')
+define(`FBIGET_COLOR', `0x80044605')
+define(`SSTFB_GET_VGAPASS', `0x800446dd')
+define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
+define(`HIDIOCGRDESCSIZE', `0x80044801')
+define(`HIDIOCGVERSION', `0x80044801')
+define(`HIDIOCGFLAG', `0x8004480e')
+define(`HDA_IOCTL_PVERSION', `0x80044810')
+define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
+define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
+define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
+define(`HCIGETDEVLIST', `0x800448d2')
+define(`HCIGETDEVINFO', `0x800448d3')
+define(`HCIGETCONNLIST', `0x800448d4')
+define(`HCIGETCONNINFO', `0x800448d5')
+define(`HCIGETAUTHINFO', `0x800448d7')
+define(`HCIINQUIRY', `0x800448f0')
+define(`ROCCATIOCGREPSIZE', `0x800448f1')
+define(`IMADDTIMER', `0x80044940')
+define(`IMDELTIMER', `0x80044941')
+define(`IMGETVERSION', `0x80044942')
+define(`IMGETCOUNT', `0x80044943')
+define(`IMGETDEVINFO', `0x80044944')
+define(`IMCTRLREQ', `0x80044945')
+define(`IMCLEAR_L2', `0x80044946')
+define(`IMHOLD_L1', `0x80044948')
+define(`MCE_GET_RECORD_LEN', `0x80044d01')
+define(`MCE_GET_LOG_LEN', `0x80044d02')
+define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
+define(`MEMGETREGIONCOUNT', `0x80044d07')
+define(`MFB_GET_PIXFMT', `0x80044d08')
+define(`OTPSELECT', `0x80044d0d')
+define(`OSS_GETVERSION', `0x80044d76')
+define(`UBI_IOCEBISMAP', `0x80044f05')
+define(`SOUND_PCM_READ_RATE', `0x80045002')
+define(`SOUND_PCM_READ_BITS', `0x80045005')
+define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
+define(`SOUND_PCM_READ_FILTER', `0x80045007')
+define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
+define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
+define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
+define(`SNDCTL_DSP_GETODELAY', `0x80045017')
+define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
+define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
+define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
+define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
+define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
+define(`SNDCTL_SEQ_GETTIME', `0x80045113')
+define(`RNDGETENTCNT', `0x80045200')
+define(`SAA6588_CMD_READ', `0x80045203')
+define(`SAA6588_CMD_POLL', `0x80045204')
+define(`RFCOMMGETDEVLIST', `0x800452d2')
+define(`RFCOMMGETDEVINFO', `0x800452d3')
+define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
+define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
+define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
+define(`TIOCGPTN', `0x80045430')
+define(`TIOCGDEV', `0x80045432')
+define(`TIOCGPKT', `0x80045438')
+define(`TIOCGPTLCK', `0x80045439')
+define(`TIOCGEXCL', `0x80045440')
+define(`TUNGETFEATURES', `0x800454cf')
+define(`TUNGETIFF', `0x800454d2')
+define(`TUNGETSNDBUF', `0x800454d3')
+define(`TUNGETVNETHDRSZ', `0x800454d7')
+define(`TUNGETVNETLE', `0x800454dd')
+define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
+define(`USBDEVFS_RESETEP', `0x80045503')
+define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
+define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
+define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
+define(`USBDEVFS_CLEAR_HALT', `0x80045515')
+define(`USBDEVFS_CLAIM_PORT', `0x80045518')
+define(`USBDEVFS_RELEASE_PORT', `0x80045519')
+define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
+define(`UI_GET_VERSION', `0x8004552d')
+define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
+define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
+define(`VIDIOC_G_INPUT', `0x80045626')
+define(`VIDIOC_G_OUTPUT', `0x8004562e')
+define(`VIDIOC_G_PRIORITY', `0x80045643')
+define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
+define(`WDIOC_GETSTATUS', `0x80045701')
+define(`WDIOC_GETBOOTSTATUS', `0x80045702')
+define(`WDIOC_GETTEMP', `0x80045703')
+define(`WDIOC_SETOPTIONS', `0x80045704')
+define(`WDIOC_KEEPALIVE', `0x80045705')
+define(`WDIOC_GETTIMEOUT', `0x80045707')
+define(`WDIOC_GETPRETIMEOUT', `0x80045709')
+define(`WDIOC_GETTIMELEFT', `0x8004570a')
+define(`SONET_GETDIAG', `0x80046114')
+define(`SONET_GETFRAMING', `0x80046116')
+define(`CHIOGPICKER', `0x80046304')
+define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
+define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
+define(`FS_IOC32_GETFLAGS', `0x80046601')
+define(`LIRC_GET_FEATURES', `0x80046900')
+define(`LIRC_GET_SEND_MODE', `0x80046901')
+define(`LIRC_GET_REC_MODE', `0x80046902')
+define(`LIRC_GET_SEND_CARRIER', `0x80046903')
+define(`LIRC_GET_REC_CARRIER', `0x80046904')
+define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
+define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
+define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
+define(`I2OVALIDATE', `0x80046908')
+define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
+define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
+define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
+define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
+define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
+define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
+define(`LIRC_GET_LENGTH', `0x8004690f')
+define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
+define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
+define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
+define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
+define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
+define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
+define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
+define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
+define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
+define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
+define(`I8K_BIOS_VERSION', `0x80046980')
+define(`I8K_MACHINE_ID', `0x80046981')
+define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
+define(`JSIOCGVERSION', `0x80046a01')
+define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
+define(`SPI_IOC_RD_MODE32', `0x80046b05')
+define(`UDF_GETEASIZE', `0x80046c40')
+define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
+define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
+define(`SISFB_GET_INFO_OLD', `0x80046ef8')
+define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
+define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
+define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
+define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
+define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
+define(`FE_READ_STATUS', `0x80046f45')
+define(`FE_READ_BER', `0x80046f46')
+define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
+define(`RTC_VL_READ', `0x80047013')
+define(`PPCLRIRQ', `0x80047093')
+define(`PPGETMODES', `0x80047097')
+define(`PPGETMODE', `0x80047098')
+define(`PPGETPHASE', `0x80047099')
+define(`PPGETFLAGS', `0x8004709a')
+define(`PHONE_DTMF_READY', `0x80047196')
+define(`PHONE_GET_DTMF', `0x80047197')
+define(`PHONE_GET_DTMF_ASCII', `0x80047198')
+define(`PHONE_EXCEPTION', `0x8004719a')
+define(`IXJCTL_CARDTYPE', `0x800471c1')
+define(`IXJCTL_SERIAL', `0x800471c2')
+define(`IXJCTL_DSP_TYPE', `0x800471c3')
+define(`IXJCTL_DSP_VERSION', `0x800471c4')
+define(`IXJCTL_VMWI', `0x800471d8')
+define(`BR_ERROR', `0x80047200')
+define(`BR_ACQUIRE_RESULT', `0x80047204')
+define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
+define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
+define(`FS_IOC32_GETVERSION', `0x80047601')
+define(`MEYEIOC_STILLJCAPT', `0x800476c5')
+define(`OSIOCGNETADDR', `0x800489e1')
+define(`SIOCGNETADDR', `0x800489e1')
+define(`AUTOFS_IOC_PROTOVER', `0x80049363')
+define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
+define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
+define(`GENWQE_GET_CARD_STATE', `0x8004a524')
+define(`KVM_GET_MP_STATE', `0x8004ae98')
+define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
+define(`SISFB_GET_INFO_SIZE', `0x8004f300')
+define(`SISFB_GET_VBRSTATUS', `0x8004f302')
+define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
+define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
+define(`SONET_GETFRSENSE', `0x80066117')
+define(`MEYEIOC_G_PARAMS', `0x800676c0')
+define(`BLKBSZGET', `0x80081270')
+define(`BLKGETSIZE64', `0x80081272')
+define(`PERF_EVENT_IOC_ID', `0x80082407')
+define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
+define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
+define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
+define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
+define(`AGPIOC_INFO', `0x80084100')
+define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
+define(`CCISS_GETPCIINFO', `0x80084201')
+define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
+define(`CCISS_GETINTINFO', `0x80084202')
+define(`PMU_IOC_GET_MODEL', `0x80084203')
+define(`PMU_IOC_HAS_ADB', `0x80084204')
+define(`PMU_IOC_CAN_SLEEP', `0x80084205')
+define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
+define(`EVIOCGID', `0x80084502')
+define(`EVIOCGREP', `0x80084503')
+define(`EVIOCGKEYCODE', `0x80084504')
+define(`FBIO_GETCONTROL2', `0x80084689')
+define(`HIDIOCGRAWINFO', `0x80084803')
+define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
+define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
+define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
+define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
+define(`MFB_GET_AOID', `0x80084d04')
+define(`MEMISLOCKED', `0x80084d17')
+define(`RNDGETPOOL', `0x80085202')
+define(`USBDEVFS_SETINTERFACE', `0x80085504')
+define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
+define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
+define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
+define(`VIDIOC_G_STD', `0x80085617')
+define(`VIDIOC_QUERYSTD', `0x8008563f')
+define(`CM_IOCGSTATUS', `0x80086300')
+define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
+define(`FS_IOC_GETFLAGS', `0x80086601')
+define(`I2OPASSTHRU32', `0x8008690c')
+define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
+define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
+define(`I8K_POWER_STATUS', `0x80086982')
+define(`I8K_FN_STATUS', `0x80086983')
+define(`I8K_GET_TEMP', `0x80086984')
+define(`UDF_GETEABLOCK', `0x80086c41')
+define(`UDF_GETVOLIDENT', `0x80086c42')
+define(`MMTIMER_GETRES', `0x80086d01')
+define(`MMTIMER_GETFREQ', `0x80086d02')
+define(`MTIOCPOS', `0x80086d03')
+define(`MMTIMER_GETCOUNTER', `0x80086d09')
+define(`NILFS_IOCTL_SYNC', `0x80086e8a')
+define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
+define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
+define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
+define(`AUDIO_GET_PTS', `0x80086f13')
+define(`DMX_GET_CAPS', `0x80086f30')
+define(`VIDEO_GET_PTS', `0x80086f39')
+define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
+define(`CA_GET_DESCR_INFO', `0x80086f83')
+define(`RTC_IRQP_READ', `0x8008700b')
+define(`RTC_EPOCH_READ', `0x8008700d')
+define(`PPS_GETPARAMS', `0x800870a1')
+define(`PPS_GETCAP', `0x800870a3')
+define(`PHONE_CAPABILITIES_LIST', `0x80087181')
+define(`IXJCTL_CID', `0x800871d4')
+define(`IXJCTL_VERSION', `0x800871da')
+define(`IXJCTL_FRAMES_READ', `0x800871e2')
+define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
+define(`IXJCTL_READ_WAIT', `0x800871e4')
+define(`IXJCTL_WRITE_WAIT', `0x800871e5')
+define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
+define(`BR_DEAD_BINDER', `0x8008720f')
+define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
+define(`FS_IOC_GETVERSION', `0x80087601')
+define(`BTRFS_IOC_START_SYNC', `0x80089418')
+define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
+define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
+define(`KVM_ALLOCATE_RMA', `0x8008aea9')
+define(`VHOST_GET_FEATURES', `0x8008af00')
+define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
+define(`DMX_GET_PES_PIDS', `0x800a6f2f')
+define(`RAID_VERSION', `0x800c0910')
+define(`CCISS_GETLUNINFO', `0x800c4211')
+define(`OTPLOCK', `0x800c4d10')
+define(`OMAPFB_GET_CAPS', `0x800c4f2a')
+define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
+define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
+define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
+define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
+define(`NCP_IOC_SETROOT', `0x800c6e08')
+define(`VIDEO_GET_SIZE', `0x800c6f37')
+define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
+define(`CA_GET_SLOT_INFO', `0x800c6f82')
+define(`FDGETDRVTYP', `0x8010020f')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
+define(`CCISS_GETNODENAME', `0x80104204')
+define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
+define(`ECCGETSTATS', `0x80104d12')
+define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
+define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
+define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
+define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
+define(`TUNGETFILTER', `0x801054db')
+define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
+define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
+define(`I2OPASSTHRU', `0x8010690c')
+define(`MGSL_IOCGGPIO', `0x80106d11')
+define(`NCP_IOC_NCPREQUEST', `0x80106e01')
+define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
+define(`FE_GET_PROPERTY', `0x80106f53')
+define(`CA_GET_CAP', `0x80106f81')
+define(`OSD_GET_CAPABILITY', `0x80106fa1')
+define(`PPGETTIME', `0x80107095')
+define(`BR_INCREFS', `0x80107207')
+define(`BR_ACQUIRE', `0x80107208')
+define(`BR_RELEASE', `0x80107209')
+define(`BR_DECREFS', `0x8010720a')
+define(`GENWQE_READ_REG64', `0x8010a51e')
+define(`GENWQE_READ_REG32', `0x8010a520')
+define(`GENWQE_READ_REG16', `0x8010a522')
+define(`FDGETMAXERRS', `0x8014020e')
+define(`GET_DISK_INFO', `0x80140912')
+define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
+define(`CHIOGPARAMS', `0x80146306')
+define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
+define(`VIDEO_GET_STATUS', `0x80146f1b')
+define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
+define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
+define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
+define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
+define(`IMSETDEVNAME', `0x80184947')
+define(`OMAPFB_MEMORY_READ', `0x80184f3a')
+define(`HPET_INFO', `0x80186803')
+define(`NCP_IOC_SIGN_INIT', `0x80186e05')
+define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
+define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
+define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
+define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
+define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
+define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
+define(`MBXFB_IOCG_ALPHA', `0x8018f401')
+define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
+define(`HIDIOCGDEVINFO', `0x801c4803')
+define(`FDGETPRM', `0x80200204')
+define(`FBIOGET_VBLANK', `0x80204612')
+define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
+define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
+define(`MEMGETINFO', `0x80204d01')
+define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
+define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
+define(`I2OGETIOPS', `0x80206900')
+define(`AUDIO_GET_STATUS', `0x80206f0a')
+define(`VIDEO_GET_EVENT', `0x80206f1c')
+define(`RTC_PLL_GET', `0x80207011')
+define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
+define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
+define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
+define(`SONET_GETSTAT', `0x80246110')
+define(`SONET_GETSTATZ', `0x80246111')
+define(`JSIOCGCORR', `0x80246a22')
+define(`FE_GET_FRONTEND', `0x80246f4d')
+define(`RTC_ALM_READ', `0x80247008')
+define(`RTC_RD_TIME', `0x80247009')
+define(`FDGETFDCSTAT', `0x80280215')
+define(`FDWERRORGET', `0x80280217')
+define(`EVIOCGKEYCODE_V2', `0x80284504')
+define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
+define(`WDIOC_GETSUPPORT', `0x80285700')
+define(`IPMICTL_SEND_COMMAND', `0x8028690d')
+define(`FE_GET_EVENT', `0x80286f4e')
+define(`RTC_WKALM_RD', `0x80287010')
+define(`IOW_GETINFO', `0x8028c003')
+define(`USBDEVFS_SUBMITURB32', `0x802a550a')
+define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
+define(`TCGETS2', `0x802c542a')
+define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
+define(`VIDIOC_G_FBUF', `0x8030560a')
+define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
+define(`MGSL_IOCGPARAMS', `0x80306d01')
+define(`MTIOCGET', `0x80306d02')
+define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
+define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
+define(`KVM_GET_CLOCK', `0x8030ae7c')
+define(`VIDIOC_G_AUDIO', `0x80345621')
+define(`VIDIOC_G_AUDOUT', `0x80345631')
+define(`USBDEVFS_SUBMITURB', `0x8038550a')
+define(`DRM_IOCTL_AGP_INFO', `0x80386433')
+define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
+define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
+define(`JSIOCGAXMAP', `0x80406a32')
+define(`BR_TRANSACTION', `0x80407202')
+define(`BR_REPLY', `0x80407203')
+define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
+define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
+define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
+define(`GET_ARRAY_INFO', `0x80480911')
+define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
+define(`KVM_SET_PIT', `0x8048ae66')
+define(`GSMIOC_GETCONF', `0x804c4700')
+define(`FDGETDRVSTAT', `0x80500212')
+define(`FDPOLLDRVSTAT', `0x80500213')
+define(`PTP_CLOCK_GETCAPS', `0x80503d01')
+define(`SOUND_MIXER_INFO', `0x805c4d65')
+define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
+define(`VIDIOC_QUERYCAP', `0x80685600')
+define(`I2OEVTGET', `0x8068690b')
+define(`CHIOGVPARAMS', `0x80706313')
+define(`KVM_GET_PIT2', `0x8070ae9f')
+define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
+define(`FDGETDRVPRM', `0x80800211')
+define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
+define(`KVM_GET_DEBUGREGS', `0x8080aea1')
+define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
+define(`VIDIOC_DQEVENT', `0x80885659')
+define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
+define(`KVM_GET_REGS', `0x8090ae81')
+define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
+define(`FE_GET_INFO', `0x80a86f3d')
+define(`MEMGETOOBSEL', `0x80c84d0a')
+define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
+define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
+define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
+define(`DRM_IOCTL_GET_STATS', `0x80f86406')
+define(`ASHMEM_GET_NAME', `0x81007702')
+define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
+define(`HIDIOCGSTRING', `0x81044804')
+define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
+define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
+define(`CA_GET_MSG', `0x810c6f84')
+define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
+define(`SISFB_GET_INFO', `0x811cf301')
+define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
+define(`KVM_GET_SREGS', `0x8138ae83')
+define(`ECCGETLAYOUT', `0x81484d11')
+define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
+define(`KVM_GET_XCRS', `0x8188aea6')
+define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
+define(`KVM_GET_FPU', `0x81a0ae8c')
+define(`KVM_SET_IRQCHIP', `0x8208ae63')
+define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
+define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
+define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
+define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
+define(`JSIOCGBTNMAP', `0x84006a34')
+define(`BTRFS_IOC_FS_INFO', `0x8400941f')
+define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
+define(`KVM_GET_LAPIC', `0x8400ae8e')
+define(`VIDEO_GET_NAVI', `0x84046f34')
+define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
+define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
+define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
+define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
+define(`GET_BITMAP_FILE', `0x90000915')
+define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
+define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
+define(`KVM_GET_XSAVE', `0x9000aea4')
+define(`HIDIOCGRDESC', `0x90044802')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
+define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
+define(`CAPI_GET_MANUFACTURER', `0xc0044306')
+define(`CAPI_GET_SERIAL', `0xc0044308')
+define(`GIGASET_REDIR', `0xc0044700')
+define(`GIGASET_CONFIG', `0xc0044701')
+define(`ION_IOC_FREE', `0xc0044901')
+define(`SOUND_MIXER_AGC', `0xc0044d67')
+define(`SOUND_MIXER_3DSE', `0xc0044d68')
+define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
+define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
+define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
+define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
+define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
+define(`SNDCTL_DSP_SPEED', `0xc0045002')
+define(`SNDCTL_DSP_STEREO', `0xc0045003')
+define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
+define(`SNDCTL_DSP_SETFMT', `0xc0045005')
+define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
+define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
+define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
+define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
+define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
+define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
+define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
+define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
+define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
+define(`SNDCTL_TMR_TEMPO', `0xc0045405')
+define(`SNDCTL_TMR_SOURCE', `0xc0045406')
+define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
+define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
+define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
+define(`VIDIOC_S_INPUT', `0xc0045627')
+define(`VIDIOC_S_OUTPUT', `0xc004562f')
+define(`WDIOC_SETTIMEOUT', `0xc0045706')
+define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
+define(`FIFREEZE', `0xc0045877')
+define(`FITHAW', `0xc0045878')
+define(`SONET_SETDIAG', `0xc0046112')
+define(`SONET_CLRDIAG', `0xc0046113')
+define(`BINDER_VERSION', `0xc0046209')
+define(`DRM_IOCTL_BLOCK', `0xc0046412')
+define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
+define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
+define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
+define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
+define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
+define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
+define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
+define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
+define(`MGSL_IOCWAITEVENT', `0xc0046d08')
+define(`TOSH_SMM', `0xc0047490')
+define(`MEYEIOC_SYNC', `0xc00476c3')
+define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
+define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
+define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
+define(`NET_ADD_IF', `0xc0066f34')
+define(`NET_GET_IF', `0xc0066f36')
+define(`AGPIOC_ALLOCATE', `0xc0084106')
+define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
+define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
+define(`ION_IOC_MAP', `0xc0084902')
+define(`ION_IOC_SHARE', `0xc0084904')
+define(`ION_IOC_IMPORT', `0xc0084905')
+define(`ION_IOC_SYNC', `0xc0084907')
+define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
+define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
+define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
+define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
+define(`VIDIOC_G_CTRL', `0xc008561b')
+define(`VIDIOC_S_CTRL', `0xc008561c')
+define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
+define(`CM_IOCGATR', `0xc0086301')
+define(`CIOC_KERNEL_VERSION', `0xc008630a')
+define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
+define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
+define(`DRM_IOCTL_RM_CTX', `0xc0086421')
+define(`DRM_IOCTL_GET_CTX', `0xc0086423')
+define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
+define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
+define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
+define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
+define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
+define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
+define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
+define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
+define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
+define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
+define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
+define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
+define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
+define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
+define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
+define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
+define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
+define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
+define(`I8K_GET_SPEED', `0xc0086985')
+define(`I8K_GET_FAN', `0xc0086986')
+define(`I8K_SET_FAN', `0xc0086987')
+define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
+define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
+define(`PHN_GET_REG', `0xc0087000')
+define(`PHN_GET_REGS', `0xc0087002')
+define(`PHN_GETREG', `0xc0087005')
+define(`PPS_FETCH', `0xc00870a4')
+define(`PHONE_QUERY_CODEC', `0xc00871a7')
+define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
+define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
+define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
+define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
+define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
+define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
+define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
+define(`KVM_GET_MSRS', `0xc008ae88')
+define(`KVM_GET_CPUID2', `0xc008ae91')
+define(`KVM_GET_REG_LIST', `0xc008aeb0')
+define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
+define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
+define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
+define(`VHOST_GET_VRING_BASE', `0xc008af12')
+define(`HIDIOCGREPORTINFO', `0xc00c4809')
+define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
+define(`USBDEVFS_IOCTL32', `0xc00c5512')
+define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
+define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
+define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
+define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
+define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
+define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
+define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
+define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
+define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
+define(`KVM_CREATE_DEVICE', `0xc00caee0')
+define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
+define(`MBXFB_IOCX_REG', `0xc00cf405')
+define(`CAPI_GET_VERSION', `0xc0104307')
+define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
+define(`GIGASET_VERSION', `0xc0104703')
+define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
+define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
+define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
+define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
+define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
+define(`ION_IOC_CUSTOM', `0xc0104906')
+define(`MEMWRITEOOB', `0xc0104d03')
+define(`MEMREADOOB', `0xc0104d04')
+define(`MEMGETREGIONINFO', `0xc0104d08')
+define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
+define(`USBDEVFS_CONTROL32', `0xc0105500')
+define(`USBDEVFS_BULK32', `0xc0105502')
+define(`USBDEVFS_IOCTL', `0xc0105512')
+define(`NS_GETPSTAT', `0xc0106161')
+define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
+define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
+define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
+define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
+define(`DRM_IOCTL_GET_CAP', `0xc010640c')
+define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
+define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
+define(`DRM_IOCTL_RES_CTX', `0xc0106426')
+define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
+define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
+define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
+define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
+define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
+define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
+define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
+define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
+define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
+define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
+define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
+define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
+define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
+define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
+define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
+define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
+define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
+define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
+define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
+define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
+define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
+define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
+define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
+define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
+define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
+define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
+define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
+define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
+define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
+define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
+define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
+define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
+define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
+define(`MGSL_IOCWAITGPIO', `0xc0106d12')
+define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
+define(`DMX_GET_STC', `0xc0106f32')
+define(`UVCIOC_CTRL_QUERY', `0xc0107521')
+define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
+define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
+define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
+define(`SNDCTL_COPR_RDATA', `0xc0144302')
+define(`SNDCTL_COPR_RCODE', `0xc0144303')
+define(`SNDCTL_COPR_RUN', `0xc0144306')
+define(`SNDCTL_COPR_HALT', `0xc0144307')
+define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
+define(`VIDIOC_REQBUFS', `0xc0145608')
+define(`VIDIOC_G_CROP', `0xc014563b')
+define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
+define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
+define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
+define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
+define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
+define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
+define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
+define(`HIDIOCGUSAGE', `0xc018480b')
+define(`HIDIOCGUCODE', `0xc018480d')
+define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
+define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
+define(`MEMWRITEOOB64', `0xc0184d15')
+define(`MEMREADOOB64', `0xc0184d16')
+define(`USBDEVFS_CONTROL', `0xc0185500')
+define(`USBDEVFS_BULK', `0xc0185502')
+define(`PACKET_CTRL_CMD', `0xc0185801')
+define(`FITRIM', `0xc0185879')
+define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
+define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
+define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
+define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
+define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
+define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
+define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
+define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
+define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
+define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
+define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
+define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
+define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
+define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
+define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
+define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
+define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
+define(`I2OHRTGET', `0xc0186901')
+define(`I2OLCTGET', `0xc0186902')
+define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
+define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
+define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
+define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
+define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
+define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
+define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
+define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
+define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
+define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
+define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
+define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
+define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
+define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
+define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
+define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
+define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
+define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
+define(`KVM_TRANSLATE', `0xc018ae85')
+define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
+define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
+define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
+define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
+define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
+define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
+define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
+define(`ION_IOC_ALLOC', `0xc0204900')
+define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
+define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
+define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
+define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
+define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
+define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
+define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
+define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
+define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
+define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
+define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
+define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
+define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
+define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
+define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
+define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
+define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
+define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
+define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
+define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
+define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
+define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
+define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
+define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
+define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
+define(`FS_IOC_FIEMAP', `0xc020660b')
+define(`GENWQE_PIN_MEM', `0xc020a528')
+define(`GENWQE_UNPIN_MEM', `0xc020a529')
+define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
+define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
+define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
+define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
+define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
+define(`SYNC_IOC_MERGE', `0xc0283e01')
+define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
+define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
+define(`VIDIOC_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
+define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
+define(`VIDIOC_S_EDID', `0xc0285629')
+define(`VIDIOC_ENCODER_CMD', `0xc028564d')
+define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
+define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
+define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
+define(`DRM_IOCTL_GET_MAP', `0xc0286404')
+define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
+define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
+define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
+define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
+define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
+define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
+define(`I2OPARMSET', `0xc0286903')
+define(`I2OPARMGET', `0xc0286904')
+define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
+define(`PHN_GETREGS', `0xc0287007')
+define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
+define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
+define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
+define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
+define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
+define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
+define(`VIDIOC_QUERYMENU', `0xc02c5625')
+define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
+define(`VIDIOC_CROPCAP', `0xc02c563a')
+define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
+define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
+define(`MEMWRITE', `0xc0304d18')
+define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
+define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
+define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
+define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
+define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
+define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
+define(`BINDER_WRITE_READ', `0xc0306201')
+define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
+define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
+define(`I2OSWDL', `0xc0306905')
+define(`I2OSWUL', `0xc0306906')
+define(`I2OSWDEL', `0xc0306907')
+define(`I2OHTML', `0xc0306909')
+define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
+define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
+define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
+define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
+define(`VIDIOC_ENUMAUDIO', `0xc0345641')
+define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
+define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
+define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
+define(`HIDIOCGFIELDINFO', `0xc038480a')
+define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
+define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
+define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
+define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
+define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
+define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
+define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
+define(`GENWQE_SLU_UPDATE', `0xc038a550')
+define(`GENWQE_SLU_READ', `0xc038a551')
+define(`CAPI_GET_PROFILE', `0xc0404309')
+define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
+define(`VIDIOC_ENUM_FMT', `0xc0405602')
+define(`VIDIOC_EXPBUF', `0xc0405610')
+define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
+define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
+define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
+define(`VIDIOC_G_SELECTION', `0xc040565e')
+define(`VIDIOC_S_SELECTION', `0xc040565f')
+define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
+define(`DRM_IOCTL_VERSION', `0xc0406400')
+define(`DRM_IOCTL_DMA', `0xc0406429')
+define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
+define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
+define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
+define(`VIDIOC_QUERYCTRL', `0xc0445624')
+define(`VIDIOC_G_MODULATOR', `0xc0445636')
+define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
+define(`BLKTRACESETUP', `0xc0481273')
+define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
+define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
+define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
+define(`VIDIOC_ENUMSTD', `0xc0485619')
+define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
+define(`VIDIOC_DECODER_CMD', `0xc0485660')
+define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
+define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
+define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
+define(`VIDEO_COMMAND', `0xc0486f3b')
+define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
+define(`KVM_GET_PIT', `0xc048ae65')
+define(`MMC_IOC_CMD', `0xc048b300')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
+define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
+define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
+define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
+define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
+define(`VIDIOC_ENUMINPUT', `0xc050561a')
+define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
+define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
+define(`VIDIOC_G_TUNER', `0xc054561d')
+define(`SISFB_COMMAND', `0xc054f305')
+define(`CCISS_PASSTHRU', `0xc058420b')
+define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
+define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
+define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
+define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
+define(`VIDIOC_QUERYBUF', `0xc0585609')
+define(`VIDIOC_QBUF', `0xc058560f')
+define(`VIDIOC_DQBUF', `0xc0585611')
+define(`VIDIOC_PREPARE_BUF', `0xc058565d')
+define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
+define(`PTP_PIN_GETFUNC', `0xc0603d06')
+define(`CCISS_BIG_PASSTHRU', `0xc0604212')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
+define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
+define(`UVCIOC_CTRL_MAP', `0xc0607520')
+define(`FBIO_CURSOR', `0xc0684608')
+define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
+define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
+define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
+define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
+define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
+define(`SNDCTL_MIDI_INFO', `0xc074510c')
+define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
+define(`SOUND_MIXER_ACCESS', `0xc0804d66')
+define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
+define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
+define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
+define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
+define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
+define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
+define(`SNDCTL_SYNTH_ID', `0xc08c5114')
+define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
+define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
+define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
+define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
+define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
+define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
+define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
+define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
+define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
+define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
+define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
+define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
+define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
+define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
+define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
+define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
+define(`VIDIOC_G_PARM', `0xc0cc5615')
+define(`VIDIOC_S_PARM', `0xc0cc5616')
+define(`VIDIOC_G_FMT', `0xc0d05604')
+define(`VIDIOC_S_FMT', `0xc0d05605')
+define(`VIDIOC_TRY_FMT', `0xc0d05640')
+define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
+define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
+define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
+define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
+define(`VIDIOC_CREATE_BUFS', `0xc100565c')
+define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
+define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
+define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
+define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
+define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
+define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
+define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
+define(`DM_VERSION', `0xc138fd00')
+define(`DM_REMOVE_ALL', `0xc138fd01')
+define(`DM_LIST_DEVICES', `0xc138fd02')
+define(`DM_DEV_CREATE', `0xc138fd03')
+define(`DM_DEV_REMOVE', `0xc138fd04')
+define(`DM_DEV_RENAME', `0xc138fd05')
+define(`DM_DEV_SUSPEND', `0xc138fd06')
+define(`DM_DEV_STATUS', `0xc138fd07')
+define(`DM_DEV_WAIT', `0xc138fd08')
+define(`DM_TABLE_LOAD', `0xc138fd09')
+define(`DM_TABLE_CLEAR', `0xc138fd0a')
+define(`DM_TABLE_DEPS', `0xc138fd0b')
+define(`DM_TABLE_STATUS', `0xc138fd0c')
+define(`DM_LIST_VERSIONS', `0xc138fd0d')
+define(`DM_TARGET_MSG', `0xc138fd0e')
+define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
+define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
+define(`KVM_GET_IRQCHIP', `0xc208ae62')
+define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
+define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
+define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
+define(`BTRFS_IOC_SCRUB', `0xc400941b')
+define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
+define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
+define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
+define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
+define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
+define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
+define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
+define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
+define(`SNDCTL_COPR_LOAD', `0xcfb04301')
+define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
+define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
+define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
+define(`HIDIOCGUSAGES', `0xd01c4813')
+define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
+define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
+define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
+define(`PPPIOCGL2TPSTATS', `0x7436')
+define(`PPPIOCGCHAN', `0x7437')
+define(`PPPIOCATTCHAN', `0x7438')
+define(`PPPIOCDISCONN', `0x7439')
+define(`PPPIOCCONNECT', `0x743a')
+define(`PPPIOCSMRRU', `0x743b')
+define(`PPPIOCDETACH', `0x743c')
+define(`PPPIOCATTACH', `0x743d')
+define(`PPPIOCNEWUNIT', `0x743e')
+define(`PPPIOCGIDLE', `0x743f')
+define(`PPPIOCSDEBUG', `0x7440')
+define(`PPPIOCGDEBUG', `0x7441')
+define(`PPPIOCSACTIVE', `0x7446')
+define(`PPPIOCSPASS', `0x7447')
+define(`PPPIOCSNPMODE', `0x744b')
+define(`PPPIOCGNPMODE', `0x744c')
+define(`PPPIOCSCOMPRESS', `0x744d')
+define(`PPPIOCXFERUNIT', `0x744e')
+define(`PPPIOCSXASYNCMAP', `0x744f')
+define(`PPPIOCGXASYNCMAP', `0x7450')
+define(`PPPIOCSMAXCID', `0x7451')
+define(`PPPIOCSMRU', `0x7452')
+define(`PPPIOCGMRU', `0x7453')
+define(`PPPIOCSRASYNCMAP', `0x7454')
+define(`PPPIOCGRASYNCMAP', `0x7455')
+define(`PPPIOCGUNIT', `0x7456')
+define(`PPPIOCSASYNCMAP', `0x7457')
+define(`PPPIOCGASYNCMAP', `0x7458')
+define(`PPPIOCSFLAGS', `0x7459')
+define(`PPPIOCGFLAGS', `0x745a')
+define(`PPPIOCGCALLINFO', `0x7480')
+define(`PPPIOCBUNDLE', `0x7481')
+define(`PPPIOCGMPFLAGS', `0x7482')
+define(`PPPIOCSMPFLAGS', `0x7483')
+define(`PPPIOCSMPMTU', `0x7484')
+define(`PPPIOCSMPMRU', `0x7485')
+define(`PPPIOCGCOMPRESSORS', `0x7486')
+define(`PPPIOCSCOMPRESSOR', `0x7487')
+define(`PPPIOCGIFNAME', `0x7488')
diff --git a/prebuilts/api/28.0/public/ioctl_macros b/prebuilts/api/28.0/public/ioctl_macros
new file mode 100644
index 0000000..f7081d5
--- /dev/null
+++ b/prebuilts/api/28.0/public/ioctl_macros
@@ -0,0 +1,68 @@
+# socket ioctls allowed to unprivileged apps
+define(`unpriv_sock_ioctls', `
+{
+# Socket ioctls for gathering information about the interface
+SIOCGSTAMP SIOCGSTAMPNS
+SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
+SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
+# Wireless extension ioctls. Primarily get functions.
+SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
+SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
+SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
+}')
+
+# socket ioctls never allowed to unprivileged apps
+define(`priv_sock_ioctls', `
+{
+# qualcomm rmnet ioctls
+WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
+# socket ioctls
+SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
+SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
+SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
+SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
+SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
+SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
+SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
+SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
+SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
+SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
+# device and protocol specific ioctls
+SIOCDEVPRIVATE-SIOCDEVPRIVLAST
+SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
+# Wireless extension ioctls
+SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
+SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
+SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
+SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
+SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
+SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
+# Dev private ioctl i.e. hardware specific ioctls
+SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
+}')
+
+# commonly used ioctls on unix sockets
+define(`unpriv_unix_sock_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
+
+# commonly used TTY ioctls
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+ TIOCOUTQ FIOCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW
+ TCFLSH TIOCSPGRP TIOCGPGRP
+}')
+
+# point to point ioctls
+define(`ppp_ioctls', `{
+PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
+PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
+PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
+PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
+PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
+PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
+PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
+PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
+PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
+PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
+}')
diff --git a/prebuilts/api/28.0/public/isolated_app.te b/prebuilts/api/28.0/public/isolated_app.te
new file mode 100644
index 0000000..a907dac
--- /dev/null
+++ b/prebuilts/api/28.0/public/isolated_app.te
@@ -0,0 +1,9 @@
+###
+### Services with isolatedProcess=true in their manifest.
+###
+### This file defines the rules for isolated apps. An "isolated
+### app" is an APP with UID between AID_ISOLATED_START (99000)
+### and AID_ISOLATED_END (99999).
+###
+
+type isolated_app, domain;
diff --git a/prebuilts/api/28.0/public/kernel.te b/prebuilts/api/28.0/public/kernel.te
new file mode 100644
index 0000000..b7a351c
--- /dev/null
+++ b/prebuilts/api/28.0/public/kernel.te
@@ -0,0 +1,105 @@
+# Life begins with the kernel.
+type kernel, domain, mlstrustedsubject;
+
+allow kernel self:global_capability_class_set sys_nice;
+
+# Root fs.
+r_dir_file(kernel, rootfs)
+allow kernel proc_cmdline:file r_file_perms;
+
+# Get SELinux enforcing status.
+allow kernel selinuxfs:dir r_dir_perms;
+allow kernel selinuxfs:file r_file_perms;
+
+# Get file contexts during first stage
+allow kernel file_contexts_file:file r_file_perms;
+
+# Allow init relabel itself.
+allow kernel rootfs:file relabelfrom;
+allow kernel init_exec:file relabelto;
+# TODO: investigate why we need this.
+allow kernel init:process share;
+
+# cgroup filesystem initialization prior to setting the cgroup root directory label.
+allow kernel unlabeled:dir search;
+
+# Mount usbfs.
+allow kernel usbfs:filesystem mount;
+allow kernel usbfs:dir search;
+
+# Initial setenforce by init prior to switching to init domain.
+# We use dontaudit instead of allow to prevent a kernel spawned userspace
+# process from turning off SELinux once enabled.
+dontaudit kernel self:security setenforce;
+
+# Write to /proc/1/oom_adj prior to switching to init domain.
+allow kernel self:global_capability_class_set sys_resource;
+
+# Init reboot before switching selinux domains under certain error
+# conditions. Allow it.
+# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
+# remount filesystems read-only. /data is not mounted at this point,
+# so we could ignore this. For now, we allow it.
+allow kernel self:global_capability_class_set sys_boot;
+allow kernel proc_sysrq:file w_file_perms;
+
+# Allow writing to /dev/kmsg which was created prior to loading policy.
+allow kernel tmpfs:chr_file write;
+
+# Set checkreqprot by init.rc prior to switching to init domain.
+allow kernel selinuxfs:file write;
+allow kernel self:security setcheckreqprot;
+
+# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
+allow kernel sdcard_type:file { read write };
+
+# f_mtp driver accesses files from kernel context.
+allow kernel mediaprovider:fd use;
+
+# Allow the kernel to read OBB files from app directories. (b/17428116)
+# Kernel thread "loop0" reads a vold supplied file descriptor.
+# Fixes CTS tests:
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
+# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
+allow kernel vold:fd use;
+allow kernel app_data_file:file read;
+allow kernel asec_image_file:file read;
+
+# Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
+userdebug_or_eng(`
+ allow kernel update_engine_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
+')
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow kernel media_rw_data_file:dir create_dir_perms;
+allow kernel media_rw_data_file:file create_file_perms;
+
+# Access to /data/misc/vold/virtual_disk.
+allow kernel vold_data_file:file read;
+
+###
+### neverallow rules
+###
+
+# The initial task starts in the kernel domain (assigned via
+# initial_sid_contexts), but nothing ever transitions to it.
+neverallow * kernel:process { transition dyntransition };
+
+# The kernel domain is never entered via an exec, nor should it
+# ever execute a program outside the rootfs without changing to another domain.
+# If you encounter an execute_no_trans denial on the kernel domain, then
+# possible causes include:
+# - The program is a kernel usermodehelper. In this case, define a domain
+# for the program and domain_auto_trans() to it.
+# - You are running an exploit which switched to the init task credentials
+# and is then trying to exec a shell or other program. You lose!
+neverallow kernel *:file { entrypoint execute_no_trans };
+
+# the kernel should not be accessing files owned by other users.
+# Instead of adding dac_{read_search,override}, fix the unix permissions
+# on files being accessed.
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
diff --git a/prebuilts/api/28.0/public/keystore.te b/prebuilts/api/28.0/public/keystore.te
new file mode 100644
index 0000000..49355bd
--- /dev/null
+++ b/prebuilts/api/28.0/public/keystore.te
@@ -0,0 +1,35 @@
+type keystore, domain;
+type keystore_exec, exec_type, file_type;
+
+# keystore daemon
+typeattribute keystore mlstrustedsubject;
+binder_use(keystore)
+binder_service(keystore)
+binder_call(keystore, system_server)
+
+allow keystore keystore_data_file:dir create_dir_perms;
+allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
+allow keystore keystore_exec:file { getattr };
+
+add_service(keystore, keystore_service)
+allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
+
+# Check SELinux permissions.
+selinux_check_access(keystore)
+
+r_dir_file(keystore, cgroup)
+
+###
+### Neverallow rules
+###
+### Protect ourself from others
+###
+
+neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow { domain -keystore -init } keystore_data_file:dir *;
+neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
+
+neverallow * keystore:process ptrace;
diff --git a/prebuilts/api/28.0/public/lmkd.te b/prebuilts/api/28.0/public/lmkd.te
new file mode 100644
index 0000000..472946e
--- /dev/null
+++ b/prebuilts/api/28.0/public/lmkd.te
@@ -0,0 +1,52 @@
+# lmkd low memory killer daemon
+type lmkd, domain, mlstrustedsubject;
+type lmkd_exec, exec_type, file_type;
+
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
+
+# lmkd locks itself in memory, to prevent it from being
+# swapped out and unable to kill other memory hogs.
+# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
+# b/16236289
+allow lmkd self:global_capability_class_set ipc_lock;
+
+## Open and write to /proc/PID/oom_score_adj
+## TODO: maybe scope this down?
+r_dir_file(lmkd, appdomain)
+allow lmkd appdomain:file write;
+r_dir_file(lmkd, system_server)
+allow lmkd system_server:file write;
+
+## Writes to /sys/module/lowmemorykiller/parameters/minfree
+r_dir_file(lmkd, sysfs_lowmemorykiller)
+allow lmkd sysfs_lowmemorykiller:file w_file_perms;
+
+# Send kill signals
+allow lmkd appdomain:process sigkill;
+
+# Clean up old cgroups
+allow lmkd cgroup:dir { remove_name rmdir };
+
+# Allow to read memcg stats
+allow lmkd cgroup:file r_file_perms;
+
+# Set self to SCHED_FIFO
+allow lmkd self:global_capability_class_set sys_nice;
+
+allow lmkd proc_zoneinfo:file r_file_perms;
+
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+# Read /proc/meminfo
+allow lmkd proc_meminfo:file r_file_perms;
+
+### neverallow rules
+
+# never honor LD_PRELOAD
+neverallow * lmkd:process noatsecure;
diff --git a/prebuilts/api/28.0/public/logd.te b/prebuilts/api/28.0/public/logd.te
new file mode 100644
index 0000000..817a705
--- /dev/null
+++ b/prebuilts/api/28.0/public/logd.te
@@ -0,0 +1,73 @@
+# android user-space log manager
+type logd, domain, mlstrustedsubject;
+type logd_exec, exec_type, file_type;
+
+# Read access to pseudo filesystems.
+r_dir_file(logd, cgroup)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+r_dir_file(logd, proc_net)
+
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kernel:system syslog_read;
+allow logd kmsg_device:chr_file w_file_perms;
+allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+ # Access to /data/misc/logd/event-log-tags
+ allow logd misc_logd_file:dir r_dir_perms;
+ allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
+
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
+r_dir_file(logd, domain)
+
+allow logd kernel:system syslog_mod;
+
+control_logd(logd)
+read_runtime_log_tags(logd)
+
+allow runtime_event_log_tags_file tmpfs:filesystem associate;
+# Typically harmlessly blindly trying to access via liblog
+# event tag mapping while in the untrusted_app domain.
+# Access for that domain is controlled and gated via the
+# event log tag service (albeit at a performance penalty,
+# expected to be locally cached).
+dontaudit domain runtime_event_log_tags_file:file { open read };
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# ... and nobody may ptrace me (except on userdebug or eng builds)
+neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
+
+# protect the event-log-tags file
+neverallow {
+ domain
+ -init
+ -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/28.0/public/logpersist.te b/prebuilts/api/28.0/public/logpersist.te
new file mode 100644
index 0000000..7536cb8
--- /dev/null
+++ b/prebuilts/api/28.0/public/logpersist.te
@@ -0,0 +1,26 @@
+# android debug logging, logpersist domains
+type logpersist, domain;
+
+###
+### Neverallow rules
+###
+### logpersist should NEVER do any of this
+
+# Block device access.
+neverallow logpersist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logpersist domain:process ptrace;
+
+# Write to files in /data/data or system files on /data except misc_logd_file
+neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init should be allowed to enter the logpersist domain via exec()
+# Following is a list of debug domains we know that transition to logpersist
+# neverallow_with_undefined_domains {
+# domain
+# -init # goldfish, logcatd, raft
+# -mmi # bat, mtp8996, msmcobalt
+# -system_app # Smith.apk
+# } logpersist:process transition;
+neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/28.0/public/mdnsd.te b/prebuilts/api/28.0/public/mdnsd.te
new file mode 100644
index 0000000..ef7b065
--- /dev/null
+++ b/prebuilts/api/28.0/public/mdnsd.te
@@ -0,0 +1,2 @@
+# mdns daemon
+type mdnsd, domain;
diff --git a/prebuilts/api/28.0/public/mediacodec.te b/prebuilts/api/28.0/public/mediacodec.te
new file mode 100644
index 0000000..e5b4a7d
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediacodec.te
@@ -0,0 +1,70 @@
+# mediacodec - audio and video codecs live here
+type mediacodec, domain;
+type mediacodec_exec, exec_type, vendor_file_type, file_type;
+
+typeattribute mediacodec mlstrustedsubject;
+
+# TODO(b/36375899) attributize this domain appropriately as hal_omx
+# and use macro hal_server_domain
+get_prop(mediacodec, hwservicemanager_prop)
+
+# can route /dev/binder traffic to /dev/vndbinder
+vndbinder_use(mediacodec)
+
+not_full_treble(`
+ # on legacy devices, continue to allow /dev/binder traffic
+ binder_use(mediacodec)
+ binder_service(mediacodec)
+ add_service(mediacodec, mediacodec_service)
+ allow mediacodec mediametrics_service:service_manager find;
+ allow mediacodec surfaceflinger_service:service_manager find;
+')
+binder_call(mediacodec, binderservicedomain)
+binder_call(mediacodec, appdomain)
+
+# Allow mediacodec access to composer sync fences
+allow mediacodec hal_graphics_composer:fd use;
+
+allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec video_device:chr_file rw_file_perms;
+allow mediacodec video_device:dir search;
+allow mediacodec ion_device:chr_file rw_file_perms;
+allow mediacodec hal_camera:fd use;
+
+crash_dump_fallback(mediacodec)
+
+add_hwservice(mediacodec, hal_codec2_hwservice)
+add_hwservice(mediacodec, hal_omx_hwservice)
+
+hal_client_domain(mediacodec, hal_allocator)
+
+hal_client_domain(mediacodec, hal_cas)
+
+# allocate and use graphic buffers
+hal_client_domain(mediacodec, hal_graphics_allocator)
+
+# Recieve gralloc buffer FDs from bufferhubd. Note that mediacodec never
+# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
+# between those two: it talks to mediacodec via Binder and talks to bufferhubd
+# via PDX. Thus, there is no need to use pdx_client macro.
+allow mediacodec bufferhubd:fd use;
+
+###
+### neverallow rules
+###
+
+# mediacodec should never execute any executable without a
+# domain transition
+neverallow mediacodec { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediacodec domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/28.0/public/mediadrmserver.te b/prebuilts/api/28.0/public/mediadrmserver.te
new file mode 100644
index 0000000..123cb29
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediadrmserver.te
@@ -0,0 +1,31 @@
+# mediadrmserver - mediadrm daemon
+type mediadrmserver, domain;
+type mediadrmserver_exec, exec_type, file_type;
+
+typeattribute mediadrmserver mlstrustedsubject;
+
+net_domain(mediadrmserver)
+binder_use(mediadrmserver)
+binder_call(mediadrmserver, binderservicedomain)
+binder_call(mediadrmserver, appdomain)
+binder_service(mediadrmserver)
+hal_client_domain(mediadrmserver, hal_drm)
+
+add_service(mediadrmserver, mediadrmserver_service)
+allow mediadrmserver mediaserver_service:service_manager find;
+allow mediadrmserver mediametrics_service:service_manager find;
+allow mediadrmserver processinfo_service:service_manager find;
+allow mediadrmserver surfaceflinger_service:service_manager find;
+allow mediadrmserver system_file:dir r_dir_perms;
+
+binder_call(mediadrmserver, mediacodec)
+###
+### neverallow rules
+###
+
+# mediadrmserver should never execute any executable without a
+# domain transition
+neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/mediaextractor.te b/prebuilts/api/28.0/public/mediaextractor.te
new file mode 100644
index 0000000..b055462
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaextractor.te
@@ -0,0 +1,74 @@
+# mediaextractor - multimedia daemon
+type mediaextractor, domain;
+type mediaextractor_exec, exec_type, file_type;
+
+typeattribute mediaextractor mlstrustedsubject;
+
+binder_use(mediaextractor)
+binder_call(mediaextractor, binderservicedomain)
+binder_call(mediaextractor, appdomain)
+binder_service(mediaextractor)
+
+add_service(mediaextractor, mediaextractor_service)
+allow mediaextractor mediametrics_service:service_manager find;
+allow mediaextractor hidl_token_hwservice:hwservice_manager find;
+
+allow mediaextractor system_server:fd use;
+
+hal_client_domain(mediaextractor, hal_cas)
+
+r_dir_file(mediaextractor, cgroup)
+allow mediaextractor proc_meminfo:file r_file_perms;
+
+crash_dump_fallback(mediaextractor)
+
+# allow mediaextractor read permissions for file sources
+allow mediaextractor sdcardfs:file { getattr read };
+allow mediaextractor media_rw_data_file:file { getattr read };
+allow mediaextractor app_data_file:file { getattr read };
+
+# Read resources from open apk files passed over Binder
+allow mediaextractor apk_data_file:file { read getattr };
+allow mediaextractor asec_apk_file:file { read getattr };
+allow mediaextractor ringtone_file:file { read getattr };
+
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
+###
+### neverallow rules
+###
+
+# mediaextractor should never execute any executable without a
+# domain transition
+neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+}:file open;
diff --git a/prebuilts/api/28.0/public/mediametrics.te b/prebuilts/api/28.0/public/mediametrics.te
new file mode 100644
index 0000000..ada90cc
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediametrics.te
@@ -0,0 +1,41 @@
+# mediametrics - daemon for collecting media.metrics data
+type mediametrics, domain;
+type mediametrics_exec, exec_type, file_type;
+
+
+binder_use(mediametrics)
+binder_call(mediametrics, binderservicedomain)
+binder_service(mediametrics)
+
+add_service(mediametrics, mediametrics_service)
+
+allow mediametrics system_server:fd use;
+
+r_dir_file(mediametrics, cgroup)
+allow mediametrics proc_meminfo:file r_file_perms;
+
+# allows interactions with dumpsys to GMScore
+allow mediametrics app_data_file:file write;
+
+# allow access to package manager for uid->apk mapping
+allow mediametrics package_native_service:service_manager find;
+
+###
+### neverallow rules
+###
+
+# mediametrics should never execute any executable without a
+# domain transition
+neverallow mediametrics { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/28.0/public/mediaprovider.te b/prebuilts/api/28.0/public/mediaprovider.te
new file mode 100644
index 0000000..24170a5
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaprovider.te
@@ -0,0 +1,6 @@
+###
+### A domain for android.process.media, which contains both
+### MediaProvider and DownloadProvider and associated services.
+###
+
+type mediaprovider, domain;
diff --git a/prebuilts/api/28.0/public/mediaserver.te b/prebuilts/api/28.0/public/mediaserver.te
new file mode 100644
index 0000000..f0c94ed
--- /dev/null
+++ b/prebuilts/api/28.0/public/mediaserver.te
@@ -0,0 +1,147 @@
+# mediaserver - multimedia daemon
+type mediaserver, domain;
+type mediaserver_exec, exec_type, file_type;
+
+typeattribute mediaserver mlstrustedsubject;
+
+# TODO(b/36375899): replace with hal_client_domain macro on hal_omx
+typeattribute mediaserver halclientdomain;
+
+net_domain(mediaserver)
+
+r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, cgroup)
+
+# stat /proc/self
+allow mediaserver proc:lnk_file getattr;
+
+# open /vendor/lib/mediadrm
+allow mediaserver system_file:dir r_dir_perms;
+
+userdebug_or_eng(`
+ # ptrace to processes in the same domain for memory leak detection
+ allow mediaserver self:process ptrace;
+')
+
+binder_use(mediaserver)
+binder_call(mediaserver, binderservicedomain)
+binder_call(mediaserver, appdomain)
+binder_service(mediaserver)
+
+allow mediaserver media_data_file:dir create_dir_perms;
+allow mediaserver media_data_file:file create_file_perms;
+allow mediaserver app_data_file:dir search;
+allow mediaserver app_data_file:file rw_file_perms;
+allow mediaserver sdcard_type:file write;
+allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver video_device:dir r_dir_perms;
+allow mediaserver video_device:chr_file rw_file_perms;
+
+set_prop(mediaserver, audio_prop)
+
+# Read resources from open apk files passed over Binder.
+allow mediaserver apk_data_file:file { read getattr };
+allow mediaserver asec_apk_file:file { read getattr };
+allow mediaserver ringtone_file:file { read getattr };
+
+# Read /data/data/com.android.providers.telephony files passed over Binder.
+allow mediaserver radio_data_file:file { read getattr };
+
+# Use pipes passed over Binder from app domains.
+allow mediaserver appdomain:fifo_file { getattr read write };
+
+allow mediaserver rpmsg_device:chr_file rw_file_perms;
+
+# Inter System processes communicate over named pipe (FIFO)
+allow mediaserver system_server:fifo_file r_file_perms;
+
+r_dir_file(mediaserver, media_rw_data_file)
+
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
+allow mediaserver qtaguid_proc:file rw_file_perms;
+allow mediaserver qtaguid_device:chr_file r_file_perms;
+
+# Needed on some devices for playing DRM protected content,
+# but seems expected and appropriate for all devices.
+unix_socket_connect(mediaserver, drmserver, drmserver)
+
+# Needed on some devices for playing audio on paired BT device,
+# but seems appropriate for all devices.
+unix_socket_connect(mediaserver, bluetooth, bluetooth)
+
+add_service(mediaserver, mediaserver_service)
+allow mediaserver activity_service:service_manager find;
+allow mediaserver appops_service:service_manager find;
+allow mediaserver audioserver_service:service_manager find;
+allow mediaserver cameraserver_service:service_manager find;
+allow mediaserver batterystats_service:service_manager find;
+allow mediaserver drmserver_service:service_manager find;
+allow mediaserver mediaextractor_service:service_manager find;
+allow mediaserver mediacodec_service:service_manager find;
+allow mediaserver mediametrics_service:service_manager find;
+allow mediaserver media_session_service:service_manager find;
+allow mediaserver permission_service:service_manager find;
+allow mediaserver power_service:service_manager find;
+allow mediaserver processinfo_service:service_manager find;
+allow mediaserver scheduling_policy_service:service_manager find;
+allow mediaserver surfaceflinger_service:service_manager find;
+
+# for ModDrm/MediaPlayer
+allow mediaserver mediadrmserver_service:service_manager find;
+
+# For interfacing with OMX HAL
+allow mediaserver hidl_token_hwservice:hwservice_manager find;
+
+# /oem access
+allow mediaserver oemfs:dir search;
+allow mediaserver oemfs:file r_file_perms;
+
+use_drmservice(mediaserver)
+allow mediaserver drmserver:drmservice {
+ consumeRights
+ setPlaybackStatus
+ openDecryptSession
+ closeDecryptSession
+ initializeDecryptUnit
+ decrypt
+ finalizeDecryptUnit
+ pread
+};
+
+# only allow unprivileged socket ioctl commands
+allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+# Access to /data/media.
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow mediaserver media_rw_data_file:dir create_dir_perms;
+allow mediaserver media_rw_data_file:file create_file_perms;
+
+# Access to media in /data/preloads
+allow mediaserver preloads_media_file:file { getattr read ioctl };
+
+allow mediaserver ion_device:chr_file r_file_perms;
+allow mediaserver hal_graphics_allocator:fd use;
+allow mediaserver hal_graphics_composer:fd use;
+allow mediaserver hal_camera:fd use;
+
+allow mediaserver system_server:fd use;
+
+hal_client_domain(mediaserver, hal_allocator)
+
+binder_call(mediaserver, mediacodec)
+
+###
+### neverallow rules
+###
+
+# mediaserver should never execute any executable without a
+# domain transition
+neverallow mediaserver { file_type fs_type }:file execute_no_trans;
+
+# do not allow privileged socket ioctl commands
+neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/28.0/public/modprobe.te b/prebuilts/api/28.0/public/modprobe.te
new file mode 100644
index 0000000..1190409
--- /dev/null
+++ b/prebuilts/api/28.0/public/modprobe.te
@@ -0,0 +1,9 @@
+type modprobe, domain;
+
+allow modprobe proc_modules:file r_file_perms;
+allow modprobe self:global_capability_class_set sys_module;
+allow modprobe kernel:key search;
+recovery_only(`
+ allow modprobe rootfs:system module_load;
+ allow modprobe rootfs:file r_file_perms;
+')
diff --git a/prebuilts/api/28.0/public/mtp.te b/prebuilts/api/28.0/public/mtp.te
new file mode 100644
index 0000000..7256bcf
--- /dev/null
+++ b/prebuilts/api/28.0/public/mtp.te
@@ -0,0 +1,11 @@
+# vpn tunneling protocol manager
+type mtp, domain;
+type mtp_exec, exec_type, file_type;
+
+net_domain(mtp)
+
+# pptp policy
+allow mtp self:socket create_socket_perms_no_ioctl;
+allow mtp self:global_capability_class_set net_raw;
+allow mtp ppp:process signal;
+allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/28.0/public/net.te b/prebuilts/api/28.0/public/net.te
new file mode 100644
index 0000000..7e00ed8
--- /dev/null
+++ b/prebuilts/api/28.0/public/net.te
@@ -0,0 +1,4 @@
+# Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
new file mode 100644
index 0000000..18113e7
--- /dev/null
+++ b/prebuilts/api/28.0/public/netd.te
@@ -0,0 +1,148 @@
+# network manager
+type netd, domain, mlstrustedsubject;
+type netd_exec, exec_type, file_type;
+
+net_domain(netd)
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
+allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
+
+r_dir_file(netd, cgroup)
+
+allow netd system_server:fd use;
+
+allow netd self:global_capability_class_set { net_admin net_raw kill };
+# Note: fsetid is deliberately not included above. fsetid checks are
+# triggered by chmod on a directory or file owned by a group other
+# than one of the groups assigned to the current process to see if
+# the setgid bit should be cleared, regardless of whether the setgid
+# bit was even set. We do not appear to truly need this capability
+# for netd to operate.
+dontaudit netd self:global_capability_class_set fsetid;
+
+allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_route_socket nlmsg_write;
+allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
+allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
+allow netd shell_exec:file rx_file_perms;
+allow netd system_file:file x_file_perms;
+not_full_treble(`allow netd vendor_file:file x_file_perms;')
+allow netd devpts:chr_file rw_file_perms;
+
+# Acquire advisory lock on /system/etc/xtables.lock
+allow netd system_file:file lock;
+
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+# complete
+allow netd qtaguid_proc:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
+r_dir_file(netd, proc_net)
+# For /proc/sys/net/ipv[46]/route/flush.
+allow netd proc_net:file rw_file_perms;
+
+# Enables PppController and interface enumeration (among others)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
+# Allows setting interface MTU
+allow netd sysfs_net:file w_file_perms;
+
+# TODO: added to match above sysfs rule. Remove me?
+allow netd sysfs_usb:file write;
+
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
+# TODO: netd previously thought it needed these permissions to do WiFi related
+# work. However, after all the WiFi stuff is gone, we still need them.
+# Why?
+allow netd self:global_capability_class_set { dac_override chown };
+
+# Needed to update /data/misc/net/rt_tables
+allow netd net_data_file:file create_file_perms;
+allow netd net_data_file:dir rw_dir_perms;
+allow netd self:global_capability_class_set fowner;
+
+# Needed to lock the iptables lock.
+allow netd system_file:file lock;
+
+# Allow netd to spawn dnsmasq in it's own domain
+allow netd dnsmasq:process signal;
+
+# Allow netd to start clatd in its own domain
+allow netd clatd:process signal;
+
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
+# Allow netd to publish a binder service and make binder calls.
+binder_use(netd)
+add_service(netd, netd_service)
+allow netd dumpstate:fifo_file { getattr write };
+
+# Allow netd to call into the system server so it can check permissions.
+allow netd system_server:binder call;
+allow netd permission_service:service_manager find;
+
+# Allow netd to talk to the framework service which collects netd events.
+allow netd netd_listener_service:service_manager find;
+
+# Allow netd to operate on sockets that are passed to it.
+allow netd netdomain:{
+ tcp_socket
+ udp_socket
+ rawip_socket
+ tun_socket
+} { read write getattr setattr getopt setopt };
+allow netd netdomain:fd use;
+
+# give netd permission to read and write netlink xfrm
+allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write };
+
+# Allow netd to register as hal server.
+add_hwservice(netd, system_net_netd_hwservice)
+hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+
+###
+### Neverallow rules
+###
+### netd should NEVER do any of this
+
+# Block device access.
+neverallow netd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow netd { domain }:process ptrace;
+
+# Write to /system.
+neverallow netd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow netd { app_data_file system_data_file }:dir_file_class_set write;
+
+# only system_server and dumpstate may find netd service
+neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
+# apps may not interact with netd over binder.
+neverallow appdomain netd:binder call;
+neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
+
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/28.0/public/netutils_wrapper.te b/prebuilts/api/28.0/public/netutils_wrapper.te
new file mode 100644
index 0000000..c844762
--- /dev/null
+++ b/prebuilts/api/28.0/public/netutils_wrapper.te
@@ -0,0 +1,4 @@
+type netutils_wrapper, domain;
+type netutils_wrapper_exec, exec_type, file_type;
+
+neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/28.0/public/neverallow_macros b/prebuilts/api/28.0/public/neverallow_macros
new file mode 100644
index 0000000..e2b6ed1
--- /dev/null
+++ b/prebuilts/api/28.0/public/neverallow_macros
@@ -0,0 +1,15 @@
+#
+# Common neverallow permissions
+define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
+define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
+define(`no_x_file_perms', `{ execute execute_no_trans }')
+define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+ neverallow $1 $2:socket_class_set { connect sendto };
+ neverallow $1 $2:unix_stream_socket connectto;
+')
diff --git a/prebuilts/api/28.0/public/nfc.te b/prebuilts/api/28.0/public/nfc.te
new file mode 100644
index 0000000..e3a03e7
--- /dev/null
+++ b/prebuilts/api/28.0/public/nfc.te
@@ -0,0 +1,2 @@
+# nfc subsystem
+type nfc, domain;
diff --git a/prebuilts/api/28.0/public/otapreopt_chroot.te b/prebuilts/api/28.0/public/otapreopt_chroot.te
new file mode 100644
index 0000000..894363a
--- /dev/null
+++ b/prebuilts/api/28.0/public/otapreopt_chroot.te
@@ -0,0 +1,20 @@
+# otapreopt_chroot executable
+type otapreopt_chroot, domain;
+type otapreopt_chroot_exec, exec_type, file_type;
+
+# Chroot preparation and execution.
+# We need to create an unshared mount namespace, and then mount /data.
+allow otapreopt_chroot postinstall_file:dir { search mounton };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
+
+# This is required to mount /vendor.
+allow otapreopt_chroot block_device:dir search;
+allow otapreopt_chroot labeledfs:filesystem mount;
+# Mounting /vendor can have this side-effect. Ignore denial.
+dontaudit otapreopt_chroot kernel:process setsched;
+
+# Allow otapreopt to use file descriptors from update-engine. It will
+# close them immediately.
+allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot update_engine:fd use;
+allow otapreopt_chroot update_engine:fifo_file write;
diff --git a/prebuilts/api/28.0/public/otapreopt_slot.te b/prebuilts/api/28.0/public/otapreopt_slot.te
new file mode 100644
index 0000000..6551864
--- /dev/null
+++ b/prebuilts/api/28.0/public/otapreopt_slot.te
@@ -0,0 +1,27 @@
+# otapreopt_slot
+#
+# This command set moves the artifact corresponding to the current slot
+# from /data/ota to /data/dalvik-cache.
+
+type otapreopt_slot, domain, mlstrustedsubject;
+type otapreopt_slot_exec, exec_type, file_type;
+
+
+# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
+# the directory afterwards. For logging of aggregate size, we need getattr.
+allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
+allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
+# (du follows symlinks)
+allow otapreopt_slot ota_data_file:lnk_file read;
+
+# Delete old content of the dalvik-cache.
+allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
+allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
+allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
+
+# Allow cppreopts to execute itself using #!/system/bin/sh
+allow otapreopt_slot shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
+# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
+allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/28.0/public/performanced.te b/prebuilts/api/28.0/public/performanced.te
new file mode 100644
index 0000000..248d345
--- /dev/null
+++ b/prebuilts/api/28.0/public/performanced.te
@@ -0,0 +1,30 @@
+# performanced
+type performanced, domain, mlstrustedsubject;
+type performanced_exec, exec_type, file_type;
+
+# Needed to check for app permissions.
+binder_use(performanced)
+binder_call(performanced, system_server)
+allow performanced permission_service:service_manager find;
+
+pdx_server(performanced, performance_client)
+
+# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
+
+# Access /proc to validate we're only affecting threads in the same thread group.
+# Performanced also shields unbound kernel threads. It scans every task in the
+# root cpu set, but only affects the kernel threads.
+r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
+dontaudit performanced domain:dir read;
+allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
+# Access /dev/cpuset/cpuset.cpus
+r_dir_file(performanced, cgroup)
diff --git a/prebuilts/api/28.0/public/perfprofd.te b/prebuilts/api/28.0/public/perfprofd.te
new file mode 100644
index 0000000..f067af5
--- /dev/null
+++ b/prebuilts/api/28.0/public/perfprofd.te
@@ -0,0 +1,119 @@
+# perfprofd - perf profile collection daemon
+type perfprofd, domain;
+type perfprofd_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+
+ typeattribute perfprofd coredomain;
+ typeattribute perfprofd mlstrustedsubject;
+
+ # perfprofd access to sysfs directory structure.
+ allow perfprofd sysfs_type:dir search;
+
+ # perfprofd needs to control CPU hot-plug in order to avoid kernel
+ # perfevents problems in cases where CPU goes on/off during measurement;
+ # this means read access to /sys/devices/system/cpu/possible
+ # and read/write access to /sys/devices/system/cpu/cpu*/online
+ allow perfprofd sysfs_devices_system_cpu:file rw_file_perms;
+
+ # perfprofd checks for the existence of and then invokes simpleperf;
+ # simpleperf retains perfprofd domain after exec
+ allow perfprofd system_file:file rx_file_perms;
+
+ # perfprofd reads a config file from /data/data/com.google.android.gms/files
+ allow perfprofd app_data_file:file r_file_perms;
+ allow perfprofd app_data_file:dir search;
+ allow perfprofd self:global_capability_class_set { dac_override };
+
+ # perfprofd opens a file for writing in /data/misc/perfprofd
+ allow perfprofd perfprofd_data_file:file create_file_perms;
+ allow perfprofd perfprofd_data_file:dir rw_dir_perms;
+
+ # perfprofd uses the system log
+ read_logd(perfprofd);
+ write_logd(perfprofd);
+
+ # perfprofd inspects /sys/power/wake_unlock
+ wakelock_use(perfprofd);
+
+ # perfprofd looks at thermals.
+ allow perfprofd sysfs_thermal:dir r_dir_perms;
+
+ # perfprofd checks power_supply.
+ r_dir_file(perfprofd, sysfs_batteryinfo)
+
+ # simpleperf reads kernel notes.
+ allow perfprofd sysfs_kernel_notes:file r_file_perms;
+
+ # Simpleperf & perfprofd query a range of proc stats.
+ allow perfprofd proc_loadavg:file r_file_perms;
+ allow perfprofd proc_stat:file r_file_perms;
+ allow perfprofd proc_modules:file r_file_perms;
+
+ # simpleperf writes to perf_event_paranoid under /proc.
+ allow perfprofd proc_perf:file write;
+
+ # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
+ dontaudit perfprofd proc_security:file *;
+
+ # simpleperf uses ioctl() to turn on kernel perf events measurements
+ allow perfprofd self:global_capability_class_set sys_admin;
+
+ # simpleperf needs to examine /proc to collect task/thread info
+ r_dir_file(perfprofd, domain)
+
+ # simpleperf needs to access /proc/<pid>/exec
+ allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
+ neverallow perfprofd domain:process ptrace;
+
+ # simpleperf needs open/read any file that turns up in a profile
+ # to see whether it has a build ID
+ allow perfprofd exec_type:file r_file_perms;
+ # App & ART artifacts.
+ r_dir_file(perfprofd, apk_data_file)
+ r_dir_file(perfprofd, dalvikcache_data_file)
+ # Vendor libraries.
+ r_dir_file(perfprofd, vendor_file)
+ # Vendor apps.
+ r_dir_file(perfprofd, vendor_app_file)
+
+ # simpleperf will set security.perf_harden to enable access to perf_event_open()
+ set_prop(perfprofd, shell_prop)
+
+ # simpleperf examines debugfs on startup to collect tracepoint event types
+ r_dir_file(perfprofd, debugfs_tracing)
+ r_dir_file(perfprofd, debugfs_tracing_debug)
+
+ # simpleperf is going to execute "sleep"
+ allow perfprofd toolbox_exec:file rx_file_perms;
+ # simpleperf is going to execute "mv" on a temp file
+ allow perfprofd shell_exec:file rx_file_perms;
+
+ # needed for simpleperf on some kernels
+ allow perfprofd self:global_capability_class_set ipc_lock;
+
+ # simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
+ # use the fallback cwd code, do not spam the log. But ensure this is correctly
+ # removed at some point. b/70232908.
+ dontaudit perfprofd shell_data_file:dir *;
+ dontaudit perfprofd shell_data_file:file *;
+
+ # Allow perfprofd to publish a binder service and make binder calls.
+ binder_use(perfprofd)
+ add_service(perfprofd, perfprofd_service)
+
+ # Use devpts for streams from cmd.
+ #
+ # This is normally granted to binderservicedomain, but this service
+ # has tighter restrictions on the callers (see below), so must enable
+ # this manually.
+ allow perfprofd devpts:chr_file rw_file_perms;
+
+ # Use socket & pipe supplied by su, for cmd perfprofd dump.
+ allow perfprofd su:unix_stream_socket { read write getattr sendto };
+ allow perfprofd su:fifo_file r_file_perms;
+
+ # Allow perfprofd to submit to dropbox.
+ allow perfprofd dropbox_service:service_manager find;
+ binder_call(perfprofd, system_server)
+')
diff --git a/prebuilts/api/28.0/public/platform_app.te b/prebuilts/api/28.0/public/platform_app.te
new file mode 100644
index 0000000..9b1faf0
--- /dev/null
+++ b/prebuilts/api/28.0/public/platform_app.te
@@ -0,0 +1,5 @@
+###
+### Apps signed with the platform key.
+###
+
+type platform_app, domain;
diff --git a/prebuilts/api/28.0/public/postinstall.te b/prebuilts/api/28.0/public/postinstall.te
new file mode 100644
index 0000000..7fd4dc6
--- /dev/null
+++ b/prebuilts/api/28.0/public/postinstall.te
@@ -0,0 +1,36 @@
+# Domain where the postinstall program runs during the update.
+# Extend the permissions in this domain to allow this program to access other
+# files needed by the specific device on your device's sepolicy directory.
+type postinstall, domain;
+
+# Allow postinstall to write to its stdout/stderr when redirected via pipes to
+# update_engine.
+allow postinstall update_engine_common:fd use;
+allow postinstall update_engine_common:fifo_file rw_file_perms;
+
+# Allow postinstall to read and execute directories and files in the same
+# mounted location.
+allow postinstall postinstall_file:file rx_file_perms;
+allow postinstall postinstall_file:lnk_file r_file_perms;
+allow postinstall postinstall_file:dir r_dir_perms;
+
+# Allow postinstall to execute the shell or other system executables.
+allow postinstall shell_exec:file rx_file_perms;
+allow postinstall system_file:file rx_file_perms;
+allow postinstall toolbox_exec:file rx_file_perms;
+
+#
+# For OTA dexopt.
+#
+
+# Allow postinstall scripts to talk to the system server.
+binder_use(postinstall)
+binder_call(postinstall, system_server)
+
+# Need to talk to the otadexopt service.
+allow postinstall otadexopt_service:service_manager find;
+
+# No domain other than update_engine and recovery (via update_engine_sideload)
+# should transition to postinstall, as it is only meant to run during the
+# update.
+neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/28.0/public/postinstall_dexopt.te b/prebuilts/api/28.0/public/postinstall_dexopt.te
new file mode 100644
index 0000000..ffd8bc5
--- /dev/null
+++ b/prebuilts/api/28.0/public/postinstall_dexopt.te
@@ -0,0 +1,59 @@
+# Domain for the otapreopt executable, running under postinstall_dexopt
+#
+# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
+# this is derived and adapted from installd.te.
+
+type postinstall_dexopt, domain;
+
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
+
+allow postinstall_dexopt postinstall_file:filesystem getattr;
+allow postinstall_dexopt postinstall_file:dir { getattr search };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
+allow postinstall_dexopt tmpfs:file read;
+
+# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
+# here and having to relabel the directory.
+
+# Read app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, apk_data_file)
+# Read vendor app data (APKs) as input to dex2oat.
+r_dir_file(postinstall_dexopt, vendor_app_file)
+# Access to app oat directory.
+r_dir_file(postinstall_dexopt, dalvikcache_data_file)
+
+# Read profile data.
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
+
+# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
+allow postinstall_dexopt ota_data_file:dir create_dir_perms;
+allow postinstall_dexopt ota_data_file:file create_file_perms;
+allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
+
+# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
+# TODO: See whether we can apply ota_data_file?
+allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
+allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
+
+# Allow labeling of files under /data/app/com.example/oat/
+# TODO: Restrict to .b suffix?
+allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
+allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
+
+# Check validity of SELinux context before use.
+selinux_check_context(postinstall_dexopt)
+selinux_check_access(postinstall_dexopt)
+
+
+# Postinstall wants to know about our child.
+allow postinstall_dexopt postinstall:process sigchld;
+
+# Allow otapreopt to use file descriptors from otapreopt_chroot.
+# TODO: Probably we can actually close file descriptors...
+allow postinstall_dexopt otapreopt_chroot:fd use;
+
+allow postinstall_dexopt cpuctl_device:dir search;
diff --git a/prebuilts/api/28.0/public/ppp.te b/prebuilts/api/28.0/public/ppp.te
new file mode 100644
index 0000000..9340dee
--- /dev/null
+++ b/prebuilts/api/28.0/public/ppp.te
@@ -0,0 +1,23 @@
+# Point to Point Protocol daemon
+type ppp, domain;
+type ppp_device, dev_type;
+type ppp_exec, exec_type, file_type;
+
+net_domain(ppp)
+
+r_dir_file(ppp, proc_net)
+
+allow ppp mtp:socket rw_socket_perms;
+
+# ioctls needed for VPN.
+allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
+allowxperm ppp mtp:socket ioctl ppp_ioctls;
+
+allow ppp mtp:unix_dgram_socket rw_socket_perms;
+allow ppp ppp_device:chr_file rw_file_perms;
+allow ppp self:global_capability_class_set net_admin;
+allow ppp system_file:file rx_file_perms;
+not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
+allow ppp vpn_data_file:dir w_dir_perms;
+allow ppp vpn_data_file:file create_file_perms;
+allow ppp mtp:fd use;
diff --git a/prebuilts/api/28.0/public/preopt2cachename.te b/prebuilts/api/28.0/public/preopt2cachename.te
new file mode 100644
index 0000000..49df647
--- /dev/null
+++ b/prebuilts/api/28.0/public/preopt2cachename.te
@@ -0,0 +1,13 @@
+# preopt2cachename executable
+#
+# This executable translates names from the preopted versions the build system
+# creates to the names the runtime expects in the data directory.
+type preopt2cachename, domain;
+type preopt2cachename_exec, exec_type, file_type;
+
+# Allow write to stdout.
+allow preopt2cachename cppreopts:fd use;
+allow preopt2cachename cppreopts:fifo_file { getattr read write };
+
+# Allow write to logcat.
+allow preopt2cachename proc_net:file r_file_perms;
diff --git a/prebuilts/api/28.0/public/priv_app.te b/prebuilts/api/28.0/public/priv_app.te
new file mode 100644
index 0000000..0761fc3
--- /dev/null
+++ b/prebuilts/api/28.0/public/priv_app.te
@@ -0,0 +1,5 @@
+###
+### A domain for further sandboxing privileged apps.
+###
+
+type priv_app, domain;
diff --git a/prebuilts/api/28.0/public/profman.te b/prebuilts/api/28.0/public/profman.te
new file mode 100644
index 0000000..4296d1b
--- /dev/null
+++ b/prebuilts/api/28.0/public/profman.te
@@ -0,0 +1,29 @@
+# profman
+type profman, domain;
+type profman_exec, exec_type, file_type;
+
+allow profman user_profile_data_file:file { getattr read write lock };
+
+# Dumping profile info opens the application APK file for pretty printing.
+allow profman asec_apk_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
+allow profman oemfs:file { read };
+# Reading an APK opens a ZipArchive, which unpack to tmpfs.
+allow profman tmpfs:file { read };
+allow profman profman_dump_data_file:file { write };
+
+allow profman installd:fd use;
+
+# Allow profman to analyze profiles for the secondary dex files. These
+# are application dex files reported back to the framework when using
+# BaseDexClassLoader.
+allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
+
+###
+### neverallow rules
+###
+
+neverallow profman app_data_file:notdevfile_class_set open;
diff --git a/prebuilts/api/28.0/public/property.te b/prebuilts/api/28.0/public/property.te
new file mode 100644
index 0000000..b0397e9
--- /dev/null
+++ b/prebuilts/api/28.0/public/property.te
@@ -0,0 +1,413 @@
+type audio_prop, property_type, core_property_type;
+type boottime_prop, property_type;
+type bluetooth_a2dp_offload_prop, property_type;
+type bluetooth_prop, property_type;
+type bootloader_boot_reason_prop, property_type;
+type config_prop, property_type, core_property_type;
+type cppreopt_prop, property_type, core_property_type;
+type ctl_bootanim_prop, property_type;
+type ctl_bugreport_prop, property_type;
+type ctl_console_prop, property_type;
+type ctl_default_prop, property_type;
+type ctl_dumpstate_prop, property_type;
+type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
+type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
+type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
+type dalvik_prop, property_type, core_property_type;
+type debuggerd_prop, property_type, core_property_type;
+type debug_prop, property_type, core_property_type;
+type default_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
+type dhcp_prop, property_type, core_property_type;
+type dumpstate_options_prop, property_type;
+type dumpstate_prop, property_type, core_property_type;
+type exported_secure_prop, property_type;
+type ffs_prop, property_type, core_property_type;
+type fingerprint_prop, property_type, core_property_type;
+type firstboot_prop, property_type;
+type hwservicemanager_prop, property_type;
+type last_boot_reason_prop, property_type;
+type logd_prop, property_type, core_property_type;
+type logpersistd_logging_prop, property_type;
+type log_prop, property_type, log_property_type;
+type log_tag_prop, property_type, log_property_type;
+type lowpan_prop, property_type;
+type mmc_prop, property_type;
+type net_dns_prop, property_type;
+type net_radio_prop, property_type, core_property_type;
+type netd_stable_secret_prop, property_type;
+type nfc_prop, property_type, core_property_type;
+type overlay_prop, property_type;
+type pan_result_prop, property_type, core_property_type;
+type persist_debug_prop, property_type, core_property_type;
+type persistent_properties_ready_prop, property_type;
+type pm_prop, property_type;
+type powerctl_prop, property_type, core_property_type;
+type radio_prop, property_type, core_property_type;
+type restorecon_prop, property_type, core_property_type;
+type safemode_prop, property_type;
+type serialno_prop, property_type;
+type shell_prop, property_type, core_property_type;
+type system_boot_reason_prop, property_type;
+type system_prop, property_type, core_property_type;
+type system_radio_prop, property_type, core_property_type;
+type test_boot_reason_prop, property_type;
+type traced_enabled_prop, property_type;
+type vold_prop, property_type, core_property_type;
+type wifi_log_prop, property_type, log_property_type;
+type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
+
+# Properties for whitelisting
+type exported_audio_prop, property_type;
+type exported_bluetooth_prop, property_type;
+type exported_config_prop, property_type;
+type exported_dalvik_prop, property_type;
+type exported_default_prop, property_type;
+type exported_dumpstate_prop, property_type;
+type exported_ffs_prop, property_type;
+type exported_fingerprint_prop, property_type;
+type exported_overlay_prop, property_type;
+type exported_pm_prop, property_type;
+type exported_radio_prop, property_type;
+type exported_system_prop, property_type;
+type exported_system_radio_prop, property_type;
+type exported_vold_prop, property_type;
+type exported_wifi_prop, property_type;
+type exported2_config_prop, property_type;
+type exported2_default_prop, property_type;
+type exported2_radio_prop, property_type;
+type exported2_system_prop, property_type;
+type exported2_vold_prop, property_type;
+type exported3_default_prop, property_type;
+type exported3_radio_prop, property_type;
+type exported3_system_prop, property_type;
+type vendor_default_prop, property_type;
+
+allow property_type tmpfs:filesystem associate;
+
+###
+### Neverallow rules
+###
+
+# core_property_type should not be used for new properties or
+# device specific properties. Properties with this attribute
+# are readable to everyone, which is overly broad and should
+# be avoided.
+# New properties should have appropriate read / write access
+# control rules written.
+
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -extended_core_property_type
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
diff --git a/prebuilts/api/28.0/public/property_contexts b/prebuilts/api/28.0/public/property_contexts
new file mode 100644
index 0000000..4f81c1c
--- /dev/null
+++ b/prebuilts/api/28.0/public/property_contexts
@@ -0,0 +1,309 @@
+# vendor-init-readable
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
+
+# vendor-init-settable
+af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
+camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.stack-trace-dir u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
+drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
+persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
+ro.com.google.clientidbase u:object_r:exported3_default_prop:s0 exact string
+ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
+ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
+ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
+ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
+ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
+ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.url.legal u:object_r:exported3_default_prop:s0 exact string
+ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zygote u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
+sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+sys.usb.state u:object_r:exported2_system_prop:s0 exact string
+telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+
+# vendor-init-readable|vendor-init-actionable
+dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
+sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
+sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+
+# vendor-init-settable|vendor-init-actionable
+persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
+sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
+sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
+
+# public-readable
+aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
+aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
+aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
+aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
+drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
+ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
+ro.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boot.console u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
+ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
+ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
+ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
+ro.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.build.description u:object_r:exported2_default_prop:s0 exact string
+ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
+ro.build.host u:object_r:exported2_default_prop:s0 exact string
+ro.build.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.product u:object_r:exported2_default_prop:s0 exact string
+ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
+ro.build.tags u:object_r:exported2_default_prop:s0 exact string
+ro.build.user u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact string
+ro.debuggable u:object_r:exported2_default_prop:s0 exact int
+ro.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.product.brand u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
+ro.product.device u:object_r:exported2_default_prop:s0 exact string
+ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
+ro.product.model u:object_r:exported2_default_prop:s0 exact string
+ro.product.name u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
+ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
+service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+
+# vendor-init-settable|public-readable
+aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
+media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact int
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+ro.product.board u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
+ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
+ro.product.odm.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.device u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.model u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
+ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
+wifi.interface u:object_r:exported_default_prop:s0 exact string
+
+# vendor-init-actionable|public-readable
+ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
+ro.bootmode u:object_r:exported2_default_prop:s0 exact string
+ro.build.type u:object_r:exported2_default_prop:s0 exact string
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
diff --git a/prebuilts/api/28.0/public/racoon.te b/prebuilts/api/28.0/public/racoon.te
new file mode 100644
index 0000000..c759217
--- /dev/null
+++ b/prebuilts/api/28.0/public/racoon.te
@@ -0,0 +1,33 @@
+# IKE key management daemon
+type racoon, domain;
+type racoon_exec, exec_type, file_type;
+
+typeattribute racoon mlstrustedsubject;
+
+net_domain(racoon)
+allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
+
+binder_use(racoon)
+
+allow racoon tun_device:chr_file r_file_perms;
+allow racoon cgroup:dir { add_name create };
+allow racoon kernel:system module_request;
+
+allow racoon self:key_socket create_socket_perms_no_ioctl;
+allow racoon self:tun_socket create_socket_perms_no_ioctl;
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
+
+# XXX: should we give ip-up-vpn its own label (currently racoon domain)
+allow racoon system_file:file rx_file_perms;
+not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
+allow racoon vpn_data_file:file create_file_perms;
+allow racoon vpn_data_file:dir w_dir_perms;
+
+use_keystore(racoon)
+
+# Racoon (VPN) has a restricted set of permissions from the default.
+allow racoon keystore:keystore_key {
+ get
+ sign
+ verify
+};
diff --git a/prebuilts/api/28.0/public/radio.te b/prebuilts/api/28.0/public/radio.te
new file mode 100644
index 0000000..8fb5ad6
--- /dev/null
+++ b/prebuilts/api/28.0/public/radio.te
@@ -0,0 +1,41 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+
+allow radio alarm_device:chr_file rw_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
diff --git a/prebuilts/api/28.0/public/recovery.te b/prebuilts/api/28.0/public/recovery.te
new file mode 100644
index 0000000..57ad202
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery.te
@@ -0,0 +1,161 @@
+# recovery console (used in recovery init.rc for /sbin/recovery)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type recovery, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise recovery is only allowed the domain rules.
+recovery_only(`
+ # Allow recovery to perform an update as update_engine would do.
+ typeattribute recovery update_engine_common;
+ # Recovery can only use HALs in passthrough mode
+ passthrough_hal_client_domain(recovery, hal_bootctl)
+
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
+
+ # Run helpers from / or /system without changing domain.
+ r_dir_file(recovery, rootfs)
+ allow recovery rootfs:file execute_no_trans;
+ allow recovery system_file:file execute_no_trans;
+ allow recovery toolbox_exec:file rx_file_perms;
+
+ # Mount filesystems.
+ allow recovery rootfs:dir mounton;
+ allow recovery fs_type:filesystem ~relabelto;
+ allow recovery unlabeled:filesystem ~relabelto;
+ allow recovery contextmount_type:filesystem relabelto;
+
+ # We may be asked to set an SELinux label for a type not known to the
+ # currently loaded policy. Allow it.
+ allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
+ allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
+ # Get file contexts
+ allow recovery file_contexts_file:file r_file_perms;
+
+ # Write to /proc/sys/vm/drop_caches
+ allow recovery proc_drop_caches:file w_file_perms;
+
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
+ # Read kernel config through libvintf for OTA matching
+ allow recovery config_gz:file { open read getattr };
+
+ # Write to /sys/class/android_usb/android0/enable.
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
+
+ # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
+ allow recovery sysfs_devices_system_cpu:file w_file_perms;
+
+ allow recovery sysfs_batteryinfo:file r_file_perms;
+
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
+ # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
+ # control backlight brightness.
+ allow recovery sysfs_leds:dir r_dir_perms;
+ allow recovery sysfs_leds:file rw_file_perms;
+ allow recovery sysfs_leds:lnk_file read;
+
+ allow recovery kernel:system syslog_read;
+
+ # Access /dev/usb-ffs/adb/ep0
+ allow recovery functionfs:dir search;
+ allow recovery functionfs:file rw_file_perms;
+
+ # Access to /sys/fs/selinux/policyvers for compatibility check
+ allow recovery selinuxfs:file r_file_perms;
+
+ # Required to e.g. wipe userdata/cache.
+ allow recovery device:dir r_dir_perms;
+ allow recovery block_device:dir r_dir_perms;
+ allow recovery dev_type:blk_file rw_file_perms;
+
+ # GUI
+ allow recovery graphics_device:chr_file rw_file_perms;
+ allow recovery graphics_device:dir r_dir_perms;
+ allow recovery input_device:dir r_dir_perms;
+ allow recovery input_device:chr_file r_file_perms;
+ allow recovery tty_device:chr_file rw_file_perms;
+
+ # Create /tmp/recovery.log and execute /tmp/update_binary.
+ allow recovery tmpfs:file { create_file_perms x_file_perms };
+ allow recovery tmpfs:dir create_dir_perms;
+
+ # Manage files on /cache and /cache/recovery
+ allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
+ allow recovery { cache_file cache_recovery_file }:file create_file_perms;
+
+ # Read /sys/class/thermal/*/temp for thermal info.
+ r_dir_file(recovery, sysfs_thermal)
+
+ # Read files on /oem.
+ r_dir_file(recovery, oemfs);
+
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Start/stop adbd via ctl.start adbd
+ set_prop(recovery, ctl_default_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Use setfscreatecon() to label files for OTA updates.
+ allow recovery self:process setfscreate;
+
+ # Allow recovery to create a fuse filesystem, and read files from it.
+ allow recovery fuse_device:chr_file rw_file_perms;
+ allow recovery fuse:dir r_dir_perms;
+ allow recovery fuse:file r_file_perms;
+
+ wakelock_use(recovery)
+
+ # This line seems suspect, as it should not really need to
+ # set scheduling parameters for a kernel domain task.
+ allow recovery kernel:process setsched;
+')
+
+###
+### neverallow rules
+###
+
+# Recovery should never touch /data.
+#
+# In particular, if /data is encrypted, it is not accessible
+# to recovery anyway.
+#
+# For now, we only enforce write/execute restrictions, as domain.te
+# contains a number of read-only rules that apply to all
+# domains, including recovery.
+#
+# TODO: tighten this up further.
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:file { no_w_file_perms no_x_file_perms };
+neverallow recovery {
+ data_file_type
+ -cache_file
+ -cache_recovery_file
+}:dir no_w_dir_perms;
diff --git a/prebuilts/api/28.0/public/recovery_persist.te b/prebuilts/api/28.0/public/recovery_persist.te
new file mode 100644
index 0000000..091d300
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery_persist.te
@@ -0,0 +1,27 @@
+# android recovery persistent log manager
+type recovery_persist, domain;
+type recovery_persist_exec, exec_type, file_type;
+
+allow recovery_persist pstorefs:dir search;
+allow recovery_persist pstorefs:file r_file_perms;
+
+allow recovery_persist recovery_data_file:file create_file_perms;
+allow recovery_persist recovery_data_file:dir create_dir_perms;
+
+###
+### Neverallow rules
+###
+### recovery_persist should NEVER do any of this
+
+# Block device access.
+neverallow recovery_persist dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_persist domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_persist system_file:dir_file_class_set write;
+
+# Write to files in /data/data
+neverallow recovery_persist { app_data_file system_data_file }:dir_file_class_set write;
+
diff --git a/prebuilts/api/28.0/public/recovery_refresh.te b/prebuilts/api/28.0/public/recovery_refresh.te
new file mode 100644
index 0000000..602ed51
--- /dev/null
+++ b/prebuilts/api/28.0/public/recovery_refresh.te
@@ -0,0 +1,24 @@
+# android recovery refresh log manager
+type recovery_refresh, domain;
+type recovery_refresh_exec, exec_type, file_type;
+
+allow recovery_refresh pstorefs:dir search;
+allow recovery_refresh pstorefs:file r_file_perms;
+# NB: domain inherits write_logd which hands us write to pmsg_device
+
+###
+### Neverallow rules
+###
+### recovery_refresh should NEVER do any of this
+
+# Block device access.
+neverallow recovery_refresh dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow recovery_refresh domain:process ptrace;
+
+# Write to /system.
+neverallow recovery_refresh system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow recovery_refresh { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/28.0/public/roles b/prebuilts/api/28.0/public/roles
new file mode 100644
index 0000000..ca92934
--- /dev/null
+++ b/prebuilts/api/28.0/public/roles
@@ -0,0 +1 @@
+role r types domain;
diff --git a/prebuilts/api/28.0/public/runas.te b/prebuilts/api/28.0/public/runas.te
new file mode 100644
index 0000000..053a87f
--- /dev/null
+++ b/prebuilts/api/28.0/public/runas.te
@@ -0,0 +1,42 @@
+type runas, domain, mlstrustedsubject;
+type runas_exec, exec_type, file_type;
+
+allow runas adbd:fd use;
+allow runas adbd:process sigchld;
+allow runas adbd:unix_stream_socket { read write };
+allow runas shell:fd use;
+allow runas shell:fifo_file { read write };
+allow runas shell:unix_stream_socket { read write };
+allow runas devpts:chr_file { read write ioctl };
+allow runas shell_data_file:file { read write };
+
+# run-as reads package information.
+allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
+
+# run-as checks and changes to the app data dir.
+dontaudit runas self:global_capability_class_set dac_override;
+allow runas app_data_file:dir { getattr search };
+
+# run-as switches to the app UID/GID.
+allow runas self:global_capability_class_set { setuid setgid };
+
+# run-as switches to the app security context.
+selinux_check_context(runas) # validate context
+allow runas self:process setcurrent;
+allow runas non_system_app_set:process dyntransition; # setcon
+
+# runas/libselinux needs access to seapp_contexts_file to
+# determine which domain to transition to.
+allow runas seapp_contexts_file:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/prebuilts/api/28.0/public/sdcardd.te b/prebuilts/api/28.0/public/sdcardd.te
new file mode 100644
index 0000000..4a88f54
--- /dev/null
+++ b/prebuilts/api/28.0/public/sdcardd.te
@@ -0,0 +1,43 @@
+type sdcardd, domain;
+type sdcardd_exec, exec_type, file_type;
+
+allow sdcardd cgroup:dir create_dir_perms;
+allow sdcardd fuse_device:chr_file rw_file_perms;
+allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
+allow sdcardd sdcardfs:filesystem remount;
+allow sdcardd tmpfs:dir r_dir_perms;
+allow sdcardd mnt_media_rw_file:dir r_dir_perms;
+allow sdcardd storage_file:dir search;
+allow sdcardd storage_stub_file:dir { search mounton };
+allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
+
+allow sdcardd sdcard_type:dir create_dir_perms;
+allow sdcardd sdcard_type:file create_file_perms;
+
+allow sdcardd media_rw_data_file:dir create_dir_perms;
+allow sdcardd media_rw_data_file:file create_file_perms;
+
+# Read /data/system/packages.list.
+allow sdcardd system_data_file:file r_file_perms;
+
+# Read /data/.layout_version
+allow sdcardd install_data_file:file r_file_perms;
+
+# Allow stdin/out back to vold
+allow sdcardd vold:fd use;
+allow sdcardd vold:fifo_file { read write getattr };
+
+# Allow running on top of expanded storage
+allow sdcardd mnt_expand_file:dir search;
+
+# access /proc/filesystems
+allow sdcardd proc_filesystems:file r_file_perms;
+
+###
+### neverallow rules
+###
+
+# The sdcard daemon should no longer be started from init
+neverallow init sdcardd_exec:file execute;
+neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/28.0/public/secure_element.te b/prebuilts/api/28.0/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/prebuilts/api/28.0/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/prebuilts/api/28.0/public/service.te b/prebuilts/api/28.0/public/service.te
new file mode 100644
index 0000000..3526049
--- /dev/null
+++ b/prebuilts/api/28.0/public/service.te
@@ -0,0 +1,161 @@
+type audioserver_service, service_manager_type;
+type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type bluetooth_service, service_manager_type;
+type cameraserver_service, service_manager_type;
+type default_android_service, service_manager_type;
+type drmserver_service, service_manager_type;
+type dumpstate_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
+type hal_fingerprint_service, service_manager_type;
+type gatekeeper_service, app_api_service, service_manager_type;
+type gpu_service, service_manager_type;
+type inputflinger_service, service_manager_type;
+type incident_service, service_manager_type;
+type installd_service, service_manager_type;
+type keystore_service, service_manager_type;
+type mediaserver_service, service_manager_type;
+type mediametrics_service, service_manager_type;
+type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
+type mediacodec_service, service_manager_type;
+type mediadrmserver_service, service_manager_type;
+type netd_service, service_manager_type;
+type nfc_service, service_manager_type;
+type perfprofd_service, service_manager_type;
+type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
+type storaged_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type system_app_service, service_manager_type;
+type thermal_service, service_manager_type;
+type update_engine_service, service_manager_type;
+type virtual_touchpad_service, service_manager_type;
+type vold_service, service_manager_type;
+type vr_hwc_service, service_manager_type;
+
+# system_server_services broken down
+type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
+type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type broadcastradio_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
+type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
+type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type commontime_management_service, system_server_service, service_manager_type;
+type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
+# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
+type coverage_service, system_server_service, service_manager_type;
+type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
+type dbinfo_service, system_api_service, system_server_service, service_manager_type;
+type device_policy_service, app_api_service, system_server_service, service_manager_type;
+type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type devicestoragemonitor_service, system_server_service, service_manager_type;
+type diskstats_service, system_api_service, system_server_service, service_manager_type;
+type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netd_listener_service, system_server_service, service_manager_type;
+type network_watchlist_service, system_server_service, service_manager_type;
+type DockObserver_service, system_server_service, service_manager_type;
+type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
+type ethernet_service, app_api_service, system_server_service, service_manager_type;
+type fingerprint_service, app_api_service, system_server_service, service_manager_type;
+type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
+type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hardware_service, system_server_service, service_manager_type;
+type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
+type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
+type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type meminfo_service, system_api_service, system_server_service, service_manager_type;
+type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type network_score_service, system_api_service, system_server_service, service_manager_type;
+type network_time_update_service, system_server_service, service_manager_type;
+type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type oem_lock_service, system_api_service, system_server_service, service_manager_type;
+type otadexopt_service, system_server_service, service_manager_type;
+type overlay_service, system_api_service, system_server_service, service_manager_type;
+type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type package_native_service, system_server_service, service_manager_type;
+type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
+type pinner_service, system_server_service, service_manager_type;
+type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type processinfo_service, system_server_service, service_manager_type;
+type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type recovery_service, system_server_service, service_manager_type;
+type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type samplingprofiler_service, system_server_service, service_manager_type;
+type scheduling_policy_service, system_server_service, service_manager_type;
+type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
+type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type serial_service, system_api_service, system_server_service, service_manager_type;
+type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type slice_service, app_api_service, system_server_service, service_manager_type;
+type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
+type task_service, system_server_service, service_manager_type;
+type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezone_service, system_server_service, service_manager_type;
+type trust_service, app_api_service, system_server_service, service_manager_type;
+type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type updatelock_service, system_api_service, system_server_service, service_manager_type;
+type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type usb_service, app_api_service, system_server_service, service_manager_type;
+type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type vr_manager_service, system_server_service, service_manager_type;
+type wallpaper_service, app_api_service, system_server_service, service_manager_type;
+type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type wifip2p_service, app_api_service, system_server_service, service_manager_type;
+type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
+type wifi_service, app_api_service, system_server_service, service_manager_type;
+type wificond_service, service_manager_type;
+type wifiaware_service, app_api_service, system_server_service, service_manager_type;
+type window_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
diff --git a/prebuilts/api/28.0/public/servicemanager.te b/prebuilts/api/28.0/public/servicemanager.te
new file mode 100644
index 0000000..87e3a22
--- /dev/null
+++ b/prebuilts/api/28.0/public/servicemanager.te
@@ -0,0 +1,25 @@
+# servicemanager - the Binder context manager
+type servicemanager, domain, mlstrustedsubject;
+type servicemanager_exec, exec_type, file_type;
+
+# Note that we do not use the binder_* macros here.
+# servicemanager is unique in that it only provides
+# name service (aka context manager) for Binder.
+# As such, it only ever receives and transfers other references
+# created by other domains. It never passes its own references
+# or initiates a Binder IPC.
+allow servicemanager self:binder set_context_mgr;
+allow servicemanager {
+ domain
+ -init
+ -vendor_init
+ -hwservicemanager
+ -vndservicemanager
+}:binder transfer;
+
+allow servicemanager service_contexts_file:file r_file_perms;
+# nonplat_service_contexts only accessible on non full-treble devices
+not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
+
+# Check SELinux permissions.
+selinux_check_access(servicemanager)
diff --git a/prebuilts/api/28.0/public/sgdisk.te b/prebuilts/api/28.0/public/sgdisk.te
new file mode 100644
index 0000000..ca3096c
--- /dev/null
+++ b/prebuilts/api/28.0/public/sgdisk.te
@@ -0,0 +1,22 @@
+# sgdisk called from vold
+type sgdisk, domain;
+type sgdisk_exec, exec_type, file_type;
+
+# Allowed to read/write low-level partition tables
+allow sgdisk block_device:dir search;
+allow sgdisk vold_device:blk_file rw_file_perms;
+
+# Inherit and use pty created by android_fork_execvp()
+allow sgdisk devpts:chr_file { read write ioctl getattr };
+
+# Allow stdin/out back to vold
+allow sgdisk vold:fd use;
+allow sgdisk vold:fifo_file { read write getattr };
+
+# Used to probe kernel to reload partition tables
+allow sgdisk self:global_capability_class_set sys_admin;
+
+# Only allow entry from vold
+neverallow { domain -vold } sgdisk:process transition;
+neverallow * sgdisk:process dyntransition;
+neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/28.0/public/shared_relro.te b/prebuilts/api/28.0/public/shared_relro.te
new file mode 100644
index 0000000..8fe1fea
--- /dev/null
+++ b/prebuilts/api/28.0/public/shared_relro.te
@@ -0,0 +1,10 @@
+# Process which creates/updates shared RELRO files to be used by other apps.
+type shared_relro, domain;
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/shell.te b/prebuilts/api/28.0/public/shell.te
new file mode 100644
index 0000000..307e103
--- /dev/null
+++ b/prebuilts/api/28.0/public/shell.te
@@ -0,0 +1,226 @@
+# Domain for shell processes spawned by ADB or console service.
+type shell, domain, mlstrustedsubject;
+type shell_exec, exec_type, file_type;
+
+# Create and use network sockets.
+net_domain(shell)
+
+# logcat
+read_logd(shell)
+control_logd(shell)
+# logcat -L (directly, or via dumpstate)
+allow shell pstorefs:dir search;
+allow shell pstorefs:file r_file_perms;
+
+# Root fs.
+allow shell rootfs:dir r_dir_perms;
+
+# read files in /data/anr
+allow shell anr_data_file:dir r_dir_perms;
+allow shell anr_data_file:file r_file_perms;
+
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+allow shell shell_data_file:lnk_file create_file_perms;
+
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
+# Access /data/misc/profman.
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
+
+# Read/execute files in /data/nativetest
+userdebug_or_eng(`
+ allow shell nativetest_data_file:dir r_dir_perms;
+ allow shell nativetest_data_file:file rx_file_perms;
+')
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:dir r_dir_perms;
+allow shell input_device:chr_file rw_file_perms;
+r_dir_file(shell, system_file)
+allow shell system_file:file x_file_perms;
+allow shell toolbox_exec:file rx_file_perms;
+allow shell tzdatacheck_exec:file rx_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+
+userdebug_or_eng(`
+ # "systrace --boot" support - allow boottrace service to run
+ allow shell boottrace_data_file:dir rw_dir_perms;
+ allow shell boottrace_data_file:file create_file_perms;
+ set_prop(shell, persist_debug_prop)
+')
+
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# allow shell access to services
+allow shell servicemanager:service_manager list;
+# don't allow shell to access GateKeeper service
+# TODO: why is this so broad? Tightening candidate? It needs at list:
+# - dumpstate_service (so it can receive dumpstate progress updates)
+allow shell {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+allow shell dumpstate:binder call;
+
+# allow shell to get information from hwservicemanager
+# for instance, listing hardware services with lshal
+hwbinder_use(shell)
+allow shell hwservicemanager:hwservice_manager list;
+
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
+r_dir_file(shell, proc_net)
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
+r_dir_file(shell, cgroup)
+allow shell domain:dir { search open read getattr };
+allow shell domain:{ file lnk_file } { open read getattr };
+
+# statvfs() of /proc and other labeled filesystems
+# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
+allow shell { proc labeledfs }:filesystem getattr;
+
+# stat() of /dev
+allow shell device:dir getattr;
+
+# allow shell to read /proc/pid/attr/current for ps -Z
+allow shell domain:process getattr;
+
+# Allow pulling the SELinux policy for CTS purposes
+allow shell selinuxfs:dir r_dir_perms;
+allow shell selinuxfs:file r_file_perms;
+
+# enable shell domain to read/write files/dirs for bootchart data
+# User will creates the start and stop file via adb shell
+# and read other files created by init process under /data/bootchart
+allow shell bootchart_data_file:dir rw_dir_perms;
+allow shell bootchart_data_file:file create_file_perms;
+
+# Make sure strace works for the non-privileged shell user
+allow shell self:process ptrace;
+
+# allow shell to get battery info
+allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file rw_file_perms;
+
+#
+# filesystem test for insecure chr_file's is done
+# via a host side test
+#
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# /dev/fd is a symlink
+allow shell proc:lnk_file getattr;
+
+#
+# filesystem test for insucre blk_file's is done
+# via hostside test
+#
+allow shell dev_type:blk_file getattr;
+
+# read selinux policy files
+allow shell file_contexts_file:file r_file_perms;
+allow shell property_contexts_file:file r_file_perms;
+allow shell seapp_contexts_file:file r_file_perms;
+allow shell service_contexts_file:file r_file_perms;
+allow shell sepolicy_file:file r_file_perms;
+
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
+###
+### Neverallow rules
+###
+
+# Do not allow shell to hard link to any files.
+# In particular, if shell hard links to app data
+# files, installd will not be able to guarantee the deletion
+# of the linked to file. Hard links also contribute to security
+# bugs, so we want to ensure the shell user never has this
+# capability.
+neverallow shell file_type:file link;
+
+# Do not allow privileged socket ioctl commands
+neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+
+# limit shell access to sensitive char drivers to
+# only getattr required for host side test.
+neverallow shell {
+ fuse_device
+ hw_random_device
+ kmem_device
+ port_device
+}:chr_file ~getattr;
+
+# Limit shell to only getattr on blk devices for host side tests.
+neverallow shell dev_type:blk_file ~getattr;
diff --git a/prebuilts/api/28.0/public/slideshow.te b/prebuilts/api/28.0/public/slideshow.te
new file mode 100644
index 0000000..10fbbb8
--- /dev/null
+++ b/prebuilts/api/28.0/public/slideshow.te
@@ -0,0 +1,14 @@
+# slideshow seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type slideshow, domain;
+
+allow slideshow kmsg_device:chr_file rw_file_perms;
+wakelock_use(slideshow)
+allow slideshow device:dir r_dir_perms;
+allow slideshow self:global_capability_class_set sys_tty_config;
+allow slideshow graphics_device:dir r_dir_perms;
+allow slideshow graphics_device:chr_file rw_file_perms;
+allow slideshow input_device:dir r_dir_perms;
+allow slideshow input_device:chr_file r_file_perms;
+allow slideshow tty_device:chr_file rw_file_perms;
+
diff --git a/prebuilts/api/28.0/public/su.te b/prebuilts/api/28.0/public/su.te
new file mode 100644
index 0000000..0312945
--- /dev/null
+++ b/prebuilts/api/28.0/public/su.te
@@ -0,0 +1,100 @@
+# All types must be defined regardless of build variant to ensure
+# policy compilation succeeds with userdebug/user combination at boot
+type su, domain;
+
+# File types must be defined for file_contexts.
+type su_exec, exec_type, file_type;
+
+userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
+ typeattribute su mlstrustedsubject;
+
+ # Add su to various domains
+ net_domain(su)
+
+ # grant su access to vndbinder
+ vndbinder_use(su)
+
+ dontaudit su self:capability_class_set *;
+ dontaudit su kernel:security *;
+ dontaudit su kernel:system *;
+ dontaudit su self:memprotect *;
+ dontaudit su domain:process *;
+ dontaudit su domain:fd *;
+ dontaudit su domain:dir *;
+ dontaudit su domain:lnk_file *;
+ dontaudit su domain:{ fifo_file file } *;
+ dontaudit su domain:socket_class_set *;
+ dontaudit su domain:ipc_class_set *;
+ dontaudit su domain:key *;
+ dontaudit su fs_type:filesystem *;
+ dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit su node_type:node *;
+ dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit su netif_type:netif *;
+ dontaudit su port_type:socket_class_set *;
+ dontaudit su port_type:{ tcp_socket dccp_socket } *;
+ dontaudit su domain:peer *;
+ dontaudit su domain:binder *;
+ dontaudit su property_type:property_service *;
+ dontaudit su property_type:file *;
+ dontaudit su service_manager_type:service_manager *;
+ dontaudit su hwservice_manager_type:hwservice_manager *;
+ dontaudit su vndservice_manager_type:service_manager *;
+ dontaudit su servicemanager:service_manager list;
+ dontaudit su hwservicemanager:hwservice_manager list;
+ dontaudit su vndservicemanager:service_manager list;
+ dontaudit su keystore:keystore_key *;
+ dontaudit su domain:drmservice *;
+ dontaudit su unlabeled:filesystem *;
+ dontaudit su postinstall_file:filesystem *;
+
+ # VTS tests run in the permissive su domain on debug builds, but the HALs
+ # being tested run in enforcing mode. Because hal_foo_server is enforcing
+ # su needs to be declared as hal_foo_client to grant hal_foo_server
+ # permission to interact with it.
+ typeattribute su halclientdomain;
+ typeattribute su hal_allocator_client;
+ typeattribute su hal_audio_client;
+ typeattribute su hal_authsecret_client;
+ typeattribute su hal_bluetooth_client;
+ typeattribute su hal_bootctl_client;
+ typeattribute su hal_camera_client;
+ typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
+ typeattribute su hal_contexthub_client;
+ typeattribute su hal_drm_client;
+ typeattribute su hal_cas_client;
+ typeattribute su hal_dumpstate_client;
+ typeattribute su hal_fingerprint_client;
+ typeattribute su hal_gatekeeper_client;
+ typeattribute su hal_gnss_client;
+ typeattribute su hal_graphics_allocator_client;
+ typeattribute su hal_graphics_composer_client;
+ typeattribute su hal_health_client;
+ typeattribute su hal_ir_client;
+ typeattribute su hal_keymaster_client;
+ typeattribute su hal_light_client;
+ typeattribute su hal_memtrack_client;
+ typeattribute su hal_neuralnetworks_client;
+ typeattribute su hal_nfc_client;
+ typeattribute su hal_oemlock_client;
+ typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
+ typeattribute su hal_sensors_client;
+ typeattribute su hal_telephony_client;
+ typeattribute su hal_tetheroffload_client;
+ typeattribute su hal_thermal_client;
+ typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_input_client;
+ typeattribute su hal_usb_client;
+ typeattribute su hal_vibrator_client;
+ typeattribute su hal_vr_client;
+ typeattribute su hal_weaver_client;
+ typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
+ typeattribute su hal_wifi_offload_client;
+ typeattribute su hal_wifi_supplicant_client;
+')
diff --git a/prebuilts/api/28.0/public/surfaceflinger.te b/prebuilts/api/28.0/public/surfaceflinger.te
new file mode 100644
index 0000000..ae00287
--- /dev/null
+++ b/prebuilts/api/28.0/public/surfaceflinger.te
@@ -0,0 +1,2 @@
+# surfaceflinger - display compositor service
+type surfaceflinger, domain;
diff --git a/prebuilts/api/28.0/public/system_app.te b/prebuilts/api/28.0/public/system_app.te
new file mode 100644
index 0000000..023058e
--- /dev/null
+++ b/prebuilts/api/28.0/public/system_app.te
@@ -0,0 +1,7 @@
+###
+### Apps that run with the system UID, e.g. com.android.system.ui,
+### com.android.settings. These are not as privileged as the system
+### server.
+###
+
+type system_app, domain;
diff --git a/prebuilts/api/28.0/public/system_server.te b/prebuilts/api/28.0/public/system_server.te
new file mode 100644
index 0000000..805d617
--- /dev/null
+++ b/prebuilts/api/28.0/public/system_server.te
@@ -0,0 +1,5 @@
+#
+# System Server aka system_server spawned by zygote.
+# Most of the framework services run in this process.
+#
+type system_server, domain;
diff --git a/prebuilts/api/28.0/public/te_macros b/prebuilts/api/28.0/public/te_macros
new file mode 100644
index 0000000..9cfe47c
--- /dev/null
+++ b/prebuilts/api/28.0/public/te_macros
@@ -0,0 +1,597 @@
+#####################################
+# domain_trans(olddomain, type, newdomain)
+# Allow a transition from olddomain to newdomain
+# upon executing a file labeled with type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use domain_auto_trans
+# if that is what you want.
+#
+define(`domain_trans', `
+# Old domain may exec the file and transition to the new domain.
+allow $1 $2:file { getattr open read execute map };
+allow $1 $3:process transition;
+# New domain is entered by executing the file.
+allow $3 $2:file { entrypoint open read execute getattr map };
+# New domain can send SIGCHLD to its caller.
+ifelse($1, `init', `', `allow $3 $1:process sigchld;')
+# Enable AT_SECURE, i.e. libc secure mode.
+dontaudit $1 $3:process noatsecure;
+# XXX dontaudit candidate but requires further study.
+allow $1 $3:process { siginh rlimitinh };
+')
+
+#####################################
+# domain_auto_trans(olddomain, type, newdomain)
+# Automatically transition from olddomain to newdomain
+# upon executing a file labeled with type.
+#
+define(`domain_auto_trans', `
+# Allow the necessary permissions.
+domain_trans($1,$2,$3)
+# Make the transition occur by default.
+type_transition $1 $2:process $3;
+')
+
+#####################################
+# file_type_trans(domain, dir_type, file_type)
+# Allow domain to create a file labeled file_type in a
+# directory labeled dir_type.
+# This only allows the transition; it does not
+# cause it to occur automatically - use file_type_auto_trans
+# if that is what you want.
+#
+define(`file_type_trans', `
+# Allow the domain to add entries to the directory.
+allow $1 $2:dir ra_dir_perms;
+# Allow the domain to create the file.
+allow $1 $3:notdevfile_class_set create_file_perms;
+allow $1 $3:dir create_dir_perms;
+')
+
+#####################################
+# file_type_auto_trans(domain, dir_type, file_type)
+# Automatically label new files with file_type when
+# they are created by domain in directories labeled dir_type.
+#
+define(`file_type_auto_trans', `
+# Allow the necessary permissions.
+file_type_trans($1, $2, $3)
+# Make the transition occur by default.
+type_transition $1 $2:dir $3;
+type_transition $1 $2:notdevfile_class_set $3;
+')
+
+#####################################
+# r_dir_file(domain, type)
+# Allow the specified domain to read directories, files
+# and symbolic links of the specified type.
+define(`r_dir_file', `
+allow $1 $2:dir r_dir_perms;
+allow $1 $2:{ file lnk_file } r_file_perms;
+')
+
+#####################################
+# tmpfs_domain(domain)
+# Define and allow access to a unique type for
+# this domain when creating tmpfs / shmem / ashmem files.
+define(`tmpfs_domain', `
+type $1_tmpfs, file_type;
+type_transition $1 tmpfs:file $1_tmpfs;
+allow $1 $1_tmpfs:file { read write getattr map };
+allow $1 tmpfs:dir { getattr search };
+')
+
+# pdx macros for IPC. pdx is a high-level name which contains transport-specific
+# rules from underlying transport (e.g. UDS-based implementation).
+
+#####################################
+# pdx_service_attributes(service)
+# Defines type attribute used to identify various service-related types.
+define(`pdx_service_attributes', `
+attribute pdx_$1_endpoint_dir_type;
+attribute pdx_$1_endpoint_socket_type;
+attribute pdx_$1_channel_socket_type;
+attribute pdx_$1_server_type;
+')
+
+#####################################
+# pdx_service_socket_types(service, endpoint_dir_t)
+# Define types for endpoint and channel sockets.
+define(`pdx_service_socket_types', `
+typeattribute $2 pdx_$1_endpoint_dir_type;
+type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
+type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
+userdebug_or_eng(`
+dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
+dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
+')
+')
+
+#####################################
+# pdx_server(server_domain, service)
+define(`pdx_server', `
+# Mark the server domain as a PDX server.
+typeattribute $1 pdx_$2_server_type;
+# Allow the init process to create the initial endpoint socket.
+allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
+# Allow the server domain to use the endpoint socket and accept connections on it.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
+# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
+allow $1 self:process setsockcreate;
+# Allow the server domain to create a client channel socket.
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
+# Prevent other processes from claiming to be a server for the same service.
+neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
+')
+
+#####################################
+# pdx_connect(client, service)
+define(`pdx_connect', `
+# Allow client to open the service endpoint file.
+allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
+allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
+# Allow the client to connect to endpoint socket.
+allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
+')
+
+#####################################
+# pdx_use(client, service)
+define(`pdx_use', `
+# Allow the client to use the PDX channel socket.
+# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
+# than we need (e.g. we don"t need "bind" or "connect").
+allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
+# Client needs to use an channel event fd from the server.
+allow $1 pdx_$2_server_type:fd use;
+# Servers may receive sync fences, gralloc buffers, etc, from clients.
+# This could be tightened on a per-server basis, but keeping track of service
+# clients is error prone.
+allow pdx_$2_server_type $1:fd use;
+')
+
+#####################################
+# pdx_client(client, service)
+define(`pdx_client', `
+pdx_connect($1, $2)
+pdx_use($1, $2)
+')
+
+#####################################
+# init_daemon_domain(domain)
+# Set up a transition from init to the daemon domain
+# upon executing its binary.
+define(`init_daemon_domain', `
+domain_auto_trans(init, $1_exec, $1)
+tmpfs_domain($1)
+')
+
+#####################################
+# app_domain(domain)
+# Allow a base set of permissions required for all apps.
+define(`app_domain', `
+typeattribute $1 appdomain;
+# Label ashmem objects with our own unique type.
+tmpfs_domain($1)
+# Map with PROT_EXEC.
+allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
+')
+
+#####################################
+# untrusted_app_domain(domain)
+# Allow a base set of permissions required for all untrusted apps.
+define(`untrusted_app_domain', `
+typeattribute $1 untrusted_app_all;
+')
+
+#####################################
+# net_domain(domain)
+# Allow a base set of permissions required for network access.
+define(`net_domain', `
+typeattribute $1 netdomain;
+')
+
+#####################################
+# bluetooth_domain(domain)
+# Allow a base set of permissions required for bluetooth access.
+define(`bluetooth_domain', `
+typeattribute $1 bluetoothdomain;
+')
+
+#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+')
+
+#####################################
+# hal_server_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to offer a
+# HAL implementation of the specified type over HwBinder.
+#
+# For example, default implementation of Foo HAL:
+# type hal_foo_default, domain;
+# hal_server_domain(hal_foo_default, hal_foo)
+#
+define(`hal_server_domain', `
+typeattribute $1 halserverdomain;
+typeattribute $1 $2_server;
+typeattribute $1 $2;
+')
+
+#####################################
+# hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a HAL of the specified type.
+#
+# For example, make some_domain a client of Foo HAL:
+# hal_client_domain(some_domain, hal_foo)
+#
+define(`hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+
+# TODO(b/34170079): Make the inclusion of the rules below conditional also on
+# non-Treble devices. For now, on non-Treble device, always grant clients of a
+# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
+not_full_treble(`
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+')
+
+#####################################
+# passthrough_hal_client_domain(domain, hal_type)
+# Allow a base set of permissions required for a domain to be a
+# client of a passthrough HAL of the specified type.
+#
+# For example, make some_domain a client of passthrough Foo HAL:
+# passthrough_hal_client_domain(some_domain, hal_foo)
+#
+define(`passthrough_hal_client_domain', `
+typeattribute $1 halclientdomain;
+typeattribute $1 $2_client;
+typeattribute $1 $2;
+# Find passthrough HAL implementations
+allow $2 system_file:dir r_dir_perms;
+allow $2 vendor_file:dir r_dir_perms;
+allow $2 vendor_file:file { read open getattr execute map };
+')
+
+#####################################
+# unix_socket_connect(clientdomain, socket, serverdomain)
+# Allow a local socket connection from clientdomain via
+# socket to serverdomain.
+#
+# Note: If you see denial records that distill to the
+# following allow rules:
+# allow clientdomain property_socket:sock_file write;
+# allow clientdomain init:unix_stream_socket connectto;
+# allow clientdomain something_prop:property_service set;
+#
+# This sequence is indicative of attempting to set a property.
+# use set_prop(sourcedomain, targetproperty)
+#
+define(`unix_socket_connect', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_stream_socket connectto;
+')
+
+#####################################
+# set_prop(sourcedomain, targetproperty)
+# Allows source domain to set the
+# targetproperty.
+#
+define(`set_prop', `
+unix_socket_connect($1, property, init)
+allow $1 $2:property_service set;
+get_prop($1, $2)
+')
+
+#####################################
+# get_prop(sourcedomain, targetproperty)
+# Allows source domain to read the
+# targetproperty.
+#
+define(`get_prop', `
+allow $1 $2:file r_file_perms;
+')
+
+#####################################
+# unix_socket_send(clientdomain, socket, serverdomain)
+# Allow a local socket send from clientdomain via
+# socket to serverdomain.
+define(`unix_socket_send', `
+allow $1 $2_socket:sock_file write;
+allow $1 $3:unix_dgram_socket sendto;
+')
+
+#####################################
+# binder_use(domain)
+# Allow domain to use Binder IPC.
+define(`binder_use', `
+# Call the servicemanager and transfer references to it.
+allow $1 servicemanager:binder { call transfer };
+# servicemanager performs getpidcon on clients.
+allow servicemanager $1:dir search;
+allow servicemanager $1:file { read open };
+allow servicemanager $1:process getattr;
+# rw access to /dev/binder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# hwbinder_use(domain)
+# Allow domain to use HwBinder IPC.
+define(`hwbinder_use', `
+# Call the hwservicemanager and transfer references to it.
+allow $1 hwservicemanager:binder { call transfer };
+# Allow hwservicemanager to send out callbacks
+allow hwservicemanager $1:binder { call transfer };
+# hwservicemanager performs getpidcon on clients.
+allow hwservicemanager $1:dir search;
+allow hwservicemanager $1:file { read open };
+allow hwservicemanager $1:process getattr;
+# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
+# all domains in domain.te.
+')
+
+#####################################
+# vndbinder_use(domain)
+# Allow domain to use Binder IPC.
+define(`vndbinder_use', `
+# Talk to the vndbinder device node
+allow $1 vndbinder_device:chr_file rw_file_perms;
+# Call the vndservicemanager and transfer references to it.
+allow $1 vndservicemanager:binder { call transfer };
+# vndservicemanager performs getpidcon on clients.
+allow vndservicemanager $1:dir search;
+allow vndservicemanager $1:file { read open };
+allow vndservicemanager $1:process getattr;
+')
+
+#####################################
+# binder_call(clientdomain, serverdomain)
+# Allow clientdomain to perform binder IPC to serverdomain.
+define(`binder_call', `
+# Call the server domain and optionally transfer references to it.
+allow $1 $2:binder { call transfer };
+# Allow the serverdomain to transfer references to the client on the reply.
+allow $2 $1:binder transfer;
+# Receive and use open files from the server.
+allow $1 $2:fd use;
+')
+
+#####################################
+# binder_service(domain)
+# Mark a domain as being a Binder service domain.
+# Used to allow binder IPC to the various system services.
+define(`binder_service', `
+typeattribute $1 binderservicedomain;
+')
+
+#####################################
+# wakelock_use(domain)
+# Allow domain to manage wake locks
+define(`wakelock_use', `
+# Access /sys/power/wake_lock and /sys/power/wake_unlock
+allow $1 sysfs_wake_lock:file rw_file_perms;
+# Accessing these files requires CAP_BLOCK_SUSPEND
+allow $1 self:global_capability2_class_set block_suspend;
+')
+
+#####################################
+# selinux_check_access(domain)
+# Allow domain to check SELinux permissions via selinuxfs.
+define(`selinux_check_access', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security compute_av;
+allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
+')
+
+#####################################
+# selinux_check_context(domain)
+# Allow domain to check SELinux contexts via selinuxfs.
+define(`selinux_check_context', `
+r_dir_file($1, selinuxfs)
+allow $1 selinuxfs:file w_file_perms;
+allow $1 kernel:security check_context;
+')
+
+#####################################
+# create_pty(domain)
+# Allow domain to create and use a pty, isolated from any other domain ptys.
+define(`create_pty', `
+# Each domain gets a unique devpts type.
+type $1_devpts, fs_type;
+# Label the pty with the unique type when created.
+type_transition $1 devpts:chr_file $1_devpts;
+# Allow use of the pty after creation.
+allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
+# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
+# allowed to everyone via domain.te.
+')
+
+#####################################
+# Non system_app application set
+#
+define(`non_system_app_set', `{ appdomain -system_app }')
+
+#####################################
+# Recovery only
+# SELinux rules which apply only to recovery mode
+#
+define(`recovery_only', ifelse(target_recovery, `true', $1, ))
+
+#####################################
+# Full TREBLE only
+# SELinux rules which apply only to full TREBLE devices
+#
+define(`full_treble_only', ifelse(target_full_treble, `true', $1,
+ifelse(target_full_treble, `cts',
+# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not full TREBLE
+# SELinux rules which apply only to devices which are not full TREBLE devices
+#
+define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
+
+#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
+# Userdebug or eng builds
+# SELinux rules which apply only to userdebug or eng builds
+#
+define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+
+#####################################
+# asan builds
+# SELinux rules which apply only to asan builds
+#
+define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
+
+####################################
+# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
+#
+define(`crash_dump_fallback', `
+userdebug_or_eng(`
+ allow $1 su:fifo_file append;
+')
+allow $1 anr_data_file:file append;
+allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
+# TODO: Figure out why write is needed.
+allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
+allow $1 system_server:fifo_file { append write };
+allow $1 tombstoned:unix_stream_socket connectto;
+allow $1 tombstoned:fd use;
+allow $1 tombstoned_crash_socket:sock_file write;
+allow $1 tombstone_data_file:file append;
+')
+
+#####################################
+# WITH_DEXPREOPT builds
+# SELinux rules which apply only when pre-opting.
+#
+define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+unix_socket_send($1, logdw, logd)
+allow $1 pmsg_device:chr_file w_file_perms;
+')
+
+#####################################
+# read_logd(domain)
+# Ability to run logcat and read from android
+# log daemon via sockets
+define(`read_logd', `
+allow $1 logcat_exec:file rx_file_perms;
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# read_runtime_log_tags(domain)
+# ability to directly map the runtime event log tags
+define(`read_runtime_log_tags', `
+allow $1 runtime_event_log_tags_file:file r_file_perms;
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
+
+#####################################
+# use_keystore(domain)
+# Ability to use keystore.
+# Keystore is requires the following permissions
+# to call getpidcon.
+define(`use_keystore', `
+ allow keystore $1:dir search;
+ allow keystore $1:file { read open };
+ allow keystore $1:process getattr;
+ allow $1 keystore_service:service_manager find;
+ binder_call($1, keystore)
+ binder_call(keystore, $1)
+')
+
+###########################################
+# use_drmservice(domain)
+# Ability to use DrmService which requires
+# DrmService to call getpidcon.
+define(`use_drmservice', `
+ allow drmserver $1:dir search;
+ allow drmserver $1:file { read open };
+ allow drmserver $1:process getattr;
+')
+
+###########################################
+# add_service(domain, service)
+# Ability for domain to add a service to service_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_service', `
+ allow $1 $2:service_manager { add find };
+ neverallow { domain -$1 } $2:service_manager add;
+')
+
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ allow $1 hidl_base_hwservice:hwservice_manager add;
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
diff --git a/prebuilts/api/28.0/public/tee.te b/prebuilts/api/28.0/public/tee.te
new file mode 100644
index 0000000..0f9b32d
--- /dev/null
+++ b/prebuilts/api/28.0/public/tee.te
@@ -0,0 +1,11 @@
+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/prebuilts/api/28.0/public/thermalserviced.te b/prebuilts/api/28.0/public/thermalserviced.te
new file mode 100644
index 0000000..00e0071
--- /dev/null
+++ b/prebuilts/api/28.0/public/thermalserviced.te
@@ -0,0 +1,13 @@
+# thermalserviced -- thermal management services for system and vendor
+type thermalserviced, domain;
+type thermalserviced_exec, exec_type, file_type;
+
+binder_use(thermalserviced)
+binder_service(thermalserviced)
+add_service(thermalserviced, thermal_service)
+
+hwbinder_use(thermalserviced)
+hal_client_domain(thermalserviced, hal_thermal)
+add_hwservice(thermalserviced, thermalcallback_hwservice)
+
+binder_call(thermalserviced, platform_app)
diff --git a/prebuilts/api/28.0/public/tombstoned.te b/prebuilts/api/28.0/public/tombstoned.te
new file mode 100644
index 0000000..0e585b6
--- /dev/null
+++ b/prebuilts/api/28.0/public/tombstoned.te
@@ -0,0 +1,22 @@
+# debugger interface
+type tombstoned, domain, mlstrustedsubject;
+type tombstoned_exec, exec_type, file_type;
+
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
+
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
+
+# TODO: Remove append / write permissions. They were temporarily
+# granted due to a bug which appears to have been fixed.
+allow tombstoned anr_data_file:file { append write };
+auditallow tombstoned anr_data_file:file { append write };
+
+# Changes for the new stack dumping mechanism. Each trace goes into a
+# separate file, and these files are managed by tombstoned.
+allow tombstoned anr_data_file:dir rw_dir_perms;
+allow tombstoned anr_data_file:file { create getattr open link unlink };
diff --git a/prebuilts/api/28.0/public/toolbox.te b/prebuilts/api/28.0/public/toolbox.te
new file mode 100644
index 0000000..59c3a9c
--- /dev/null
+++ b/prebuilts/api/28.0/public/toolbox.te
@@ -0,0 +1,24 @@
+# Any toolbox command run by init.
+# At present, the only known usage is for running mkswap via fs_mgr.
+# Do NOT use this domain for toolbox when run by any other domain.
+type toolbox, domain;
+type toolbox_exec, exec_type, file_type;
+
+# /dev/__null__ created by init prior to policy load,
+# open fd inherited by fsck.
+allow toolbox tmpfs:chr_file { read write ioctl };
+
+# Inherit and use pty created by android_fork_execvp_ext().
+allow toolbox devpts:chr_file { read write getattr ioctl };
+
+# mkswap-specific.
+# Read/write block devices used for swap partitions.
+# Assign swap_block_device type any such partition in your
+# device/<vendor>/<product>/sepolicy/file_contexts file.
+allow toolbox block_device:dir search;
+allow toolbox swap_block_device:blk_file rw_file_perms;
+
+# Only allow entry from init via the toolbox binary.
+neverallow { domain -init } toolbox:process transition;
+neverallow * toolbox:process dyntransition;
+neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
diff --git a/prebuilts/api/28.0/public/traced_probes.te b/prebuilts/api/28.0/public/traced_probes.te
new file mode 100644
index 0000000..3e587c8
--- /dev/null
+++ b/prebuilts/api/28.0/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/28.0/public/traceur_app.te b/prebuilts/api/28.0/public/traceur_app.te
new file mode 100644
index 0000000..7113fa7
--- /dev/null
+++ b/prebuilts/api/28.0/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+set_prop(traceur_app, debug_prop)
+
+allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/prebuilts/api/28.0/public/tzdatacheck.te b/prebuilts/api/28.0/public/tzdatacheck.te
new file mode 100644
index 0000000..6f60c8e2
--- /dev/null
+++ b/prebuilts/api/28.0/public/tzdatacheck.te
@@ -0,0 +1,18 @@
+# The tzdatacheck command run by init.
+type tzdatacheck, domain;
+type tzdatacheck_exec, exec_type, file_type;
+
+allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
+allow tzdatacheck zoneinfo_data_file:file unlink;
+
+# Below are strong assertion that only init, system_server and tzdatacheck
+# can modify the /data time zone rules directories. This is to make it very
+# clear that only these domains should modify the actual time zone rules data.
+# The tzdatacheck binary itself may be executed by shell for tests but it must
+# not be able to modify the real rules.
+# If other users / binaries could modify time zone rules on device this might
+# have negative implications for users (who may get incorrect local times)
+# or break assumptions made / invalidate data held by the components actually
+# responsible for updating time zone rules.
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
+neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/28.0/public/ueventd.te b/prebuilts/api/28.0/public/ueventd.te
new file mode 100644
index 0000000..9b9eacb
--- /dev/null
+++ b/prebuilts/api/28.0/public/ueventd.te
@@ -0,0 +1,57 @@
+# ueventd seclabel is specified in init.rc since
+# it lives in the rootfs and has no unique file type.
+type ueventd, domain;
+
+# Write to /dev/kmsg.
+allow ueventd kmsg_device:chr_file rw_file_perms;
+
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd device:file create_file_perms;
+
+r_dir_file(ueventd, rootfs)
+
+# ueventd needs write access to files in /sys to regenerate uevents
+allow ueventd sysfs_type:file w_file_perms;
+r_dir_file(ueventd, sysfs_type)
+allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
+allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
+allow ueventd tmpfs:chr_file rw_file_perms;
+allow ueventd dev_type:dir create_dir_perms;
+allow ueventd dev_type:lnk_file { create unlink };
+allow ueventd dev_type:chr_file { getattr create setattr unlink };
+allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
+allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow ueventd efs_file:dir search;
+allow ueventd efs_file:file r_file_perms;
+
+# Get SELinux enforcing status.
+r_dir_file(ueventd, selinuxfs)
+
+# Access for /vendor/ueventd.rc and /vendor/firmware
+r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
+
+# Get file contexts for new device nodes
+allow ueventd file_contexts_file:file r_file_perms;
+
+# Use setfscreatecon() to label /dev directories and files.
+allow ueventd self:process setfscreate;
+
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
+#####
+##### neverallow rules
+#####
+
+# ueventd must never set properties, otherwise deadlocks may occur.
+# https://android-review.googlesource.com/#/c/133120/6/init/devices.cpp@941
+# No writing to the property socket, connecting to init, or setting properties.
+neverallow ueventd property_socket:sock_file write;
+neverallow ueventd init:unix_stream_socket connectto;
+neverallow ueventd property_type:property_service set;
+
+# Restrict ueventd access on block devices to maintenence operations.
+neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
+
+# Only relabelto as we would never want to relabelfrom kmem_device or port_device
+neverallow ueventd { kmem_device port_device }:chr_file ~{ getattr create setattr unlink relabelto };
diff --git a/prebuilts/api/28.0/public/uncrypt.te b/prebuilts/api/28.0/public/uncrypt.te
new file mode 100644
index 0000000..1e48b83
--- /dev/null
+++ b/prebuilts/api/28.0/public/uncrypt.te
@@ -0,0 +1,45 @@
+# uncrypt
+type uncrypt, domain, mlstrustedsubject;
+type uncrypt_exec, exec_type, file_type;
+
+allow uncrypt self:global_capability_class_set dac_override;
+
+# Read OTA zip file from /data/data/com.google.android.gsf/app_download
+r_dir_file(uncrypt, app_data_file)
+
+userdebug_or_eng(`
+ # For debugging, allow /data/local/tmp access
+ r_dir_file(uncrypt, shell_data_file)
+')
+
+# Read /cache/recovery/command
+# Read /cache/recovery/uncrypt_file
+allow uncrypt cache_file:dir search;
+allow uncrypt cache_recovery_file:dir rw_dir_perms;
+allow uncrypt cache_recovery_file:file create_file_perms;
+
+# Read OTA zip file at /data/ota_package/.
+allow uncrypt ota_package_file:dir r_dir_perms;
+allow uncrypt ota_package_file:file r_file_perms;
+
+# Write to /dev/socket/uncrypt
+unix_socket_connect(uncrypt, uncrypt, uncrypt)
+
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
+
+# Raw writes to block device
+allow uncrypt self:global_capability_class_set sys_rawio;
+allow uncrypt misc_block_device:blk_file w_file_perms;
+allow uncrypt block_device:dir r_dir_perms;
+
+# Access userdata block device.
+allow uncrypt userdata_block_device:blk_file w_file_perms;
+
+r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc_cmdline:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
diff --git a/prebuilts/api/28.0/public/untrusted_app.te b/prebuilts/api/28.0/public/untrusted_app.te
new file mode 100644
index 0000000..5289bf9
--- /dev/null
+++ b/prebuilts/api/28.0/public/untrusted_app.te
@@ -0,0 +1,21 @@
+###
+### Untrusted apps.
+###
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;
diff --git a/prebuilts/api/28.0/public/untrusted_v2_app.te b/prebuilts/api/28.0/public/untrusted_v2_app.te
new file mode 100644
index 0000000..ac82f15
--- /dev/null
+++ b/prebuilts/api/28.0/public/untrusted_v2_app.te
@@ -0,0 +1,5 @@
+###
+### Untrusted v2 sandbox apps.
+###
+
+type untrusted_v2_app, domain;
diff --git a/prebuilts/api/28.0/public/update_engine.te b/prebuilts/api/28.0/public/update_engine.te
new file mode 100644
index 0000000..ca73c7e
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_engine.te
@@ -0,0 +1,58 @@
+# Domain for update_engine daemon.
+type update_engine, domain, update_engine_common;
+type update_engine_exec, exec_type, file_type;
+
+net_domain(update_engine);
+
+# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid to tag network
+# sockets.
+allow update_engine qtaguid_proc:file rw_file_perms;
+allow update_engine qtaguid_device:chr_file r_file_perms;
+
+# Following permissions are needed for update_engine.
+allow update_engine self:process { setsched };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
+allow update_engine kmsg_device:chr_file w_file_perms;
+allow update_engine update_engine_exec:file rx_file_perms;
+wakelock_use(update_engine);
+
+# Ignore these denials.
+dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
+
+# Allow using persistent storage in /data/misc/update_engine.
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
+
+# Don't allow kernel module loading, just silence the logs.
+dontaudit update_engine kernel:system module_request;
+
+# Register the service to perform Binder IPC.
+binder_use(update_engine)
+add_service(update_engine, update_engine_service)
+
+# Allow update_engine to call the callback function provided by priv_app.
+binder_call(update_engine, priv_app)
+
+# Read OTA zip file at /data/ota_package/.
+allow update_engine ota_package_file:file r_file_perms;
+allow update_engine ota_package_file:dir r_dir_perms;
+
+# Use Boot Control HAL
+hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/prebuilts/api/28.0/public/update_engine_common.te b/prebuilts/api/28.0/public/update_engine_common.te
new file mode 100644
index 0000000..eb4cdc1
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_engine_common.te
@@ -0,0 +1,45 @@
+# update_engine payload application permissions. These are shared between the
+# background daemon and the recovery tool to sideload an update.
+
+# Allow update_engine to reach block devices in /dev/block.
+allow update_engine_common block_device:dir search;
+
+# Allow read/write on system and boot partitions.
+allow update_engine_common boot_block_device:blk_file rw_file_perms;
+allow update_engine_common system_block_device:blk_file rw_file_perms;
+
+# Allow to set recovery options in the BCB. Used to trigger factory reset when
+# the update to an older version (channel change) or incompatible version
+# requires it.
+allow update_engine_common misc_block_device:blk_file rw_file_perms;
+
+# read fstab
+allow update_engine_common rootfs:dir getattr;
+allow update_engine_common rootfs:file r_file_perms;
+
+# Allow update_engine_common to mount on the /postinstall directory and reset the
+# labels on the mounted filesystem to postinstall_file.
+allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
+allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
+allow update_engine_common labeledfs:filesystem relabelfrom;
+
+# Allow update_engine_common to read and execute postinstall_file.
+allow update_engine_common postinstall_file:file rx_file_perms;
+allow update_engine_common postinstall_file:lnk_file r_file_perms;
+allow update_engine_common postinstall_file:dir r_dir_perms;
+
+# install update.zip from cache
+r_dir_file(update_engine_common, cache_file)
+
+# A postinstall program is typically a shell script (with a #!), so we allow
+# to execute those.
+allow update_engine_common shell_exec:file rx_file_perms;
+
+# Allow update_engine_common to suspend, resume and kill the postinstall program.
+allow update_engine_common postinstall:process { signal sigstop sigkill };
+
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
+
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
diff --git a/prebuilts/api/28.0/public/update_verifier.te b/prebuilts/api/28.0/public/update_verifier.te
new file mode 100644
index 0000000..5d20eca
--- /dev/null
+++ b/prebuilts/api/28.0/public/update_verifier.te
@@ -0,0 +1,31 @@
+# update_verifier
+type update_verifier, domain;
+type update_verifier_exec, exec_type, file_type;
+
+# Allow update_verifier to reach block devices in /dev/block.
+allow update_verifier block_device:dir search;
+
+# Read care map in /data/ota_package/.
+allow update_verifier ota_package_file:dir r_dir_perms;
+allow update_verifier ota_package_file:file r_file_perms;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
+allow update_verifier dm_device:blk_file r_file_perms;
+
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file w_file_perms;
+
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Use Boot Control HAL
+hal_client_domain(update_verifier, hal_bootctl)
diff --git a/prebuilts/api/28.0/public/usbd.te b/prebuilts/api/28.0/public/usbd.te
new file mode 100644
index 0000000..98786e0
--- /dev/null
+++ b/prebuilts/api/28.0/public/usbd.te
@@ -0,0 +1,3 @@
+type usbd, domain;
+type usbd_exec, exec_type, file_type;
+
diff --git a/prebuilts/api/28.0/public/vdc.te b/prebuilts/api/28.0/public/vdc.te
new file mode 100644
index 0000000..424bdea
--- /dev/null
+++ b/prebuilts/api/28.0/public/vdc.te
@@ -0,0 +1,20 @@
+# vdc spawned from init for the following services:
+# defaultcrypto
+# encrypt
+#
+# We also transition into this domain from dumpstate, when
+# collecting bug reports.
+
+type vdc, domain;
+type vdc_exec, exec_type, file_type;
+
+# vdc can be invoked with logwrapper, so let it write to pty
+allow vdc devpts:chr_file rw_file_perms;
+
+# vdc writes directly to kmsg during the boot process
+allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/vendor_init.te b/prebuilts/api/28.0/public/vendor_init.te
new file mode 100644
index 0000000..4e4b313
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_init.te
@@ -0,0 +1,198 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -runtime_event_log_tags_file
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -vendor_file_type
+ -vold_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:file { open read setattr };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kmem_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_audio_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_dalvik_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_ffs_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, exported_radio_prop)
+set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported_wifi_prop)
+set_prop(vendor_init, exported2_config_prop)
+set_prop(vendor_init, exported2_system_prop)
+set_prop(vendor_init, exported2_vold_prop)
+set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, wifi_log_prop)
+
+get_prop(vendor_init, exported2_radio_prop)
+get_prop(vendor_init, exported3_system_prop)
diff --git a/prebuilts/api/28.0/public/vendor_shell.te b/prebuilts/api/28.0/public/vendor_shell.te
new file mode 100644
index 0000000..7d30acb
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_shell.te
@@ -0,0 +1,19 @@
+type vendor_shell, domain;
+type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
new file mode 100644
index 0000000..eb292ca
--- /dev/null
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -0,0 +1,16 @@
+# Toolbox installation for vendor binaries / scripts
+# Non-vendor processes are not allowed to execute the binary
+# and is always executed without transition.
+type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
+
+# Do not allow domains to transition to vendor toolbox
+# or read, execute the vendor_toolbox file.
+full_treble_only(`
+ # Do not allow non-vendor domains to transition
+ # to vendor toolbox except for the whitelisted domains.
+ neverallow {
+ coredomain
+ -init
+ -modprobe
+ } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
+')
diff --git a/prebuilts/api/28.0/public/virtual_touchpad.te b/prebuilts/api/28.0/public/virtual_touchpad.te
new file mode 100644
index 0000000..c2800e3
--- /dev/null
+++ b/prebuilts/api/28.0/public/virtual_touchpad.te
@@ -0,0 +1,16 @@
+type virtual_touchpad, domain;
+type virtual_touchpad_exec, exec_type, file_type;
+
+binder_use(virtual_touchpad)
+binder_service(virtual_touchpad)
+add_service(virtual_touchpad, virtual_touchpad_service)
+
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
+# Requires access to /dev/uinput to create and feed the virtual device.
+allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/vndservice.te b/prebuilts/api/28.0/public/vndservice.te
new file mode 100644
index 0000000..0d309bf
--- /dev/null
+++ b/prebuilts/api/28.0/public/vndservice.te
@@ -0,0 +1 @@
+type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/28.0/public/vndservicemanager.te b/prebuilts/api/28.0/public/vndservicemanager.te
new file mode 100644
index 0000000..6b9f73d
--- /dev/null
+++ b/prebuilts/api/28.0/public/vndservicemanager.te
@@ -0,0 +1,2 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager, domain;
diff --git a/prebuilts/api/28.0/public/vold.te b/prebuilts/api/28.0/public/vold.te
new file mode 100644
index 0000000..131f555
--- /dev/null
+++ b/prebuilts/api/28.0/public/vold.te
@@ -0,0 +1,269 @@
+# volume manager
+type vold, domain;
+type vold_exec, exec_type, file_type;
+
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(vold, proc_net)
+r_dir_file(vold, sysfs_type)
+# XXX Label sysfs files with a specific type?
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow vold sysfs_dm:file w_file_perms;
+allow vold sysfs_usb:file w_file_perms;
+allow vold sysfs_zram_uevent:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For sgdisk launched through popen()
+allow vold shell_exec:file rx_file_perms;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold sdcard_type:dir mounton; # TODO: deprecated in M
+allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
+allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
+allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir create_dir_perms;
+allow vold mnt_user_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold app_data_file:dir search;
+allow vold app_data_file:file rw_file_perms;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+#
+# Rules to support encrypted fs support.
+#
+
+# Unmount and mount the fs.
+allow vold labeledfs:filesystem { mount unmount };
+
+# Access /efs/userdata_footer.
+# XXX Split into a separate type?
+allow vold efs_file:file rw_file_perms;
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Handle wake locks (used for device encryption)
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
+binder_call(vold, healthd)
+
+# talk to keymaster
+hal_client_domain(vold, hal_keymaster)
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+
+# MoveTask.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold user_profile_data_file:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow vold {
+ domain
+ -hal_keymaster_server
+ -healthd
+ -hwservicemanager
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/prebuilts/api/28.0/public/vold_prepare_subdirs.te b/prebuilts/api/28.0/public/vold_prepare_subdirs.te
new file mode 100644
index 0000000..6405d2d
--- /dev/null
+++ b/prebuilts/api/28.0/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
diff --git a/prebuilts/api/28.0/public/vr_hwc.te b/prebuilts/api/28.0/public/vr_hwc.te
new file mode 100644
index 0000000..c05dd63
--- /dev/null
+++ b/prebuilts/api/28.0/public/vr_hwc.te
@@ -0,0 +1,31 @@
+type vr_hwc, domain;
+type vr_hwc_exec, exec_type, file_type;
+
+# Get buffer metadata.
+hal_client_domain(vr_hwc, hal_graphics_allocator)
+
+binder_use(vr_hwc)
+binder_service(vr_hwc)
+
+binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
+
+add_service(vr_hwc, vr_hwc_service)
+
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_hwc)
+
+# Load vendor libraries.
+allow vr_hwc system_file:dir r_dir_perms;
+
+allow vr_hwc ion_device:chr_file r_file_perms;
+
+# Allow connection to VR DisplayClient to get the primary display metadata
+# (ie: size).
+pdx_client(vr_hwc, display_client)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
diff --git a/prebuilts/api/28.0/public/watchdogd.te b/prebuilts/api/28.0/public/watchdogd.te
new file mode 100644
index 0000000..00292a9
--- /dev/null
+++ b/prebuilts/api/28.0/public/watchdogd.te
@@ -0,0 +1,4 @@
+# watchdogd seclabel is specified in init.<board>.rc
+type watchdogd, domain;
+allow watchdogd watchdog_device:chr_file rw_file_perms;
+allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/28.0/public/webview_zygote.te b/prebuilts/api/28.0/public/webview_zygote.te
new file mode 100644
index 0000000..5d19b32
--- /dev/null
+++ b/prebuilts/api/28.0/public/webview_zygote.te
@@ -0,0 +1,5 @@
+# webview_zygote is an auxiliary zygote process that is used to spawn
+# isolated_app processes for rendering untrusted web content.
+
+type webview_zygote, domain;
+type webview_zygote_exec, exec_type, file_type;
diff --git a/prebuilts/api/28.0/public/wificond.te b/prebuilts/api/28.0/public/wificond.te
new file mode 100644
index 0000000..9e4dc7d
--- /dev/null
+++ b/prebuilts/api/28.0/public/wificond.te
@@ -0,0 +1,31 @@
+# wificond
+type wificond, domain;
+type wificond_exec, exec_type, file_type;
+
+binder_use(wificond)
+binder_call(wificond, system_server)
+
+add_service(wificond, wificond_service)
+
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
+# create sockets to set interfaces up and down
+allow wificond self:udp_socket create_socket_perms;
+# setting interface state up/down is a privileged ioctl
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
+# allow wificond to speak to nl80211 in the kernel
+allow wificond self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
+allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+r_dir_file(wificond, proc_net)
+
+# allow wificond to check permission for dumping logs
+allow wificond permission_service:service_manager find;
+
+# dumpstate support
+allow wificond dumpstate:fd use;
+allow wificond dumpstate:fifo_file write;
diff --git a/prebuilts/api/28.0/public/wpantund.te b/prebuilts/api/28.0/public/wpantund.te
new file mode 100644
index 0000000..b317236
--- /dev/null
+++ b/prebuilts/api/28.0/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/prebuilts/api/28.0/public/zygote.te b/prebuilts/api/28.0/public/zygote.te
new file mode 100644
index 0000000..83c42ef
--- /dev/null
+++ b/prebuilts/api/28.0/public/zygote.te
@@ -0,0 +1,3 @@
+# zygote
+type zygote, domain;
+type zygote_exec, exec_type, file_type;
diff --git a/private/access_vectors b/private/access_vectors
index 14e1712..898c884 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -282,6 +282,15 @@
class unix_dgram_socket
inherits socket
+class bpf
+{
+ map_create
+ map_read
+ map_write
+ prog_load
+ prog_run
+}
+
#
# Define the access vector interpretation for process-related objects
#
diff --git a/private/adbd.te b/private/adbd.te
index 47a6cbd..77c0d73 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -17,10 +17,10 @@
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:capability { setuid setgid };
+allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
-allow adbd self:capability setpcap;
+allow adbd self:global_capability_class_set setpcap;
# Create and use network sockets.
net_domain(adbd)
@@ -36,6 +36,10 @@
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
+# adb pull /data/local/traces/*
+allow adbd trace_data_file:dir r_dir_perms;
+allow adbd trace_data_file:file r_file_perms;
+
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
@@ -55,6 +59,7 @@
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
+set_prop(adbd, exported_ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
diff --git a/private/app.te b/private/app.te
index 9251ed9..f3e1e2a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -1,542 +1,7 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-
# TODO: deal with tmpfs_domain pub/priv split properly
# Read system properties managed by zygote.
allow appdomain zygote_tmpfs:file read;
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain ashmem_device:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Place process into foreground / background
-allow appdomain cgroup:dir { search write };
-allow appdomain cgroup:file rw_file_perms;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app -untrusted_v2_app } system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
-allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Execute dex2oat when apps call dexclassloader
-allow appdomain dex2oat_exec:file rx_file_perms;
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# Write to /proc/net/xt_qtaguid/ctrl file.
-allow appdomain qtaguid_proc:file rw_file_perms;
-# read /proc/net/xt_qtguid/stats
-r_dir_file({ appdomain -ephemeral_app}, proc_net)
-# Everybody can read the xt_qtaguid resource tracking misc dev.
-# So allow all apps to read from /dev/xt_qtaguid.
-allow appdomain qtaguid_device:chr_file r_file_perms;
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-
-# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
-# as OMX HAL
-hwbinder_use({ appdomain -isolated_app })
-allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
-allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr };
-allow appdomain cache_backup_file:file { read write getattr };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } fuse:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } fuse:file create_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcardfs:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } { media_rw_data_file vfat }:file create_file_perms;
-
-# Access OBBs (vfat images) mounted by vold (b/17633509)
-# File write access allowed for FDs returned through Storage Access Framework
-allow { appdomain -isolated_app -ephemeral_app } vfat:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } vfat:file rw_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app untrusted_v2_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
-# TODO is write really necessary ?
-auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
-
-# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
-get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
-
-# Allow app access to mediacodec (IOMX HAL)
-binder_call({ appdomain -isolated_app }, mediacodec)
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability *;
-neverallow { appdomain -bluetooth } self:capability2 *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow appdomain
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-neverallow appdomain vold_socket:sock_file write;
-neverallow appdomain zygote_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
- { sigkill sigstop signal };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump.
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
- { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
- { dyntransition };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Blacklist app domains not allowed to execute from /data
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} bluetooth_prop:file create_file_perms;
+neverallow appdomain system_server:udp_socket {
+ accept append bind create ioctl listen lock name_bind
+ relabelfrom relabelto setattr shutdown };
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index a3d7d49..8d9ccd6 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -8,6 +8,7 @@
mediaprovider
untrusted_app
untrusted_app_25
+ untrusted_app_27
untrusted_app_all
untrusted_v2_app
}')
@@ -36,6 +37,10 @@
neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
+# net.dns properties are not a public API. Temporarily exempt pre-Oreo apps,
+# but otherwise disallow untrusted apps from reading this property.
+neverallow { all_untrusted_apps -untrusted_app_25 } net_dns_prop:file read;
+
# Do not allow untrusted apps to be assigned mlstrustedsubject.
# This would undermine the per-user isolation model being
# enforced via levelFrom=user in seapp_contexts and the mls
@@ -57,6 +62,12 @@
# Do not allow untrusted apps to access network MAC address file
neverallow all_untrusted_apps sysfs_mac_address:file no_rw_file_perms;
+# Do not allow any write access to files in /sys
+neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
+
+# Apps may never access the default sysfs label.
+neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
+
# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
# ioctl permission, or 3. disallow the socket class.
neverallowxperm all_untrusted_apps domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
@@ -82,9 +93,7 @@
# application un-installation.
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
- -fuse # sdcard
- -sdcardfs # sdcard
- -vfat
+ -sdcard_type
file_type
-app_data_file # The apps sandbox itself
-media_rw_data_file # Internal storage. Known that apps can
@@ -108,7 +117,21 @@
# Avoid reads from generically labeled /proc files
# Create a more specific label if needed
-neverallow all_untrusted_apps proc:file { no_rw_file_perms no_x_file_perms };
+neverallow all_untrusted_apps {
+ proc
+ proc_asound
+ proc_filesystems
+ proc_kmsg
+ proc_loadavg
+ proc_mounts
+ proc_pagetypeinfo
+ proc_stat
+ proc_swaps
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file { no_rw_file_perms no_x_file_perms };
# Avoid all access to kernel configuration
neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
@@ -150,14 +173,17 @@
# by surfaceflinger Binder service, which apps are permitted to access
# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
# Binder service which apps were permitted to access.
+# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
neverallow all_untrusted_apps {
hwservice_manager_type
-same_process_hwservice
-coredomain_hwservice
+ -hal_codec2_hwservice
-hal_configstore_ISurfaceFlingerConfigs
-hal_graphics_allocator_hwservice
-hal_omx_hwservice
-hal_cas_hwservice
+ -hal_neuralnetworks_hwservice
-untrusted_app_visible_hwservice
}:hwservice_manager find;
@@ -165,9 +191,11 @@
neverallow all_untrusted_apps {
default_android_hwservice
hal_audio_hwservice
+ hal_authsecret_hwservice
hal_bluetooth_hwservice
hal_bootctl_hwservice
hal_camera_hwservice
+ hal_confirmationui_hwservice
hal_contexthub_hwservice
hal_drm_hwservice
hal_dumpstate_hwservice
@@ -180,10 +208,10 @@
hal_keymaster_hwservice
hal_light_hwservice
hal_memtrack_hwservice
- hal_neuralnetworks_hwservice
hal_nfc_hwservice
hal_oemlock_hwservice
hal_power_hwservice
+ hal_secure_element_hwservice
hal_sensors_hwservice
hal_telephony_hwservice
hal_thermal_hwservice
@@ -224,7 +252,11 @@
-hal_configstore_server
-hal_graphics_allocator_server
-hal_cas_server
+ -hal_neuralnetworks_server
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
-untrusted_app_visible_halserver
}:binder { call transfer };
')
+
+# Untrusted apps are not allowed to find mediaextractor update service.
+neverallow all_untrusted_apps mediaextractor_update_service:service_manager find;
diff --git a/private/atrace.te b/private/atrace.te
index 5de9f99..630935d 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,27 +1,46 @@
-# Domain for atrace process spawned by boottrace service.
+# Domain for atrace process.
+# It is spawned either by traced_probes or by init for the boottrace service.
+type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type;
-userdebug_or_eng(`
- type atrace, domain, coredomain, domain_deprecated;
+# boottrace services uses /data/misc/boottrace/categories
+allow atrace boottrace_data_file:dir search;
+allow atrace boottrace_data_file:file r_file_perms;
+# Allow atrace to access tracefs.
+allow atrace debugfs_tracing:dir r_dir_perms;
+allow atrace debugfs_tracing:file rw_file_perms;
+allow atrace debugfs_trace_marker:file getattr;
+
+# atrace sets debug.atrace.* properties
+set_prop(atrace, debug_prop)
+
+# atrace pokes all the binder-enabled processes at startup with a
+# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
+
+binder_use(atrace)
+allow atrace healthd:binder call;
+allow atrace surfaceflinger:binder call;
+get_prop(atrace, hwservicemanager_prop)
+
+allow atrace {
+ service_manager_type
+ -incident_service
+ -netd_service
+ -stats_service
+ -dumpstate_service
+ -installd_service
+ -vold_service
+}:service_manager { find };
+allow atrace servicemanager:service_manager list;
+
+userdebug_or_eng(`
+ # atrace is generally invoked as a standalone binary from shell or perf
+ # daemons like Perfetto traced_probes. However, in userdebug builds, there is
+ # a further option to run atrace as an init daemon for boot tracing.
init_daemon_domain(atrace)
- # boottrace services uses /data/misc/boottrace/categories
- allow atrace boottrace_data_file:dir search;
- allow atrace boottrace_data_file:file r_file_perms;
-
- # Allow atrace to access tracefs.
- allow atrace debugfs_tracing:dir r_dir_perms;
- allow atrace debugfs_tracing:file rw_file_perms;
+ allow atrace debugfs_tracing_debug:dir r_dir_perms;
allow atrace debugfs_tracing_debug:file rw_file_perms;
- allow atrace debugfs_trace_marker:file getattr;
-
- # atrace sets debug.atrace.* properties
- set_prop(atrace, debug_prop)
-
- # atrace pokes all the binder-enabled processes at startup.
- binder_use(atrace)
- allow atrace healthd:binder call;
- allow atrace surfaceflinger:binder call;
')
diff --git a/private/audioserver.te b/private/audioserver.te
index 9119daa..1d4223f 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -29,11 +29,18 @@
')
add_service(audioserver, audioserver_service)
+allow audioserver activity_service:service_manager find;
allow audioserver appops_service:service_manager find;
allow audioserver batterystats_service:service_manager find;
allow audioserver permission_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
+allow audioserver mediametrics_service:service_manager find;
+
+# Allow read/write access to bluetooth-specific properties
+set_prop(audioserver, bluetooth_a2dp_offload_prop)
+set_prop(audioserver, bluetooth_prop)
+set_prop(audioserver, exported_bluetooth_prop)
# Grant access to audio files to audioserver
allow audioserver audio_data_file:dir ra_dir_perms;
@@ -42,9 +49,24 @@
# allow access to ALSA MMAP FDs for AAudio API
allow audioserver audio_device:chr_file { read write };
+not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
+not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
+
# For A2DP bridge which is loaded directly into audioserver
unix_socket_connect(audioserver, bluetooth, bluetooth)
+# Allow shell commands from ADB and shell for CTS testing/dumping
+allow audioserver adbd:fd use;
+allow audioserver adbd:unix_stream_socket { read write };
+allow audioserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow audioserver su:fd use;
+ allow audioserver su:fifo_file { read write };
+ allow audioserver su:unix_stream_socket { read write };
+')
+
###
### neverallow rules
###
diff --git a/private/blank_screen.te b/private/blank_screen.te
new file mode 100644
index 0000000..43d273b
--- /dev/null
+++ b/private/blank_screen.te
@@ -0,0 +1,6 @@
+type blank_screen, domain, coredomain;
+type blank_screen_exec, exec_type, file_type;
+
+init_daemon_domain(blank_screen)
+
+hal_client_domain(blank_screen, hal_light)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 451d27a..d419855 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -22,12 +22,12 @@
# Socket creation under /data/misc/bluedroid.
allow bluetooth bluetooth_socket:sock_file create_file_perms;
-allow bluetooth self:capability net_admin;
-allow bluetooth self:capability2 wake_alarm;
+allow bluetooth self:global_capability_class_set net_admin;
+allow bluetooth self:global_capability2_class_set wake_alarm;
# tethering
allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:capability { net_admin net_raw net_bind_service };
+allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
allow bluetooth tun_device:chr_file rw_file_perms;
allow bluetooth efs_file:dir search;
@@ -39,7 +39,9 @@
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
# Allow write access to bluetooth specific properties
+set_prop(bluetooth, bluetooth_a2dp_offload_prop)
set_prop(bluetooth, bluetooth_prop)
+set_prop(bluetooth, exported_bluetooth_prop)
set_prop(bluetooth, pan_result_prop)
allow bluetooth audioserver_service:service_manager find;
@@ -47,7 +49,6 @@
allow bluetooth drmserver_service:service_manager find;
allow bluetooth mediaserver_service:service_manager find;
allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
@@ -57,11 +58,14 @@
allow bluetooth shell_data_file:file read;
# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:capability sys_nice;
+allow bluetooth self:global_capability_class_set sys_nice;
hal_client_domain(bluetooth, hal_bluetooth)
hal_client_domain(bluetooth, hal_telephony)
+# Bluetooth A2DP offload requires binding with audio HAL
+hal_client_domain(bluetooth, hal_audio)
+
read_runtime_log_tags(bluetooth)
###
@@ -72,5 +76,5 @@
# Superuser capabilities.
# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:capability ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:capability2 ~{ wake_alarm block_suspend };
+neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
+neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/private/bootanim.te b/private/bootanim.te
index 8c9f6c7..20ff193 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -1,3 +1,6 @@
typeattribute bootanim coredomain;
init_daemon_domain(bootanim)
+
+# b/68864350
+dontaudit bootanim unlabeled:dir search;
diff --git a/private/bpfloader.te b/private/bpfloader.te
new file mode 100644
index 0000000..4e8ec2b
--- /dev/null
+++ b/private/bpfloader.te
@@ -0,0 +1,30 @@
+# bpf program loader
+type bpfloader, domain;
+type bpfloader_exec, exec_type, file_type;
+typeattribute bpfloader coredomain;
+
+# Process need CAP_NET_ADMIN to run bpf programs as cgroup filter
+allow bpfloader self:global_capability_class_set net_admin;
+
+r_dir_file(bpfloader, cgroup_bpf)
+
+# These permission is required for pin bpf program for netd.
+allow bpfloader fs_bpf:dir create_dir_perms;
+allow bpfloader fs_bpf:file create_file_perms;
+allow bpfloader devpts:chr_file { read write };
+
+allow bpfloader netd:fd use;
+
+# Use pinned bpf map files from netd.
+allow bpfloader netd:bpf { map_read map_write };
+allow bpfloader self:bpf { prog_load prog_run };
+
+# Neverallow rules
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfloader -netd -netutils_wrapper} *:bpf prog_run;
+neverallow { domain -netd -bpfloader } bpfloader_exec:file { execute execute_no_trans };
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
+# only system_server, netd and bpfloader can read/write the bpf maps
+neverallow { domain -system_server -netd -bpfloader} netd:bpf { map_read map_write };
+
+dontaudit bpfloader self:capability sys_admin;
diff --git a/private/bug_map b/private/bug_map
new file mode 100644
index 0000000..5c551c8
--- /dev/null
+++ b/private/bug_map
@@ -0,0 +1,45 @@
+cppreopts cppreopts capability 79414024
+dexoptanalyzer apk_data_file file 77853712
+dexoptanalyzer app_data_file file 77853712
+dexoptanalyzer app_data_file lnk_file 77853712
+dexoptanalyzer system_data_file lnk_file 77853712
+dnsmasq netd fifo_file 77868789
+dnsmasq netd unix_stream_socket 77868789
+init app_data_file file 77873135
+init cache_file blk_file 77873135
+init logpersist file 77873135
+init nativetest_data_file dir 77873135
+init pstorefs dir 77873135
+init shell_data_file dir 77873135
+init shell_data_file file 77873135
+init shell_data_file lnk_file 77873135
+init shell_data_file sock_file 77873135
+init system_data_file chr_file 77873135
+mediaextractor app_data_file file 77923736
+mediaextractor radio_data_file file 77923736
+mediaprovider cache_file blk_file 77925342
+mediaprovider mnt_media_rw_file dir 77925342
+mediaprovider shell_data_file dir 77925342
+netd priv_app unix_stream_socket 77870037
+netd untrusted_app unix_stream_socket 77870037
+netd untrusted_app_25 unix_stream_socket 77870037
+netd untrusted_app_27 unix_stream_socket 77870037
+otapreopt_chroot postinstall_file lnk_file 75287236
+platform_app nfc_data_file dir 74331887
+postinstall postinstall capability 77958490
+postinstall_dexopt postinstall_dexopt capability 77958490
+postinstall_dexopt user_profile_data_file file 77958490
+priv_app system_data_file dir 72811052
+profman apk_data_file dir 77922323
+radio statsdw_socket sock_file 78456764
+statsd hal_health_default binder 77919007
+storaged storaged capability 77634061
+surfaceflinger mediacodec binder 77924251
+system_server crash_dump process 73128755
+system_server logd_socket sock_file 64734187
+system_server sdcardfs file 77856826
+system_server zygote process 77856826
+untrusted_app_25 system_data_file dir 72550646
+untrusted_app_27 system_data_file dir 72550646
+usbd usbd capability 72472544
+zygote untrusted_app_25 process 77925912
diff --git a/private/clatd.te b/private/clatd.te
index c09398d..5ba0fc5 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -1,2 +1 @@
typeattribute clatd coredomain;
-typeattribute clatd domain_deprecated;
diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index 40bec84..0478a56 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -1,6 +1,3 @@
-;; private attributes removed from public types
-(typeattributeset domain_deprecated (bluetooth_26_0))
-
;; attributes removed from current policy
(typeattribute hal_wifi_keystore)
(typeattribute hal_wifi_keystore_client)
@@ -10,8 +7,12 @@
(type asan_reboot_prop)
(type log_device)
(type mediacasserver_service)
+(type reboot_data_file)
(type tracing_shell_writable)
(type tracing_shell_writable_debug)
+(type vold_socket)
+(type webview_zygote_socket)
+(type rild)
(typeattributeset accessibility_service_26_0 (accessibility_service))
(typeattributeset account_service_26_0 (account_service))
@@ -117,7 +118,7 @@
(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
@@ -125,7 +126,10 @@
(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
(typeattributeset dalvik_prop_26_0 (dalvik_prop))
(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0 (debugfs))
+(typeattributeset debugfs_26_0
+ ( debugfs
+ debugfs_wakeup_sources
+ ))
(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
@@ -136,7 +140,8 @@
(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
(typeattributeset default_android_service_26_0 (default_android_service))
(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0 (default_prop))
+(typeattributeset default_prop_26_0
+ ( default_prop pm_prop))
(typeattributeset device_26_0 (device))
(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
(typeattributeset deviceidle_service_26_0 (deviceidle_service))
@@ -449,7 +454,39 @@
(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
(typeattributeset print_service_26_0 (print_service))
(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0 (proc proc_uid_time_in_state))
+(typeattributeset proc_26_0
+ ( proc
+ proc_abi
+ proc_asound
+ proc_buddyinfo
+ proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
+ proc_filesystems
+ proc_hostname
+ proc_hung_task
+ proc_kmsg
+ proc_loadavg
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_panic
+ proc_pid_max
+ proc_pipe_conf
+ proc_random
+ proc_sched
+ proc_swaps
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_uid_cpupower
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat))
(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
@@ -459,7 +496,9 @@
(typeattributeset proc_meminfo_26_0 (proc_meminfo))
(typeattributeset proc_misc_26_0 (proc_misc))
(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0 (proc_net))
+(typeattributeset proc_net_26_0
+ ( proc_net
+ proc_qtaguid_stat))
(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
(typeattributeset proc_perf_26_0 (proc_perf))
(typeattributeset proc_security_26_0 (proc_security))
@@ -566,7 +605,18 @@
(typeattributeset surfaceflinger_26_0 (surfaceflinger))
(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0 (sysfs))
+(typeattributeset sysfs_26_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_dt_firmware_android
+ sysfs_ipv4
+ sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
@@ -587,7 +637,9 @@
(typeattributeset system_app_data_file_26_0 (system_app_data_file))
(typeattributeset system_app_service_26_0 (system_app_service))
(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0 (system_data_file))
+(typeattributeset system_data_file_26_0
+ ( system_data_file
+ vendor_data_file))
(typeattributeset system_file_26_0 (system_file))
(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
@@ -630,7 +682,9 @@
(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
(typeattributeset unlabeled_26_0 (unlabeled))
(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0 (untrusted_app))
+(typeattributeset untrusted_app_26_0
+ ( untrusted_app
+ untrusted_app_27))
(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
(typeattributeset update_engine_26_0 (update_engine))
(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 9e1eb97..4e0aae2 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -4,31 +4,155 @@
(typeattribute new_objects)
(typeattributeset new_objects
( adbd_exec
+ atrace
+ binder_calls_stats_service
+ bootloader_boot_reason_prop
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
broadcastradio_service
+ cgroup_bpf
+ crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
e2fs
e2fs_exec
+ exfat
+ exported_audio_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_audiocontrol_hwservice
+ hal_authsecret_hwservice
hal_broadcastradio_hwservice
hal_cas_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_evs_hwservice
+ hal_lowpan_hwservice
hal_neuralnetworks_hwservice
+ hal_secure_element_hwservice
hal_tetheroffload_hwservice
+ hal_wifi_hostapd_hwservice
+ hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
hal_wifi_offload_hwservice
+ incident_helper
+ incident_helper_exec
kmsg_debug_device
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
mediaprovider_tmpfs
+ metadata_file
+ mnt_vendor_file
netd_stable_secret_prop
+ network_watchlist_data_file
+ network_watchlist_service
package_native_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_tmpfs
+ secure_element_service
+ slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statsdw
+ statsdw_socket
+ statscompanion_service
+ storaged_data_file
sysfs_fs_ext4_features
+ system_boot_reason_prop
system_net_netd_hwservice
+ system_update_service
+ test_boot_reason_prop
thermal_service
thermalcallback_hwservice
thermalserviced
thermalserviced_exec
thermalserviced_tmpfs
timezone_service
- tombstoned_java_trace_socket))
+ tombstoned_java_trace_socket
+ tombstone_wifi_data_file
+ trace_data_file
+ traceur_app
+ traceur_app_tmpfs
+ traced
+ traced_consumer_socket
+ traced_enabled_prop
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ vendor_default_prop
+ vendor_security_patch_level_prop
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_init
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs
+ wm_trace_data_file))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
;; Thus, these types are also not mapped, but recorded for checkapi tests
(typeattribute priv_objects)
(typeattributeset priv_objects
- ( adbd_tmpfs ))
+ ( adbd_tmpfs
+ untrusted_app_27_tmpfs
+ ))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
new file mode 100644
index 0000000..dbe3e88
--- /dev/null
+++ b/private/compat/27.0/27.0.cil
@@ -0,0 +1,1484 @@
+;; types removed from current policy
+(type webview_zygote_socket)
+(type reboot_data_file)
+(type vold_socket)
+(type rild)
+
+(expandtypeattribute (accessibility_service_27_0) true)
+(expandtypeattribute (account_service_27_0) true)
+(expandtypeattribute (activity_service_27_0) true)
+(expandtypeattribute (adbd_27_0) true)
+(expandtypeattribute (adb_data_file_27_0) true)
+(expandtypeattribute (adbd_exec_27_0) true)
+(expandtypeattribute (adbd_socket_27_0) true)
+(expandtypeattribute (adb_keys_file_27_0) true)
+(expandtypeattribute (alarm_device_27_0) true)
+(expandtypeattribute (alarm_service_27_0) true)
+(expandtypeattribute (anr_data_file_27_0) true)
+(expandtypeattribute (apk_data_file_27_0) true)
+(expandtypeattribute (apk_private_data_file_27_0) true)
+(expandtypeattribute (apk_private_tmp_file_27_0) true)
+(expandtypeattribute (apk_tmp_file_27_0) true)
+(expandtypeattribute (app_data_file_27_0) true)
+(expandtypeattribute (app_fuse_file_27_0) true)
+(expandtypeattribute (app_fusefs_27_0) true)
+(expandtypeattribute (appops_service_27_0) true)
+(expandtypeattribute (appwidget_service_27_0) true)
+(expandtypeattribute (asec_apk_file_27_0) true)
+(expandtypeattribute (asec_image_file_27_0) true)
+(expandtypeattribute (asec_public_file_27_0) true)
+(expandtypeattribute (ashmem_device_27_0) true)
+(expandtypeattribute (assetatlas_service_27_0) true)
+(expandtypeattribute (audio_data_file_27_0) true)
+(expandtypeattribute (audio_device_27_0) true)
+(expandtypeattribute (audiohal_data_file_27_0) true)
+(expandtypeattribute (audio_prop_27_0) true)
+(expandtypeattribute (audio_seq_device_27_0) true)
+(expandtypeattribute (audioserver_27_0) true)
+(expandtypeattribute (audioserver_data_file_27_0) true)
+(expandtypeattribute (audioserver_service_27_0) true)
+(expandtypeattribute (audio_service_27_0) true)
+(expandtypeattribute (audio_timer_device_27_0) true)
+(expandtypeattribute (autofill_service_27_0) true)
+(expandtypeattribute (backup_data_file_27_0) true)
+(expandtypeattribute (backup_service_27_0) true)
+(expandtypeattribute (batteryproperties_service_27_0) true)
+(expandtypeattribute (battery_service_27_0) true)
+(expandtypeattribute (batterystats_service_27_0) true)
+(expandtypeattribute (binder_device_27_0) true)
+(expandtypeattribute (binfmt_miscfs_27_0) true)
+(expandtypeattribute (blkid_27_0) true)
+(expandtypeattribute (blkid_untrusted_27_0) true)
+(expandtypeattribute (block_device_27_0) true)
+(expandtypeattribute (bluetooth_27_0) true)
+(expandtypeattribute (bluetooth_data_file_27_0) true)
+(expandtypeattribute (bluetooth_efs_file_27_0) true)
+(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
+(expandtypeattribute (bluetooth_manager_service_27_0) true)
+(expandtypeattribute (bluetooth_prop_27_0) true)
+(expandtypeattribute (bluetooth_service_27_0) true)
+(expandtypeattribute (bluetooth_socket_27_0) true)
+(expandtypeattribute (bootanim_27_0) true)
+(expandtypeattribute (bootanim_exec_27_0) true)
+(expandtypeattribute (boot_block_device_27_0) true)
+(expandtypeattribute (bootchart_data_file_27_0) true)
+(expandtypeattribute (bootstat_27_0) true)
+(expandtypeattribute (bootstat_data_file_27_0) true)
+(expandtypeattribute (bootstat_exec_27_0) true)
+(expandtypeattribute (boottime_prop_27_0) true)
+(expandtypeattribute (boottrace_data_file_27_0) true)
+(expandtypeattribute (broadcastradio_service_27_0) true)
+(expandtypeattribute (bufferhubd_27_0) true)
+(expandtypeattribute (bufferhubd_exec_27_0) true)
+(expandtypeattribute (cache_backup_file_27_0) true)
+(expandtypeattribute (cache_block_device_27_0) true)
+(expandtypeattribute (cache_file_27_0) true)
+(expandtypeattribute (cache_private_backup_file_27_0) true)
+(expandtypeattribute (cache_recovery_file_27_0) true)
+(expandtypeattribute (camera_data_file_27_0) true)
+(expandtypeattribute (camera_device_27_0) true)
+(expandtypeattribute (cameraproxy_service_27_0) true)
+(expandtypeattribute (cameraserver_27_0) true)
+(expandtypeattribute (cameraserver_exec_27_0) true)
+(expandtypeattribute (cameraserver_service_27_0) true)
+(expandtypeattribute (cgroup_27_0) true)
+(expandtypeattribute (charger_27_0) true)
+(expandtypeattribute (clatd_27_0) true)
+(expandtypeattribute (clatd_exec_27_0) true)
+(expandtypeattribute (clipboard_service_27_0) true)
+(expandtypeattribute (commontime_management_service_27_0) true)
+(expandtypeattribute (companion_device_service_27_0) true)
+(expandtypeattribute (configfs_27_0) true)
+(expandtypeattribute (config_prop_27_0) true)
+(expandtypeattribute (connectivity_service_27_0) true)
+(expandtypeattribute (connmetrics_service_27_0) true)
+(expandtypeattribute (console_device_27_0) true)
+(expandtypeattribute (consumer_ir_service_27_0) true)
+(expandtypeattribute (content_service_27_0) true)
+(expandtypeattribute (contexthub_service_27_0) true)
+(expandtypeattribute (coredump_file_27_0) true)
+(expandtypeattribute (country_detector_service_27_0) true)
+(expandtypeattribute (coverage_service_27_0) true)
+(expandtypeattribute (cppreopt_prop_27_0) true)
+(expandtypeattribute (cppreopts_27_0) true)
+(expandtypeattribute (cppreopts_exec_27_0) true)
+(expandtypeattribute (cpuctl_device_27_0) true)
+(expandtypeattribute (cpuinfo_service_27_0) true)
+(expandtypeattribute (crash_dump_27_0) true)
+(expandtypeattribute (crash_dump_exec_27_0) true)
+(expandtypeattribute (ctl_bootanim_prop_27_0) true)
+(expandtypeattribute (ctl_bugreport_prop_27_0) true)
+(expandtypeattribute (ctl_console_prop_27_0) true)
+(expandtypeattribute (ctl_default_prop_27_0) true)
+(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
+(expandtypeattribute (ctl_fuse_prop_27_0) true)
+(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
+(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
+(expandtypeattribute (dalvikcache_data_file_27_0) true)
+(expandtypeattribute (dalvik_prop_27_0) true)
+(expandtypeattribute (dbinfo_service_27_0) true)
+(expandtypeattribute (debugfs_27_0) true)
+(expandtypeattribute (debugfs_mmc_27_0) true)
+(expandtypeattribute (debugfs_trace_marker_27_0) true)
+(expandtypeattribute (debugfs_tracing_27_0) true)
+(expandtypeattribute (debugfs_tracing_debug_27_0) true)
+(expandtypeattribute (debugfs_tracing_instances_27_0) true)
+(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
+(expandtypeattribute (debuggerd_prop_27_0) true)
+(expandtypeattribute (debug_prop_27_0) true)
+(expandtypeattribute (default_android_hwservice_27_0) true)
+(expandtypeattribute (default_android_service_27_0) true)
+(expandtypeattribute (default_android_vndservice_27_0) true)
+(expandtypeattribute (default_prop_27_0) true)
+(expandtypeattribute (device_27_0) true)
+(expandtypeattribute (device_identifiers_service_27_0) true)
+(expandtypeattribute (deviceidle_service_27_0) true)
+(expandtypeattribute (device_logging_prop_27_0) true)
+(expandtypeattribute (device_policy_service_27_0) true)
+(expandtypeattribute (devicestoragemonitor_service_27_0) true)
+(expandtypeattribute (devpts_27_0) true)
+(expandtypeattribute (dex2oat_27_0) true)
+(expandtypeattribute (dex2oat_exec_27_0) true)
+(expandtypeattribute (dhcp_27_0) true)
+(expandtypeattribute (dhcp_data_file_27_0) true)
+(expandtypeattribute (dhcp_exec_27_0) true)
+(expandtypeattribute (dhcp_prop_27_0) true)
+(expandtypeattribute (diskstats_service_27_0) true)
+(expandtypeattribute (display_service_27_0) true)
+(expandtypeattribute (dm_device_27_0) true)
+(expandtypeattribute (dnsmasq_27_0) true)
+(expandtypeattribute (dnsmasq_exec_27_0) true)
+(expandtypeattribute (dnsproxyd_socket_27_0) true)
+(expandtypeattribute (DockObserver_service_27_0) true)
+(expandtypeattribute (dreams_service_27_0) true)
+(expandtypeattribute (drm_data_file_27_0) true)
+(expandtypeattribute (drmserver_27_0) true)
+(expandtypeattribute (drmserver_exec_27_0) true)
+(expandtypeattribute (drmserver_service_27_0) true)
+(expandtypeattribute (drmserver_socket_27_0) true)
+(expandtypeattribute (dropbox_service_27_0) true)
+(expandtypeattribute (dumpstate_27_0) true)
+(expandtypeattribute (dumpstate_exec_27_0) true)
+(expandtypeattribute (dumpstate_options_prop_27_0) true)
+(expandtypeattribute (dumpstate_prop_27_0) true)
+(expandtypeattribute (dumpstate_service_27_0) true)
+(expandtypeattribute (dumpstate_socket_27_0) true)
+(expandtypeattribute (e2fs_27_0) true)
+(expandtypeattribute (e2fs_exec_27_0) true)
+(expandtypeattribute (efs_file_27_0) true)
+(expandtypeattribute (ephemeral_app_27_0) true)
+(expandtypeattribute (ethernet_service_27_0) true)
+(expandtypeattribute (ffs_prop_27_0) true)
+(expandtypeattribute (file_contexts_file_27_0) true)
+(expandtypeattribute (fingerprintd_27_0) true)
+(expandtypeattribute (fingerprintd_data_file_27_0) true)
+(expandtypeattribute (fingerprintd_exec_27_0) true)
+(expandtypeattribute (fingerprintd_service_27_0) true)
+(expandtypeattribute (fingerprint_prop_27_0) true)
+(expandtypeattribute (fingerprint_service_27_0) true)
+(expandtypeattribute (firstboot_prop_27_0) true)
+(expandtypeattribute (font_service_27_0) true)
+(expandtypeattribute (frp_block_device_27_0) true)
+(expandtypeattribute (fsck_27_0) true)
+(expandtypeattribute (fsck_exec_27_0) true)
+(expandtypeattribute (fscklogs_27_0) true)
+(expandtypeattribute (fsck_untrusted_27_0) true)
+(expandtypeattribute (full_device_27_0) true)
+(expandtypeattribute (functionfs_27_0) true)
+(expandtypeattribute (fuse_27_0) true)
+(expandtypeattribute (fuse_device_27_0) true)
+(expandtypeattribute (fwk_display_hwservice_27_0) true)
+(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
+(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
+(expandtypeattribute (fwmarkd_socket_27_0) true)
+(expandtypeattribute (gatekeeperd_27_0) true)
+(expandtypeattribute (gatekeeper_data_file_27_0) true)
+(expandtypeattribute (gatekeeperd_exec_27_0) true)
+(expandtypeattribute (gatekeeper_service_27_0) true)
+(expandtypeattribute (gfxinfo_service_27_0) true)
+(expandtypeattribute (gps_control_27_0) true)
+(expandtypeattribute (gpu_device_27_0) true)
+(expandtypeattribute (gpu_service_27_0) true)
+(expandtypeattribute (graphics_device_27_0) true)
+(expandtypeattribute (graphicsstats_service_27_0) true)
+(expandtypeattribute (hal_audio_hwservice_27_0) true)
+(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
+(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
+(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
+(expandtypeattribute (hal_camera_hwservice_27_0) true)
+(expandtypeattribute (hal_cas_hwservice_27_0) true)
+(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
+(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
+(expandtypeattribute (hal_drm_hwservice_27_0) true)
+(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
+(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
+(expandtypeattribute (hal_fingerprint_service_27_0) true)
+(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
+(expandtypeattribute (hal_gnss_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
+(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
+(expandtypeattribute (hal_health_hwservice_27_0) true)
+(expandtypeattribute (hal_ir_hwservice_27_0) true)
+(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
+(expandtypeattribute (hal_light_hwservice_27_0) true)
+(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
+(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
+(expandtypeattribute (hal_nfc_hwservice_27_0) true)
+(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
+(expandtypeattribute (hal_omx_hwservice_27_0) true)
+(expandtypeattribute (hal_power_hwservice_27_0) true)
+(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
+(expandtypeattribute (hal_sensors_hwservice_27_0) true)
+(expandtypeattribute (hal_telephony_hwservice_27_0) true)
+(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
+(expandtypeattribute (hal_thermal_hwservice_27_0) true)
+(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
+(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
+(expandtypeattribute (hal_usb_hwservice_27_0) true)
+(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
+(expandtypeattribute (hal_vr_hwservice_27_0) true)
+(expandtypeattribute (hal_weaver_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
+(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
+(expandtypeattribute (hardware_properties_service_27_0) true)
+(expandtypeattribute (hardware_service_27_0) true)
+(expandtypeattribute (hci_attach_dev_27_0) true)
+(expandtypeattribute (hdmi_control_service_27_0) true)
+(expandtypeattribute (healthd_27_0) true)
+(expandtypeattribute (healthd_exec_27_0) true)
+(expandtypeattribute (heapdump_data_file_27_0) true)
+(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
+(expandtypeattribute (hidl_base_hwservice_27_0) true)
+(expandtypeattribute (hidl_manager_hwservice_27_0) true)
+(expandtypeattribute (hidl_memory_hwservice_27_0) true)
+(expandtypeattribute (hidl_token_hwservice_27_0) true)
+(expandtypeattribute (hwbinder_device_27_0) true)
+(expandtypeattribute (hw_random_device_27_0) true)
+(expandtypeattribute (hwservice_contexts_file_27_0) true)
+(expandtypeattribute (hwservicemanager_27_0) true)
+(expandtypeattribute (hwservicemanager_exec_27_0) true)
+(expandtypeattribute (hwservicemanager_prop_27_0) true)
+(expandtypeattribute (i2c_device_27_0) true)
+(expandtypeattribute (icon_file_27_0) true)
+(expandtypeattribute (idmap_27_0) true)
+(expandtypeattribute (idmap_exec_27_0) true)
+(expandtypeattribute (iio_device_27_0) true)
+(expandtypeattribute (imms_service_27_0) true)
+(expandtypeattribute (incident_27_0) true)
+(expandtypeattribute (incidentd_27_0) true)
+(expandtypeattribute (incident_data_file_27_0) true)
+(expandtypeattribute (incident_service_27_0) true)
+(expandtypeattribute (init_27_0) true)
+(expandtypeattribute (init_exec_27_0) true)
+(expandtypeattribute (inotify_27_0) true)
+(expandtypeattribute (input_device_27_0) true)
+(expandtypeattribute (inputflinger_27_0) true)
+(expandtypeattribute (inputflinger_exec_27_0) true)
+(expandtypeattribute (inputflinger_service_27_0) true)
+(expandtypeattribute (input_method_service_27_0) true)
+(expandtypeattribute (input_service_27_0) true)
+(expandtypeattribute (installd_27_0) true)
+(expandtypeattribute (install_data_file_27_0) true)
+(expandtypeattribute (installd_exec_27_0) true)
+(expandtypeattribute (installd_service_27_0) true)
+(expandtypeattribute (install_recovery_27_0) true)
+(expandtypeattribute (install_recovery_exec_27_0) true)
+(expandtypeattribute (ion_device_27_0) true)
+(expandtypeattribute (IProxyService_service_27_0) true)
+(expandtypeattribute (ipsec_service_27_0) true)
+(expandtypeattribute (isolated_app_27_0) true)
+(expandtypeattribute (jobscheduler_service_27_0) true)
+(expandtypeattribute (kernel_27_0) true)
+(expandtypeattribute (keychain_data_file_27_0) true)
+(expandtypeattribute (keychord_device_27_0) true)
+(expandtypeattribute (keystore_27_0) true)
+(expandtypeattribute (keystore_data_file_27_0) true)
+(expandtypeattribute (keystore_exec_27_0) true)
+(expandtypeattribute (keystore_service_27_0) true)
+(expandtypeattribute (kmem_device_27_0) true)
+(expandtypeattribute (kmsg_debug_device_27_0) true)
+(expandtypeattribute (kmsg_device_27_0) true)
+(expandtypeattribute (labeledfs_27_0) true)
+(expandtypeattribute (launcherapps_service_27_0) true)
+(expandtypeattribute (lmkd_27_0) true)
+(expandtypeattribute (lmkd_exec_27_0) true)
+(expandtypeattribute (lmkd_socket_27_0) true)
+(expandtypeattribute (location_service_27_0) true)
+(expandtypeattribute (lock_settings_service_27_0) true)
+(expandtypeattribute (logcat_exec_27_0) true)
+(expandtypeattribute (logd_27_0) true)
+(expandtypeattribute (logd_exec_27_0) true)
+(expandtypeattribute (logd_prop_27_0) true)
+(expandtypeattribute (logdr_socket_27_0) true)
+(expandtypeattribute (logd_socket_27_0) true)
+(expandtypeattribute (logdw_socket_27_0) true)
+(expandtypeattribute (logpersist_27_0) true)
+(expandtypeattribute (logpersistd_logging_prop_27_0) true)
+(expandtypeattribute (log_prop_27_0) true)
+(expandtypeattribute (log_tag_prop_27_0) true)
+(expandtypeattribute (loop_control_device_27_0) true)
+(expandtypeattribute (loop_device_27_0) true)
+(expandtypeattribute (mac_perms_file_27_0) true)
+(expandtypeattribute (mdnsd_27_0) true)
+(expandtypeattribute (mdnsd_socket_27_0) true)
+(expandtypeattribute (mdns_socket_27_0) true)
+(expandtypeattribute (mediacodec_27_0) true)
+(expandtypeattribute (mediacodec_exec_27_0) true)
+(expandtypeattribute (mediacodec_service_27_0) true)
+(expandtypeattribute (media_data_file_27_0) true)
+(expandtypeattribute (mediadrmserver_27_0) true)
+(expandtypeattribute (mediadrmserver_exec_27_0) true)
+(expandtypeattribute (mediadrmserver_service_27_0) true)
+(expandtypeattribute (mediaextractor_27_0) true)
+(expandtypeattribute (mediaextractor_exec_27_0) true)
+(expandtypeattribute (mediaextractor_service_27_0) true)
+(expandtypeattribute (mediametrics_27_0) true)
+(expandtypeattribute (mediametrics_exec_27_0) true)
+(expandtypeattribute (mediametrics_service_27_0) true)
+(expandtypeattribute (media_projection_service_27_0) true)
+(expandtypeattribute (mediaprovider_27_0) true)
+(expandtypeattribute (media_router_service_27_0) true)
+(expandtypeattribute (media_rw_data_file_27_0) true)
+(expandtypeattribute (mediaserver_27_0) true)
+(expandtypeattribute (mediaserver_exec_27_0) true)
+(expandtypeattribute (mediaserver_service_27_0) true)
+(expandtypeattribute (media_session_service_27_0) true)
+(expandtypeattribute (meminfo_service_27_0) true)
+(expandtypeattribute (metadata_block_device_27_0) true)
+(expandtypeattribute (method_trace_data_file_27_0) true)
+(expandtypeattribute (midi_service_27_0) true)
+(expandtypeattribute (misc_block_device_27_0) true)
+(expandtypeattribute (misc_logd_file_27_0) true)
+(expandtypeattribute (misc_user_data_file_27_0) true)
+(expandtypeattribute (mmc_prop_27_0) true)
+(expandtypeattribute (mnt_expand_file_27_0) true)
+(expandtypeattribute (mnt_media_rw_file_27_0) true)
+(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
+(expandtypeattribute (mnt_user_file_27_0) true)
+(expandtypeattribute (modprobe_27_0) true)
+(expandtypeattribute (mount_service_27_0) true)
+(expandtypeattribute (mqueue_27_0) true)
+(expandtypeattribute (mtd_device_27_0) true)
+(expandtypeattribute (mtp_27_0) true)
+(expandtypeattribute (mtp_device_27_0) true)
+(expandtypeattribute (mtpd_socket_27_0) true)
+(expandtypeattribute (mtp_exec_27_0) true)
+(expandtypeattribute (nativetest_data_file_27_0) true)
+(expandtypeattribute (netd_27_0) true)
+(expandtypeattribute (net_data_file_27_0) true)
+(expandtypeattribute (netd_exec_27_0) true)
+(expandtypeattribute (netd_listener_service_27_0) true)
+(expandtypeattribute (net_dns_prop_27_0) true)
+(expandtypeattribute (netd_service_27_0) true)
+(expandtypeattribute (netd_socket_27_0) true)
+(expandtypeattribute (netd_stable_secret_prop_27_0) true)
+(expandtypeattribute (netif_27_0) true)
+(expandtypeattribute (netpolicy_service_27_0) true)
+(expandtypeattribute (net_radio_prop_27_0) true)
+(expandtypeattribute (netstats_service_27_0) true)
+(expandtypeattribute (netutils_wrapper_27_0) true)
+(expandtypeattribute (netutils_wrapper_exec_27_0) true)
+(expandtypeattribute (network_management_service_27_0) true)
+(expandtypeattribute (network_score_service_27_0) true)
+(expandtypeattribute (network_time_update_service_27_0) true)
+(expandtypeattribute (nfc_27_0) true)
+(expandtypeattribute (nfc_data_file_27_0) true)
+(expandtypeattribute (nfc_device_27_0) true)
+(expandtypeattribute (nfc_prop_27_0) true)
+(expandtypeattribute (nfc_service_27_0) true)
+(expandtypeattribute (node_27_0) true)
+(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
+(expandtypeattribute (notification_service_27_0) true)
+(expandtypeattribute (null_device_27_0) true)
+(expandtypeattribute (oemfs_27_0) true)
+(expandtypeattribute (oem_lock_service_27_0) true)
+(expandtypeattribute (ota_data_file_27_0) true)
+(expandtypeattribute (otadexopt_service_27_0) true)
+(expandtypeattribute (ota_package_file_27_0) true)
+(expandtypeattribute (otapreopt_chroot_27_0) true)
+(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
+(expandtypeattribute (otapreopt_slot_27_0) true)
+(expandtypeattribute (otapreopt_slot_exec_27_0) true)
+(expandtypeattribute (overlay_prop_27_0) true)
+(expandtypeattribute (overlay_service_27_0) true)
+(expandtypeattribute (owntty_device_27_0) true)
+(expandtypeattribute (package_native_service_27_0) true)
+(expandtypeattribute (package_service_27_0) true)
+(expandtypeattribute (pan_result_prop_27_0) true)
+(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
+(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_dir_27_0) true)
+(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
+(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
+(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
+(expandtypeattribute (pdx_performance_dir_27_0) true)
+(expandtypeattribute (performanced_27_0) true)
+(expandtypeattribute (performanced_exec_27_0) true)
+(expandtypeattribute (perfprofd_27_0) true)
+(expandtypeattribute (perfprofd_data_file_27_0) true)
+(expandtypeattribute (perfprofd_exec_27_0) true)
+(expandtypeattribute (permission_service_27_0) true)
+(expandtypeattribute (persist_debug_prop_27_0) true)
+(expandtypeattribute (persistent_data_block_service_27_0) true)
+(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
+(expandtypeattribute (pinner_service_27_0) true)
+(expandtypeattribute (pipefs_27_0) true)
+(expandtypeattribute (platform_app_27_0) true)
+(expandtypeattribute (pmsg_device_27_0) true)
+(expandtypeattribute (port_27_0) true)
+(expandtypeattribute (port_device_27_0) true)
+(expandtypeattribute (postinstall_27_0) true)
+(expandtypeattribute (postinstall_dexopt_27_0) true)
+(expandtypeattribute (postinstall_file_27_0) true)
+(expandtypeattribute (postinstall_mnt_dir_27_0) true)
+(expandtypeattribute (powerctl_prop_27_0) true)
+(expandtypeattribute (power_service_27_0) true)
+(expandtypeattribute (ppp_27_0) true)
+(expandtypeattribute (ppp_device_27_0) true)
+(expandtypeattribute (ppp_exec_27_0) true)
+(expandtypeattribute (preloads_data_file_27_0) true)
+(expandtypeattribute (preloads_media_file_27_0) true)
+(expandtypeattribute (preopt2cachename_27_0) true)
+(expandtypeattribute (preopt2cachename_exec_27_0) true)
+(expandtypeattribute (print_service_27_0) true)
+(expandtypeattribute (priv_app_27_0) true)
+(expandtypeattribute (proc_27_0) true)
+(expandtypeattribute (proc_bluetooth_writable_27_0) true)
+(expandtypeattribute (proc_cpuinfo_27_0) true)
+(expandtypeattribute (proc_drop_caches_27_0) true)
+(expandtypeattribute (processinfo_service_27_0) true)
+(expandtypeattribute (proc_interrupts_27_0) true)
+(expandtypeattribute (proc_iomem_27_0) true)
+(expandtypeattribute (proc_meminfo_27_0) true)
+(expandtypeattribute (proc_misc_27_0) true)
+(expandtypeattribute (proc_modules_27_0) true)
+(expandtypeattribute (proc_net_27_0) true)
+(expandtypeattribute (proc_overcommit_memory_27_0) true)
+(expandtypeattribute (proc_perf_27_0) true)
+(expandtypeattribute (proc_security_27_0) true)
+(expandtypeattribute (proc_stat_27_0) true)
+(expandtypeattribute (procstats_service_27_0) true)
+(expandtypeattribute (proc_sysrq_27_0) true)
+(expandtypeattribute (proc_timer_27_0) true)
+(expandtypeattribute (proc_tty_drivers_27_0) true)
+(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
+(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
+(expandtypeattribute (proc_uid_io_stats_27_0) true)
+(expandtypeattribute (proc_uid_procstat_set_27_0) true)
+(expandtypeattribute (proc_uid_time_in_state_27_0) true)
+(expandtypeattribute (proc_zoneinfo_27_0) true)
+(expandtypeattribute (profman_27_0) true)
+(expandtypeattribute (profman_dump_data_file_27_0) true)
+(expandtypeattribute (profman_exec_27_0) true)
+(expandtypeattribute (properties_device_27_0) true)
+(expandtypeattribute (properties_serial_27_0) true)
+(expandtypeattribute (property_contexts_file_27_0) true)
+(expandtypeattribute (property_data_file_27_0) true)
+(expandtypeattribute (property_socket_27_0) true)
+(expandtypeattribute (pstorefs_27_0) true)
+(expandtypeattribute (ptmx_device_27_0) true)
+(expandtypeattribute (qtaguid_device_27_0) true)
+(expandtypeattribute (qtaguid_proc_27_0) true)
+(expandtypeattribute (racoon_27_0) true)
+(expandtypeattribute (racoon_exec_27_0) true)
+(expandtypeattribute (racoon_socket_27_0) true)
+(expandtypeattribute (radio_27_0) true)
+(expandtypeattribute (radio_data_file_27_0) true)
+(expandtypeattribute (radio_device_27_0) true)
+(expandtypeattribute (radio_prop_27_0) true)
+(expandtypeattribute (radio_service_27_0) true)
+(expandtypeattribute (ram_device_27_0) true)
+(expandtypeattribute (random_device_27_0) true)
+(expandtypeattribute (reboot_data_file_27_0) true)
+(expandtypeattribute (recovery_27_0) true)
+(expandtypeattribute (recovery_block_device_27_0) true)
+(expandtypeattribute (recovery_data_file_27_0) true)
+(expandtypeattribute (recovery_persist_27_0) true)
+(expandtypeattribute (recovery_persist_exec_27_0) true)
+(expandtypeattribute (recovery_refresh_27_0) true)
+(expandtypeattribute (recovery_refresh_exec_27_0) true)
+(expandtypeattribute (recovery_service_27_0) true)
+(expandtypeattribute (registry_service_27_0) true)
+(expandtypeattribute (resourcecache_data_file_27_0) true)
+(expandtypeattribute (restorecon_prop_27_0) true)
+(expandtypeattribute (restrictions_service_27_0) true)
+(expandtypeattribute (rild_27_0) true)
+(expandtypeattribute (rild_debug_socket_27_0) true)
+(expandtypeattribute (rild_socket_27_0) true)
+(expandtypeattribute (ringtone_file_27_0) true)
+(expandtypeattribute (root_block_device_27_0) true)
+(expandtypeattribute (rootfs_27_0) true)
+(expandtypeattribute (rpmsg_device_27_0) true)
+(expandtypeattribute (rtc_device_27_0) true)
+(expandtypeattribute (rttmanager_service_27_0) true)
+(expandtypeattribute (runas_27_0) true)
+(expandtypeattribute (runas_exec_27_0) true)
+(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
+(expandtypeattribute (safemode_prop_27_0) true)
+(expandtypeattribute (same_process_hal_file_27_0) true)
+(expandtypeattribute (samplingprofiler_service_27_0) true)
+(expandtypeattribute (scheduling_policy_service_27_0) true)
+(expandtypeattribute (sdcardd_27_0) true)
+(expandtypeattribute (sdcardd_exec_27_0) true)
+(expandtypeattribute (sdcardfs_27_0) true)
+(expandtypeattribute (seapp_contexts_file_27_0) true)
+(expandtypeattribute (search_service_27_0) true)
+(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
+(expandtypeattribute (selinuxfs_27_0) true)
+(expandtypeattribute (sensors_device_27_0) true)
+(expandtypeattribute (sensorservice_service_27_0) true)
+(expandtypeattribute (sepolicy_file_27_0) true)
+(expandtypeattribute (serial_device_27_0) true)
+(expandtypeattribute (serialno_prop_27_0) true)
+(expandtypeattribute (serial_service_27_0) true)
+(expandtypeattribute (service_contexts_file_27_0) true)
+(expandtypeattribute (servicediscovery_service_27_0) true)
+(expandtypeattribute (servicemanager_27_0) true)
+(expandtypeattribute (servicemanager_exec_27_0) true)
+(expandtypeattribute (settings_service_27_0) true)
+(expandtypeattribute (sgdisk_27_0) true)
+(expandtypeattribute (sgdisk_exec_27_0) true)
+(expandtypeattribute (shared_relro_27_0) true)
+(expandtypeattribute (shared_relro_file_27_0) true)
+(expandtypeattribute (shell_27_0) true)
+(expandtypeattribute (shell_data_file_27_0) true)
+(expandtypeattribute (shell_exec_27_0) true)
+(expandtypeattribute (shell_prop_27_0) true)
+(expandtypeattribute (shm_27_0) true)
+(expandtypeattribute (shortcut_manager_icons_27_0) true)
+(expandtypeattribute (shortcut_service_27_0) true)
+(expandtypeattribute (slideshow_27_0) true)
+(expandtypeattribute (socket_device_27_0) true)
+(expandtypeattribute (sockfs_27_0) true)
+(expandtypeattribute (statusbar_service_27_0) true)
+(expandtypeattribute (storaged_service_27_0) true)
+(expandtypeattribute (storage_file_27_0) true)
+(expandtypeattribute (storagestats_service_27_0) true)
+(expandtypeattribute (storage_stub_file_27_0) true)
+(expandtypeattribute (su_27_0) true)
+(expandtypeattribute (su_exec_27_0) true)
+(expandtypeattribute (surfaceflinger_27_0) true)
+(expandtypeattribute (surfaceflinger_service_27_0) true)
+(expandtypeattribute (swap_block_device_27_0) true)
+(expandtypeattribute (sysfs_27_0) true)
+(expandtypeattribute (sysfs_batteryinfo_27_0) true)
+(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
+(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
+(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
+(expandtypeattribute (sysfs_hwrandom_27_0) true)
+(expandtypeattribute (sysfs_leds_27_0) true)
+(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
+(expandtypeattribute (sysfs_mac_address_27_0) true)
+(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
+(expandtypeattribute (sysfs_thermal_27_0) true)
+(expandtypeattribute (sysfs_uio_27_0) true)
+(expandtypeattribute (sysfs_usb_27_0) true)
+(expandtypeattribute (sysfs_usermodehelper_27_0) true)
+(expandtypeattribute (sysfs_vibrator_27_0) true)
+(expandtypeattribute (sysfs_wake_lock_27_0) true)
+(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
+(expandtypeattribute (sysfs_zram_27_0) true)
+(expandtypeattribute (sysfs_zram_uevent_27_0) true)
+(expandtypeattribute (system_app_27_0) true)
+(expandtypeattribute (system_app_data_file_27_0) true)
+(expandtypeattribute (system_app_service_27_0) true)
+(expandtypeattribute (system_block_device_27_0) true)
+(expandtypeattribute (system_data_file_27_0) true)
+(expandtypeattribute (system_file_27_0) true)
+(expandtypeattribute (systemkeys_data_file_27_0) true)
+(expandtypeattribute (system_ndebug_socket_27_0) true)
+(expandtypeattribute (system_net_netd_hwservice_27_0) true)
+(expandtypeattribute (system_prop_27_0) true)
+(expandtypeattribute (system_radio_prop_27_0) true)
+(expandtypeattribute (system_server_27_0) true)
+(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
+(expandtypeattribute (system_wpa_socket_27_0) true)
+(expandtypeattribute (task_service_27_0) true)
+(expandtypeattribute (tee_27_0) true)
+(expandtypeattribute (tee_data_file_27_0) true)
+(expandtypeattribute (tee_device_27_0) true)
+(expandtypeattribute (telecom_service_27_0) true)
+(expandtypeattribute (textclassification_service_27_0) true)
+(expandtypeattribute (textclassifier_data_file_27_0) true)
+(expandtypeattribute (textservices_service_27_0) true)
+(expandtypeattribute (thermalcallback_hwservice_27_0) true)
+(expandtypeattribute (thermal_service_27_0) true)
+(expandtypeattribute (thermalserviced_27_0) true)
+(expandtypeattribute (thermalserviced_exec_27_0) true)
+(expandtypeattribute (timezone_service_27_0) true)
+(expandtypeattribute (tmpfs_27_0) true)
+(expandtypeattribute (tombstoned_27_0) true)
+(expandtypeattribute (tombstone_data_file_27_0) true)
+(expandtypeattribute (tombstoned_crash_socket_27_0) true)
+(expandtypeattribute (tombstoned_exec_27_0) true)
+(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
+(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
+(expandtypeattribute (toolbox_27_0) true)
+(expandtypeattribute (toolbox_exec_27_0) true)
+(expandtypeattribute (trust_service_27_0) true)
+(expandtypeattribute (tty_device_27_0) true)
+(expandtypeattribute (tun_device_27_0) true)
+(expandtypeattribute (tv_input_service_27_0) true)
+(expandtypeattribute (tzdatacheck_27_0) true)
+(expandtypeattribute (tzdatacheck_exec_27_0) true)
+(expandtypeattribute (ueventd_27_0) true)
+(expandtypeattribute (uhid_device_27_0) true)
+(expandtypeattribute (uimode_service_27_0) true)
+(expandtypeattribute (uio_device_27_0) true)
+(expandtypeattribute (uncrypt_27_0) true)
+(expandtypeattribute (uncrypt_exec_27_0) true)
+(expandtypeattribute (uncrypt_socket_27_0) true)
+(expandtypeattribute (unencrypted_data_file_27_0) true)
+(expandtypeattribute (unlabeled_27_0) true)
+(expandtypeattribute (untrusted_app_25_27_0) true)
+(expandtypeattribute (untrusted_app_27_0) true)
+(expandtypeattribute (untrusted_v2_app_27_0) true)
+(expandtypeattribute (update_engine_27_0) true)
+(expandtypeattribute (update_engine_data_file_27_0) true)
+(expandtypeattribute (update_engine_exec_27_0) true)
+(expandtypeattribute (update_engine_service_27_0) true)
+(expandtypeattribute (updatelock_service_27_0) true)
+(expandtypeattribute (update_verifier_27_0) true)
+(expandtypeattribute (update_verifier_exec_27_0) true)
+(expandtypeattribute (usagestats_service_27_0) true)
+(expandtypeattribute (usbaccessory_device_27_0) true)
+(expandtypeattribute (usb_device_27_0) true)
+(expandtypeattribute (usbfs_27_0) true)
+(expandtypeattribute (usb_service_27_0) true)
+(expandtypeattribute (userdata_block_device_27_0) true)
+(expandtypeattribute (usermodehelper_27_0) true)
+(expandtypeattribute (user_profile_data_file_27_0) true)
+(expandtypeattribute (user_service_27_0) true)
+(expandtypeattribute (vcs_device_27_0) true)
+(expandtypeattribute (vdc_27_0) true)
+(expandtypeattribute (vdc_exec_27_0) true)
+(expandtypeattribute (vendor_app_file_27_0) true)
+(expandtypeattribute (vendor_configs_file_27_0) true)
+(expandtypeattribute (vendor_file_27_0) true)
+(expandtypeattribute (vendor_framework_file_27_0) true)
+(expandtypeattribute (vendor_hal_file_27_0) true)
+(expandtypeattribute (vendor_overlay_file_27_0) true)
+(expandtypeattribute (vendor_shell_exec_27_0) true)
+(expandtypeattribute (vendor_toolbox_exec_27_0) true)
+(expandtypeattribute (vfat_27_0) true)
+(expandtypeattribute (vibrator_service_27_0) true)
+(expandtypeattribute (video_device_27_0) true)
+(expandtypeattribute (virtual_touchpad_27_0) true)
+(expandtypeattribute (virtual_touchpad_exec_27_0) true)
+(expandtypeattribute (virtual_touchpad_service_27_0) true)
+(expandtypeattribute (vndbinder_device_27_0) true)
+(expandtypeattribute (vndk_sp_file_27_0) true)
+(expandtypeattribute (vndservice_contexts_file_27_0) true)
+(expandtypeattribute (vndservicemanager_27_0) true)
+(expandtypeattribute (voiceinteraction_service_27_0) true)
+(expandtypeattribute (vold_27_0) true)
+(expandtypeattribute (vold_data_file_27_0) true)
+(expandtypeattribute (vold_device_27_0) true)
+(expandtypeattribute (vold_exec_27_0) true)
+(expandtypeattribute (vold_prop_27_0) true)
+(expandtypeattribute (vold_socket_27_0) true)
+(expandtypeattribute (vpn_data_file_27_0) true)
+(expandtypeattribute (vr_hwc_27_0) true)
+(expandtypeattribute (vr_hwc_exec_27_0) true)
+(expandtypeattribute (vr_hwc_service_27_0) true)
+(expandtypeattribute (vr_manager_service_27_0) true)
+(expandtypeattribute (wallpaper_file_27_0) true)
+(expandtypeattribute (wallpaper_service_27_0) true)
+(expandtypeattribute (watchdogd_27_0) true)
+(expandtypeattribute (watchdog_device_27_0) true)
+(expandtypeattribute (webviewupdate_service_27_0) true)
+(expandtypeattribute (webview_zygote_27_0) true)
+(expandtypeattribute (webview_zygote_exec_27_0) true)
+(expandtypeattribute (webview_zygote_socket_27_0) true)
+(expandtypeattribute (wifiaware_service_27_0) true)
+(expandtypeattribute (wificond_27_0) true)
+(expandtypeattribute (wificond_exec_27_0) true)
+(expandtypeattribute (wificond_service_27_0) true)
+(expandtypeattribute (wifi_data_file_27_0) true)
+(expandtypeattribute (wifi_log_prop_27_0) true)
+(expandtypeattribute (wifip2p_service_27_0) true)
+(expandtypeattribute (wifi_prop_27_0) true)
+(expandtypeattribute (wifiscanner_service_27_0) true)
+(expandtypeattribute (wifi_service_27_0) true)
+(expandtypeattribute (window_service_27_0) true)
+(expandtypeattribute (wpa_socket_27_0) true)
+(expandtypeattribute (zero_device_27_0) true)
+(expandtypeattribute (zoneinfo_data_file_27_0) true)
+(expandtypeattribute (zygote_27_0) true)
+(expandtypeattribute (zygote_exec_27_0) true)
+(expandtypeattribute (zygote_socket_27_0) true)
+(typeattributeset accessibility_service_27_0 (accessibility_service))
+(typeattributeset account_service_27_0 (account_service))
+(typeattributeset activity_service_27_0 (activity_service))
+(typeattributeset adbd_27_0 (adbd))
+(typeattributeset adb_data_file_27_0 (adb_data_file))
+(typeattributeset adbd_exec_27_0 (adbd_exec))
+(typeattributeset adbd_socket_27_0 (adbd_socket))
+(typeattributeset adb_keys_file_27_0 (adb_keys_file))
+(typeattributeset alarm_device_27_0 (alarm_device))
+(typeattributeset alarm_service_27_0 (alarm_service))
+(typeattributeset anr_data_file_27_0 (anr_data_file))
+(typeattributeset apk_data_file_27_0 (apk_data_file))
+(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
+(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
+(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
+(typeattributeset app_data_file_27_0 (app_data_file))
+(typeattributeset app_fuse_file_27_0 (app_fuse_file))
+(typeattributeset app_fusefs_27_0 (app_fusefs))
+(typeattributeset appops_service_27_0 (appops_service))
+(typeattributeset appwidget_service_27_0 (appwidget_service))
+(typeattributeset asec_apk_file_27_0 (asec_apk_file))
+(typeattributeset asec_image_file_27_0 (asec_image_file))
+(typeattributeset asec_public_file_27_0 (asec_public_file))
+(typeattributeset ashmem_device_27_0 (ashmem_device))
+(typeattributeset assetatlas_service_27_0 (assetatlas_service))
+(typeattributeset audio_data_file_27_0 (audio_data_file))
+(typeattributeset audio_device_27_0 (audio_device))
+(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
+(typeattributeset audio_prop_27_0 (audio_prop))
+(typeattributeset audio_seq_device_27_0 (audio_seq_device))
+(typeattributeset audioserver_27_0 (audioserver))
+(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
+(typeattributeset audioserver_service_27_0 (audioserver_service))
+(typeattributeset audio_service_27_0 (audio_service))
+(typeattributeset audio_timer_device_27_0 (audio_timer_device))
+(typeattributeset autofill_service_27_0 (autofill_service))
+(typeattributeset backup_data_file_27_0 (backup_data_file))
+(typeattributeset backup_service_27_0 (backup_service))
+(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
+(typeattributeset battery_service_27_0 (battery_service))
+(typeattributeset batterystats_service_27_0 (batterystats_service))
+(typeattributeset binder_device_27_0 (binder_device))
+(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
+(typeattributeset blkid_27_0 (blkid))
+(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
+(typeattributeset block_device_27_0 (block_device))
+(typeattributeset bluetooth_27_0 (bluetooth))
+(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
+(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
+(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
+(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
+(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
+(typeattributeset bluetooth_service_27_0 (bluetooth_service))
+(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
+(typeattributeset bootanim_27_0 (bootanim))
+(typeattributeset bootanim_exec_27_0 (bootanim_exec))
+(typeattributeset boot_block_device_27_0 (boot_block_device))
+(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
+(typeattributeset bootstat_27_0 (bootstat))
+(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
+(typeattributeset bootstat_exec_27_0 (bootstat_exec))
+(typeattributeset boottime_prop_27_0 (boottime_prop))
+(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
+(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
+(typeattributeset bufferhubd_27_0 (bufferhubd))
+(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
+(typeattributeset cache_backup_file_27_0 (cache_backup_file))
+(typeattributeset cache_block_device_27_0 (cache_block_device))
+(typeattributeset cache_file_27_0 (cache_file))
+(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
+(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
+(typeattributeset camera_data_file_27_0 (camera_data_file))
+(typeattributeset camera_device_27_0 (camera_device))
+(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
+(typeattributeset cameraserver_27_0 (cameraserver))
+(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
+(typeattributeset cameraserver_service_27_0 (cameraserver_service))
+(typeattributeset cgroup_27_0 (cgroup))
+(typeattributeset charger_27_0 (charger))
+(typeattributeset clatd_27_0 (clatd))
+(typeattributeset clatd_exec_27_0 (clatd_exec))
+(typeattributeset clipboard_service_27_0 (clipboard_service))
+(typeattributeset commontime_management_service_27_0 (commontime_management_service))
+(typeattributeset companion_device_service_27_0 (companion_device_service))
+(typeattributeset configfs_27_0 (configfs))
+(typeattributeset config_prop_27_0 (config_prop))
+(typeattributeset connectivity_service_27_0 (connectivity_service))
+(typeattributeset connmetrics_service_27_0 (connmetrics_service))
+(typeattributeset console_device_27_0 (console_device))
+(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
+(typeattributeset content_service_27_0 (content_service))
+(typeattributeset contexthub_service_27_0 (contexthub_service))
+(typeattributeset coredump_file_27_0 (coredump_file))
+(typeattributeset country_detector_service_27_0 (country_detector_service))
+(typeattributeset coverage_service_27_0 (coverage_service))
+(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
+(typeattributeset cppreopts_27_0 (cppreopts))
+(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
+(typeattributeset cpuctl_device_27_0 (cpuctl_device))
+(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
+(typeattributeset crash_dump_27_0 (crash_dump))
+(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
+(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
+(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
+(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
+(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
+(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
+(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
+(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
+(typeattributeset dalvik_prop_27_0 (dalvik_prop))
+(typeattributeset dbinfo_service_27_0 (dbinfo_service))
+(typeattributeset debugfs_27_0
+ ( debugfs
+ debugfs_wakeup_sources))
+(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
+(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
+(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
+(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
+(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
+(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
+(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
+(typeattributeset debug_prop_27_0 (debug_prop))
+(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
+(typeattributeset default_android_service_27_0 (default_android_service))
+(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
+(typeattributeset default_prop_27_0
+ ( default_prop
+ pm_prop))
+(typeattributeset device_27_0 (device))
+(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
+(typeattributeset deviceidle_service_27_0 (deviceidle_service))
+(typeattributeset device_logging_prop_27_0 (device_logging_prop))
+(typeattributeset device_policy_service_27_0 (device_policy_service))
+(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
+(typeattributeset devpts_27_0 (devpts))
+(typeattributeset dex2oat_27_0 (dex2oat))
+(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
+(typeattributeset dhcp_27_0 (dhcp))
+(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
+(typeattributeset dhcp_exec_27_0 (dhcp_exec))
+(typeattributeset dhcp_prop_27_0 (dhcp_prop))
+(typeattributeset diskstats_service_27_0 (diskstats_service))
+(typeattributeset display_service_27_0 (display_service))
+(typeattributeset dm_device_27_0 (dm_device))
+(typeattributeset dnsmasq_27_0 (dnsmasq))
+(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
+(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
+(typeattributeset DockObserver_service_27_0 (DockObserver_service))
+(typeattributeset dreams_service_27_0 (dreams_service))
+(typeattributeset drm_data_file_27_0 (drm_data_file))
+(typeattributeset drmserver_27_0 (drmserver))
+(typeattributeset drmserver_exec_27_0 (drmserver_exec))
+(typeattributeset drmserver_service_27_0 (drmserver_service))
+(typeattributeset drmserver_socket_27_0 (drmserver_socket))
+(typeattributeset dropbox_service_27_0 (dropbox_service))
+(typeattributeset dumpstate_27_0 (dumpstate))
+(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
+(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
+(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
+(typeattributeset dumpstate_service_27_0 (dumpstate_service))
+(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
+(typeattributeset e2fs_27_0 (e2fs))
+(typeattributeset e2fs_exec_27_0 (e2fs_exec))
+(typeattributeset efs_file_27_0 (efs_file))
+(typeattributeset ephemeral_app_27_0 (ephemeral_app))
+(typeattributeset ethernet_service_27_0 (ethernet_service))
+(typeattributeset ffs_prop_27_0 (ffs_prop))
+(typeattributeset file_contexts_file_27_0 (file_contexts_file))
+(typeattributeset fingerprintd_27_0 (fingerprintd))
+(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
+(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
+(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
+(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
+(typeattributeset fingerprint_service_27_0 (fingerprint_service))
+(typeattributeset firstboot_prop_27_0 (firstboot_prop))
+(typeattributeset font_service_27_0 (font_service))
+(typeattributeset frp_block_device_27_0 (frp_block_device))
+(typeattributeset fsck_27_0 (fsck))
+(typeattributeset fsck_exec_27_0 (fsck_exec))
+(typeattributeset fscklogs_27_0 (fscklogs))
+(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
+(typeattributeset full_device_27_0 (full_device))
+(typeattributeset functionfs_27_0 (functionfs))
+(typeattributeset fuse_27_0 (fuse))
+(typeattributeset fuse_device_27_0 (fuse_device))
+(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
+(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
+(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
+(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
+(typeattributeset gatekeeperd_27_0 (gatekeeperd))
+(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
+(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
+(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
+(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
+(typeattributeset gps_control_27_0 (gps_control))
+(typeattributeset gpu_device_27_0 (gpu_device))
+(typeattributeset gpu_service_27_0 (gpu_service))
+(typeattributeset graphics_device_27_0 (graphics_device))
+(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
+(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
+(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
+(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
+(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
+(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
+(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
+(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
+(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
+(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
+(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
+(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
+(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
+(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
+(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
+(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
+(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
+(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
+(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
+(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
+(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
+(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
+(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
+(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
+(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
+(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
+(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
+(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
+(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
+(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
+(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
+(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
+(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
+(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
+(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
+(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
+(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
+(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
+(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
+(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
+(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
+(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
+(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
+(typeattributeset hardware_service_27_0 (hardware_service))
+(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
+(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
+(typeattributeset healthd_27_0 (healthd))
+(typeattributeset healthd_exec_27_0 (healthd_exec))
+(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
+(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
+(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
+(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
+(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
+(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
+(typeattributeset hwbinder_device_27_0 (hwbinder_device))
+(typeattributeset hw_random_device_27_0 (hw_random_device))
+(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
+(typeattributeset hwservicemanager_27_0 (hwservicemanager))
+(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
+(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
+(typeattributeset i2c_device_27_0 (i2c_device))
+(typeattributeset icon_file_27_0 (icon_file))
+(typeattributeset idmap_27_0 (idmap))
+(typeattributeset idmap_exec_27_0 (idmap_exec))
+(typeattributeset iio_device_27_0 (iio_device))
+(typeattributeset imms_service_27_0 (imms_service))
+(typeattributeset incident_27_0 (incident))
+(typeattributeset incidentd_27_0 (incidentd))
+(typeattributeset incident_data_file_27_0 (incident_data_file))
+(typeattributeset incident_service_27_0 (incident_service))
+(typeattributeset init_27_0 (init))
+(typeattributeset init_exec_27_0 (init_exec))
+(typeattributeset inotify_27_0 (inotify))
+(typeattributeset input_device_27_0 (input_device))
+(typeattributeset inputflinger_27_0 (inputflinger))
+(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
+(typeattributeset inputflinger_service_27_0 (inputflinger_service))
+(typeattributeset input_method_service_27_0 (input_method_service))
+(typeattributeset input_service_27_0 (input_service))
+(typeattributeset installd_27_0 (installd))
+(typeattributeset install_data_file_27_0 (install_data_file))
+(typeattributeset installd_exec_27_0 (installd_exec))
+(typeattributeset installd_service_27_0 (installd_service))
+(typeattributeset install_recovery_27_0 (install_recovery))
+(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
+(typeattributeset ion_device_27_0 (ion_device))
+(typeattributeset IProxyService_service_27_0 (IProxyService_service))
+(typeattributeset ipsec_service_27_0 (ipsec_service))
+(typeattributeset isolated_app_27_0 (isolated_app))
+(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
+(typeattributeset kernel_27_0 (kernel))
+(typeattributeset keychain_data_file_27_0 (keychain_data_file))
+(typeattributeset keychord_device_27_0 (keychord_device))
+(typeattributeset keystore_27_0 (keystore))
+(typeattributeset keystore_data_file_27_0 (keystore_data_file))
+(typeattributeset keystore_exec_27_0 (keystore_exec))
+(typeattributeset keystore_service_27_0 (keystore_service))
+(typeattributeset kmem_device_27_0 (kmem_device))
+(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
+(typeattributeset kmsg_device_27_0 (kmsg_device))
+(typeattributeset labeledfs_27_0 (labeledfs))
+(typeattributeset launcherapps_service_27_0 (launcherapps_service))
+(typeattributeset lmkd_27_0 (lmkd))
+(typeattributeset lmkd_exec_27_0 (lmkd_exec))
+(typeattributeset lmkd_socket_27_0 (lmkd_socket))
+(typeattributeset location_service_27_0 (location_service))
+(typeattributeset lock_settings_service_27_0 (lock_settings_service))
+(typeattributeset logcat_exec_27_0 (logcat_exec))
+(typeattributeset logd_27_0 (logd))
+(typeattributeset logd_exec_27_0 (logd_exec))
+(typeattributeset logd_prop_27_0 (logd_prop))
+(typeattributeset logdr_socket_27_0 (logdr_socket))
+(typeattributeset logd_socket_27_0 (logd_socket))
+(typeattributeset logdw_socket_27_0 (logdw_socket))
+(typeattributeset logpersist_27_0 (logpersist))
+(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
+(typeattributeset log_prop_27_0 (log_prop))
+(typeattributeset log_tag_prop_27_0 (log_tag_prop))
+(typeattributeset loop_control_device_27_0 (loop_control_device))
+(typeattributeset loop_device_27_0 (loop_device))
+(typeattributeset mac_perms_file_27_0 (mac_perms_file))
+(typeattributeset mdnsd_27_0 (mdnsd))
+(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
+(typeattributeset mdns_socket_27_0 (mdns_socket))
+(typeattributeset mediacodec_27_0 (mediacodec))
+(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
+(typeattributeset mediacodec_service_27_0 (mediacodec_service))
+(typeattributeset media_data_file_27_0 (media_data_file))
+(typeattributeset mediadrmserver_27_0 (mediadrmserver))
+(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
+(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
+(typeattributeset mediaextractor_27_0 (mediaextractor))
+(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
+(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
+(typeattributeset mediametrics_27_0 (mediametrics))
+(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
+(typeattributeset mediametrics_service_27_0 (mediametrics_service))
+(typeattributeset media_projection_service_27_0 (media_projection_service))
+(typeattributeset mediaprovider_27_0 (mediaprovider))
+(typeattributeset media_router_service_27_0 (media_router_service))
+(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
+(typeattributeset mediaserver_27_0 (mediaserver))
+(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
+(typeattributeset mediaserver_service_27_0 (mediaserver_service))
+(typeattributeset media_session_service_27_0 (media_session_service))
+(typeattributeset meminfo_service_27_0 (meminfo_service))
+(typeattributeset metadata_block_device_27_0 (metadata_block_device))
+(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
+(typeattributeset midi_service_27_0 (midi_service))
+(typeattributeset misc_block_device_27_0 (misc_block_device))
+(typeattributeset misc_logd_file_27_0 (misc_logd_file))
+(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
+(typeattributeset mmc_prop_27_0 (mmc_prop))
+(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
+(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
+(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
+(typeattributeset mnt_user_file_27_0 (mnt_user_file))
+(typeattributeset modprobe_27_0 (modprobe))
+(typeattributeset mount_service_27_0 (mount_service))
+(typeattributeset mqueue_27_0 (mqueue))
+(typeattributeset mtd_device_27_0 (mtd_device))
+(typeattributeset mtp_27_0 (mtp))
+(typeattributeset mtp_device_27_0 (mtp_device))
+(typeattributeset mtpd_socket_27_0 (mtpd_socket))
+(typeattributeset mtp_exec_27_0 (mtp_exec))
+(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
+(typeattributeset netd_27_0 (netd))
+(typeattributeset net_data_file_27_0 (net_data_file))
+(typeattributeset netd_exec_27_0 (netd_exec))
+(typeattributeset netd_listener_service_27_0 (netd_listener_service))
+(typeattributeset net_dns_prop_27_0 (net_dns_prop))
+(typeattributeset netd_service_27_0 (netd_service))
+(typeattributeset netd_socket_27_0 (netd_socket))
+(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
+(typeattributeset netif_27_0 (netif))
+(typeattributeset netpolicy_service_27_0 (netpolicy_service))
+(typeattributeset net_radio_prop_27_0 (net_radio_prop))
+(typeattributeset netstats_service_27_0 (netstats_service))
+(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
+(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
+(typeattributeset network_management_service_27_0 (network_management_service))
+(typeattributeset network_score_service_27_0 (network_score_service))
+(typeattributeset network_time_update_service_27_0 (network_time_update_service))
+(typeattributeset nfc_27_0 (nfc))
+(typeattributeset nfc_data_file_27_0 (nfc_data_file))
+(typeattributeset nfc_device_27_0 (nfc_device))
+(typeattributeset nfc_prop_27_0 (nfc_prop))
+(typeattributeset nfc_service_27_0 (nfc_service))
+(typeattributeset node_27_0 (node))
+(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
+(typeattributeset notification_service_27_0 (notification_service))
+(typeattributeset null_device_27_0 (null_device))
+(typeattributeset oemfs_27_0 (oemfs))
+(typeattributeset oem_lock_service_27_0 (oem_lock_service))
+(typeattributeset ota_data_file_27_0 (ota_data_file))
+(typeattributeset otadexopt_service_27_0 (otadexopt_service))
+(typeattributeset ota_package_file_27_0 (ota_package_file))
+(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
+(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
+(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
+(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
+(typeattributeset overlay_prop_27_0 (overlay_prop))
+(typeattributeset overlay_service_27_0 (overlay_service))
+(typeattributeset owntty_device_27_0 (owntty_device))
+(typeattributeset package_native_service_27_0 (package_native_service))
+(typeattributeset package_service_27_0 (package_service))
+(typeattributeset pan_result_prop_27_0 (pan_result_prop))
+(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
+(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
+(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
+(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
+(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
+(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
+(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
+(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
+(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
+(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
+(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
+(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
+(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
+(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
+(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
+(typeattributeset performanced_27_0 (performanced))
+(typeattributeset performanced_exec_27_0 (performanced_exec))
+(typeattributeset perfprofd_27_0 (perfprofd))
+(typeattributeset perfprofd_data_file_27_0 (perfprofd_data_file))
+(typeattributeset perfprofd_exec_27_0 (perfprofd_exec))
+(typeattributeset permission_service_27_0 (permission_service))
+(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
+(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
+(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
+(typeattributeset pinner_service_27_0 (pinner_service))
+(typeattributeset pipefs_27_0 (pipefs))
+(typeattributeset platform_app_27_0 (platform_app))
+(typeattributeset pmsg_device_27_0 (pmsg_device))
+(typeattributeset port_27_0 (port))
+(typeattributeset port_device_27_0 (port_device))
+(typeattributeset postinstall_27_0 (postinstall))
+(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
+(typeattributeset postinstall_file_27_0 (postinstall_file))
+(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
+(typeattributeset powerctl_prop_27_0 (powerctl_prop))
+(typeattributeset power_service_27_0 (power_service))
+(typeattributeset ppp_27_0 (ppp))
+(typeattributeset ppp_device_27_0 (ppp_device))
+(typeattributeset ppp_exec_27_0 (ppp_exec))
+(typeattributeset preloads_data_file_27_0 (preloads_data_file))
+(typeattributeset preloads_media_file_27_0 (preloads_media_file))
+(typeattributeset preopt2cachename_27_0 (preopt2cachename))
+(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
+(typeattributeset print_service_27_0 (print_service))
+(typeattributeset priv_app_27_0 (priv_app))
+(typeattributeset proc_27_0
+ ( proc
+ proc_abi
+ proc_asound
+ proc_buddyinfo
+ proc_cmdline
+ proc_dirty
+ proc_diskstats
+ proc_extra_free_kbytes
+ proc_filesystems
+ proc_hostname
+ proc_hung_task
+ proc_kmsg
+ proc_loadavg
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_mounts
+ proc_page_cluster
+ proc_pagetypeinfo
+ proc_panic
+ proc_pid_max
+ proc_pipe_conf
+ proc_random
+ proc_sched
+ proc_swaps
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_uid_cpupower
+ proc_uptime
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat))
+(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
+(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
+(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
+(typeattributeset processinfo_service_27_0 (processinfo_service))
+(typeattributeset proc_interrupts_27_0 (proc_interrupts))
+(typeattributeset proc_iomem_27_0 (proc_iomem))
+(typeattributeset proc_meminfo_27_0 (proc_meminfo))
+(typeattributeset proc_misc_27_0 (proc_misc))
+(typeattributeset proc_modules_27_0 (proc_modules))
+(typeattributeset proc_net_27_0
+ ( proc_net
+ proc_qtaguid_stat))
+(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
+(typeattributeset proc_perf_27_0 (proc_perf))
+(typeattributeset proc_security_27_0 (proc_security))
+(typeattributeset proc_stat_27_0 (proc_stat))
+(typeattributeset procstats_service_27_0 (procstats_service))
+(typeattributeset proc_sysrq_27_0 (proc_sysrq))
+(typeattributeset proc_timer_27_0 (proc_timer))
+(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
+(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
+(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
+(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
+(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
+(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
+(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
+(typeattributeset profman_27_0 (profman))
+(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
+(typeattributeset profman_exec_27_0 (profman_exec))
+(typeattributeset properties_device_27_0 (properties_device))
+(typeattributeset properties_serial_27_0 (properties_serial))
+(typeattributeset property_contexts_file_27_0 (property_contexts_file))
+(typeattributeset property_data_file_27_0 (property_data_file))
+(typeattributeset property_socket_27_0 (property_socket))
+(typeattributeset pstorefs_27_0 (pstorefs))
+(typeattributeset ptmx_device_27_0 (ptmx_device))
+(typeattributeset qtaguid_device_27_0 (qtaguid_device))
+(typeattributeset qtaguid_proc_27_0 (qtaguid_proc))
+(typeattributeset racoon_27_0 (racoon))
+(typeattributeset racoon_exec_27_0 (racoon_exec))
+(typeattributeset racoon_socket_27_0 (racoon_socket))
+(typeattributeset radio_27_0 (radio))
+(typeattributeset radio_data_file_27_0 (radio_data_file))
+(typeattributeset radio_device_27_0 (radio_device))
+(typeattributeset radio_prop_27_0 (radio_prop))
+(typeattributeset radio_service_27_0 (radio_service))
+(typeattributeset ram_device_27_0 (ram_device))
+(typeattributeset random_device_27_0 (random_device))
+(typeattributeset reboot_data_file_27_0 (reboot_data_file))
+(typeattributeset recovery_27_0 (recovery))
+(typeattributeset recovery_block_device_27_0 (recovery_block_device))
+(typeattributeset recovery_data_file_27_0 (recovery_data_file))
+(typeattributeset recovery_persist_27_0 (recovery_persist))
+(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
+(typeattributeset recovery_refresh_27_0 (recovery_refresh))
+(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
+(typeattributeset recovery_service_27_0 (recovery_service))
+(typeattributeset registry_service_27_0 (registry_service))
+(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
+(typeattributeset restorecon_prop_27_0 (restorecon_prop))
+(typeattributeset restrictions_service_27_0 (restrictions_service))
+(typeattributeset rild_27_0 (rild))
+(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
+(typeattributeset rild_socket_27_0 (rild_socket))
+(typeattributeset ringtone_file_27_0 (ringtone_file))
+(typeattributeset root_block_device_27_0 (root_block_device))
+(typeattributeset rootfs_27_0 (rootfs))
+(typeattributeset rpmsg_device_27_0 (rpmsg_device))
+(typeattributeset rtc_device_27_0 (rtc_device))
+(typeattributeset rttmanager_service_27_0 (rttmanager_service))
+(typeattributeset runas_27_0 (runas))
+(typeattributeset runas_exec_27_0 (runas_exec))
+(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
+(typeattributeset safemode_prop_27_0 (safemode_prop))
+(typeattributeset same_process_hal_file_27_0 (same_process_hal_file))
+(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
+(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
+(typeattributeset sdcardd_27_0 (sdcardd))
+(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
+(typeattributeset sdcardfs_27_0 (sdcardfs))
+(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
+(typeattributeset search_service_27_0 (search_service))
+(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
+(typeattributeset selinuxfs_27_0 (selinuxfs))
+(typeattributeset sensors_device_27_0 (sensors_device))
+(typeattributeset sensorservice_service_27_0 (sensorservice_service))
+(typeattributeset sepolicy_file_27_0 (sepolicy_file))
+(typeattributeset serial_device_27_0 (serial_device))
+(typeattributeset serialno_prop_27_0 (serialno_prop))
+(typeattributeset serial_service_27_0 (serial_service))
+(typeattributeset service_contexts_file_27_0 (service_contexts_file))
+(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
+(typeattributeset servicemanager_27_0 (servicemanager))
+(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
+(typeattributeset settings_service_27_0 (settings_service))
+(typeattributeset sgdisk_27_0 (sgdisk))
+(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
+(typeattributeset shared_relro_27_0 (shared_relro))
+(typeattributeset shared_relro_file_27_0 (shared_relro_file))
+(typeattributeset shell_27_0 (shell))
+(typeattributeset shell_data_file_27_0 (shell_data_file))
+(typeattributeset shell_exec_27_0 (shell_exec))
+(typeattributeset shell_prop_27_0 (shell_prop))
+(typeattributeset shm_27_0 (shm))
+(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
+(typeattributeset shortcut_service_27_0 (shortcut_service))
+(typeattributeset slideshow_27_0 (slideshow))
+(typeattributeset socket_device_27_0 (socket_device))
+(typeattributeset sockfs_27_0 (sockfs))
+(typeattributeset statusbar_service_27_0 (statusbar_service))
+(typeattributeset storaged_service_27_0 (storaged_service))
+(typeattributeset storage_file_27_0 (storage_file))
+(typeattributeset storagestats_service_27_0 (storagestats_service))
+(typeattributeset storage_stub_file_27_0 (storage_stub_file))
+(typeattributeset su_27_0 (su))
+(typeattributeset su_exec_27_0 (su_exec))
+(typeattributeset surfaceflinger_27_0 (surfaceflinger))
+(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
+(typeattributeset swap_block_device_27_0 (swap_block_device))
+(typeattributeset sysfs_27_0
+ ( sysfs
+ sysfs_android_usb
+ sysfs_dm
+ sysfs_dt_firmware_android
+ sysfs_ipv4
+ sysfs_kernel_notes
+ sysfs_net
+ sysfs_power
+ sysfs_rtc
+ sysfs_switch
+ sysfs_wakeup_reasons))
+(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
+(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
+(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
+(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
+(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
+(typeattributeset sysfs_leds_27_0 (sysfs_leds))
+(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
+(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
+(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
+(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
+(typeattributeset sysfs_uio_27_0 (sysfs_uio))
+(typeattributeset sysfs_usb_27_0 (sysfs_usb))
+(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
+(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
+(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
+(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
+(typeattributeset sysfs_zram_27_0 (sysfs_zram))
+(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
+(typeattributeset system_app_27_0 (system_app))
+(typeattributeset system_app_data_file_27_0 (system_app_data_file))
+(typeattributeset system_app_service_27_0 (system_app_service))
+(typeattributeset system_block_device_27_0 (system_block_device))
+(typeattributeset system_data_file_27_0
+ ( system_data_file
+ vendor_data_file))
+(typeattributeset system_file_27_0 (system_file))
+(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
+(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
+(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
+(typeattributeset system_prop_27_0 (system_prop))
+(typeattributeset system_radio_prop_27_0 (system_radio_prop))
+(typeattributeset system_server_27_0 (system_server))
+(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
+(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
+(typeattributeset task_service_27_0 (task_service))
+(typeattributeset tee_27_0 (tee))
+(typeattributeset tee_data_file_27_0 (tee_data_file))
+(typeattributeset tee_device_27_0 (tee_device))
+(typeattributeset telecom_service_27_0 (telecom_service))
+(typeattributeset textclassification_service_27_0 (textclassification_service))
+(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
+(typeattributeset textservices_service_27_0 (textservices_service))
+(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
+(typeattributeset thermal_service_27_0 (thermal_service))
+(typeattributeset thermalserviced_27_0 (thermalserviced))
+(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
+(typeattributeset timezone_service_27_0 (timezone_service))
+(typeattributeset tmpfs_27_0 (tmpfs))
+(typeattributeset tombstoned_27_0 (tombstoned))
+(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
+(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
+(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
+(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
+(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
+(typeattributeset toolbox_27_0 (toolbox))
+(typeattributeset toolbox_exec_27_0 (toolbox_exec))
+(typeattributeset trust_service_27_0 (trust_service))
+(typeattributeset tty_device_27_0 (tty_device))
+(typeattributeset tun_device_27_0 (tun_device))
+(typeattributeset tv_input_service_27_0 (tv_input_service))
+(typeattributeset tzdatacheck_27_0 (tzdatacheck))
+(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
+(typeattributeset ueventd_27_0 (ueventd))
+(typeattributeset uhid_device_27_0 (uhid_device))
+(typeattributeset uimode_service_27_0 (uimode_service))
+(typeattributeset uio_device_27_0 (uio_device))
+(typeattributeset uncrypt_27_0 (uncrypt))
+(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
+(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
+(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
+(typeattributeset unlabeled_27_0 (unlabeled))
+(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
+(typeattributeset untrusted_app_27_0
+ ( untrusted_app
+ untrusted_app_27))
+(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
+(typeattributeset update_engine_27_0 (update_engine))
+(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
+(typeattributeset update_engine_exec_27_0 (update_engine_exec))
+(typeattributeset update_engine_service_27_0 (update_engine_service))
+(typeattributeset updatelock_service_27_0 (updatelock_service))
+(typeattributeset update_verifier_27_0 (update_verifier))
+(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
+(typeattributeset usagestats_service_27_0 (usagestats_service))
+(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
+(typeattributeset usb_device_27_0 (usb_device))
+(typeattributeset usbfs_27_0 (usbfs))
+(typeattributeset usb_service_27_0 (usb_service))
+(typeattributeset userdata_block_device_27_0 (userdata_block_device))
+(typeattributeset usermodehelper_27_0 (usermodehelper))
+(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
+(typeattributeset user_service_27_0 (user_service))
+(typeattributeset vcs_device_27_0 (vcs_device))
+(typeattributeset vdc_27_0 (vdc))
+(typeattributeset vdc_exec_27_0 (vdc_exec))
+(typeattributeset vendor_app_file_27_0 (vendor_app_file))
+(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
+(typeattributeset vendor_file_27_0 (vendor_file))
+(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
+(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
+(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
+(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
+(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
+(typeattributeset vfat_27_0 (vfat))
+(typeattributeset vibrator_service_27_0 (vibrator_service))
+(typeattributeset video_device_27_0 (video_device))
+(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
+(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
+(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
+(typeattributeset vndbinder_device_27_0 (vndbinder_device))
+(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
+(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
+(typeattributeset vndservicemanager_27_0 (vndservicemanager))
+(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
+(typeattributeset vold_27_0 (vold))
+(typeattributeset vold_data_file_27_0 (vold_data_file))
+(typeattributeset vold_device_27_0 (vold_device))
+(typeattributeset vold_exec_27_0 (vold_exec))
+(typeattributeset vold_prop_27_0 (vold_prop))
+(typeattributeset vold_socket_27_0 (vold_socket))
+(typeattributeset vpn_data_file_27_0 (vpn_data_file))
+(typeattributeset vr_hwc_27_0 (vr_hwc))
+(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
+(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
+(typeattributeset vr_manager_service_27_0 (vr_manager_service))
+(typeattributeset wallpaper_file_27_0 (wallpaper_file))
+(typeattributeset wallpaper_service_27_0 (wallpaper_service))
+(typeattributeset watchdogd_27_0 (watchdogd))
+(typeattributeset watchdog_device_27_0 (watchdog_device))
+(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
+(typeattributeset webview_zygote_27_0 (webview_zygote))
+(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
+(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
+(typeattributeset wifiaware_service_27_0 (wifiaware_service))
+(typeattributeset wificond_27_0 (wificond))
+(typeattributeset wificond_exec_27_0 (wificond_exec))
+(typeattributeset wificond_service_27_0 (wificond_service))
+(typeattributeset wifi_data_file_27_0 (wifi_data_file))
+(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
+(typeattributeset wifip2p_service_27_0 (wifip2p_service))
+(typeattributeset wifi_prop_27_0 (wifi_prop))
+(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
+(typeattributeset wifi_service_27_0 (wifi_service))
+(typeattributeset window_service_27_0 (window_service))
+(typeattributeset wpa_socket_27_0 (wpa_socket))
+(typeattributeset zero_device_27_0 (zero_device))
+(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
+(typeattributeset zygote_27_0 (zygote))
+(typeattributeset zygote_exec_27_0 (zygote_exec))
+(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
new file mode 100644
index 0000000..747478c
--- /dev/null
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -0,0 +1,133 @@
+;; new_objects - a collection of types that have been introduced that have no
+;; analogue in older policy. Thus, we do not need to map these types to
+;; previous ones. Add here to pass checkapi tests.
+(typeattribute new_objects)
+(typeattributeset new_objects
+ ( atrace
+ binder_calls_stats_service
+ blank_screen
+ blank_screen_exec
+ blank_screen_tmpfs
+ bootloader_boot_reason_prop
+ bluetooth_a2dp_offload_prop
+ bpfloader
+ bpfloader_exec
+ cgroup_bpf
+ crossprofileapps_service
+ ctl_interface_restart_prop
+ ctl_interface_start_prop
+ ctl_interface_stop_prop
+ ctl_sigstop_prop
+ exfat
+ exported2_config_prop
+ exported2_default_prop
+ exported2_radio_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_radio_prop
+ exported3_system_prop
+ exported_audio_prop
+ exported_bluetooth_prop
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_overlay_prop
+ exported_pm_prop
+ exported_radio_prop
+ exported_secure_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported_wifi_prop
+ fingerprint_vendor_data_file
+ fs_bpf
+ hal_audiocontrol_hwservice
+ hal_authsecret_hwservice
+ hal_codec2_hwservice
+ hal_confirmationui_hwservice
+ hal_evs_hwservice
+ hal_lowpan_hwservice
+ hal_secure_element_hwservice
+ hal_usb_gadget_hwservice
+ hal_vehicle_hwservice
+ hal_wifi_hostapd_hwservice
+ incident_helper
+ incident_helper_exec
+ last_boot_reason_prop
+ lowpan_device
+ lowpan_prop
+ lowpan_service
+ mediaextractor_update_service
+ metadata_file
+ mnt_vendor_file
+ network_watchlist_data_file
+ network_watchlist_service
+ perfetto
+ perfetto_exec
+ perfetto_tmpfs
+ perfetto_traces_data_file
+ perfprofd_service
+ property_info
+ secure_element
+ secure_element_device
+ secure_element_service
+ secure_element_tmpfs
+ slice_service
+ stats
+ stats_data_file
+ stats_exec
+ stats_service
+ statscompanion_service
+ statsd
+ statsd_exec
+ statsd_tmpfs
+ statsdw
+ statsdw_socket
+ storaged_data_file
+ system_boot_reason_prop
+ system_update_service
+ test_boot_reason_prop
+ tombstone_wifi_data_file
+ trace_data_file
+ traced
+ traced_consumer_socket
+ traced_enabled_prop
+ traced_exec
+ traced_probes
+ traced_probes_exec
+ traced_probes_tmpfs
+ traced_producer_socket
+ traced_tmpfs
+ traceur_app
+ traceur_app_tmpfs
+ untrusted_app_all_devpts
+ update_engine_log_data_file
+ usbd
+ usbd_exec
+ usbd_tmpfs
+ vendor_default_prop
+ vendor_init
+ vendor_security_patch_level_prop
+ vendor_shell
+ vold_metadata_file
+ vold_prepare_subdirs
+ vold_prepare_subdirs_exec
+ vold_service
+ wait_for_keymaster
+ wait_for_keymaster_exec
+ wait_for_keymaster_tmpfs
+ wm_trace_data_file
+ wpantund
+ wpantund_exec
+ wpantund_service
+ wpantund_tmpfs))
+
+;; private_objects - a collection of types that were labeled differently in
+;; older policy, but that should not remain accessible to vendor policy.
+;; Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects (untrusted_app_27_tmpfs))
diff --git a/private/coredomain.te b/private/coredomain.te
new file mode 100644
index 0000000..23224c3
--- /dev/null
+++ b/private/coredomain.te
@@ -0,0 +1,15 @@
+get_prop(coredomain, pm_prop)
+get_prop(coredomain, exported_pm_prop)
+
+full_treble_only(`
+neverallow {
+ coredomain
+
+ # for chowning
+ -init
+
+ # generic access to sysfs_type
+ -ueventd
+ -vold
+} sysfs_leds:file *;
+')
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 56693fd..c3d2ed5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -2,11 +2,13 @@
allow crash_dump {
domain
+ -bpfloader
-crash_dump
-init
-kernel
-keystore
-logd
-ueventd
+ -vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/private/dex2oat.te b/private/dex2oat.te
index 89c3970..fd45484 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -1,2 +1 @@
typeattribute dex2oat coredomain;
-typeattribute dex2oat domain_deprecated;
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 1c23f57..dfc81b8 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -20,7 +20,7 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
allow dexoptanalyzer app_data_file:dir { getattr search };
-allow dexoptanalyzer app_data_file:file r_file_perms;
+allow dexoptanalyzer app_data_file:file { getattr read };
# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
# "dontaudit...audit_access" policy line to suppress the audit access without
# suppressing denial on actual access.
diff --git a/private/dhcp.te b/private/dhcp.te
index 6a6a139..b2f8ac7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -1,5 +1,4 @@
typeattribute dhcp coredomain;
-typeattribute dhcp domain_deprecated;
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
diff --git a/private/domain.te b/private/domain.te
index d37a0bd..fb6ba4f 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -9,10 +9,110 @@
domain
-vold
-dumpstate
+ userdebug_or_eng(`-incidentd')
-storaged
-system_server
userdebug_or_eng(`-perfprofd')
-} self:capability sys_ptrace;
+} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app } *:keystore_key gen_unique_id;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ userdebug_or_eng(`-domain')
+} debugfs_tracing_debug:file no_rw_file_perms;
+
+# Core domains are not permitted to use kernel interfaces which are not
+# explicitly labeled.
+# TODO(b/65643247): Apply these neverallow rules to all coredomain.
+full_treble_only(`
+ # /proc
+ neverallow {
+ coredomain
+ -vold
+ } proc:file no_rw_file_perms;
+
+ # /sys
+ neverallow {
+ coredomain
+ -init
+ -ueventd
+ -vold
+ } sysfs:file no_rw_file_perms;
+
+ # /dev
+ neverallow {
+ coredomain
+ -fsck
+ -init
+ -ueventd
+ } device:{ blk_file file } no_rw_file_perms;
+
+ # debugfs
+ neverallow {
+ coredomain
+ -dumpstate
+ -init
+ -system_server
+ } debugfs:file no_rw_file_perms;
+
+ # tracefs
+ neverallow {
+ coredomain
+ -atrace
+ -dumpstate
+ -init
+ userdebug_or_eng(`-perfprofd')
+ -traced_probes
+ -shell
+ -traceur_app
+ } debugfs_tracing:file no_rw_file_perms;
+
+ # inotifyfs
+ neverallow {
+ coredomain
+ -init
+ } inotify:file no_rw_file_perms;
+
+ # pstorefs
+ neverallow {
+ coredomain
+ -bootstat
+ -charger
+ -dumpstate
+ -healthd
+ userdebug_or_eng(`-incidentd')
+ -init
+ -logd
+ -logpersist
+ -recovery_persist
+ -recovery_refresh
+ -shell
+ -system_server
+ } pstorefs:file no_rw_file_perms;
+
+ # configfs
+ neverallow {
+ coredomain
+ -init
+ -system_server
+ } configfs:file no_rw_file_perms;
+
+ # functionfs
+ neverallow {
+ coredomain
+ -adbd
+ -init
+ -mediaprovider
+ -system_server
+ } functionfs:file no_rw_file_perms;
+
+ # usbfs and binfmt_miscfs
+ neverallow {
+ coredomain
+ -init
+ }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
+')
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0fe2adf..2c2a62f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,4 @@
typeattribute dumpstate coredomain;
-typeattribute dumpstate domain_deprecated;
init_daemon_domain(dumpstate)
@@ -15,12 +14,34 @@
# systrace support - allow atrace to run
allow dumpstate debugfs_tracing:dir r_dir_perms;
allow dumpstate debugfs_tracing:file rw_file_perms;
+allow dumpstate debugfs_tracing_debug:dir r_dir_perms;
allow dumpstate debugfs_trace_marker:file getattr;
allow dumpstate atrace_exec:file rx_file_perms;
allow dumpstate storaged_exec:file rx_file_perms;
+# /data/misc/wmtrace for wm traces
+userdebug_or_eng(`
+ allow dumpstate wm_trace_data_file:dir r_dir_perms;
+ allow dumpstate wm_trace_data_file:file r_file_perms;
+')
+
# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)
+# Allow dumpstate to make binder calls to statsd
+binder_call(dumpstate, statsd)
+
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
+
+# Signal native processes to dump their stack.
+allow dumpstate {
+ statsd
+}:process signal;
+
+# For collecting bugreports.
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
+allow dumpstate dev_type:blk_file getattr;
+allow dumpstate webview_zygote:process signal;
+dontaudit dumpstate perfprofd:binder call;
+dontaudit dumpstate update_engine:binder call;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 872892b..75a6317 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -31,10 +31,21 @@
allow ephemeral_app mediacodec_service:service_manager find;
allow ephemeral_app mediametrics_service:service_manager find;
allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
+allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow ephemeral_app traced:fd use;
+allow ephemeral_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(ephemeral_app, traced_producer, traced)
+
+# allow ephemeral apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow ephemeral_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
###
### neverallow rules
###
diff --git a/private/file.te b/private/file.te
index da5f9ad..58ee0de 100644
--- a/private/file.te
+++ b/private/file.te
@@ -1,7 +1,16 @@
-# Compatibility with type names used in vanilla Android 4.3 and 4.4.
-typealias audio_data_file alias audio_firmware_file;
-typealias app_data_file alias platform_app_data_file;
-typealias app_data_file alias download_file;
-
# /proc/config.gz
-type config_gz, fs_type;
+type config_gz, fs_type, proc_type;
+
+# /data/misc/stats-data, /data/misc/stats-service
+type stats_data_file, file_type, data_file_type, core_data_file_type;
+
+type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# /data/misc/storaged
+type storaged_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/wmtrace for wm traces
+type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
+
+# /data/misc/perfetto-traces for perfetto traces
+type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index 5369758..564e45c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -28,16 +28,17 @@
/mnt u:object_r:tmpfs:s0
/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
-/root u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
# Symlinks
+/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
/d u:object_r:rootfs:s0
/etc u:object_r:rootfs:s0
/sdcard u:object_r:rootfs:s0
# SELinux policy files
+/vendor_file_contexts u:object_r:file_contexts_file:s0
/nonplat_file_contexts u:object_r:file_contexts_file:s0
/plat_file_contexts u:object_r:file_contexts_file:s0
/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
@@ -45,14 +46,20 @@
/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/plat_property_contexts u:object_r:property_contexts_file:s0
/nonplat_property_contexts u:object_r:property_contexts_file:s0
+/vendor_property_contexts u:object_r:property_contexts_file:s0
/seapp_contexts u:object_r:seapp_contexts_file:s0
/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
+/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
+# Use nonplat_service_contexts_file to allow servicemanager to read it
+# on non full-treble devices.
+/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
/vndservice_contexts u:object_r:vndservice_contexts_file:s0
##########################
@@ -118,7 +125,6 @@
/dev/snd/audio_seq_device u:object_r:audio_seq_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/cryptd u:object_r:vold_socket:s0
/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
@@ -126,6 +132,7 @@
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
+/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
/dev/socket/mtpd u:object_r:mtpd_socket:s0
@@ -146,9 +153,9 @@
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
+/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
+/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
-/dev/socket/vold u:object_r:vold_socket:s0
-/dev/socket/webview_zygote u:object_r:webview_zygote_socket:s0
/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
/dev/socket/zygote u:object_r:zygote_socket:s0
@@ -164,6 +171,7 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
+/dev/v4l-touch[0-9]* u:object_r:input_device:s0
/dev/vcs[0-9a-z]* u:object_r:vcs_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
@@ -171,16 +179,19 @@
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
+/dev/__properties__/property_info u:object_r:property_info:s0
#############################
# System files
#
/system(/.*)? u:object_r:system_file:s0
/system/bin/atrace u:object_r:atrace_exec:s0
+/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/make_f2fs -- u:object_r:fsck_exec:s0
+/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
+/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
@@ -202,6 +213,7 @@
/system/bin/dumpstate u:object_r:dumpstate_exec:s0
/system/bin/incident u:object_r:incident_exec:s0
/system/bin/incidentd u:object_r:incidentd_exec:s0
+/system/bin/incident_helper u:object_r:incident_helper_exec:s0
/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
/system/bin/vold u:object_r:vold_exec:s0
/system/bin/netd u:object_r:netd_exec:s0
@@ -231,13 +243,17 @@
/system/bin/pppd u:object_r:ppp_exec:s0
/system/bin/racoon u:object_r:racoon_exec:s0
/system/xbin/su u:object_r:su_exec:s0
-/system/xbin/perfprofd u:object_r:perfprofd_exec:s0
+/system/bin/perfprofd u:object_r:perfprofd_exec:s0
/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
/system/bin/healthd u:object_r:healthd_exec:s0
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
+/system/bin/usbd u:object_r:usbd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
+/system/bin/perfetto u:object_r:perfetto_exec:s0
+/system/bin/traced u:object_r:traced_exec:s0
+/system/bin/traced_probes u:object_r:traced_probes_exec:s0
/system/bin/uncrypt u:object_r:uncrypt_exec:s0
/system/bin/update_verifier u:object_r:update_verifier_exec:s0
/system/bin/logwrapper u:object_r:system_file:s0
@@ -246,10 +262,10 @@
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
/system/bin/install-recovery.sh u:object_r:install_recovery_exec:s0
/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
# patchoat executable has (essentially) the same requirements as dex2oat.
/system/bin/patchoat(d)? u:object_r:dex2oat_exec:s0
-/system/bin/profman u:object_r:profman_exec:s0
+/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/sgdisk u:object_r:sgdisk_exec:s0
/system/bin/blkid u:object_r:blkid_exec:s0
/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
@@ -258,8 +274,7 @@
/system/bin/bspatch u:object_r:update_engine_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/thermalserviced u:object_r:thermalserviced_exec:s0
-/system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0
-/system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0
+/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
@@ -273,6 +288,11 @@
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
+/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
+/system/bin/stats u:object_r:stats_exec:s0
+/system/bin/statsd u:object_r:statsd_exec:s0
+/system/bin/bpfloader u:object_r:bpfloader_exec:s0
+/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
#############################
# Vendor files
@@ -280,39 +300,56 @@
/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
+/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-# TODO: b/36790901 move this to /vendor/etc
/(vendor|system/vendor)/manifest.xml u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/compatibility_matrix.xml u:object_r:vendor_configs_file:s0
+/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
+/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/vendor/etc/selinux/nonplat_mac_permissions.xml u:object_r:mac_perms_file:s0
-/vendor/etc/selinux/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/vendor/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/vendor/etc/selinux/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vendor/etc/selinux/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/vendor/etc/selinux/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/vendor/etc/selinux/nonplat_sepolicy.cil u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-/vendor/etc/selinux/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
#############################
# OEM and ODM files
#
-/odm(/.*)? u:object_r:system_file:s0
+/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
+/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
+/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
+/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
+/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
+/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
+/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
+/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
+
/oem(/.*)? u:object_r:oemfs:s0
+# The precompiled monolithic sepolicy will be under /odm only when
+# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
+/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
+/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
+
+/(odm|vendor/odm)/etc/selinux/odm_sepolicy.cil u:object_r:sepolicy_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_mac_permissions.xml u:object_r:mac_perms_file:s0
+
+#############################
+# Product files
+#
+/(product|system/product)(/.*)? u:object_r:system_file:s0
#############################
# Data files
@@ -340,7 +377,10 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
+/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
+/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
+/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/media(/.*)? u:object_r:media_rw_data_file:s0
/data/mediadrm(/.*)? u:object_r:media_data_file:s0
/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
@@ -352,6 +392,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
+/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
@@ -363,6 +404,7 @@
/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
+/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/dhcp-6.8.2(/.*)? u:object_r:dhcp_data_file:s0
/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
@@ -372,10 +414,13 @@
/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/reboot(/.*)? u:object_r:reboot_data_file:s0
+/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
+/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
+/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
@@ -387,17 +432,29 @@
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
+/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
+/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
+/data/vendor(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
+/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
+
+# storaged proto files
+/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
+/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+# Fingerprint vendor data file
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
@@ -433,6 +490,10 @@
# User icon files
/data/system/users/[0-9]+/photo.png u:object_r:icon_file:s0
+# vold per-user data
+/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
+
#############################
# efs files
#
@@ -456,6 +517,12 @@
/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
#############################
+# Metadata files
+#
+/metadata(/.*)? u:object_r:metadata_file:s0
+/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
+
+#############################
# asec containers
/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
@@ -468,3 +535,7 @@
/mnt/user(/.*)? u:object_r:mnt_user_file:s0
/mnt/runtime(/.*)? u:object_r:storage_file:s0
/storage(/.*)? u:object_r:storage_file:s0
+
+#############################
+# mount point for read-write vendor partitions
+/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index 0401ffe..17ee9d7 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -2,6 +2,8 @@
/data/asan/system/lib64(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib(/.*)? u:object_r:system_file:s0
/data/asan/vendor/lib64(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib(/.*)? u:object_r:system_file:s0
+/data/asan/odm/lib64(/.*)? u:object_r:system_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
/system/bin/asan/app_process u:object_r:zygote_exec:s0
diff --git a/private/fingerprintd.te b/private/fingerprintd.te
index 0c1dfaa..eb73ef8 100644
--- a/private/fingerprintd.te
+++ b/private/fingerprintd.te
@@ -1,4 +1,3 @@
typeattribute fingerprintd coredomain;
-typeattribute fingerprintd domain_deprecated;
init_daemon_domain(fingerprintd)
diff --git a/private/fsck.te b/private/fsck.te
index e846797..f8e09b6 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -1,4 +1,5 @@
typeattribute fsck coredomain;
-typeattribute fsck domain_deprecated;
init_daemon_domain(fsck)
+
+allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/private/fsck_untrusted.te b/private/fsck_untrusted.te
index 2a1a39f..9a57bf0 100644
--- a/private/fsck_untrusted.te
+++ b/private/fsck_untrusted.te
@@ -1,2 +1 @@
typeattribute fsck_untrusted coredomain;
-typeattribute fsck_untrusted domain_deprecated;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e77a39b..7e2ea50 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -2,121 +2,243 @@
genfscon rootfs / u:object_r:rootfs:s0
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
+genfscon proc /asound u:object_r:proc_asound:s0
+genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
+genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /diskstats u:object_r:proc_diskstats:s0
+genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
+genfscon proc /kmsg u:object_r:proc_kmsg:s0
+genfscon proc /loadavg u:object_r:proc_loadavg:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
genfscon proc /modules u:object_r:proc_modules:s0
+genfscon proc /mounts u:object_r:proc_mounts:s0
genfscon proc /net u:object_r:proc_net:s0
genfscon proc /net/xt_qtaguid/ctrl u:object_r:qtaguid_proc:s0
+genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
+genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
genfscon proc /softirqs u:object_r:proc_timer:s0
genfscon proc /stat u:object_r:proc_stat:s0
+genfscon proc /swaps u:object_r:proc_swaps:s0
genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
+genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
+genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
+genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/hung_task_timeout_secs u:object_r:proc_hung_task:s0
genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
+genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
+genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/random u:object_r:proc_random:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
+genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
+genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
genfscon proc /sys/net u:object_r:proc_net:s0
+genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
+genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
+genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
+genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
+genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
genfscon proc /timer_list u:object_r:proc_timer:s0
genfscon proc /timer_stats u:object_r:proc_timer:s0
genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
+genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
+genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
+genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
+genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
+genfscon proc /uptime u:object_r:proc_uptime:s0
+genfscon proc /version u:object_r:proc_version:s0
+genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
+genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
+genfscon sysfs /class/net u:object_r:sysfs_net:s0
+genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
+genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
+genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
+genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
+genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
+genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
+genfscon sysfs /power/state u:object_r:sysfs_power:s0
+genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
+genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
+genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
+genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
+genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
+genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
+genfscon tracefs /trace u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
+genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
+
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
+genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/workqueue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/regulator/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/pagecache/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/irq/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ipi/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_issue/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /events/block/block_rq_complete/enable u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/workqueue/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/regulator/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/pagecache/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/irq/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing_debug:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
+
+genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
+genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
+genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
+genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
+
+genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
+genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
-genfscon tracefs / u:object_r:debugfs_tracing:s0
genfscon fuse / u:object_r:fuse:s0
genfscon configfs / u:object_r:configfs:s0
genfscon sdcardfs / u:object_r:sdcardfs:s0
+genfscon esdfs / u:object_r:sdcardfs:s0
genfscon pstore / u:object_r:pstorefs:s0
genfscon functionfs / u:object_r:functionfs:s0
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/private/healthd.te b/private/healthd.te
index 0693a3a..20d0791 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -2,5 +2,5 @@
init_daemon_domain(healthd)
-# Allow callback to storaged batteryproperties listener
-binder_call(healthd, storaged)
+# Allow healthd to serve health HAL
+hal_server_domain(healthd, hal_health)
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index e304495..c75c0a5 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -3,12 +3,19 @@
android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
+android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
+android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
+android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
+android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
+android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
+android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
@@ -23,6 +30,7 @@
android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
+android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
@@ -30,21 +38,27 @@
android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
+android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
+android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
+android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
+android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
+android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
android.hardware.wifi.offload::IOffload u:object_r:hal_wifi_offload_hwservice:s0
android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index a43eb02..0705cc7 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -4,3 +4,5 @@
add_hwservice(hwservicemanager, hidl_manager_hwservice)
add_hwservice(hwservicemanager, hidl_token_hwservice)
+
+set_prop(hwservicemanager, ctl_interface_start_prop)
diff --git a/private/incident.te b/private/incident.te
index b910dde..1844898 100644
--- a/private/incident.te
+++ b/private/incident.te
@@ -8,6 +8,9 @@
# allow incident access to stdout from its parent shell.
allow incident shell:fd use;
+# allow incident be able to output data for CTS to fetch.
+allow incident devpts:chr_file { read write };
+
# allow incident to communicate use, read and write over the adb
# connection.
allow incident adbd:fd use;
@@ -23,3 +26,5 @@
binder_call(incident, incidentd)
allow incident incidentd:fifo_file write;
+# only allow incident being called by shell
+neverallow { domain -su -shell -incident } incident_exec:file { execute execute_no_trans };
diff --git a/private/incident_helper.te b/private/incident_helper.te
new file mode 100644
index 0000000..e1e3fc8
--- /dev/null
+++ b/private/incident_helper.te
@@ -0,0 +1,14 @@
+typeattribute incident_helper coredomain;
+
+type incident_helper_exec, exec_type, file_type;
+
+# switch to incident_helper domain for incident_helper command
+domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
+
+# use pipe to transmit data from/to incidentd/incident_helper for parsing
+allow incident_helper { shell incident incidentd }:fd use;
+allow incident_helper { shell incident incidentd }:fifo_file { getattr read write };
+allow incident_helper incidentd:unix_stream_socket { read write };
+
+# only allow incidentd and shell to call incident_helper
+neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/private/incidentd.te b/private/incidentd.te
index efd23bd..6b248f1 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -1,21 +1,16 @@
typeattribute incidentd coredomain;
+typeattribute incidentd mlstrustedsubject;
init_daemon_domain(incidentd)
type incidentd_exec, exec_type, file_type;
binder_use(incidentd)
wakelock_use(incidentd)
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-# TODO allow incidentd self:capability { setuid setgid sys_resource };
-
# Allow incidentd to scan through /proc/pid for all processes
r_dir_file(incidentd, domain)
-allow incidentd self:capability {
- # Send signals to processes
- kill
-};
+# Allow incidentd to kill incident_helper when timeout
+allow incidentd incident_helper:process sigkill;
# Allow executing files on system, such as:
# /system/bin/toolbox
@@ -24,45 +19,99 @@
allow incidentd system_file:file execute_no_trans;
allow incidentd toolbox_exec:file rx_file_perms;
+# section id 2001, allow reading /proc/pagetypeinfo
+allow incidentd proc_pagetypeinfo:file r_file_perms;
+
+# section id 2002, allow reading /d/wakeup_sources
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
+
+# section id 2003, allow executing top
+allow incidentd proc_meminfo:file { open read };
+
+# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
+allow incidentd sysfs_devices_system_cpu:file r_file_perms;
+
+# section id 2005, allow reading ps dump in full
+allow incidentd domain:process getattr;
+
+# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
+allow incidentd sysfs_batteryinfo:dir { search };
+allow incidentd sysfs_batteryinfo:file r_file_perms;
+
+# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
+userdebug_or_eng(`allow incidentd pstorefs:dir search');
+userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
+
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
-# Get process attributes
-# TODO allow incidentd domain:process getattr;
+# Enable incidentd to get stack traces.
+binder_use(incidentd)
+hwbinder_use(incidentd)
+allow incidentd hwservicemanager:hwservice_manager { list };
+get_prop(incidentd, hwservicemanager_prop)
+allow incidentd hidl_manager_hwservice:hwservice_manager { find };
+
+# Read files in /proc
+allow incidentd {
+ proc_cmdline
+ proc_pipe_conf
+ proc_stat
+}:file r_file_perms;
# Signal java processes to dump their stack and get the results
-# TODO allow incidentd { appdomain ephemeral_app system_server }:process signal;
-# TODO allow incidentd anr_data_file:dir rw_dir_perms;
-# TODO allow incidentd anr_data_file:file create_file_perms;
+allow incidentd { appdomain ephemeral_app system_server }:process signal;
# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in incidentd/utils.c
allow incidentd {
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
audioserver
cameraserver
drmserver
inputflinger
- mediacodec
mediadrmserver
mediaextractor
+ mediametrics
mediaserver
sdcardd
+ statsd
surfaceflinger
+
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
+ hal_audio_server
+ hal_bluetooth_server
+ hal_camera_server
+ hal_graphics_composer_server
+ hal_sensors_server
+ hal_vr_server
+ mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;
# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, binderservicedomain)
+binder_call(incidentd, system_server)
binder_call(incidentd, appdomain)
# Reading /proc/PID/maps of other processes
-# TODO allow incidentd self:capability sys_ptrace;
+userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
+# incidentd has capability sys_ptrace, but should only use that capability for
+# accessing sensitive /proc/PID files, never for using ptrace attach.
+neverallow incidentd *:process ptrace;
+
+allow incidentd self:global_capability_class_set {
+ # Send signals to processes
+ kill
+};
+
+# Connect to tombstoned to intercept dumps.
+unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
# Run a shell.
allow incidentd shell_exec:file rx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
-# TODO read_logd(incidentd)
+userdebug_or_eng(`read_logd(incidentd)')
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
@@ -88,7 +137,14 @@
###
# only system_server, system_app and incident command can find the incident service
-neverallow { domain -system_server -system_app -incident -incidentd } incident_service:service_manager find;
+neverallow {
+ domain
+ -incident
+ -incidentd
+ -statsd
+ -system_app
+ -system_server
+} incident_service:service_manager find;
# only incidentd and the other root services in limited circumstances
# can get to the files in /data/misc/incidents
diff --git a/private/init.te b/private/init.te
index 5c23f66..e9959d3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -14,13 +14,9 @@
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
domain_trans(init, init_exec, watchdogd)
+domain_trans(init, init_exec, vendor_init)
domain_trans(init, { rootfs toolbox_exec }, modprobe)
# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
userdebug_or_eng(`
domain_auto_trans(init, logcat_exec, logpersist)
')
-
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit init sysfs:dir write;
diff --git a/private/installd.te b/private/installd.te
index d726e7d..0553716 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -1,5 +1,4 @@
typeattribute installd coredomain;
-typeattribute installd domain_deprecated;
init_daemon_domain(installd)
@@ -17,3 +16,7 @@
# Create /data/.layout_version.* file
type_transition installd system_data_file:file install_data_file;
+
+# For collecting bugreports.
+allow installd dumpstate:fd use;
+allow installd dumpstate:fifo_file r_file_perms;
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 37935c3..a6276b3 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -27,12 +27,9 @@
# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
# by other processes. Open should never be allowed, and is blocked by
# neverallow rules below.
-# TODO: consider removing write/append. We want to limit isolated_apps
-# ability to mutate files of any type.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock };
-auditallow isolated_app { sdcard_type media_rw_data_file }:file { write append };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -50,6 +47,12 @@
# suppress denials to /data/local/tmp
dontaudit isolated_app shell_data_file:dir search;
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow isolated_app traced:fd use;
+allow isolated_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(isolated_app, traced_producer, traced)
+
#####
##### Neverallow
#####
@@ -105,4 +108,12 @@
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote_socket:sock_file write;
+neverallow isolated_app webview_zygote:sock_file write;
+
+# Limit the /sys files which isolated_app can access. This is important
+# for controlling isolated_app attack surface.
+neverallow isolated_app {
+ sysfs_type
+ -sysfs_devices_system_cpu
+ -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
+}:file no_rw_file_perms;
diff --git a/private/keystore.te b/private/keystore.te
index 1e56338..7f71028 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -1,11 +1,19 @@
typeattribute keystore coredomain;
-typeattribute keystore domain_deprecated;
init_daemon_domain(keystore)
# talk to keymaster
hal_client_domain(keystore, hal_keymaster)
+# talk to confirmationui
+hal_client_domain(keystore, hal_confirmationui)
+
+# This is used for the ConfirmationUI async callback.
+allow keystore platform_app:binder call;
+
# Offer the Wifi Keystore HwBinder service
typeattribute keystore wifi_keystore_service_server;
add_hwservice(keystore, system_wifi_keystore_hwservice)
+
+# Allow to check whether security logging is enabled.
+get_prop(keystore, device_logging_prop)
diff --git a/private/logpersist.te b/private/logpersist.te
index 70e3198..8cdbd2d 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -8,7 +8,7 @@
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
- allow logpersist self:capability sys_nice;
+ allow logpersist self:global_capability_class_set sys_nice;
allow logpersist pstorefs:dir search;
allow logpersist pstorefs:file r_file_perms;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 63f56c8..f5c9f69 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -14,12 +14,19 @@
allow mediaprovider cache_file:file create_file_perms;
# /cache is a symlink to /data/cache on some devices. Allow reading the link.
allow mediaprovider cache_file:lnk_file r_file_perms;
+# mediaprovider searches through /cache looking for orphans
+# Ignore denials to /cache/recovery and /cache/backup.
+dontaudit mediaprovider cache_private_backup_file:dir getattr;
+dontaudit mediaprovider cache_recovery_file:dir getattr;
+
+# Access external sdcards through /mnt/media_rw
+allow mediaprovider { mnt_media_rw_file }:dir search;
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
+allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
# Allow MediaProvider to read/write cached ringtones (opened by system).
allow mediaprovider ringtone_file:file { getattr read write };
@@ -33,3 +40,4 @@
# MtpServer sets sys.usb.ffs.mtp.ready
set_prop(mediaprovider, ffs_prop)
+set_prop(mediaprovider, exported_ffs_prop)
diff --git a/private/mediaserver.te b/private/mediaserver.te
index a9b85be..a5fa9e1 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -7,4 +7,5 @@
# TODO(b/36375899): Remove this once OMX HAL is attributized and mediaserver is marked as a client
# of OMX HAL.
+allow mediaserver hal_codec2_hwservice:hwservice_manager find;
allow mediaserver hal_omx_hwservice:hwservice_manager find;
diff --git a/private/mls b/private/mls
index a561de1..3b8ee3f 100644
--- a/private/mls
+++ b/private/mls
@@ -53,11 +53,11 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must be equivalent to object unless the subject is trusted.
+# Subject must dominate object unless the subject is trusted.
mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file lnk_file sock_file } { open setattr unlink link rename }
- (t2 != app_data_file or l1 eq l2 or t1 == mlstrustedsubject);
+ (t2 != app_data_file or l1 dom l2 or t1 == mlstrustedsubject);
#
# Constraints for file types other than app data files.
diff --git a/private/mtp.te b/private/mtp.te
index 3cfda0b..732e111 100644
--- a/private/mtp.te
+++ b/private/mtp.te
@@ -1,4 +1,3 @@
typeattribute mtp coredomain;
-typeattribute mtp domain_deprecated;
init_daemon_domain(mtp)
diff --git a/private/netd.te b/private/netd.te
index 3a824af..281105d 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,5 +1,4 @@
typeattribute netd coredomain;
-typeattribute netd domain_deprecated;
init_daemon_domain(netd)
@@ -8,3 +7,9 @@
# Allow netd to start clatd in its own domain
domain_auto_trans(netd, clatd_exec, clatd)
+
+# Allow netd to start bpfloader_exec in its own domain
+domain_auto_trans(netd, bpfloader_exec, bpfloader)
+
+# give netd permission to setup iptables rule with xt_bpf
+allow netd bpfloader:bpf prog_run;
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index f7fe32a..ea58814 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -3,13 +3,13 @@
r_dir_file(netutils_wrapper, system_file);
# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:capability net_raw;
+allow netutils_wrapper self:global_capability_class_set net_raw;
allow netutils_wrapper system_file:file { execute execute_no_trans };
allow netutils_wrapper proc_net:file { open read getattr };
allow netutils_wrapper self:rawip_socket create_socket_perms;
allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:capability net_admin;
+allow netutils_wrapper self:global_capability_class_set net_admin;
# ip utils need everything but ioctl
allow netutils_wrapper self:netlink_route_socket ~ioctl;
allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
@@ -18,6 +18,13 @@
allow netutils_wrapper netd_socket:sock_file { open getattr read write append };
allow netutils_wrapper netd:unix_stream_socket { read getattr connectto };
+# For vendor code that update the iptables rules at runtime. They need to reload
+# the whole chain including the xt_bpf rules. They need to access to the pinned
+# program when reloading the rule.
+allow netutils_wrapper fs_bpf:dir search;
+allow netutils_wrapper fs_bpf:file { read write };
+allow netutils_wrapper bpfloader:bpf prog_run;
+
# For /data/misc/net access to ndc and ip
r_dir_file(netutils_wrapper, net_data_file)
@@ -26,3 +33,9 @@
-coredomain
-appdomain
}, netutils_wrapper_exec, netutils_wrapper)
+
+# suppress spurious denials
+dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
+
+# netutils wrapper may only use the following capabilities.
+neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/private/nfc.te b/private/nfc.te
index b41558c..5e85672 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -21,10 +21,10 @@
allow nfc mediaserver_service:service_manager find;
allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
allow nfc app_api_service:service_manager find;
allow nfc system_api_service:service_manager find;
allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
set_prop(nfc, nfc_prop);
diff --git a/private/perfetto.te b/private/perfetto.te
new file mode 100644
index 0000000..9ac5d87
--- /dev/null
+++ b/private/perfetto.te
@@ -0,0 +1,68 @@
+# Perfetto command-line client. Can be used only from the domains that are
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# This command line client accesses the privileged socket of the traced
+# daemon.
+
+type perfetto, domain, coredomain;
+type perfetto_exec, exec_type, file_type;
+
+tmpfs_domain(perfetto);
+
+# Allow to access traced's privileged consumer socket.
+unix_socket_connect(perfetto, traced_consumer, traced)
+
+# Allow to write and unlink traces into /data/misc/perfetto-traces.
+allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
+allow perfetto perfetto_traces_data_file:file create_file_perms;
+
+# Allow to access binder to pass the traces to Dropbox.
+binder_use(perfetto)
+binder_call(perfetto, system_server)
+allow perfetto dropbox_service:service_manager find;
+
+# Allow statsd and shell to pipe the trace config to perfetto on stdin and to
+# print out on stdout/stderr.
+allow perfetto statsd:fd use;
+allow perfetto statsd:fifo_file { getattr read write };
+allow perfetto shell:fd use;
+allow perfetto shell:fifo_file { getattr read write };
+
+# Allow to communicate use, read and write over the adb connection.
+allow perfetto adbd:fd use;
+allow perfetto adbd:unix_stream_socket { read write };
+
+# allow adbd to reap perfetto
+allow perfetto adbd:process { sigchld };
+
+# Allow to access /dev/pts when launched in an adb shell.
+allow perfetto devpts:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### perfetto should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow perfetto self:process execmem;
+
+# Block device access.
+neverallow perfetto dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow perfetto domain:process ptrace;
+
+# Disallows access to other /data files.
+neverallow perfetto {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:dir *;
+neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
+neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
+neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:file ~write;
diff --git a/private/perfprofd.te b/private/perfprofd.te
index a655f1d..4da5410 100644
--- a/private/perfprofd.te
+++ b/private/perfprofd.te
@@ -1,5 +1,8 @@
userdebug_or_eng(`
typeattribute perfprofd coredomain;
- typeattribute perfprofd domain_deprecated;
init_daemon_domain(perfprofd)
')
+
+# Only servicemanager, statsd, su and systemserver can communicate.
+neverallow { domain userdebug_or_eng(`-statsd') } perfprofd:binder call;
+neverallow perfprofd { domain userdebug_or_eng(`-servicemanager -statsd -su -system_server') }:binder call;
diff --git a/private/platform_app.te b/private/platform_app.te
index 2aa7dc9..6d6ec98 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -3,7 +3,6 @@
###
typeattribute platform_app coredomain;
-typeattribute platform_app domain_deprecated;
app_domain(platform_app)
@@ -35,12 +34,17 @@
# Direct access to vold-mounted storage under /mnt/media_rw
# This is a performance optimization that allows platform apps to bypass the FUSE layer
allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app vfat:dir create_dir_perms;
-allow platform_app vfat:file create_file_perms;
+allow platform_app sdcard_type:dir create_dir_perms;
+allow platform_app sdcard_type:file create_file_perms;
# com.android.systemui
allow platform_app rootfs:dir getattr;
+# com.android.captiveportallogin reads /proc/vmstat
+allow platform_app {
+ proc_vmstat
+}:file r_file_perms;
+
allow platform_app audioserver_service:service_manager find;
allow platform_app cameraserver_service:service_manager find;
allow platform_app drmserver_service:service_manager find;
@@ -51,7 +55,7 @@
allow platform_app mediadrmserver_service:service_manager find;
allow platform_app persistent_data_block_service:service_manager find;
allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
+allow platform_app thermal_service:service_manager find;
allow platform_app timezone_service:service_manager find;
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
@@ -65,6 +69,14 @@
read_runtime_log_tags(platform_app)
+# allow platform apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow platform_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# allow platform apps to connect to the property service
+set_prop(platform_app, test_boot_reason_prop)
+
###
### Neverallow rules
###
diff --git a/private/ppp.te b/private/ppp.te
index 9b301f4..968b221 100644
--- a/private/ppp.te
+++ b/private/ppp.te
@@ -1,4 +1,3 @@
typeattribute ppp coredomain;
-typeattribute ppp domain_deprecated;
domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/private/priv_app.te b/private/priv_app.te
index 60fb411..9ff8d09 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -21,22 +21,23 @@
# to their sandbox directory and then dlopen().
allow priv_app app_data_file:file execute;
+allow priv_app app_api_service:service_manager find;
allow priv_app audioserver_service:service_manager find;
allow priv_app cameraserver_service:service_manager find;
allow priv_app drmserver_service:service_manager find;
allow priv_app mediacodec_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
allow priv_app mediadrmserver_service:service_manager find;
allow priv_app mediaextractor_service:service_manager find;
+allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
+allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
allow priv_app persistent_data_block_service:service_manager find;
+allow priv_app radio_service:service_manager find;
allow priv_app recovery_service:service_manager find;
+allow priv_app stats_service:service_manager find;
+allow priv_app system_api_service:service_manager find;
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
@@ -57,6 +58,9 @@
allow priv_app shell_data_file:file r_file_perms;
allow priv_app shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to betterbug
+allow priv_app trace_data_file:file { getattr read };
+
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -76,9 +80,17 @@
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
-# /sys and /proc access
-r_dir_file(priv_app, sysfs_type)
-r_dir_file(priv_app, proc)
+# /proc access
+allow priv_app {
+ proc_vmstat
+}:file r_file_perms;
+
+allow priv_app sysfs_type:dir search;
+# Read access to /sys/class/net/wlan*/address
+r_dir_file(priv_app, sysfs_net)
+# Read access to /sys/block/zram*/mm_stat
+r_dir_file(priv_app, sysfs_zram)
+
r_dir_file(priv_app, rootfs)
# Allow GMS core to open kernel config for OTA matching through libvintf
@@ -95,6 +107,13 @@
binder_call(priv_app, storaged)
allow priv_app storaged_service:service_manager find;
+# Allow GMS core to access system_update_service (e.g. to publish pending
+# system update info).
+allow priv_app system_update_service:service_manager find;
+
+# Allow GMS core to communicate with statsd.
+binder_call(priv_app, statsd)
+
# Allow Phone to read/write cached ringtones (opened by system).
allow priv_app ringtone_file:file { getattr read write };
@@ -112,8 +131,31 @@
read_runtime_log_tags(priv_app)
-# suppress denials when safetynet scans /system
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow priv_app traced:fd use;
+allow priv_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(priv_app, traced_producer, traced)
+
+# suppress denials for non-API accesses.
dontaudit priv_app exec_type:file getattr;
+dontaudit priv_app device:dir read;
+dontaudit priv_app fs_bpf:dir search;
+dontaudit priv_app net_dns_prop:file read;
+dontaudit priv_app proc:file read;
+dontaudit priv_app proc_interrupts:file read;
+dontaudit priv_app proc_modules:file read;
+dontaudit priv_app proc_stat:file read;
+dontaudit priv_app proc_version:file read;
+dontaudit priv_app sysfs:dir read;
+dontaudit priv_app sysfs_android_usb:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
+
+# allow privileged apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow priv_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### neverallow rules
@@ -157,3 +199,8 @@
# bugs, so we want to ensure priv_app never has this
# capability.
neverallow priv_app file_type:file link;
+
+# priv apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor which they can then read
+neverallow priv_app trace_data_file:dir *;
+neverallow priv_app trace_data_file:file { no_w_file_perms open };
diff --git a/private/property_contexts b/private/property_contexts
index 8eb2f28..32be0b3 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -45,6 +45,7 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
persist.logd. u:object_r:logd_prop:s0
+ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
logd.logpersistd u:object_r:logpersistd_logging_prop:s0
@@ -58,6 +59,7 @@
persist.service. u:object_r:system_prop:s0
persist.service.bdroid. u:object_r:bluetooth_prop:s0
persist.security. u:object_r:system_prop:s0
+persist.traced.enable u:object_r:traced_enabled_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
@@ -65,6 +67,11 @@
ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
ro.boot.serialno u:object_r:serialno_prop:s0
ro.bt. u:object_r:bluetooth_prop:s0
+ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
+persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
+sys.boot.reason u:object_r:system_boot_reason_prop:s0
+pm. u:object_r:pm_prop:s0
+test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
# Boolean property set by system server upon boot indicating
# if device owner is provisioned.
@@ -88,6 +95,7 @@
# ctl properties
ctl.bootanim u:object_r:ctl_bootanim_prop:s0
+ctl.android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
@@ -96,6 +104,16 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
+# Don't allow blind access to all services
+ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
+ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
+ctl.start$ u:object_r:ctl_start_prop:s0
+ctl.stop$ u:object_r:ctl_stop_prop:s0
+ctl.restart$ u:object_r:ctl_restart_prop:s0
+ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
+ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
+ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
+
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -110,5 +128,20 @@
# Shared between system server and wificond
wlan. u:object_r:wifi_prop:s0
+# Lowpan properties
+lowpan. u:object_r:lowpan_prop:s0
+ro.lowpan. u:object_r:lowpan_prop:s0
+
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
+
+# Common default properties for vendor and odm.
+init.svc.odm. u:object_r:vendor_default_prop:s0
+init.svc.vendor. u:object_r:vendor_default_prop:s0
+ro.hardware. u:object_r:vendor_default_prop:s0
+ro.odm. u:object_r:vendor_default_prop:s0
+ro.vendor. u:object_r:vendor_default_prop:s0
+odm. u:object_r:vendor_default_prop:s0
+persist.odm. u:object_r:vendor_default_prop:s0
+persist.vendor. u:object_r:vendor_default_prop:s0
+vendor. u:object_r:vendor_default_prop:s0
diff --git a/private/radio.te b/private/radio.te
index 83b5b41..b4f5390 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,5 +1,4 @@
typeattribute radio coredomain;
-typeattribute radio domain_deprecated;
app_domain(radio)
diff --git a/private/recovery.te b/private/recovery.te
index b7b2847..2a7fdc7 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1,2 +1 @@
typeattribute recovery coredomain;
-typeattribute recovery domain_deprecated;
diff --git a/private/runas.te b/private/runas.te
index 73a91ff..ef31aac 100644
--- a/private/runas.te
+++ b/private/runas.te
@@ -1,5 +1,4 @@
typeattribute runas coredomain;
-typeattribute runas domain_deprecated;
# ndk-gdb invokes adb shell run-as.
domain_auto_trans(shell, runas_exec, runas)
diff --git a/private/sdcardd.te b/private/sdcardd.te
index ac6bb4e..126d643 100644
--- a/private/sdcardd.te
+++ b/private/sdcardd.te
@@ -1,4 +1,3 @@
typeattribute sdcardd coredomain;
-typeattribute sdcardd domain_deprecated;
type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index a97fc70..c21d49f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,20 +91,28 @@
# uid's can be in shell domain
neverallow user=shell domain=((?!shell).)*
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
# Ephemeral Apps must run in the ephemeral_app domain
neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
isSystemServer=true domain=system_server
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
-user=_isolated domain=isolated_app levelFrom=user
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
+user=webview_zygote seinfo=webview_zygote domain=webview_zygote
+user=_isolated domain=isolated_app levelFrom=all
user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=user
+user=_app isV2App=true isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=26 domain=untrusted_app type=app_data_file levelFrom=user
+user=_app minTargetSdkVersion=28 domain=untrusted_app type=app_data_file levelFrom=all
+user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
diff --git a/private/security_classes b/private/security_classes
index 2cfc768..251b721 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -35,6 +35,7 @@
class key_socket
class unix_stream_socket
class unix_dgram_socket
+class bpf
# sysv-ipc-related classes
class sem
diff --git a/private/service.te b/private/service.te
new file mode 100644
index 0000000..3fec882
--- /dev/null
+++ b/private/service.te
@@ -0,0 +1,2 @@
+type stats_service, service_manager_type;
+type statscompanion_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index a82243f..5ec45a2 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -14,6 +14,7 @@
batteryproperties u:object_r:batteryproperties_service:s0
batterystats u:object_r:batterystats_service:s0
battery u:object_r:battery_service:s0
+binder_calls_stats u:object_r:binder_calls_stats_service:s0
bluetooth_manager u:object_r:bluetooth_manager_service:s0
bluetooth u:object_r:bluetooth_service:s0
broadcastradio u:object_r:broadcastradio_service:s0
@@ -32,21 +33,24 @@
country_detector u:object_r:country_detector_service:s0
coverage u:object_r:coverage_service:s0
cpuinfo u:object_r:cpuinfo_service:s0
+crossprofileapps u:object_r:crossprofileapps_service:s0
dbinfo u:object_r:dbinfo_service:s0
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
-display.qservice u:object_r:surfaceflinger_service:s0
display u:object_r:display_service:s0
netd_listener u:object_r:netd_listener_service:s0
+network_watchlist u:object_r:network_watchlist_service:s0
DockObserver u:object_r:DockObserver_service:s0
dreams u:object_r:dreams_service:s0
drm.drmManager u:object_r:drmserver_service:s0
dropbox u:object_r:dropbox_service:s0
dumpstate u:object_r:dumpstate_service:s0
econtroller u:object_r:radio_service:s0
+euicc_card_controller u:object_r:radio_service:s0
+lowpan u:object_r:lowpan_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
@@ -85,6 +89,7 @@
media.player u:object_r:mediaserver_service:s0
media.metrics u:object_r:mediametrics_service:s0
media.extractor u:object_r:mediaextractor_service:s0
+media.extractor.update u:object_r:mediaextractor_update_service:s0
media.codec u:object_r:mediacodec_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
@@ -109,6 +114,7 @@
overlay u:object_r:overlay_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
+perfprofd u:object_r:perfprofd_service:s0
permission u:object_r:permission_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
@@ -129,6 +135,7 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
+secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
serial u:object_r:serial_service:s0
@@ -139,11 +146,16 @@
simphonebook2 u:object_r:radio_service:s0
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
+slice u:object_r:slice_service:s0
+stats u:object_r:stats_service:s0
+statscompanion u:object_r:statscompanion_service:s0
soundtrigger u:object_r:voiceinteraction_service:s0
statusbar u:object_r:statusbar_service:s0
storaged u:object_r:storaged_service:s0
+storaged_pri u:object_r:storaged_service:s0
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
+system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
telephony.registry u:object_r:registry_service:s0
@@ -161,6 +173,7 @@
vibrator u:object_r:vibrator_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
+vold u:object_r:vold_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
@@ -170,5 +183,6 @@
wifi u:object_r:wifi_service:s0
wificond u:object_r:wificond_service:s0
wifiaware u:object_r:wifiaware_service:s0
+wifirtt u:object_r:rttmanager_service:s0
window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 8d06294..02f7206 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -1,5 +1,4 @@
typeattribute shared_relro coredomain;
-typeattribute shared_relro domain_deprecated;
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
diff --git a/private/shell.te b/private/shell.te
index 5299532..130a130 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -4,18 +4,19 @@
allow shell uhid_device:chr_file rw_file_perms;
# systrace support - allow atrace to run
+allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
userdebug_or_eng(`
allow shell debugfs_tracing_debug:file rw_file_perms;
')
+# read config.gz for CTS purposes
+allow shell config_gz:file r_file_perms;
+
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
@@ -26,3 +27,27 @@
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
+
+# Control Perfetto traced and obtain traces from it.
+# Needed for Studio and debugging.
+unix_socket_connect(shell, traced_consumer, traced)
+
+# Allow shell binaries to write trace data to Perfetto. Used for testing and
+# cmdline utils.
+allow shell traced:fd use;
+allow shell traced_tmpfs:file { read write getattr map };
+unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
+
+# Allow shell binaries to exec the perfetto cmdline util and have that
+# transition into its own domain, so that it behaves consistently to
+# when exec()-d by statsd.
+domain_auto_trans(shell, perfetto_exec, perfetto)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
+allow shell perfetto_traces_data_file:dir rw_dir_perms;
+allow shell perfetto_traces_data_file:file r_file_perms;
diff --git a/private/stats.te b/private/stats.te
new file mode 100644
index 0000000..be8cfbd
--- /dev/null
+++ b/private/stats.te
@@ -0,0 +1,25 @@
+type stats, domain;
+typeattribute stats coredomain;
+type stats_exec, exec_type, file_type;
+
+# switch to stats domain for stats command
+domain_auto_trans(shell, stats_exec, stats)
+
+# allow stats access to stdout from its parent shell.
+allow stats shell:fd use;
+
+# allow stats to communicate use, read and write over the adb
+# connection.
+allow stats adbd:fd use;
+allow stats adbd:unix_stream_socket { read write };
+
+# allow adbd to reap stats
+allow stats adbd:process { sigchld };
+
+# Allow the stats command to talk to the statsd over the binder, and get
+# back the stats report data from a ParcelFileDescriptor.
+binder_use(stats)
+allow stats stats_service:service_manager find;
+binder_call(stats, statsd)
+allow stats statsd:fifo_file write;
+
diff --git a/private/statsd.te b/private/statsd.te
new file mode 100644
index 0000000..74b89c2
--- /dev/null
+++ b/private/statsd.te
@@ -0,0 +1,116 @@
+type statsd, domain, mlstrustedsubject;
+typeattribute statsd coredomain;
+
+init_daemon_domain(statsd)
+
+type statsd_exec, exec_type, file_type;
+binder_use(statsd)
+
+# Allow statsd to scan through /proc/pid for all processes.
+r_dir_file(statsd, domain)
+
+# Allow executing files on system, such as running a shell or running:
+# /system/bin/toolbox
+# /system/bin/logcat
+# /system/bin/dumpsys
+allow statsd devpts:chr_file { getattr ioctl read write };
+allow statsd shell_exec:file rx_file_perms;
+allow statsd system_file:file execute_no_trans;
+allow statsd toolbox_exec:file rx_file_perms;
+
+userdebug_or_eng(`
+ allow statsd su:fifo_file read;
+')
+
+# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
+allow statsd stats_data_file:dir create_dir_perms;
+allow statsd stats_data_file:file create_file_perms;
+
+# Allow statsd to make binder calls to any binder service.
+binder_call(statsd, appdomain)
+binder_call(statsd, healthd)
+binder_call(statsd, incidentd)
+userdebug_or_eng(`
+ binder_call(statsd, perfprofd)
+')
+binder_call(statsd, statscompanion_service)
+binder_call(statsd, system_server)
+
+# Allow logd access.
+read_logd(statsd)
+control_logd(statsd)
+
+# Allow to exec the perfetto cmdline client and pass it the trace config on
+# stdint through a pipe. It allows statsd to capture traces and hand them
+# to Android dropbox.
+allow statsd perfetto_exec:file rx_file_perms;
+domain_auto_trans(statsd, perfetto_exec, perfetto)
+
+# Grant statsd with permissions to register the services.
+allow statsd {
+ app_api_service
+ incident_service
+ statscompanion_service
+ system_api_service
+}:service_manager find;
+
+# Grant statsd to access health hal to access battery metrics.
+allow statsd hal_health_hwservice:hwservice_manager find;
+
+# Only statsd can publish the binder service.
+add_service(statsd, stats_service)
+
+# Allow pipes from (and only from) stats.
+allow statsd stats:fd use;
+allow statsd stats:fifo_file write;
+
+# Allow statsd to send dump info to dumpstate
+allow statsd dumpstate:fd use;
+allow statsd dumpstate:fifo_file { getattr write };
+
+# Allow statsd to call back to stats with status updates.
+binder_call(statsd, stats)
+
+# Allow access to with hardware layer and process stats.
+allow statsd proc_uid_cputime_showstat:file { getattr open read };
+hal_client_domain(statsd, hal_health)
+hal_client_domain(statsd, hal_power)
+hal_client_domain(statsd, hal_thermal)
+
+# Allow 'adb shell cmd' to upload configs and download output.
+allow statsd adbd:fd use;
+allow statsd adbd:unix_stream_socket { getattr read write };
+allow statsd shell:fifo_file { getattr read };
+
+unix_socket_send(bluetooth, statsdw, statsd)
+unix_socket_send(bootstat, statsdw, statsd)
+unix_socket_send(lmkd, statsdw, statsd)
+unix_socket_send(platform_app, statsdw, statsd)
+unix_socket_send(radio, statsdw, statsd)
+unix_socket_send(statsd, statsdw, statsd)
+unix_socket_send(system_server, statsdw, statsd)
+
+###
+### neverallow rules
+###
+
+# Only system_server, system_app, traceur_app, and stats command can find the stats service.
+neverallow {
+ domain
+ -dumpstate
+ -priv_app
+ -shell
+ -stats
+ -statsd
+ -system_app
+ -system_server
+ -traceur_app
+} stats_service:service_manager find;
+
+# Only statsd and the other root services in limited circumstances.
+# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
+# Other services are prohibitted from accessing the file.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
+
+# Limited access to the directory itself.
+neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/private/storaged.te b/private/storaged.te
index 20377e0..8ad872f 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -5,7 +5,6 @@
init_daemon_domain(storaged)
# Read access to pseudo filesystems
-r_dir_file(storaged, sysfs_type)
r_dir_file(storaged, proc_net)
r_dir_file(storaged, domain)
@@ -15,6 +14,10 @@
# Read /data/system/packages.list
allow storaged system_data_file:file r_file_perms;
+# Store storaged proto file
+allow storaged storaged_data_file:dir rw_dir_perms;
+allow storaged storaged_data_file:file create_file_perms;
+
userdebug_or_eng(`
# Read access to debugfs
allow storaged debugfs_mmc:dir search;
@@ -36,9 +39,7 @@
binder_use(storaged)
binder_call(storaged, system_server)
-# use batteryproperties service
-allow storaged batteryproperties_service:service_manager find;
-binder_call(storaged, healthd)
+hal_client_domain(storaged, hal_health)
# Implements a dumpsys interface.
allow storaged dumpstate:fd use;
@@ -48,7 +49,10 @@
# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
# running as root. See b/35323867 #3.
-dontaudit storaged self:capability dac_override;
+dontaudit storaged self:global_capability_class_set dac_override;
+
+# For collecting bugreports.
+allow storaged dumpstate:fifo_file write;
###
### neverallow
diff --git a/private/su.te b/private/su.te
index d42bf61..16e47bb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,7 +13,10 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
-# su is also permissive to permit setenforce.
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
permissive su;
app_domain(su)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b33035e..e2f1a07 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -14,6 +14,7 @@
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
hal_client_domain(surfaceflinger, hal_configstore)
+hal_client_domain(surfaceflinger, hal_power)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
@@ -46,12 +47,21 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
+set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported2_system_prop)
+set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
+# Allow writing surface traces to /data/misc/wmtrace.
+userdebug_or_eng(`
+ allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
+ allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
+')
+
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
@@ -81,10 +91,9 @@
# allow self to set SCHED_FIFO
-allow surfaceflinger self:capability sys_nice;
+allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, sysfs_type)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
@@ -107,3 +116,6 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger sdcard_type:file rw_file_perms;
+
+# b/68864350
+dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_app.te b/private/system_app.te
index 4741479..eb7e050 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -5,7 +5,6 @@
###
typeattribute system_app coredomain;
-typeattribute system_app domain_deprecated;
app_domain(system_app)
net_domain(system_app)
@@ -32,16 +31,23 @@
allow system_app icon_file:file r_file_perms;
# Write to properties
+set_prop(system_app, bluetooth_a2dp_offload_prop)
set_prop(system_app, bluetooth_prop)
set_prop(system_app, debug_prop)
set_prop(system_app, system_prop)
+set_prop(system_app, exported_bluetooth_prop)
+set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported2_system_prop)
+set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
set_prop(system_app, system_radio_prop)
+set_prop(system_app, exported_system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
auditallow system_app system_radio_prop:property_service set;
+auditallow system_app exported_system_radio_prop:property_service set;
# ctl interface
set_prop(system_app, ctl_default_prop)
@@ -54,12 +60,32 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
+# Allow system apps (like Settings) to interact with statsd
+binder_call(system_app, statsd)
+
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow system_app {
+ service_manager_type
+ -dumpstate_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+# suppress denials for services system_app should not be accessing.
+dontaudit system_app {
+ dumpstate_service
+ installd_service
+ netd_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
allow system_app keystore:keystore_key {
get_state
@@ -81,11 +107,19 @@
user_changed
};
-# /sys access
-r_dir_file(system_app, sysfs_type)
+# settings app reads /proc/version
+allow system_app {
+ proc_version
+}:file r_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
+get_prop(system_app, device_logging_prop)
+
+# allow system apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow system_app system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
###
### Neverallow rules
diff --git a/private/system_server.te b/private/system_server.te
index 40c5382..fa84c32 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -4,7 +4,6 @@
#
typeattribute system_server coredomain;
-typeattribute system_server domain_deprecated;
typeattribute system_server mlstrustedsubject;
# Define a type for tmpfs-backed ashmem regions.
@@ -30,10 +29,6 @@
# ptrace to processes in the same domain for debugging crashes.
allow system_server self:process ptrace;
-# Read and delete last_reboot_reason file
-allow system_server reboot_data_file:file { rename r_file_perms unlink };
-allow system_server reboot_data_file:dir { write search open remove_name };
-
# Child of the zygote.
allow system_server zygote:fd use;
allow system_server zygote:process sigchld;
@@ -41,6 +36,7 @@
# May kill zygote on crashes.
allow system_server zygote:process sigkill;
allow system_server crash_dump:process sigkill;
+allow system_server webview_zygote:process sigkill;
# Read /system/bin/app_process.
allow system_server zygote_exec:file r_file_perms;
@@ -57,7 +53,7 @@
# These are the capabilities assigned by the zygote to the
# system server.
-allow system_server self:capability {
+allow system_server self:global_capability_class_set {
ipc_lock
kill
net_admin
@@ -77,7 +73,7 @@
allow system_server kernel:system module_request;
# Allow alarmtimers to be set
-allow system_server self:capability2 wake_alarm;
+allow system_server self:global_capability2_class_set wake_alarm;
# Create and share netlink_netfilter_sockets for tetheroffload.
allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
@@ -109,13 +105,18 @@
allow system_server audioserver:process { getsched setsched };
allow system_server hal_audio:process { getsched setsched };
allow system_server hal_bluetooth:process { getsched setsched };
+allow system_server mediacodec:process { getsched setsched };
allow system_server cameraserver:process { getsched setsched };
allow system_server hal_camera:process { getsched setsched };
allow system_server mediaserver:process { getsched setsched };
allow system_server bootanim:process { getsched setsched };
-# Allow system_server to write to cameraserver's /proc/<pid>/timerslack_ns
+# Allow system_server to write to /proc/<pid>/timerslack_ns
+allow system_server appdomain:file w_file_perms;
+allow system_server audioserver:file w_file_perms;
+allow system_server mediacodec:file w_file_perms;
allow system_server cameraserver:file w_file_perms;
+allow system_server hal_audio_server:file w_file_perms;
# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
# within system_server to keep track of memory and CPU usage for
@@ -127,26 +128,22 @@
allow system_server qtaguid_proc:file rw_file_perms;
allow system_server qtaguid_device:chr_file rw_file_perms;
-# Read /proc/uid_cputime/show_uid_stat.
-allow system_server proc_uid_cputime_showstat:file r_file_perms;
-
# Write /proc/uid_cputime/remove_uid_range.
allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
# Write /proc/uid_procstat/set.
allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-# Read /proc/uid_time_in_state.
-allow system_server proc_uid_time_in_state:file r_file_perms;
-
# Write to /proc/sysrq-trigger.
allow system_server proc_sysrq:file rw_file_perms;
-# Read /proc/stat for CPU usage statistics
-allow system_server proc_stat:file r_file_perms;
-
# Read /sys/kernel/debug/wakeup_sources.
allow system_server debugfs:file r_file_perms;
+allow system_server debugfs_wakeup_sources:file r_file_perms;
+
+# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
+allow system_server stats_data_file:dir { open read remove_name search write };
+allow system_server stats_data_file:file unlink;
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -162,8 +159,6 @@
unix_socket_connect(system_server, lmkd, lmkd)
unix_socket_connect(system_server, mtpd, mtp)
unix_socket_connect(system_server, netd, netd)
-unix_socket_connect(system_server, vold, vold)
-unix_socket_connect(system_server, webview_zygote, webview_zygote)
unix_socket_connect(system_server, zygote, zygote)
unix_socket_connect(system_server, racoon, racoon)
unix_socket_connect(system_server, uncrypt, uncrypt)
@@ -171,6 +166,9 @@
# Communicate over a socket created by surfaceflinger.
allow system_server surfaceflinger:unix_stream_socket { read write setopt };
+# Communicate over a socket created by webview_zygote.
+allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
+
# Perform Binder IPC.
binder_use(system_server)
binder_call(system_server, appdomain)
@@ -181,22 +179,29 @@
binder_call(system_server, installd)
binder_call(system_server, incidentd)
binder_call(system_server, netd)
+binder_call(system_server, statsd)
+binder_call(system_server, storaged)
+binder_call(system_server, vold)
binder_call(system_server, wificond)
+binder_call(system_server, wpantund)
binder_service(system_server)
# Use HALs
hal_client_domain(system_server, hal_allocator)
+hal_client_domain(system_server, hal_authsecret)
hal_client_domain(system_server, hal_broadcastradio)
hal_client_domain(system_server, hal_configstore)
hal_client_domain(system_server, hal_contexthub)
hal_client_domain(system_server, hal_fingerprint)
hal_client_domain(system_server, hal_gnss)
hal_client_domain(system_server, hal_graphics_allocator)
+hal_client_domain(system_server, hal_health)
hal_client_domain(system_server, hal_ir)
hal_client_domain(system_server, hal_light)
hal_client_domain(system_server, hal_memtrack)
hal_client_domain(system_server, hal_neuralnetworks)
hal_client_domain(system_server, hal_oemlock)
+allow system_server hal_codec2_hwservice:hwservice_manager find;
allow system_server hal_omx_hwservice:hwservice_manager find;
allow system_server hidl_token_hwservice:hwservice_manager find;
hal_client_domain(system_server, hal_power)
@@ -206,10 +211,12 @@
hal_client_domain(system_server, hal_tv_cec)
hal_client_domain(system_server, hal_tv_input)
hal_client_domain(system_server, hal_usb)
+hal_client_domain(system_server, hal_usb_gadget)
hal_client_domain(system_server, hal_vibrator)
hal_client_domain(system_server, hal_vr)
hal_client_domain(system_server, hal_weaver)
hal_client_domain(system_server, hal_wifi)
+hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_offload)
hal_client_domain(system_server, hal_wifi_supplicant)
@@ -245,6 +252,7 @@
mediaserver
mediametrics
sdcardd
+ statsd
surfaceflinger
# This list comes from HAL_INTERFACES_OF_INTEREST in
@@ -275,11 +283,22 @@
# Check SELinux permissions.
selinux_check_access(system_server)
-# XXX Label sysfs files with a specific type?
-allow system_server sysfs:file rw_file_perms;
+allow system_server sysfs_type:dir search;
+
+r_dir_file(system_server, sysfs_android_usb)
+allow system_server sysfs_android_usb:file w_file_perms;
+
+r_dir_file(system_server, sysfs_ipv4)
+allow system_server sysfs_ipv4:file w_file_perms;
+
+r_dir_file(system_server, sysfs_rtc)
+r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
+
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_devices_system_cpu:file w_file_perms;
allow system_server sysfs_mac_address:file r_file_perms;
+allow system_server sysfs_power:dir search;
+allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
@@ -325,10 +344,9 @@
allow system_server apk_tmp_file:dir create_dir_perms;
allow system_server apk_tmp_file:file create_file_perms;
-# Access /vendor/app
+# Access /vendor/{app,framework,overlay}
r_dir_file(system_server, vendor_app_file)
-
-# Access /vendor/app
+r_dir_file(system_server, vendor_framework_file)
r_dir_file(system_server, vendor_overlay_file)
# Manage /data/app-private.
@@ -356,15 +374,27 @@
#
# Allow system_server to connect and write to the tombstoned java trace socket in
# order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture.
+# dumpstate during bugreport capture and incidentd during incident collection.
unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
allow system_server tombstoned:fd use;
allow system_server dumpstate:fifo_file append;
+allow system_server incidentd:fifo_file append;
# Read /data/misc/incidents - only read. The fd will be sent over binder,
# with no DAC access to it, for dropbox to read.
allow system_server incident_data_file:file read;
+# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
+# binder.
+allow system_server perfetto_traces_data_file:file read;
+allow system_server perfetto:fd use;
+
+# Allow dropbox to read /data/misc/perfprofd. Only the fd is sent over binder.
+userdebug_or_eng(`
+ allow system_server perfprofd_data_file:file read;
+ allow system_server perfprofd:fd use;
+')
+
# Manage /data/backup.
allow system_server backup_data_file:dir create_dir_perms;
allow system_server backup_data_file:file create_file_perms;
@@ -377,6 +407,10 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
+# Manage /data/misc/network_watchlist
+allow system_server network_watchlist_data_file:dir create_dir_perms;
+allow system_server network_watchlist_data_file:file create_file_perms;
+
# Manage /data/misc/sms.
# TODO: Split into a separate type?
allow system_server radio_data_file:dir create_dir_perms;
@@ -460,17 +494,25 @@
# Property Service write
set_prop(system_server, system_prop)
+set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported2_system_prop)
+set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, dhcp_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
set_prop(system_server, system_radio_prop)
+set_prop(system_server, exported_system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
+set_prop(system_server, exported_overlay_prop)
+set_prop(system_server, pm_prop)
+set_prop(system_server, exported_pm_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -480,6 +522,11 @@
# cppreopt property
set_prop(system_server, cppreopt_prop)
+# BootReceiver to read ro.boot.bootreason
+get_prop(system_server, bootloader_boot_reason_prop)
+# PowerManager to read persist.sys.boot.reason
+get_prop(system_server, last_boot_reason_prop)
+
# Collect metrics on boot time created by init
get_prop(system_server, boottime_prop)
@@ -489,6 +536,10 @@
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
+# Audio service in system server can read exported audio properties,
+# such as camera shutter enforcement
+get_prop(system_server, exported_audio_prop)
+
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -571,9 +622,14 @@
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
+allow system_server stats_service:service_manager find;
+allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
+allow system_server vold_service:service_manager find;
allow system_server wificond_service:service_manager find;
+add_service(system_server, batteryproperties_service)
+
allow system_server keystore:keystore_key {
get_state
get
@@ -632,6 +688,10 @@
# Allow system server to read dmesg
allow system_server kernel:system syslog_read;
+
+ # Allow writing and removing window traces in /data/misc/wmtrace.
+ allow system_server wm_trace_data_file:dir rw_dir_perms;
+ allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
@@ -642,7 +702,7 @@
# For configuring sdcardfs
allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open unlink write };
+allow system_server configfs:file { getattr open create unlink write };
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
@@ -671,18 +731,27 @@
r_dir_file(system_server, cgroup)
allow system_server ion_device:chr_file r_file_perms;
-r_dir_file(system_server, proc)
-r_dir_file(system_server, proc_meminfo)
+r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net)
-r_dir_file(system_server, rootfs)
-r_dir_file(system_server, sysfs_type)
+r_dir_file(system_server, proc_qtaguid_stat)
+allow system_server {
+ proc_loadavg
+ proc_meminfo
+ proc_pagetypeinfo
+ proc_pipe_conf
+ proc_stat
+ proc_uid_cputime_showstat
+ proc_uid_time_in_state
+ proc_uid_concurrent_active_time
+ proc_uid_concurrent_policy_time
+ proc_version
+ proc_vmallocinfo
+}:file r_file_perms;
-### Rules needed when Light HAL runs inside system_server process.
-### These rules should eventually be granted only when needed.
-allow system_server sysfs_leds:lnk_file read;
-allow system_server sysfs_leds:file rw_file_perms;
-allow system_server sysfs_leds:dir r_dir_perms;
-###
+allow system_server proc_uid_time_in_state:dir r_dir_perms;
+allow system_server proc_uid_cpupower:file r_file_perms;
+
+r_dir_file(system_server, rootfs)
# Allow WifiService to start, stop, and read wifi-specific trace events.
allow system_server debugfs_tracing_instances:dir search;
@@ -697,6 +766,38 @@
allow system_server zygote_exec:file rx_file_perms;
')
+# allow system_server to read the eBPF maps that stores the traffic stats information amd clean up
+# the map after snapshot is recorded
+allow system_server fs_bpf:dir search;
+allow system_server fs_bpf:file read;
+allow system_server netd:bpf map_read;
+
+# ART Profiles.
+# Allow system_server to open profile snapshots for read.
+# System server never reads the actual content. It passes the descriptor to
+# to privileged apps which acquire the permissions to inspect the profiles.
+allow system_server user_profile_data_file:dir { getattr search };
+allow system_server user_profile_data_file:file { getattr open read };
+
+# System server may dump profile data for debuggable apps in the /data/misc/profman.
+# As such it needs to be able create files but it should never read from them.
+allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
+allow system_server profman_dump_data_file:dir w_dir_perms;
+
+# On userdebug build we may profile system server. Allow it to write and create its own profile.
+userdebug_or_eng(`
+ allow system_server user_profile_data_file:file create_file_perms;
+')
+
+userdebug_or_eng(`
+ # Allow system server to notify mediaextractor of the plugin update.
+ allow system_server mediaextractor_update_service:service_manager find;
+')
+
+# UsbDeviceManager uses /dev/usb-ffs
+allow system_server functionfs:dir search;
+allow system_server functionfs:file rw_file_perms;
+
###
### Neverallow rules
###
@@ -740,11 +841,8 @@
neverallow system_server dex2oat_exec:file no_x_file_perms;
# system_server should never execute or load executable shared libraries
-# in /data except for /data/dalvik-cache files.
-neverallow system_server {
- data_file_type
- -dalvikcache_data_file #mapping with PROT_EXEC
-}:file no_x_file_perms;
+# in /data
+neverallow system_server data_file_type:file no_x_file_perms;
# The only block device system_server should be accessing is
# the frp_block_device. This helps avoid a system_server to root
@@ -767,5 +865,4 @@
# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
# file read access. However, that is now unnecessary (b/34951864)
-# This neverallow can be removed after b/34951864 is fixed.
-neverallow system_server system_server:capability sys_resource;
+neverallow system_server system_server:global_capability_class_set sys_resource;
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 974f328..7f9d315 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -31,3 +31,8 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute hal_camera hal_allocator_client;
(typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
diff --git a/private/traced.te b/private/traced.te
new file mode 100644
index 0000000..49edc51
--- /dev/null
+++ b/private/traced.te
@@ -0,0 +1,60 @@
+# Perfetto user-space tracing daemon (unprivileged)
+type traced, domain, coredomain, mlstrustedsubject;
+type traced_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced)
+
+# Allow apps in other MLS contexts (for multi-user) to access
+# share memory buffers created by traced.
+typeattribute traced_tmpfs mlstrustedobject;
+
+# Allow traced to start with a lower scheduling class and change
+# class accordingly to what defined in the config provided by
+# the privileged process that controls it.
+allow traced self:global_capability_class_set { sys_nice };
+
+# Allow to pass a file descriptor for the output trace from "perfetto" (the
+# cmdline client) and other shell binaries to traced and let traced write
+# directly into that (rather than returning the trace contents over the socket).
+allow traced perfetto:fd use;
+allow traced shell:fd use;
+allow traced perfetto_traces_data_file:file { read write };
+
+###
+### Neverallow rules
+###
+### traced should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced self:process execmem;
+
+# Block device access.
+neverallow traced dev_type:blk_file { read write };
+
+# ptrace any other process
+neverallow traced domain:process ptrace;
+
+# Disallows access to /data files, still allowing to write to file descriptors
+# passed through the socket.
+neverallow traced {
+ data_file_type
+ -system_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced { system_data_file }:dir ~{ getattr search };
+neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced {
+ data_file_type
+ -zoneinfo_data_file
+ -perfetto_traces_data_file
+}:file ~write;
+
+# Only init is allowed to enter the traced domain via exec()
+neverallow { domain -init } traced:process transition;
+neverallow * traced:process dyntransition;
diff --git a/private/traced_probes.te b/private/traced_probes.te
new file mode 100644
index 0000000..5d80f7e
--- /dev/null
+++ b/private/traced_probes.te
@@ -0,0 +1,99 @@
+# Perfetto tracing probes, has tracefs access.
+type traced_probes_exec, exec_type, file_type;
+
+# Allow init to exec the daemon.
+init_daemon_domain(traced_probes)
+
+# Write trace data to the Perfetto traced damon. This requires connecting to its
+# producer socket and obtaining a (per-process) tmpfs fd.
+allow traced_probes traced:fd use;
+allow traced_probes traced_tmpfs:file { read write getattr map };
+unix_socket_connect(traced_probes, traced_producer, traced)
+
+# Allow traced_probes to access tracefs.
+allow traced_probes debugfs_tracing:dir r_dir_perms;
+allow traced_probes debugfs_tracing:file rw_file_perms;
+allow traced_probes debugfs_trace_marker:file getattr;
+
+# TODO(primiano): temporarily I/O tracing categories are still
+# userdebug only until we nail down the blacklist/whitelist.
+userdebug_or_eng(`
+allow traced_probes debugfs_tracing_debug:file rw_file_perms;
+')
+
+# Allow traced_probes to start with a higher scheduling class and then downgrade
+# itself.
+allow traced_probes self:global_capability_class_set { sys_nice };
+
+# Allow procfs access
+r_dir_file(traced_probes, domain)
+
+# Allow to log to kernel dmesg when starting / stopping ftrace.
+allow traced_probes kmsg_device:chr_file write;
+
+# Allow traced_probes to list the system partition.
+allow traced_probes system_file:dir { open read };
+
+# Allow traced_probes to list some of the data partition.
+allow traced_probes self:capability dac_read_search;
+
+allow traced_probes apk_data_file:dir { getattr open read search };
+allow traced_probes dalvikcache_data_file:dir { getattr open read search };
+userdebug_or_eng(`
+allow traced_probes system_data_file:dir { getattr open read search };
+')
+allow traced_probes system_app_data_file:dir { getattr open read search };
+allow traced_probes backup_data_file:dir { getattr open read search };
+allow traced_probes bootstat_data_file:dir { getattr open read search };
+allow traced_probes update_engine_data_file:dir { getattr open read search };
+allow traced_probes update_engine_log_data_file:dir { getattr open read search };
+allow traced_probes user_profile_data_file:dir { getattr open read search };
+
+# Allow traced_probes to run atrace. atrace pokes at system services to enable
+# their userspace TRACE macros.
+domain_auto_trans(traced_probes, atrace_exec, atrace);
+
+# This is needed for: path="/system/bin/linker64"
+# scontext=u:r:atrace:s0 tcontext=u:r:traced_probes:s0 tclass=fd
+allow atrace traced_probes:fd use;
+
+###
+### Neverallow rules
+###
+### traced_probes should NEVER do any of this
+
+# Disallow mapping executable memory (execstack and exec are already disallowed
+# globally in domain.te).
+neverallow traced_probes self:process execmem;
+
+# Block device access.
+neverallow traced_probes dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow traced_probes domain:process ptrace;
+
+# Disallows access to /data files.
+neverallow traced_probes {
+ data_file_type
+ -apk_data_file
+ -dalvikcache_data_file
+ -system_data_file
+ -system_app_data_file
+ -backup_data_file
+ -bootstat_data_file
+ -update_engine_data_file
+ -update_engine_log_data_file
+ -user_profile_data_file
+ # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
+ # subsequent neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ -zoneinfo_data_file
+}:dir *;
+neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
+neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
+neverallow traced_probes { data_file_type -zoneinfo_data_file }:file *;
+
+# Only init is allowed to enter the traced_probes domain via exec()
+neverallow { domain -init } traced_probes:process transition;
+neverallow * traced_probes:process dyntransition;
diff --git a/private/traceur_app.te b/private/traceur_app.te
new file mode 100644
index 0000000..a3c435c
--- /dev/null
+++ b/private/traceur_app.te
@@ -0,0 +1,15 @@
+typeattribute traceur_app coredomain;
+
+app_domain(traceur_app);
+allow traceur_app debugfs_tracing:file rw_file_perms;
+allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
+
+userdebug_or_eng(`
+ allow traceur_app debugfs_tracing_debug:file rw_file_perms;
+')
+
+allow traceur_app trace_data_file:file create_file_perms;
+allow traceur_app trace_data_file:dir rw_dir_perms;
+allow traceur_app atrace_exec:file rx_file_perms;
+
+dontaudit traceur_app debugfs_tracing_debug:file audit_access;
diff --git a/private/ueventd.te b/private/ueventd.te
index 0df587f..1bd6773 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,4 +1,3 @@
typeattribute ueventd coredomain;
-typeattribute ueventd domain_deprecated;
tmpfs_domain(ueventd)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index fde686b..e4e9224 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,4 +1,3 @@
typeattribute uncrypt coredomain;
-typeattribute uncrypt domain_deprecated;
init_daemon_domain(uncrypt)
diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 93a73f1..c15fa22 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -23,15 +23,3 @@
untrusted_app_domain(untrusted_app)
net_domain(untrusted_app)
bluetooth_domain(untrusted_app)
-
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app)
-
-neverallow untrusted_app system_server:udp_socket {
- accept append bind create getopt ioctl listen lock name_bind
- relabelfrom relabelto setattr setopt shutdown };
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 3fa79ef..ba2c1e1 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -26,10 +26,6 @@
net_domain(untrusted_app_25)
bluetooth_domain(untrusted_app_25)
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_25)
-
# b/34115651 - net.dns* properties read
# This will go away in a future Android release
get_prop(untrusted_app_25, net_dns_prop)
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
new file mode 100644
index 0000000..79c7762
--- /dev/null
+++ b/private/untrusted_app_27.te
@@ -0,0 +1,28 @@
+###
+### Untrusted_27.
+###
+### This file defines the rules for untrusted apps running with
+### 25 < targetSdkVersion <= 27.
+###
+### This file defines the rules for untrusted apps.
+### Apps are labeled based on mac_permissions.xml (maps signer and
+### optionally package name to seinfo value) and seapp_contexts (maps UID
+### and optionally seinfo value to domain for process and type for data
+### directory). The untrusted_app_27 domain is the default assignment in
+### seapp_contexts for any app with UID between APP_AID (10000)
+### and AID_ISOLATED_START (99000) if the app has no specific seinfo
+### value as determined from mac_permissions.xml. In current AOSP, this
+### domain is assigned to all non-system apps as well as to any system apps
+### that are not signed by the platform key. To move
+### a system app into a specific domain, add a signer entry for it to
+### mac_permissions.xml and assign it one of the pre-existing seinfo values
+### or define and use a new seinfo value in both mac_permissions.xml and
+### seapp_contexts.
+###
+
+typeattribute untrusted_app_27 coredomain;
+
+app_domain(untrusted_app_27)
+untrusted_app_domain(untrusted_app_27)
+net_domain(untrusted_app_27)
+bluetooth_domain(untrusted_app_27)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index cce589e..6cf1668 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -41,6 +41,15 @@
allow untrusted_app_all shell_data_file:file r_file_perms;
allow untrusted_app_all shell_data_file:dir r_dir_perms;
+# Allow traceur to pass file descriptors through a content provider to untrusted apps
+# for the purpose of sharing files through e.g. gmail
+allow untrusted_app_all trace_data_file:file { getattr read };
+
+# untrusted apps should not be able to open trace data files, they should depend
+# upon traceur to pass a file descriptor
+neverallow untrusted_app_all trace_data_file:dir *;
+neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
+
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
@@ -75,7 +84,6 @@
allow untrusted_app_all mediadrmserver_service:service_manager find;
allow untrusted_app_all nfc_service:service_manager find;
allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
@@ -106,3 +114,27 @@
allow untrusted_app_all vendor_app_file:dir { open getattr read search };
allow untrusted_app_all vendor_app_file:file { open getattr read execute };
allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_app_all traced:fd use;
+allow untrusted_app_all traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_app_all, traced_producer, traced)
+
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app_all system_server:udp_socket {
+ connect getattr read recvfrom sendto write getopt setopt };
+
+# Allow the allocation and use of ptys
+# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
+create_pty(untrusted_app_all)
+
+# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
+dontaudit untrusted_app_all net_dns_prop:file read;
+
+# These have been disallowed since Android O.
+# For P, we assume that apps are safely handling the denial.
+dontaudit untrusted_app_all proc_stat:file read;
+dontaudit untrusted_app_all proc_vmstat:file read;
+dontaudit untrusted_app_all proc_uptime:file read;
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index 7ed3881..8f4bceb 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -34,9 +34,14 @@
allow untrusted_v2_app mediadrmserver_service:service_manager find;
allow untrusted_v2_app nfc_service:service_manager find;
allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
# TODO: potentially provide a tighter list of services here
allow untrusted_v2_app app_api_service:service_manager find;
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_v2_app self:process ptrace;
+
+# Write app-specific trace data to the Perfetto traced damon. This requires
+# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
+allow untrusted_v2_app traced:fd use;
+allow untrusted_v2_app traced_tmpfs:file { read write getattr map };
+unix_socket_connect(untrusted_v2_app, traced_producer, traced)
diff --git a/private/update_engine.te b/private/update_engine.te
index f460272..5af7db6 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -1,4 +1,3 @@
typeattribute update_engine coredomain;
-typeattribute update_engine domain_deprecated;
init_daemon_domain(update_engine);
diff --git a/private/usbd.te b/private/usbd.te
new file mode 100644
index 0000000..13a0ad7
--- /dev/null
+++ b/private/usbd.te
@@ -0,0 +1,12 @@
+typeattribute usbd coredomain;
+
+init_daemon_domain(usbd)
+
+# Access usb gadget hal
+hal_client_domain(usbd, hal_usb_gadget)
+
+# Access persist.sys.usb.config
+get_prop(usbd, system_prop)
+
+# start adbd during boot if adb is enabled
+set_prop(usbd, ctl_default_prop)
diff --git a/private/vendor_init.te b/private/vendor_init.te
new file mode 100644
index 0000000..50efc22
--- /dev/null
+++ b/private/vendor_init.te
@@ -0,0 +1,4 @@
+# Creating files on sysfs is impossible so this isn't a threat
+# Sometimes we have to write to non-existent files to avoid conditional
+# init behavior. See b/35303861 for an example.
+dontaudit vendor_init sysfs:dir write;
diff --git a/private/vold.te b/private/vold.te
index f2416f8..a6d1001 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -1,5 +1,4 @@
typeattribute vold coredomain;
-typeattribute vold domain_deprecated;
init_daemon_domain(vold)
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
new file mode 100644
index 0000000..0a11558
--- /dev/null
+++ b/private/vold_prepare_subdirs.te
@@ -0,0 +1,26 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override fowner };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+ system_data_file
+ vendor_data_file
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
+ storaged_data_file
+ vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
+ storaged_data_file
+ system_data_file
+ vold_data_file
+}:file { getattr unlink };
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
new file mode 100644
index 0000000..8b8dd29
--- /dev/null
+++ b/private/wait_for_keymaster.te
@@ -0,0 +1,9 @@
+# wait_for_keymaster service
+type wait_for_keymaster, domain, coredomain;
+type wait_for_keymaster_exec, exec_type, file_type;
+
+init_daemon_domain(wait_for_keymaster)
+
+hal_client_domain(wait_for_keymaster, hal_keymaster)
+
+allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3c5403b..55b268a 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -6,9 +6,9 @@
# The webview_zygote needs to be able to transition domains.
typeattribute webview_zygote mlstrustedsubject;
-# When init launches the WebView zygote's executable, transition the
-# resulting process into webview_zygote domain.
-init_daemon_domain(webview_zygote)
+# Allow access to temporary files, which is normally permitted through
+# a domain macro.
+tmpfs_domain(webview_zygote);
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
@@ -20,9 +20,9 @@
allow webview_zygote shared_relro_file:file r_file_perms;
# Set the UID/GID of the process.
-allow webview_zygote self:capability { setgid setuid };
+allow webview_zygote self:global_capability_class_set { setgid setuid };
# Drop capabilities from bounding set.
-allow webview_zygote self:capability setpcap;
+allow webview_zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow webview_zygote self:process setcurrent;
allow webview_zygote isolated_app:process dyntransition;
@@ -47,6 +47,10 @@
# Suppress denials to storage. Webview zygote should not be accessing.
dontaudit webview_zygote mnt_expand_file:dir getattr;
+# TODO (b/72957399) remove this when webview_zygote is reparented to
+# app_process zygote
+dontaudit webview_zygote dex2oat_exec:file execute;
+
# Get seapp_contexts
allow webview_zygote seapp_contexts_file:file r_file_perms;
# Check validity of SELinux context before use.
@@ -54,6 +58,18 @@
# Check SELinux permissions.
selinux_check_access(webview_zygote)
+# Directory listing in /system.
+allow webview_zygote system_file:dir r_dir_perms;
+
+# Read system properties managed by zygote.
+allow webview_zygote zygote_tmpfs:file read;
+# Child of zygote.
+allow webview_zygote zygote:fd use;
+allow webview_zygote zygote:process sigchld;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(webview_zygote, vendor_overlay_file)
+
#####
##### Neverallow
#####
@@ -68,9 +84,9 @@
# Having said that, exec() above is not allowed.
neverallow webview_zygote *:file execute_no_trans;
-# The only way to enter this domain is for init to exec() us.
-neverallow { domain -init } webview_zygote:process transition;
-neverallow * webview_zygote:process dyntransition;
+# The only way to enter this domain is for the zygote to fork a new
+# webview_zygote child.
+neverallow { domain -zygote } webview_zygote:process dyntransition;
# Disallow write access to properties.
neverallow webview_zygote property_socket:sock_file write;
@@ -117,4 +133,8 @@
# Do not allow access to Bluetooth-related system properties.
# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote bluetooth_prop:file create_file_perms;
+neverallow webview_zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/private/wpantund.te b/private/wpantund.te
new file mode 100644
index 0000000..e91662c
--- /dev/null
+++ b/private/wpantund.te
@@ -0,0 +1,3 @@
+typeattribute wpantund coredomain;
+
+init_daemon_domain(wpantund)
diff --git a/private/zygote.te b/private/zygote.te
index daabbc0..2dcbdf1 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -1,6 +1,5 @@
# zygote
typeattribute zygote coredomain;
-typeattribute zygote domain_deprecated;
typeattribute zygote mlstrustedsubject;
init_daemon_domain(zygote)
@@ -8,15 +7,16 @@
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
-allow zygote self:capability { dac_override setgid setuid fowner chown };
+allow zygote self:global_capability_class_set { dac_override setgid setuid fowner chown };
# Drop capabilities from bounding set.
-allow zygote self:capability setpcap;
+allow zygote self:global_capability_class_set setpcap;
# Switch SELinux context to app domains.
allow zygote self:process setcurrent;
allow zygote system_server:process dyntransition;
allow zygote appdomain:process dyntransition;
+allow zygote webview_zygote:process dyntransition;
# Allow zygote to read app /proc/pid dirs (b/10455872).
allow zygote appdomain:dir { getattr search };
@@ -25,6 +25,7 @@
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
+allow zygote webview_zygote:process { getpgid setpgid };
# Read system data.
allow zygote system_data_file:dir r_dir_perms;
@@ -57,7 +58,7 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote self:capability sys_admin;
+allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
# be able to inspect them so that it can reopen them on fork
@@ -111,6 +112,7 @@
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
+get_prop(zygote, exported_overlay_prop)
###
### neverallow rules
@@ -121,8 +123,8 @@
# written on appdomain are applied to all app processes.
# This is achieved by ensuring that it is impossible for zygote to
# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server.
-neverallow zygote ~{ appdomain system_server }:process dyntransition;
+# with appdomain plus system_server and webview_zygote.
+neverallow zygote ~{ appdomain system_server webview_zygote }:process dyntransition;
# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
@@ -131,4 +133,8 @@
}:file no_x_file_perms;
# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote bluetooth_prop:file create_file_perms;
+neverallow zygote {
+ bluetooth_a2dp_offload_prop
+ bluetooth_prop
+ exported_bluetooth_prop
+}:file create_file_perms;
diff --git a/public/app.te b/public/app.te
new file mode 100644
index 0000000..439c1f8
--- /dev/null
+++ b/public/app.te
@@ -0,0 +1,572 @@
+###
+### Domain for all zygote spawned apps
+###
+### This file is the base policy for all zygote spawned apps.
+### Other policy files, such as isolated_app.te, untrusted_app.te, etc
+### extend from this policy. Only policies which should apply to ALL
+### zygote spawned apps should be added here.
+###
+
+# WebView and other application-specific JIT compilers
+allow appdomain self:process execmem;
+
+allow appdomain ashmem_device:chr_file execute;
+
+# Receive and use open file descriptors inherited from zygote.
+allow appdomain zygote:fd use;
+
+# gdbserver for ndk-gdb reads the zygote.
+# valgrind needs mmap exec for zygote
+allow appdomain zygote_exec:file rx_file_perms;
+
+# Notify zygote of death;
+allow appdomain zygote:process sigchld;
+
+# Place process into foreground / background
+allow appdomain cgroup:dir { search write };
+allow appdomain cgroup:file rw_file_perms;
+
+# Read /data/dalvik-cache.
+allow appdomain dalvikcache_data_file:dir { search getattr };
+allow appdomain dalvikcache_data_file:file r_file_perms;
+
+# Read the /sdcard and /mnt/sdcard symlinks
+allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
+allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
+
+# Search /storage/emulated tmpfs mount.
+allow appdomain tmpfs:dir r_dir_perms;
+
+# Notify zygote of the wrapped process PID when using --invoke-with.
+allow appdomain zygote:fifo_file write;
+
+userdebug_or_eng(`
+ # Allow apps to create and write method traces in /data/misc/trace.
+ allow appdomain method_trace_data_file:dir w_dir_perms;
+ allow appdomain method_trace_data_file:file { create w_file_perms };
+')
+
+# Notify shell and adbd of death when spawned via runas for ndk-gdb.
+allow appdomain shell:process sigchld;
+allow appdomain adbd:process sigchld;
+
+# child shell or gdbserver pty access for runas.
+allow appdomain devpts:chr_file { getattr read write ioctl };
+
+# Use pipes and sockets provided by system_server via binder or local socket.
+allow appdomain system_server:fd use;
+allow appdomain system_server:fifo_file rw_file_perms;
+allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
+allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+
+# Communication with other apps via fifos
+allow appdomain appdomain:fifo_file rw_file_perms;
+
+# Communicate with surfaceflinger.
+allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
+
+# App sandbox file accesses.
+allow { appdomain -isolated_app } app_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app } app_data_file:notdevfile_class_set create_file_perms;
+
+# Traverse into expanded storage
+allow appdomain mnt_expand_file:dir r_dir_perms;
+
+# Keychain and user-trusted credentials
+r_dir_file(appdomain, keychain_data_file)
+allow appdomain misc_user_data_file:dir r_dir_perms;
+allow appdomain misc_user_data_file:file r_file_perms;
+
+# TextClassifier
+r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
+
+# Access to OEM provided data and apps
+allow appdomain oemfs:dir r_dir_perms;
+allow appdomain oemfs:file rx_file_perms;
+
+# Execute the shell or other system executables.
+allow { appdomain -ephemeral_app -untrusted_v2_app } shell_exec:file rx_file_perms;
+allow { appdomain -ephemeral_app -untrusted_v2_app } toolbox_exec:file rx_file_perms;
+allow { appdomain -untrusted_v2_app } system_file:file x_file_perms;
+not_full_treble(`allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_file:file x_file_perms;')
+
+# Renderscript needs the ability to read directories on /system
+allow appdomain system_file:dir r_dir_perms;
+allow appdomain system_file:lnk_file { getattr open read };
+# Renderscript specific permissions to open /system/vendor/lib64.
+not_full_treble(`
+ allow appdomain vendor_file_type:dir r_dir_perms;
+ allow appdomain vendor_file_type:lnk_file { getattr open read };
+')
+
+full_treble_only(`
+ # For looking up Renderscript vendor drivers
+ allow { appdomain -isolated_app } vendor_file:dir { open read };
+')
+
+# Allow apps access to /vendor/app except for privileged
+# apps which cannot be in /vendor.
+r_dir_file({ appdomain -ephemeral_app -untrusted_v2_app }, vendor_app_file)
+allow { appdomain -ephemeral_app -untrusted_v2_app } vendor_app_file:file execute;
+
+# Allow apps access to /vendor/overlay
+r_dir_file(appdomain, vendor_overlay_file)
+
+# Allow apps access to /vendor/framework
+# for vendor provided libraries.
+r_dir_file(appdomain, vendor_framework_file)
+
+# Execute dex2oat when apps call dexclassloader
+allow appdomain dex2oat_exec:file rx_file_perms;
+
+# Read/write wallpaper file (opened by system).
+allow appdomain wallpaper_file:file { getattr read write };
+
+# Read/write cached ringtones (opened by system).
+allow appdomain ringtone_file:file { getattr read write };
+
+# Read ShortcutManager icon files (opened by system).
+allow appdomain shortcut_manager_icons:file { getattr read };
+
+# Read icon file (opened by system).
+allow appdomain icon_file:file { getattr read };
+
+# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
+#
+# TODO: All of these permissions except for anr_data_file:file append can be
+# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
+# and the rules below.
+allow appdomain anr_data_file:dir search;
+allow appdomain anr_data_file:file { open append };
+
+# New stack dumping scheme : request an output FD from tombstoned via a unix
+# domain socket.
+#
+# Allow apps to connect and write to the tombstoned java trace socket in
+# order to dump their traces. Also allow them to append traces to pipes
+# created by dumptrace. (Also see the rules below where they are given
+# additional permissions to dumpstate pipes for other aspects of bug report
+# creation).
+unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
+allow appdomain tombstoned:fd use;
+allow appdomain dumpstate:fifo_file append;
+allow appdomain incidentd:fifo_file append;
+
+# Allow apps to send dump information to dumpstate
+allow appdomain dumpstate:fd use;
+allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
+allow appdomain dumpstate:fifo_file { write getattr };
+allow appdomain shell_data_file:file { write getattr };
+
+# Allow apps to send dump information to incidentd
+allow appdomain incidentd:fd use;
+allow appdomain incidentd:fifo_file { write getattr };
+
+# Write profiles /data/misc/profiles
+allow appdomain user_profile_data_file:dir { search write add_name };
+allow appdomain user_profile_data_file:file create_file_perms;
+
+# Send heap dumps to system_server via an already open file descriptor
+# % adb shell am set-watch-heap com.android.systemui 1048576
+# % adb shell dumpsys procstats --start-testing
+# debuggable builds only.
+userdebug_or_eng(`
+ allow appdomain heapdump_data_file:file append;
+')
+
+# Write to /proc/net/xt_qtaguid/ctrl file.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_proc:file rw_file_perms;
+r_dir_file({ appdomain -ephemeral_app -isolated_app }, proc_net)
+# read /proc/net/xt_qtguid/*stat* to per-app network data usage.
+# Exclude isolated app which may not use network sockets.
+r_dir_file({
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+}, proc_qtaguid_stat)
+# Everybody can read the xt_qtaguid resource tracking misc dev.
+# So allow all apps to read from /dev/xt_qtaguid.
+allow {
+ untrusted_app_25
+ untrusted_app_27
+ priv_app
+ system_app
+ platform_app
+ shell
+} qtaguid_device:chr_file r_file_perms;
+
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+
+# Use the Binder.
+binder_use(appdomain)
+# Perform binder IPC to binder services.
+binder_call(appdomain, binderservicedomain)
+# Perform binder IPC to other apps.
+binder_call(appdomain, appdomain)
+# Perform binder IPC to ephemeral apps.
+binder_call(appdomain, ephemeral_app)
+
+# TODO(b/36375899): Replace this with hal_client_domain once mediacodec is properly attributized
+# as OMX HAL
+hwbinder_use({ appdomain -isolated_app })
+allow { appdomain -isolated_app } hal_codec2_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hal_omx_hwservice:hwservice_manager find;
+allow { appdomain -isolated_app } hidl_token_hwservice:hwservice_manager find;
+
+# Talk with graphics composer fences
+allow appdomain hal_graphics_composer:fd use;
+
+# Already connected, unnamed sockets being passed over some other IPC
+# hence no sock_file or connectto permission. This appears to be how
+# Chrome works, may need to be updated as more apps using isolated services
+# are examined.
+allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
+
+# Backup ability for every app. BMS opens and passes the fd
+# to any app that has backup ability. Hence, no open permissions here.
+allow appdomain backup_data_file:file { read write getattr };
+allow appdomain cache_backup_file:file { read write getattr };
+allow appdomain cache_backup_file:dir getattr;
+# Backup ability using 'adb backup'
+allow appdomain system_data_file:lnk_file r_file_perms;
+allow appdomain system_data_file:file { getattr read };
+
+# Allow read/stat of /data/media files passed by Binder or local socket IPC.
+allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
+
+# Read and write /data/data/com.android.providers.telephony files passed over Binder.
+allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
+
+# Allow access to external storage; we have several visible mount points under /storage
+# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
+allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
+
+# Read/write visible storage
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+# This should be removed if sdcardfs is modified to alter the secontext for its
+# accesses to the underlying FS.
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
+
+# Allow apps to use the USB Accessory interface.
+# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
+#
+# USB devices are first opened by the system server (USBDeviceManagerService)
+# and the file descriptor is passed to the right Activity via binder.
+allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
+allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
+
+# For art.
+allow appdomain dalvikcache_data_file:file execute;
+allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
+
+# Allow any app to read shared RELRO files.
+allow appdomain shared_relro_file:dir search;
+allow appdomain shared_relro_file:file r_file_perms;
+
+# Allow apps to read/execute installed binaries
+allow appdomain apk_data_file:dir r_dir_perms;
+allow appdomain apk_data_file:file rx_file_perms;
+
+# /data/resource-cache
+allow appdomain resourcecache_data_file:file r_file_perms;
+allow appdomain resourcecache_data_file:dir r_dir_perms;
+
+# logd access
+read_logd(appdomain)
+control_logd({ appdomain -ephemeral_app untrusted_v2_app })
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
+allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
+
+use_keystore({ appdomain -isolated_app -ephemeral_app })
+
+allow appdomain console_device:chr_file { read write };
+
+# only allow unprivileged socket ioctl commands
+allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
+ ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
+
+allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# TODO is write really necessary ?
+auditallow { appdomain userdebug_or_eng(`-su') } ion_device:chr_file { write append };
+
+# TODO(b/36375899) replace with hal_client_domain for mediacodec (hal_omx)
+get_prop({ appdomain -isolated_app }, hwservicemanager_prop);
+
+# Allow app access to mediacodec (IOMX HAL)
+binder_call({ appdomain -isolated_app }, mediacodec)
+
+# Allow AAudio apps to use shared memory file descriptors from the HAL
+allow { appdomain -isolated_app } hal_audio:fd use;
+
+# Allow app to access shared memory created by camera HAL1
+allow { appdomain -isolated_app } hal_camera:fd use;
+
+# RenderScript always-passthrough HAL
+allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
+
+# TODO: switch to meminfo service
+allow appdomain proc_meminfo:file r_file_perms;
+
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
+pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
+# Apps do not directly open the IPC socket for bufferhubd.
+pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
+
+###
+### CTS-specific rules
+###
+
+# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
+# testRunAsHasCorrectCapabilities
+allow appdomain runas_exec:file getattr;
+# Others are either allowed elsewhere or not desired.
+
+# Apps receive an open tun fd from the framework for
+# device traffic. Do not allow untrusted app to directly open tun_device
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr ioctl append };
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+allow appdomain cache_file:dir getattr;
+
+# Allow apps to run with asanwrapper.
+with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
+
+###
+### Neverallow rules
+###
+### These are things that Android apps should NEVER be able to do
+###
+
+# Superuser capabilities.
+# bluetooth requires net_admin and wake_alarm.
+neverallow { appdomain -bluetooth } self:capability_class_set *;
+
+# Block device access.
+neverallow appdomain dev_type:blk_file { read write };
+
+# Access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+ video_device
+}:chr_file { read write };
+
+# Note: Try expanding list of app domains in the future.
+neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
+
+neverallow { appdomain -nfc } nfc_device:chr_file
+ { read write };
+neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
+ { read write };
+neverallow appdomain tee_device:chr_file { read write };
+
+# Privileged netlink socket interfaces.
+neverallow appdomain
+ domain:{
+ netlink_tcpdiag_socket
+ netlink_nflog_socket
+ netlink_xfrm_socket
+ netlink_audit_socket
+ netlink_dnrt_socket
+ } *;
+
+# These messages are broadcast messages from the kernel to userspace.
+# Do not allow the writing of netlink messages, which has been a source
+# of rooting vulns in the past.
+neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
+
+# Sockets under /dev/socket that are not specifically typed.
+neverallow appdomain socket_device:sock_file write;
+
+# Unix domain sockets.
+neverallow appdomain adbd_socket:sock_file write;
+neverallow { appdomain -radio } rild_socket:sock_file write;
+neverallow appdomain zygote_socket:sock_file write;
+
+# ptrace access to non-app domains.
+neverallow appdomain { domain -appdomain }:process ptrace;
+
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
+
+# signal access to non-app domains.
+# sigchld allowed for parent death notification.
+# signull allowed for kill(pid, 0) existence test.
+# All others prohibited.
+neverallow appdomain { domain -appdomain }:process
+ { sigkill sigstop signal };
+
+# Transition to a non-app domain.
+# Exception for the shell and su domains, can transition to runas, etc.
+# Exception for crash_dump.
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain -crash_dump }:process
+ { transition };
+neverallow { appdomain -shell userdebug_or_eng(`-su') } { domain -appdomain }:process
+ { dyntransition };
+
+# Write to rootfs.
+neverallow appdomain rootfs:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to /system.
+neverallow appdomain system_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to entrypoint executables.
+neverallow appdomain exec_type:file
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to system-owned parts of /data.
+# This is the default type for anything under /data not otherwise
+# specified in file_contexts. Define a different type for portions
+# that should be writable by apps.
+neverallow appdomain system_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# Write to various other parts of /data.
+neverallow appdomain drm_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -platform_app }
+ apk_private_tmp_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -shell }
+ shell_data_file:dir_file_class_set
+ { create setattr relabelfrom relabelto append unlink link rename };
+neverallow { appdomain -bluetooth }
+ bluetooth_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ keystore_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ systemkeys_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ wifi_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+neverallow appdomain
+ dhcp_data_file:dir_file_class_set
+ { create write setattr relabelfrom relabelto append unlink link rename };
+
+# access tmp apk files
+neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
+ { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
+
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
+neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
+
+# Access to factory files.
+neverallow appdomain efs_file:dir_file_class_set write;
+neverallow { appdomain -shell } efs_file:dir_file_class_set read;
+
+# Write to various pseudo file systems.
+neverallow { appdomain -bluetooth -nfc }
+ sysfs:dir_file_class_set write;
+neverallow appdomain
+ proc:dir_file_class_set write;
+
+# Access to syslog(2) or /proc/kmsg.
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
+
+# SELinux is not an API for apps to use
+neverallow { appdomain -shell } *:security { compute_av check_context };
+neverallow { appdomain -shell } *:netlink_selinux_socket *;
+
+# Ability to perform any filesystem operation other than statfs(2).
+# i.e. no mount(2), unmount(2), etc.
+neverallow appdomain fs_type:filesystem ~getattr;
+
+# prevent creation/manipulation of globally readable symlinks
+neverallow appdomain {
+ apk_data_file
+ cache_file
+ cache_recovery_file
+ dev_type
+ rootfs
+ system_file
+ tmpfs
+}:lnk_file no_w_file_perms;
+
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
+# Applications should use the activity model for receiving events
+neverallow {
+ appdomain
+ -shell # bugreport
+} input_device:chr_file ~getattr;
+
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
+# neverallow rules for access to Bluetooth-related data files are above.
+neverallow {
+ appdomain
+ -bluetooth
+ -system_app
+} { bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
+
+# Apps cannot access proc_uid_time_in_state
+neverallow appdomain proc_uid_time_in_state:file *;
+
+# Apps cannot access proc_uid_concurrent_active_time
+neverallow appdomain proc_uid_concurrent_active_time:file *;
+
+# Apps cannot access proc_uid_concurrent_policy_time
+neverallow appdomain proc_uid_concurrent_policy_time:file *;
+
+# Apps cannot access proc_uid_cpupower
+neverallow appdomain proc_uid_cpupower:file *;
diff --git a/public/attributes b/public/attributes
index fa8a6a6..0c7ca2e 100644
--- a/public/attributes
+++ b/public/attributes
@@ -32,10 +32,15 @@
expandattribute data_file_type false;
# All types in /data, not in /data/vendor
attribute core_data_file_type;
+expandattribute core_data_file_type false;
# All types in /vendor
attribute vendor_file_type;
-# All types use for sysfs files.
+# All types used for procfs files.
+attribute proc_type;
+expandattribute proc_type false;
+
+# All types used for sysfs files.
attribute sysfs_type;
# All types use for debugfs files.
@@ -65,6 +70,11 @@
# All properties used to configure log filtering.
attribute log_property_type;
+# All properties that are not specific to device but are added from
+# outside of AOSP. (e.g. OEM-specific properties)
+# These properties are not accessible from device-specific domains
+attribute extended_core_property_type;
+
# All service_manager types created by system_server
attribute system_server_service;
@@ -130,6 +140,7 @@
# All socket devices owned by core domain components
attribute coredomain_socket;
+expandattribute coredomain_socket false;
# All vendor domains which violate the requirement of not using Binder
# TODO(b/35870313): Remove this once there are no violations
@@ -148,6 +159,24 @@
attribute vendor_executes_system_violators;
expandattribute vendor_executes_system_violators false;
+# All domains which violate the requirement of not sharing files by path
+# between between vendor and core domains.
+# TODO(b/34980020)
+attribute data_between_core_and_vendor_violators;
+expandattribute data_between_core_and_vendor_violators false;
+
+# All system domains which violate the requirement of not executing vendor
+# binaries/libraries.
+# TODO(b/62041836)
+attribute system_executes_vendor_violators;
+expandattribute system_executes_vendor_violators false;
+
+# All system domains which violate the requirement of not writing vendor
+# properties.
+# TODO(b/78598545): Remove this once there are no violations
+attribute system_writes_vendor_properties_violators;
+expandattribute system_writes_vendor_properties_violators false;
+
# hwservices that are accessible from untrusted applications
# WARNING: Use of this attribute should be avoided unless
# absolutely necessary. It is a temporary allowance to aid the
@@ -189,235 +218,87 @@
attribute halclientdomain;
expandattribute halclientdomain true;
-# HALs
-attribute hal_allocator;
-expandattribute hal_allocator true;
-attribute hal_allocator_client;
-expandattribute hal_allocator_client true;
-attribute hal_allocator_server;
-expandattribute hal_allocator_server false;
+# Exempt for halserverdomain to access sockets. Only builds for automotive
+# device types are allowed to use this attribute (enforced by CTS).
+# Unlike phone, in a car many modules are external from Android perspective and
+# HALs should be able to communicate with those devices through sockets.
+attribute hal_automotive_socket_exemption;
+
+# TODO(b/72757373): Use hal_attribute macro once expandattribute value conflicts
+# can be resolve.
attribute hal_audio;
-expandattribute hal_audio false;
attribute hal_audio_client;
expandattribute hal_audio_client true;
attribute hal_audio_server;
expandattribute hal_audio_server false;
-attribute hal_bluetooth;
-expandattribute hal_bluetooth true;
-attribute hal_bluetooth_client;
-expandattribute hal_bluetooth_client true;
-attribute hal_bluetooth_server;
-expandattribute hal_bluetooth_server false;
+
attribute hal_bootctl;
-expandattribute hal_bootctl false;
attribute hal_bootctl_client;
expandattribute hal_bootctl_client true;
attribute hal_bootctl_server;
expandattribute hal_bootctl_server false;
-attribute hal_broadcastradio;
-expandattribute hal_broadcastradio true;
-attribute hal_broadcastradio_client;
-expandattribute hal_broadcastradio_client true;
-attribute hal_broadcastradio_server;
-expandattribute hal_broadcastradio_server false;
+
attribute hal_camera;
-expandattribute hal_camera false;
attribute hal_camera_client;
expandattribute hal_camera_client true;
attribute hal_camera_server;
expandattribute hal_camera_server false;
-attribute hal_configstore;
-expandattribute hal_configstore true;
-attribute hal_configstore_client;
-expandattribute hal_configstore_client true;
-attribute hal_configstore_server;
-expandattribute hal_configstore_server false;
-attribute hal_contexthub;
-expandattribute hal_contexthub true;
-attribute hal_contexthub_client;
-expandattribute hal_contexthub_client true;
-attribute hal_contexthub_server;
-expandattribute hal_contexthub_server false;
+
attribute hal_drm;
-expandattribute hal_drm false;
attribute hal_drm_client;
expandattribute hal_drm_client true;
attribute hal_drm_server;
expandattribute hal_drm_server false;
+
attribute hal_cas;
-expandattribute hal_cas false;
attribute hal_cas_client;
expandattribute hal_cas_client true;
attribute hal_cas_server;
expandattribute hal_cas_server false;
-attribute hal_dumpstate;
-expandattribute hal_dumpstate true;
-attribute hal_dumpstate_client;
-expandattribute hal_dumpstate_client true;
-attribute hal_dumpstate_server;
-expandattribute hal_dumpstate_server false;
-attribute hal_fingerprint;
-expandattribute hal_fingerprint true;
-attribute hal_fingerprint_client;
-expandattribute hal_fingerprint_client true;
-attribute hal_fingerprint_server;
-expandattribute hal_fingerprint_server false;
-attribute hal_gatekeeper;
-expandattribute hal_gatekeeper true;
-attribute hal_gatekeeper_client;
-expandattribute hal_gatekeeper_client true;
-attribute hal_gatekeeper_server;
-expandattribute hal_gatekeeper_server false;
-attribute hal_gnss;
-expandattribute hal_gnss true;
-attribute hal_gnss_client;
-expandattribute hal_gnss_client true;
-attribute hal_gnss_server;
-expandattribute hal_gnss_server false;
-attribute hal_graphics_allocator;
-expandattribute hal_graphics_allocator true;
-attribute hal_graphics_allocator_client;
-expandattribute hal_graphics_allocator_client true;
-attribute hal_graphics_allocator_server;
-expandattribute hal_graphics_allocator_server false;
-attribute hal_graphics_composer;
-expandattribute hal_graphics_composer true;
-attribute hal_graphics_composer_client;
-expandattribute hal_graphics_composer_client true;
-attribute hal_graphics_composer_server;
-expandattribute hal_graphics_composer_server false;
-attribute hal_health;
-expandattribute hal_health true;
-attribute hal_health_client;
-expandattribute hal_health_client true;
-attribute hal_health_server;
-expandattribute hal_health_server false;
-attribute hal_ir;
-expandattribute hal_ir true;
-attribute hal_ir_client;
-expandattribute hal_ir_client true;
-attribute hal_ir_server;
-expandattribute hal_ir_server false;
-attribute hal_keymaster;
-expandattribute hal_keymaster true;
-attribute hal_keymaster_client;
-expandattribute hal_keymaster_client true;
-attribute hal_keymaster_server;
-expandattribute hal_keymaster_server false;
-attribute hal_light;
-expandattribute hal_light true;
-attribute hal_light_client;
-expandattribute hal_light_client true;
-attribute hal_light_server;
-expandattribute hal_light_server false;
-attribute hal_memtrack;
-expandattribute hal_memtrack true;
-attribute hal_memtrack_client;
-expandattribute hal_memtrack_client true;
-attribute hal_memtrack_server;
-expandattribute hal_memtrack_server false;
-attribute hal_neuralnetworks;
-expandattribute hal_neuralnetworks true;
-attribute hal_neuralnetworks_client;
-expandattribute hal_neuralnetworks_client true;
-attribute hal_neuralnetworks_server;
-expandattribute hal_neuralnetworks_server false;
-attribute hal_nfc;
-expandattribute hal_nfc true;
-attribute hal_nfc_client;
-expandattribute hal_nfc_client true;
-attribute hal_nfc_server;
-expandattribute hal_nfc_server false;
-attribute hal_oemlock;
-expandattribute hal_oemlock true;
-attribute hal_oemlock_client;
-expandattribute hal_oemlock_client true;
-attribute hal_oemlock_server;
-expandattribute hal_oemlock_server false;
-attribute hal_power;
-expandattribute hal_power true;
-attribute hal_power_client;
-expandattribute hal_power_client true;
-attribute hal_power_server;
-expandattribute hal_power_server false;
-attribute hal_sensors;
-expandattribute hal_sensors true;
-attribute hal_sensors_client;
-expandattribute hal_sensors_client true;
-attribute hal_sensors_server;
-expandattribute hal_sensors_server false;
-attribute hal_telephony;
-expandattribute hal_telephony true;
-attribute hal_telephony_client;
-expandattribute hal_telephony_client true;
-attribute hal_telephony_server;
-expandattribute hal_telephony_server false;
-attribute hal_tetheroffload;
-expandattribute hal_tetheroffload true;
-attribute hal_tetheroffload_client;
-expandattribute hal_tetheroffload_client true;
-attribute hal_tetheroffload_server;
-expandattribute hal_tetheroffload_server false;
-attribute hal_thermal;
-expandattribute hal_thermal true;
-attribute hal_thermal_client;
-expandattribute hal_thermal_client true;
-attribute hal_thermal_server;
-expandattribute hal_thermal_server false;
-attribute hal_tv_cec;
-expandattribute hal_tv_cec true;
-attribute hal_tv_cec_client;
-expandattribute hal_tv_cec_client true;
-attribute hal_tv_cec_server;
-expandattribute hal_tv_cec_server false;
-attribute hal_tv_input;
-expandattribute hal_tv_input true;
-attribute hal_tv_input_client;
-expandattribute hal_tv_input_client true;
-attribute hal_tv_input_server;
-expandattribute hal_tv_input_server false;
-attribute hal_usb;
-expandattribute hal_usb true;
-attribute hal_usb_client;
-expandattribute hal_usb_client true;
-attribute hal_usb_server;
-expandattribute hal_usb_server false;
-attribute hal_vibrator;
-expandattribute hal_vibrator true;
-attribute hal_vibrator_client;
-expandattribute hal_vibrator_client true;
-attribute hal_vibrator_server;
-expandattribute hal_vibrator_server false;
-attribute hal_vr;
-expandattribute hal_vr true;
-attribute hal_vr_client;
-expandattribute hal_vr_client true;
-attribute hal_vr_server;
-expandattribute hal_vr_server false;
-attribute hal_weaver;
-expandattribute hal_weaver true;
-attribute hal_weaver_client;
-expandattribute hal_weaver_client true;
-attribute hal_weaver_server;
-expandattribute hal_weaver_server false;
-attribute hal_wifi;
-expandattribute hal_wifi true;
-attribute hal_wifi_client;
-expandattribute hal_wifi_client true;
-attribute hal_wifi_server;
-expandattribute hal_wifi_server false;
-attribute hal_wifi_offload;
-expandattribute hal_wifi_offload true;
-attribute hal_wifi_offload_client;
-expandattribute hal_wifi_offload_client true;
-attribute hal_wifi_offload_server;
-expandattribute hal_wifi_offload_server false;
-attribute hal_wifi_supplicant;
-expandattribute hal_wifi_supplicant true;
-attribute hal_wifi_supplicant_client;
-expandattribute hal_wifi_supplicant_client true;
-attribute hal_wifi_supplicant_server;
-expandattribute hal_wifi_supplicant_server false;
+
+# HALs
+hal_attribute(allocator);
+hal_attribute(audiocontrol);
+hal_attribute(authsecret);
+hal_attribute(bluetooth);
+hal_attribute(broadcastradio);
+hal_attribute(configstore);
+hal_attribute(confirmationui);
+hal_attribute(contexthub);
+hal_attribute(dumpstate);
+hal_attribute(evs);
+hal_attribute(fingerprint);
+hal_attribute(gatekeeper);
+hal_attribute(gnss);
+hal_attribute(graphics_allocator);
+hal_attribute(graphics_composer);
+hal_attribute(health);
+hal_attribute(ir);
+hal_attribute(keymaster);
+hal_attribute(light);
+hal_attribute(lowpan);
+hal_attribute(memtrack);
+hal_attribute(neuralnetworks);
+hal_attribute(nfc);
+hal_attribute(oemlock);
+hal_attribute(power);
+hal_attribute(secure_element);
+hal_attribute(sensors);
+hal_attribute(telephony);
+hal_attribute(tetheroffload);
+hal_attribute(thermal);
+hal_attribute(tv_cec);
+hal_attribute(tv_input);
+hal_attribute(usb);
+hal_attribute(usb_gadget);
+hal_attribute(vehicle);
+hal_attribute(vibrator);
+hal_attribute(vr);
+hal_attribute(weaver);
+hal_attribute(wifi);
+hal_attribute(wifi_hostapd);
+hal_attribute(wifi_offload);
+hal_attribute(wifi_supplicant);
# HwBinder services offered across the core-vendor boundary
#
diff --git a/public/bootanim.te b/public/bootanim.te
index 1a265f9..3260227 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -32,10 +32,11 @@
allow bootanim hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
-r_dir_file(bootanim, proc)
allow bootanim proc_meminfo:file r_file_perms;
-r_dir_file(bootanim, sysfs)
-r_dir_file(bootanim, cgroup)
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
diff --git a/public/bootstat.te b/public/bootstat.te
index f5c7268..7ba0238 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,8 +8,50 @@
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
-# Read access to pseudo filesystems (for /proc/uptime).
-r_dir_file(bootstat, proc)
-
# Collect metrics on boot time created by init
get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
+
+# ToDo: TBI move access for the following to a system health HAL
+
+# Allow access to /sys/fs/pstore/ and syslog
+allow bootstat pstorefs:dir search;
+allow bootstat pstorefs:file r_file_perms;
+allow bootstat kernel:system syslog_read;
+
+# Allow access to reading the logs to read aspects of system health
+read_logd(bootstat)
+
+# ToDo: end
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+} system_boot_reason_prop:property_service set;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 0dd4a80..3fdca53 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@
allow cameraserver hal_graphics_composer:fd use;
add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
@@ -47,3 +49,17 @@
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+allow cameraserver shell:fd use;
+allow cameraserver shell:unix_stream_socket { read write };
+allow cameraserver shell:fifo_file { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+ allow cameraserver su:fd use;
+ allow cameraserver su:fifo_file { read write };
+ allow cameraserver su:unix_stream_socket { read write };
+')
diff --git a/public/charger.te b/public/charger.te
index 4b20d1d..7145548 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -6,22 +6,23 @@
allow charger kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(charger, sysfs_type)
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
-allow charger self:capability { sys_tty_config };
-allow charger self:capability sys_boot;
+# Allow to read /sys/class/power_supply directory
+allow charger sysfs_type:dir r_dir_perms;
+
+allow charger self:global_capability_class_set { sys_tty_config };
+allow charger self:global_capability_class_set sys_boot;
wakelock_use(charger)
allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-# Write to /sys/power/state
-# TODO: Split into a separate type?
-allow charger sysfs:file write;
+# Read/write to /sys/power/state
+allow charger sysfs_power:file rw_file_perms;
-allow charger sysfs_batteryinfo:file r_file_perms;
+r_dir_file(charger, sysfs_batteryinfo)
# Read /sys/fs/pstore/console-ramoops
# Don't worry about overly broad permissions for now, as there's
@@ -39,3 +40,6 @@
# charger needs to tell init to continue the boot
# process when running in charger mode.
set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
diff --git a/public/clatd.te b/public/clatd.te
index 212b76e..ee44abf 100644
--- a/public/clatd.te
+++ b/public/clatd.te
@@ -17,7 +17,7 @@
allow clatd netd:unix_stream_socket { read write };
allow clatd netd:unix_dgram_socket { read write };
-allow clatd self:capability { net_admin net_raw setuid setgid };
+allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
@@ -26,7 +26,7 @@
# so we permit any requests we see from clatd asking for this capability.
# See https://android-review.googlesource.com/127940 and
# https://b.corp.google.com/issues/21736319
-allow clatd self:capability ipc_lock;
+allow clatd self:global_capability_class_set ipc_lock;
allow clatd self:netlink_route_socket nlmsg_write;
allow clatd self:{ packet_socket rawip_socket tun_socket } create_socket_perms_no_ioctl;
diff --git a/public/cppreopts.te b/public/cppreopts.te
index 8cbf801..fb9855e 100644
--- a/public/cppreopts.te
+++ b/public/cppreopts.te
@@ -9,7 +9,7 @@
# Allow cppreopts copy files into the dalvik-cache
allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write };
+allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
# Allow cppreopts to execute itself using #!/system/bin/sh
allow cppreopts shell_exec:file rx_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index e81bbd1..cd1e5a8 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -3,7 +3,7 @@
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:capability { sys_ptrace };
+dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
@@ -15,9 +15,11 @@
# Use inherited file descriptors
allow crash_dump domain:fd use;
-# Write to the IPC pipe inherited from crashing processes.
+# Read/write IPC pipes inherited from crashing processes.
+allow crash_dump domain:fifo_file { read write };
+
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { write append };
+allow crash_dump domain:fifo_file { append };
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
@@ -46,6 +48,14 @@
read_logd(crash_dump)
+# Crash dump is not intended to access the following data types. Since these
+# are WAI, suppress the denials to clean up the logs.
+dontaudit crash_dump {
+ core_data_file_type
+ vendor_file_type
+}:dir search;
+dontaudit crash_dump system_data_file:file read;
+
###
### neverallow assertions
###
diff --git a/public/device.te b/public/device.te
index 475948d..231c839 100644
--- a/public/device.te
+++ b/public/device.te
@@ -30,6 +30,7 @@
type input_device, dev_type;
type kmem_device, dev_type;
type port_device, dev_type;
+type lowpan_device, dev_type;
type mtd_device, dev_type;
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
@@ -38,6 +39,7 @@
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
type sensors_device, dev_type;
type serial_device, dev_type;
type socket_device, dev_type;
@@ -58,6 +60,7 @@
type usb_device, dev_type, mlstrustedobject;
type properties_device, dev_type;
type properties_serial, dev_type;
+type property_info, dev_type;
type i2c_device, dev_type;
# All devices have a uart for the hci
diff --git a/public/dex2oat.te b/public/dex2oat.te
index 47f3bcb..608ba79 100644
--- a/public/dex2oat.te
+++ b/public/dex2oat.te
@@ -44,7 +44,7 @@
allow dex2oat postinstall_file:dir { getattr search };
allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file read;
+allow dex2oat postinstall_file:lnk_file { getattr read };
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
diff --git a/public/dhcp.te b/public/dhcp.te
index 2b54b7f..1f1ef2b 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,7 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
-allow dhcp self:capability { setgid setuid net_admin net_raw net_bind_service };
+allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
allow dhcp shell_exec:file rx_file_perms;
diff --git a/public/dnsmasq.te b/public/dnsmasq.te
index ccac69a..3aaefd3 100644
--- a/public/dnsmasq.te
+++ b/public/dnsmasq.te
@@ -6,9 +6,9 @@
allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:capability dac_override;
+allow dnsmasq self:global_capability_class_set dac_override;
-allow dnsmasq self:capability { net_admin net_raw net_bind_service setgid setuid };
+allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
allow dnsmasq dhcp_data_file:dir w_dir_perms;
allow dnsmasq dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index f5c72cc..e9337b6 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -33,13 +33,11 @@
allow domain init:fd use;
userdebug_or_eng(`
- # Same as adbd rules above, except allow su to do the same thing
- allow domain su:unix_stream_socket connectto;
allow domain su:fd use;
- allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+ allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
+ allow domain su:unix_dgram_socket sendto;
allow { domain -init } su:binder { call transfer };
- allow { domain -init } su:fd use;
# Running something like "pm dump com.android.bluetooth" requires
# fifo writes
@@ -79,12 +77,69 @@
allow domain ptmx_device:chr_file rw_file_perms;
allow domain alarm_device:chr_file r_file_perms;
allow domain random_device:chr_file rw_file_perms;
+allow domain proc_random:dir r_dir_perms;
+allow domain proc_random:file r_file_perms;
allow domain properties_device:dir { search getattr };
allow domain properties_serial:file r_file_perms;
+allow domain property_info:file r_file_perms;
# For now, everyone can access core property files
# Device specific properties are not granted by default
-get_prop(domain, core_property_type)
+not_compatible_property(`
+ get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
+ get_prop(domain, exported3_system_prop)
+ get_prop(domain, vendor_default_prop)
+')
+compatible_property_only(`
+ get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
+ get_prop({coredomain appdomain shell}, exported3_system_prop)
+ userdebug_or_eng(`
+ get_prop(su, core_property_type)
+ get_prop(su, exported_dalvik_prop)
+ get_prop(su, exported_ffs_prop)
+ get_prop(su, exported_system_radio_prop)
+ get_prop(su, exported2_config_prop)
+ get_prop(su, exported2_radio_prop)
+ get_prop(su, exported2_system_prop)
+ get_prop(su, exported2_vold_prop)
+ get_prop(su, exported3_default_prop)
+ get_prop(su, exported3_radio_prop)
+ get_prop(su, exported3_system_prop)
+ ')
+ get_prop({domain -coredomain -appdomain}, vendor_default_prop)
+')
+
+# Public readable properties
+get_prop(domain, debug_prop)
+get_prop(domain, exported_config_prop)
+get_prop(domain, exported_default_prop)
+get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
+get_prop(domain, exported_radio_prop)
+get_prop(domain, exported_secure_prop)
+get_prop(domain, exported_system_prop)
+get_prop(domain, exported_vold_prop)
+get_prop(domain, exported2_default_prop)
+get_prop(domain, logd_prop)
+
# Let everyone read log properties, so that liblog can avoid sending unloggable
# messages to logd.
get_prop(domain, log_property_type)
@@ -129,8 +184,9 @@
allow domain vendor_configs_file:file { read open getattr };
full_treble_only(`
- # Allow all domains to be able to follow /system/vendor symlink
- allow domain vendor_file:lnk_file { getattr open read };
+ # Allow all domains to be able to follow /system/vendor and/or
+ # /vendor/odm symlinks.
+ allow domain vendor_file_type:lnk_file { getattr open read };
# This is required to be able to search & read /vendor/lib64
# in order to lookup vendor libraries. The execute permission
@@ -148,7 +204,8 @@
# libc references /data/misc/zoneinfo for timezone related information
# This directory is considered to be a VNDK-stable
-r_dir_file(domain, zoneinfo_data_file)
+allow domain zoneinfo_data_file:file r_file_perms;
+allow domain zoneinfo_data_file:dir r_dir_perms;
# Lots of processes access current CPU information
r_dir_file(domain, sysfs_devices_system_cpu)
@@ -156,11 +213,15 @@
r_dir_file(domain, sysfs_usb);
# files under /data.
-not_full_treble(`allow domain system_data_file:dir getattr;')
+not_full_treble(`
+ allow domain system_data_file:dir getattr;
+')
allow { coredomain appdomain } system_data_file:dir getattr;
# /data has the label system_data_file. Vendor components need the search
# permission on system_data_file for path traversal to /data/vendor.
allow domain system_data_file:dir search;
+# TODO restrict this to non-coredomain
+allow domain vendor_data_file:dir { getattr search };
# required by the dynamic linker
allow domain proc:lnk_file { getattr read };
@@ -189,6 +250,7 @@
# The reason behind this is documented in b/6513400
allow domain debugfs:dir search;
allow domain debugfs_tracing:dir search;
+allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
# Filesystem access.
@@ -229,12 +291,16 @@
# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
+# b/68014825 and https://android-review.googlesource.com/516535
+# rfc6093 says that processes should not use the TCP urgent mechanism
+neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
+
# TIOCSTI is only ever used for exploits. Block it.
# b/33073072, b/7530569
# http://www.openwall.com/lists/oss-security/2016/09/26/14
neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-# Do not allow any domain other than init or recovery to create unlabeled files.
+# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
# Limit device node creation to these whitelisted domains.
@@ -244,7 +310,7 @@
-init
-ueventd
-vold
-} self:capability mknod;
+} self:global_capability_class_set mknod;
# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
@@ -257,16 +323,18 @@
-healthd
-uncrypt
-tee
-} self:capability sys_rawio;
+} self:global_capability_class_set sys_rawio;
# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
neverallow * self:memprotect mmap_zero;
# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:capability2 mac_override;
+neverallow * self:global_capability2_class_set mac_override;
-# Only recovery needs mac_admin to set contexts not defined in current policy.
-neverallow { domain -recovery } self:capability2 mac_admin;
+# Disallow attempts to set contexts not defined in current policy
+# This helps guarantee that unknown or dangerous contents will not ever
+# be set.
+neverallow * self:global_capability2_class_set mac_admin;
# Once the policy has been loaded there shall be none to modify the policy.
# It is sealed.
@@ -295,6 +363,14 @@
-system_server
-ueventd
} hw_random_device:chr_file *;
+# b/78174219 b/64114943
+neverallow {
+ domain
+ -init
+ -shell # stat of /dev, getattr only
+ -vendor_init
+ -ueventd
+} keychord_device:chr_file *;
# Ensure that all entrypoint executables are in exec_type or postinstall_file.
neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
@@ -318,7 +394,7 @@
# security-sensitive proc settings.
neverallow { domain -init } usermodehelper:file { append write };
neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init } proc_security:file { append open read write };
+neverallow { domain -init -vendor_init } proc_security:file { append open read write };
# No domain should be allowed to ptrace init.
neverallow * init:process ptrace;
@@ -326,6 +402,7 @@
# Init can't do anything with binder calls. If this neverallow rule is being
# triggered, it's probably due to a service with no SELinux domain.
neverallow * init:binder *;
+neverallow * vendor_init:binder *;
# Don't allow raw read/write/open access to block_device
# Rather force a relabel to a more specific type
@@ -358,6 +435,7 @@
userdebug_or_eng(`-su')
-webview_zygote
-zygote
+ userdebug_or_eng(`-mediaextractor')
} {
file_type
-system_file
@@ -369,8 +447,10 @@
neverallow {
domain
-appdomain # for oemfs
+ -bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
} { fs_type -rootfs }:file execute;
+
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
@@ -385,6 +465,9 @@
-apk_data_file
}:file no_x_file_perms;
+# The test files and executables MUST not be accessible to any domain
+neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
+neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
# Only the init property service should write to /data/property and /dev/__properties__
@@ -394,10 +477,12 @@
neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-# Only recovery should be doing writes to /system & /vendor
+# Nobody should be doing writes to /system & /vendor
+# These partitions are intended to be read-only and must never be
+# modified. Doing so would violate important Android security guarantees
+# and invalidate dm-verity signatures.
neverallow {
domain
- -recovery
with_asan(`-asan_extract')
} {
system_file
@@ -405,7 +490,7 @@
exec_type
}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-neverallow { domain -recovery -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
+neverallow { domain -kernel with_asan(`-asan_extract') } { system_file vendor_file_type exec_type }:dir_file_class_set relabelto;
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
@@ -421,7 +506,7 @@
# Ensure that context mount types are not writable, to ensure that
# the write to /system restriction above is not bypassed via context=
# mount to another type.
-neverallow { domain -recovery } contextmount_type:dir_file_class_set
+neverallow * contextmount_type:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
# Do not allow service_manager add for default service labels.
@@ -444,8 +529,27 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
-neverallow { domain -init } default_prop:property_service set;
-neverallow { domain -init } mmc_prop:property_service set;
+neverallow { domain -init -vendor_init } default_prop:property_service set;
+neverallow { domain -init -vendor_init } mmc_prop:property_service set;
+
+compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
+ neverallow { domain -init } mmc_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
+ neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init } exported2_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
+')
+
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+ neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
+ neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
+')
# Do not allow reading device's serial number from system properties except form
# a few whitelisted domains.
@@ -453,17 +557,18 @@
domain
-adbd
-dumpstate
- -hal_drm
- -hal_cas
+ -hal_drm_server
+ -hal_cas_server
-init
-mediadrmserver
-recovery
-shell
-system_server
+ -vendor_init
} serialno_prop:file r_file_perms;
# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server } firstboot_prop:file r_file_perms;
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
neverallow {
domain
@@ -477,14 +582,20 @@
# The metadata block device is set aside for device encryption and
# verified boot metadata. It may be reset at will and should not
# be used by other domains.
-neverallow { domain -init -recovery -vold } metadata_block_device:blk_file
- { append link rename write open read ioctl lock };
+neverallow {
+ domain
+ -init
+ -recovery
+ -vold
+ -e2fs
+ -fsck
+} metadata_block_device:blk_file { append link rename write open read ioctl lock };
# No domain other than recovery and update_engine can write to system partition(s).
-neverallow { domain -recovery -update_engine } system_block_device:blk_file write;
+neverallow { domain -recovery -update_engine } system_block_device:blk_file { write append };
# No domains other than install_recovery or recovery can write to recovery.
-neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file write;
+neverallow { domain -install_recovery -recovery } recovery_block_device:blk_file { write append };
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
@@ -493,10 +604,11 @@
neverallow {
domain
userdebug_or_eng(`-domain') # exclude debuggable builds
- -hal_bootctl
+ -hal_bootctl_server
-init
-uncrypt
-update_engine
+ -vendor_init
-vold
-recovery
-ueventd
@@ -522,12 +634,16 @@
-appdomain
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} binder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # restrictions for vendor apps are declared lower down
-binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
} service_manager_type:service_manager find;
+')
+full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
neverallow {
@@ -547,11 +663,12 @@
-mediaserver_service
-nfc_service
-radio_service
- -surfaceflinger_service
-virtual_touchpad_service
-vr_hwc_service
-vr_manager_service
}:service_manager find;
+')
+full_treble_only(`
neverallow {
domain
-coredomain
@@ -568,12 +685,18 @@
userdebug_or_eng(`-su')
-ueventd # uevent is granted create for this device, but we still neverallow I/O below
} vndbinder_device:chr_file rw_file_perms;
+')
+full_treble_only(`
neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
+')
+full_treble_only(`
neverallow {
coredomain
-shell
userdebug_or_eng(`-su')
} vndservice_manager_type:service_manager *;
+')
+full_treble_only(`
neverallow {
coredomain
-shell
@@ -583,7 +706,6 @@
# On full TREBLE devices, socket communications between core components and vendor components are
# not permitted.
-full_treble_only(`
# Most general rules first, more specific rules below.
# Core domains are not permitted to initiate communications to vendor domain sockets.
@@ -591,6 +713,7 @@
# to obtain an already established socket via some public/official/stable API and then exchange
# data with its peer over that socket. The wire format in this scenario is dicatated by the API
# and thus does not break the core-vendor separation.
+full_treble_only(`
neverallow_establish_socket_comms({
coredomain
-init
@@ -600,7 +723,9 @@
-coredomain
-socket_between_core_and_vendor_violators
});
+')
# Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
@@ -616,26 +741,34 @@
-incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
-tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
});
+')
# Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+full_treble_only(`
neverallow_establish_socket_comms({
domain
-coredomain
-netdomain
-socket_between_core_and_vendor_violators
}, netd);
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
+full_treble_only(`
neverallow {
domain
-coredomain
-appdomain # appdomain restrictions below
+ -data_between_core_and_vendor_violators # b/70393317
-socket_between_core_and_vendor_violators
+ -vendor_init
} {
coredomain_socket
core_data_file_type
unlabeled # used only by core domains
}:sock_file ~{ append getattr ioctl read write };
+')
+full_treble_only(`
neverallow {
appdomain
-coredomain
@@ -647,8 +780,10 @@
-pdx_endpoint_socket_type # used by VR layer
-pdx_channel_socket_type # used by VR layer
}:sock_file ~{ append getattr ioctl read write };
+')
# Core domains are not permitted to create/open sockets owned by vendor domains
+full_treble_only(`
neverallow {
coredomain
-init
@@ -663,6 +798,135 @@
}:sock_file ~{ append getattr ioctl read write };
')
+# On TREBLE devices, vendor and system components are only allowed to share
+# files by passing open FDs over hwbinder. Ban all directory access and all file
+# accesses other than what can be applied to an open FD such as
+# ioctl/stat/read/write/append. This is enforced by segregating /data.
+# Vendor domains may directly access file in /data/vendor by path, but may only
+# access files outside of /data/vendor via an open FD passed over hwbinder.
+# Likewise, core domains may only directly access files outside /data/vendor by
+# path and files in /data/vendor by open FD.
+full_treble_only(`
+ # only coredomains may only access core_data_file_type, particularly not
+ # /data/vendor
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -data_between_core_and_vendor_violators
+ -init
+ -vold_prepare_subdirs
+ } {
+ data_file_type
+ -core_data_file_type
+ # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
+ # neverallow. Currently only getattr and search are allowed.
+ -vendor_data_file
+ }:dir *;
+
+')
+full_treble_only(`
+ # vendor domains may only access files in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -vendor_init
+ } {
+ core_data_file_type
+ # libc includes functions like mktime and localtime which attempt to access
+ # files in /data/misc/zoneinfo/tzdata file. These functions are considered
+ # vndk-stable and thus must be allowed for all processes.
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -zoneinfo_data_file
+ }:file_class_set ~{ append getattr ioctl read write };
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators
+ -vendor_init
+ } {
+ core_data_file_type
+ -system_data_file # default label for files on /data. Covered below...
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ neverallow {
+ vendor_init
+ -data_between_core_and_vendor_violators
+ } {
+ core_data_file_type
+ -unencrypted_data_file
+ -system_data_file
+ -vendor_data_file
+ -zoneinfo_data_file
+ }:dir *;
+ # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
+ # The vendor init binary lives on the system partition so there is not a concern with stability.
+ neverallow vendor_init unencrypted_data_file:dir ~search;
+')
+full_treble_only(`
+ # vendor domains may only access dirs in /data/vendor, never core_data_file_types
+ neverallow {
+ domain
+ -appdomain # TODO(b/34980020) remove exemption for appdomain
+ -coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ } {
+ system_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ -vold # vold creates per-user storage for both system and vendor
+ -vold_prepare_subdirs
+ } {
+ vendor_data_file # default label for files on /data. Covered below
+ }:dir ~{ getattr search };
+')
+
+full_treble_only(`
+ # coredomains may not access dirs in /data/vendor.
+ neverallow {
+ coredomain
+ -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
+ -init
+ } {
+ vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
+ }:file_class_set ~{ append getattr ioctl read write };
+')
+
# On TREBLE devices, a limited set of files in /vendor are accessible to
# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
@@ -674,10 +938,13 @@
-idmap
-init
-installd
+ userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
} vendor_app_file:dir { open read getattr search };
+')
+full_treble_only(`
neverallow {
coredomain
-appdomain
@@ -685,10 +952,13 @@
-idmap
-init
-installd
+ userdebug_or_eng(`-perfprofd')
-postinstall_dexopt
-system_server
- } vendor_app_file:{ file lnk_file } r_file_perms;
+ } vendor_app_file:file r_file_perms;
+')
+full_treble_only(`
# Limit access to /vendor/overlay
neverallow {
coredomain
@@ -697,9 +967,12 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
} vendor_overlay_file:dir { getattr open read search };
+')
+full_treble_only(`
neverallow {
coredomain
-appdomain
@@ -707,24 +980,30 @@
-init
-installd
-system_server
+ -webview_zygote
-zygote
- } vendor_overlay_file:{ file lnk_file } r_file_perms;
+ } vendor_overlay_file:file r_file_perms;
+')
+full_treble_only(`
# Non-vendor domains are not allowed to file execute shell
# from vendor
neverallow {
coredomain
-init
+ -shell
} vendor_shell_exec:file { execute execute_no_trans };
+')
+full_treble_only(`
# Do not allow vendor components to execute files from system
# except for the ones whitelist here.
neverallow {
domain
-coredomain
-appdomain
- -rild
-vendor_executes_system_violators
+ -vendor_init
} {
exec_type
-vendor_file_type
@@ -733,6 +1012,30 @@
}:file { entrypoint execute execute_no_trans };
')
+full_treble_only(`
+ # Do not allow system components to execute files from vendor
+ # except for the ones whitelisted here.
+ neverallow {
+ coredomain
+ -init
+ -shell
+ -system_executes_vendor_violators
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vndk_sp_file
+ -vendor_app_file
+ }:file execute;
+')
+
+full_treble_only(`
+ neverallow {
+ coredomain
+ -shell
+ -system_executes_vendor_violators
+ } vendor_file_type:file execute_no_trans;
+')
+
# Only authorized processes should be writing to files in /data/dalvik-cache
neverallow {
domain
@@ -761,13 +1064,14 @@
neverallow { domain -system_server } zygote_socket:sock_file write;
neverallow { domain -system_server -webview_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote_socket:sock_file write;
+neverallow { domain -system_server } webview_zygote:sock_file write;
neverallow {
domain
-tombstoned
-crash_dump
-dumpstate
+ -incidentd
-system_server
# Processes that can't exec crash_dump
@@ -775,10 +1079,10 @@
-mediaextractor
} tombstoned_crash_socket:unix_stream_socket connectto;
-# Never allow anyone except dumpstate or the system server to connect or write to
+# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
# the tombstoned intercept socket.
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
+neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
# Android does not support System V IPCs.
#
@@ -852,6 +1156,7 @@
-system_app
-init
-installd # for relabelfrom and unlink, check for this in explicit neverallow
+ -vold_prepare_subdirs # For unlink
with_asan(`-asan_extract')
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
@@ -864,6 +1169,9 @@
-appdomain # finer-grained rules for appdomain are listed below
-system_server #populate com.android.providers.settings/databases/settings.db.
-installd # creation of app sandbox
+ -traced_probes # resolve inodes for i/o tracing.
+ # only needs open and read, the rest is neverallow in
+ # traced_probes.te.
} system_app_data_file:dir_file_class_set { create unlink open };
neverallow {
isolated_app
@@ -950,7 +1258,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
@@ -986,7 +1293,7 @@
# Instead, if access to part of debugfs is desired, it should have a
# more specific label.
# TODO: fix system_server and dumpstate
-neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+neverallow { domain -init -vendor_init -system_server -dumpstate } debugfs:file no_rw_file_perms;
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
@@ -1001,12 +1308,9 @@
# vendor, and boot partitions.
neverallow * ~{ system_file vendor_file rootfs }:system module_load;
-# Only allow filesystem caps to be set at build time or
-# during upgrade by recovery.
-neverallow {
- domain
- -recovery
-} self:capability setfcap;
+# Only allow filesystem caps to be set at build time. Runtime changes
+# to filesystem capabilities are not permitted.
+neverallow * self:global_capability_class_set setfcap;
# Enforce AT_SECURE for executing crash_dump.
neverallow domain crash_dump:process noatsecure;
@@ -1019,3 +1323,77 @@
# be passthrough only (i.e., run in the process of their clients instead of a
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
+
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -init
+ -kernel
+ -perfprofd
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
+# Minimize dac_override and dac_read_search.
+# Instead of granting them it is usually better to add the domain to
+# a Unix group or change the permissions of a file.
+neverallow {
+ domain
+ -dnsmasq
+ -dumpstate
+ -init
+ -installd
+ -install_recovery
+ -lmkd
+ -netd
+ -perfprofd
+ -postinstall_dexopt
+ -recovery
+ -sdcardd
+ -tee
+ -ueventd
+ -uncrypt
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+ -zygote
+} self:capability dac_override;
+neverallow { domain -traced_probes } self:capability dac_read_search;
+
+# If an already existing file is opened with O_CREAT, the kernel might generate
+# a false report of a create denial. Silence these denials and make sure that
+# inappropriate permissions are not granted.
+
+# These filesystems don't allow files or directories to be created, so the permission
+# to do so should never be granted.
+neverallow domain {
+ proc_type
+ sysfs_type
+}:dir { add_name create link remove_name rename reparent rmdir write };
+
+# cgroupfs directories can be created, but not files within them.
+neverallow domain cgroup:file create;
+
+dontaudit domain proc_type:dir write;
+dontaudit domain sysfs_type:dir write;
+dontaudit domain cgroup:file create;
+
+# These are only needed in permissive mode - in enforcing mode the
+# directory write check fails and so these are never attempted.
+userdebug_or_eng(`
+ dontaudit domain proc_type:dir add_name;
+ dontaudit domain sysfs_type:dir add_name;
+ dontaudit domain proc_type:file create;
+ dontaudit domain sysfs_type:file create;
+')
+
+# Platform must not have access to /mnt/vendor.
+neverallow {
+ coredomain
+ -init
+} mnt_vendor_file:dir *;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6d6a0a..03fc737 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -8,12 +8,12 @@
# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
-allow dumpstate self:capability { setuid setgid sys_resource };
+allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)
-allow dumpstate self:capability {
+allow dumpstate self:global_capability_class_set {
# Send signals to processes
kill
# Run iptables
@@ -33,7 +33,7 @@
allow dumpstate system_file:dir r_dir_perms;
# Create and write into /data/anr/
-allow dumpstate self:capability { dac_override chown fowner fsetid };
+allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;
@@ -42,7 +42,7 @@
allow dumpstate system_data_file:file r_file_perms;
# Read dmesg
-allow dumpstate self:capability2 syslog;
+allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;
# Read /sys/fs/pstore/console-ramoops
@@ -57,21 +57,23 @@
# Signal native processes to dump their stack.
allow dumpstate {
- # This list comes from native_processes_to_dump in dumpstate/utils.c
+ # This list comes from native_processes_to_dump in dumputils/dump_utils.c
audioserver
cameraserver
drmserver
inputflinger
mediadrmserver
mediaextractor
+ mediametrics
mediaserver
sdcardd
surfaceflinger
- # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
+ # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
hal_bluetooth_server
hal_camera_server
+ hal_drm_server
hal_graphics_composer_server
hal_sensors_server
hal_vr_server
@@ -81,8 +83,14 @@
# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-# TODO: added to match above sysfs rule. Remove me?
-allow dumpstate sysfs_usb:file w_file_perms;
+# Access to /sys
+allow dumpstate sysfs_type:dir r_dir_perms;
+
+allow dumpstate {
+ sysfs_dm
+ sysfs_usb
+ sysfs_zram
+}:file r_file_perms;
# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
@@ -92,6 +100,7 @@
allow dumpstate {
block_device
cache_file
+ metadata_file
rootfs
selinuxfs
storage_file
@@ -112,11 +121,9 @@
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
-# For passthrough mode:
-allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };
# Reading /proc/PID/maps of other processes
-allow dumpstate self:capability sys_ptrace;
+allow dumpstate self:global_capability_class_set sys_ptrace;
# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
@@ -151,9 +158,19 @@
read_runtime_log_tags(dumpstate)
# Read files in /proc
-allow dumpstate proc_meminfo:file r_file_perms;
-allow dumpstate proc_net:file r_file_perms;
-r_dir_file(dumpstate, proc)
+allow dumpstate {
+ proc_buddyinfo
+ proc_cmdline
+ proc_meminfo
+ proc_modules
+ proc_net
+ proc_pipe_conf
+ proc_pagetypeinfo
+ proc_qtaguid_stat
+ proc_version
+ proc_vmallocinfo
+ proc_vmstat
+}:file r_file_perms;
# Read network state info files.
allow dumpstate net_data_file:dir search;
@@ -174,6 +191,10 @@
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;
+#Access /data/misc/update_engine_log
+allow dumpstate update_engine_log_data_file:dir r_dir_perms;
+allow dumpstate update_engine_log_data_file:file r_file_perms;
+
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
@@ -186,7 +207,25 @@
allow dumpstate misc_logd_file:file r_file_perms;
')
-allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow dumpstate {
+ service_manager_type
+ -dumpstate_service
+ -gatekeeper_service
+ -incident_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+# suppress denials for services dumpstate should not be accessing.
+dontaudit dumpstate {
+ dumpstate_service
+ gatekeeper_service
+ incident_service
+ virtual_touchpad_service
+ vold_service
+ vr_hwc_service
+}:service_manager find;
+
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;
@@ -195,14 +234,12 @@
# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)
-# Read device's serial number from system properties
-get_prop(dumpstate, serialno_prop)
-
-# Read state of logging-related properties
-get_prop(dumpstate, device_logging_prop)
+# Read any system properties
+get_prop(dumpstate, property_type)
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
@@ -217,23 +254,23 @@
# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;
-# read default labeled files in /sys
-r_dir_file(dumpstate, sysfs)
-
# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;
-# Allow dumpstate to read backlight details
-allow dumpstate sysfs_leds:lnk_file r_file_perms;
-allow dumpstate sysfs_leds:file r_file_perms;
-allow dumpstate sysfs_leds:dir search;
-
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
+# Allow dumpstate to run iotop
+allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
+# newer kernels (e.g. 4.4) have a new class for sockets
+allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
+
###
### neverallow rules
###
@@ -242,9 +279,11 @@
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;
-# only system_server, dumpstate and shell can find the dumpstate service
-neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;
-
-# Dumpstate should not be writing to any generically labeled sysfs files.
-# Create a specific label for the file type
-neverallow dumpstate sysfs:file no_w_file_perms;
+# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
+neverallow {
+ domain
+ -system_server
+ -shell
+ -traceur_app
+ -dumpstate
+} dumpstate_service:service_manager find;
diff --git a/public/e2fs.te b/public/e2fs.te
index 30a815a..6fcd0c2 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -1,14 +1,21 @@
type e2fs, domain, coredomain;
type e2fs_exec, exec_type, file_type;
-allow e2fs block_device:blk_file getattr;
+allow e2fs devpts:chr_file { read write getattr ioctl };
+
+allow e2fs dev_type:blk_file getattr;
allow e2fs block_device:dir search;
allow e2fs userdata_block_device:blk_file rw_file_perms;
+allow e2fs metadata_block_device:blk_file rw_file_perms;
-# access /proc/filesystems
-allow e2fs proc:file r_file_perms;
+allow e2fs {
+ proc_filesystems
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
# access /sys/fs/ext4/features
+allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file r_file_perms;
# access sselinux context files
diff --git a/public/file.te b/public/file.te
index bcdc461..ccfec15 100644
--- a/public/file.te
+++ b/public/file.te
@@ -3,47 +3,90 @@
type pipefs, fs_type;
type sockfs, fs_type;
type rootfs, fs_type;
-type proc, fs_type;
+type proc, fs_type, proc_type;
# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type;
-type proc_drop_caches, fs_type;
-type proc_overcommit_memory, fs_type;
+type proc_security, fs_type, proc_type;
+type proc_drop_caches, fs_type, proc_type;
+type proc_overcommit_memory, fs_type, proc_type;
+type proc_min_free_order_shift, fs_type, proc_type;
# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type;
+type usermodehelper, fs_type, proc_type;
type sysfs_usermodehelper, fs_type, sysfs_type;
-type qtaguid_proc, fs_type, mlstrustedobject;
-type proc_bluetooth_writable, fs_type;
-type proc_cpuinfo, fs_type;
-type proc_interrupts, fs_type;
-type proc_iomem, fs_type;
-type proc_meminfo, fs_type;
-type proc_misc, fs_type;
-type proc_modules, fs_type;
-type proc_net, fs_type;
-type proc_perf, fs_type;
-type proc_stat, fs_type;
-type proc_sysrq, fs_type;
-type proc_timer, fs_type;
-type proc_tty_drivers, fs_type;
-type proc_uid_cputime_showstat, fs_type;
-type proc_uid_cputime_removeuid, fs_type;
-type proc_uid_io_stats, fs_type;
-type proc_uid_procstat_set, fs_type;
-type proc_uid_time_in_state, fs_type;
-type proc_zoneinfo, fs_type;
+type qtaguid_proc, fs_type, mlstrustedobject, proc_type;
+type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
+type proc_bluetooth_writable, fs_type, proc_type;
+type proc_abi, fs_type, proc_type;
+type proc_asound, fs_type, proc_type;
+type proc_buddyinfo, fs_type, proc_type;
+type proc_cmdline, fs_type, proc_type;
+type proc_cpuinfo, fs_type, proc_type;
+type proc_dirty, fs_type, proc_type;
+type proc_diskstats, fs_type, proc_type;
+type proc_extra_free_kbytes, fs_type, proc_type;
+type proc_filesystems, fs_type, proc_type;
+type proc_hostname, fs_type, proc_type;
+type proc_hung_task, fs_type, proc_type;
+type proc_interrupts, fs_type, proc_type;
+type proc_iomem, fs_type, proc_type;
+type proc_kmsg, fs_type, proc_type;
+type proc_loadavg, fs_type, proc_type;
+type proc_max_map_count, fs_type, proc_type;
+type proc_meminfo, fs_type, proc_type;
+type proc_misc, fs_type, proc_type;
+type proc_modules, fs_type, proc_type;
+type proc_mounts, fs_type, proc_type;
+type proc_net, fs_type, proc_type;
+type proc_page_cluster, fs_type, proc_type;
+type proc_pagetypeinfo, fs_type, proc_type;
+type proc_panic, fs_type, proc_type;
+type proc_perf, fs_type, proc_type;
+type proc_pid_max, fs_type, proc_type;
+type proc_pipe_conf, fs_type, proc_type;
+type proc_random, fs_type, proc_type;
+type proc_sched, fs_type, proc_type;
+type proc_stat, fs_type, proc_type;
+type proc_swaps, fs_type, proc_type;
+type proc_sysrq, fs_type, proc_type;
+type proc_timer, fs_type, proc_type;
+type proc_tty_drivers, fs_type, proc_type;
+type proc_uid_cputime_showstat, fs_type, proc_type;
+type proc_uid_cputime_removeuid, fs_type, proc_type;
+type proc_uid_io_stats, fs_type, proc_type;
+type proc_uid_procstat_set, fs_type, proc_type;
+type proc_uid_time_in_state, fs_type, proc_type;
+type proc_uid_concurrent_active_time, fs_type, proc_type;
+type proc_uid_concurrent_policy_time, fs_type, proc_type;
+type proc_uid_cpupower, fs_type, proc_type;
+type proc_uptime, fs_type, proc_type;
+type proc_version, fs_type, proc_type;
+type proc_vmallocinfo, fs_type, proc_type;
+type proc_vmstat, fs_type, proc_type;
+type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_dm, fs_type, sysfs_type;
+type sysfs_dt_firmware_android, fs_type, sysfs_type;
+type sysfs_ipv4, fs_type, sysfs_type;
+type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
type sysfs_leds, fs_type, sysfs_type;
type sysfs_hwrandom, fs_type, sysfs_type;
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
type sysfs_wake_lock, fs_type, sysfs_type;
type sysfs_mac_address, fs_type, sysfs_type;
-type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
+type sysfs_net, fs_type, sysfs_type;
+type sysfs_power, fs_type, sysfs_type;
+type sysfs_rtc, fs_type, sysfs_type;
+type sysfs_switch, fs_type, sysfs_type;
+type sysfs_usb, fs_type, sysfs_type;
+type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type;
type configfs, fs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
@@ -65,12 +108,14 @@
type fuse, sdcard_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
+type exfat, sdcard_type, fs_type, mlstrustedobject;
type debugfs, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
-type debugfs_tracing, fs_type, debugfs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
type debugfs_tracing_instances, fs_type, debugfs_type;
+type debugfs_wakeup_sources, fs_type, debugfs_type;
type debugfs_wifi_tracing, fs_type, debugfs_type;
type pstorefs, fs_type;
@@ -105,6 +150,11 @@
# Default type for everything in /vendor/overlay
type vendor_overlay_file, vendor_file_type, file_type;
+# /metadata partition itself
+type metadata_file, file_type;
+# Vold files within /metadata
+type vold_metadata_file, file_type;
+
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/bin/logcat.
@@ -113,6 +163,8 @@
type coredump_file, file_type;
# Default type for anything under /data.
type system_data_file, file_type, data_file_type, core_data_file_type;
+# Default type for anything under /data/vendor{_ce,_de}.
+type vendor_data_file, file_type, data_file_type;
# Unencrypted data
type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
# /data/.layout_version or other installd-created files that
@@ -126,6 +178,8 @@
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/tombstones - core dumps
type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /data/vendor/tombstones/wifi - vendor wifi dumps
+type tombstone_wifi_data_file, file_type, data_file_type;
# /data/app - user-installed apps
type apk_data_file, file_type, data_file_type, core_data_file_type;
type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -173,6 +227,9 @@
type mnt_media_rw_stub_file, file_type;
type storage_stub_file, file_type;
+# Mount location for read-write vendor partitions.
+type mnt_vendor_file, file_type;
+
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
@@ -181,7 +238,6 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
@@ -196,13 +252,14 @@
type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
+type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
type nfc_data_file, file_type, data_file_type, core_data_file_type;
type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type reboot_data_file, file_type, data_file_type, core_data_file_type;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
type shared_relro_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
+type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type vpn_data_file, file_type, data_file_type, core_data_file_type;
type wifi_data_file, file_type, data_file_type, core_data_file_type;
type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
@@ -210,6 +267,7 @@
type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type tee_data_file, file_type, data_file_type;
type update_engine_data_file, file_type, data_file_type, core_data_file_type;
+type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -219,13 +277,13 @@
type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
-type cache_file, file_type, data_file_type, mlstrustedobject;
+type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, mlstrustedobject;
+type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type;
+type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, mlstrustedobject;
+type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Default type for anything under /efs
type efs_file, file_type;
# Type for wallpaper file.
@@ -248,12 +306,14 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Socket types
type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, coredomain_socket;
+type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
type dumpstate_socket, file_type, coredomain_socket;
type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
@@ -263,22 +323,22 @@
type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
type mdns_socket, file_type, coredomain_socket;
type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type;
+type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
type mtpd_socket, file_type, coredomain_socket;
type netd_socket, file_type, coredomain_socket;
type property_socket, file_type, coredomain_socket, mlstrustedobject;
type racoon_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type system_wpa_socket, file_type, data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, coredomain_socket, mlstrustedobject;
+type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
+type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
type tombstoned_java_trace_socket, file_type, mlstrustedobject;
type tombstoned_intercept_socket, file_type, coredomain_socket;
+type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
+type traced_consumer_socket, file_type, coredomain_socket;
type uncrypt_socket, file_type, coredomain_socket;
-type vold_socket, file_type, coredomain_socket;
-type webview_zygote_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type;
+type wpa_socket, file_type, data_file_type, core_data_file_type;
type zygote_socket, file_type, coredomain_socket;
# UART (for GPS) control proc file
type gps_control, file_type;
@@ -325,8 +385,9 @@
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
+allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
@@ -337,6 +398,9 @@
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
+# Deprecated in SDK version 28
+type audiohal_data_file, file_type, data_file_type, core_data_file_type;
+
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
#
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 5dd18a3..2dc1107 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -23,6 +23,4 @@
binder_call(fingerprintd, system_server);
allow fingerprintd permission_service:service_manager find;
-r_dir_file(fingerprintd, cgroup)
-r_dir_file(fingerprintd, sysfs_type)
allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/public/fsck.te b/public/fsck.te
index b682a87..c5219d8 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -30,7 +30,10 @@
# major/minor values.
allow fsck dev_type:blk_file getattr;
-r_dir_file(fsck, proc)
+allow fsck {
+ proc_mounts
+ proc_swaps
+}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
###
@@ -41,7 +44,6 @@
neverallow fsck {
boot_block_device
frp_block_device
- metadata_block_device
recovery_block_device
root_block_device
swap_block_device
diff --git a/public/fsck_untrusted.te b/public/fsck_untrusted.te
index e2aceb8..8510c94 100644
--- a/public/fsck_untrusted.te
+++ b/public/fsck_untrusted.te
@@ -12,7 +12,7 @@
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;
-r_dir_file(fsck_untrusted, proc)
+allow fsck_untrusted proc_mounts:file r_file_perms;
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
diff --git a/public/global_macros b/public/global_macros
index bcfb686..5dab5ab 100644
--- a/public/global_macros
+++ b/public/global_macros
@@ -1,7 +1,9 @@
#####################################
# Common groupings of object classes.
#
-define(`capability_class_set', `{ capability capability2 }')
+define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
+define(`global_capability_class_set', `{ capability cap_userns }')
+define(`global_capability2_class_set', `{ capability2 cap2_userns }')
define(`devfile_class_set', `{ chr_file blk_file }')
define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
diff --git a/public/hal_audio.te b/public/hal_audio.te
index 33330bf..037066e 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -7,15 +7,10 @@
allow hal_audio ion_device:chr_file r_file_perms;
-userdebug_or_eng(`
- # used for pcm capture for debug.
- allow hal_audio audiohal_data_file:dir create_dir_perms;
- allow hal_audio audiohal_data_file:file create_file_perms;
-')
-
r_dir_file(hal_audio, proc)
-allow hal_audio audio_device:dir r_dir_perms;
-allow hal_audio audio_device:chr_file rw_file_perms;
+r_dir_file(hal_audio, proc_asound)
+allow hal_audio_server audio_device:dir r_dir_perms;
+allow hal_audio_server audio_device:chr_file rw_file_perms;
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_audio shell:fd use;
@@ -23,16 +18,21 @@
allow hal_audio dumpstate:fd use;
allow hal_audio dumpstate:fifo_file write;
+# allow hal audio to use vnbinder
+vndbinder_use(hal_audio)
+
###
### neverallow rules
###
# Should never execute any executable without a domain transition
-neverallow hal_audio { file_type fs_type }:file execute_no_trans;
+neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
# Should never need network access.
# Disallow network sockets.
-neverallow hal_audio domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_audio_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server } audio_device:chr_file *;
+
+get_prop(hal_audio, bluetooth_a2dp_offload_prop)
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
new file mode 100644
index 0000000..438db53
--- /dev/null
+++ b/public/hal_audiocontrol.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
+binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
+
+add_hwservice(hal_audiocontrol_server, hal_audiocontrol_hwservice)
+
+allow hal_audiocontrol_client hal_audiocontrol_hwservice:hwservice_manager find;
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
new file mode 100644
index 0000000..81b0c04
--- /dev/null
+++ b/public/hal_authsecret.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_authsecret_client, hal_authsecret_server)
+
+add_hwservice(hal_authsecret_server, hal_authsecret_hwservice)
+allow hal_authsecret_client hal_authsecret_hwservice:hwservice_manager find;
diff --git a/public/hal_bluetooth.te b/public/hal_bluetooth.te
index 2394e2e..373dbec 100644
--- a/public/hal_bluetooth.te
+++ b/public/hal_bluetooth.te
@@ -8,7 +8,7 @@
wakelock_use(hal_bluetooth);
# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:capability net_admin;
+allow hal_bluetooth self:global_capability_class_set net_admin;
# bluetooth factory file accesses.
r_dir_file(hal_bluetooth, bluetooth_efs_file)
@@ -18,13 +18,15 @@
# sysfs access.
r_dir_file(hal_bluetooth, sysfs_type)
allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:capability2 wake_alarm;
+allow hal_bluetooth self:global_capability2_class_set wake_alarm;
# Allow write access to bluetooth-specific properties
+set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
set_prop(hal_bluetooth, bluetooth_prop)
+set_prop(hal_bluetooth, exported_bluetooth_prop)
# /proc access (bluesleep etc.).
allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
# allow to run with real-time scheduling policy
-allow hal_bluetooth self:capability sys_nice;
+allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index 8b240b1..181de4a 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -4,3 +4,5 @@
add_hwservice(hal_bootctl_server, hal_bootctl_hwservice)
allow hal_bootctl_client hal_bootctl_hwservice:hwservice_manager find;
+
+dontaudit hal_bootctl self:capability sys_rawio;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 413a057..8fe7442 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -5,10 +5,7 @@
add_hwservice(hal_camera_server, hal_camera_hwservice)
allow hal_camera_client hal_camera_hwservice:hwservice_manager find;
-# access /data/misc/camera
-allow hal_camera camera_data_file:dir create_dir_perms;
-allow hal_camera camera_data_file:file create_file_perms;
-
+allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
@@ -27,10 +24,10 @@
# hal_camera should never execute any executable without a
# domain transition
-neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index fd5d63b..7f65358 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -7,12 +7,10 @@
allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
# Permit reading device's serial number from system properties
-get_prop(hal_cas, serialno_prop)
+get_prop(hal_cas_server, serialno_prop)
# Read files already opened under /data
-allow hal_cas system_data_file:dir { search getattr };
allow hal_cas system_data_file:file { getattr read };
-allow hal_cas system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_cas, cgroup)
@@ -31,7 +29,7 @@
# hal_cas should never execute any executable without a
# domain transition
-neverallow hal_cas { file_type fs_type }:file execute_no_trans;
+neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_configstore.te b/public/hal_configstore.te
index d5f2ef6..c8051e1 100644
--- a/public/hal_configstore.te
+++ b/public/hal_configstore.te
@@ -49,7 +49,14 @@
}:{ file fifo_file sock_file } *;
# Should never need sdcard access
-neverallow hal_configstore_server { fuse sdcardfs vfat }:file *;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:dir ~getattr;
+neverallow hal_configstore_server {
+ sdcard_type
+ fuse sdcardfs vfat exfat # manual expansion for completeness
+}:file *;
# Do not permit access to service_manager and vndservice_manager
neverallow hal_configstore_server *:service_manager *;
diff --git a/public/hal_confirmationui.te b/public/hal_confirmationui.te
new file mode 100644
index 0000000..228e864
--- /dev/null
+++ b/public/hal_confirmationui.te
@@ -0,0 +1,5 @@
+# HwBinder IPC from client to server
+binder_call(hal_confirmationui_client, hal_confirmationui_server)
+
+add_hwservice(hal_confirmationui_server, hal_confirmationui_hwservice)
+allow hal_confirmationui_client hal_confirmationui_hwservice:hwservice_manager find;
diff --git a/public/hal_drm.te b/public/hal_drm.te
index 5a6bf5c..a46dd91 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -19,9 +19,7 @@
allow hal_drm system_file:lnk_file r_file_perms;
# Read files already opened under /data
-allow hal_drm system_data_file:dir { search getattr };
allow hal_drm system_data_file:file { getattr read };
-allow hal_drm system_data_file:lnk_file r_file_perms;
# Read access to pseudo filesystems
r_dir_file(hal_drm, cgroup)
@@ -35,11 +33,6 @@
# Allow access to fds allocated by mediaserver
allow hal_drm mediaserver:fd use;
-# Allow access to app_data and media_data_files
-allow hal_drm media_data_file:dir create_dir_perms;
-allow hal_drm media_data_file:file create_file_perms;
-allow hal_drm media_data_file:file { getattr read };
-
allow hal_drm sysfs:file r_file_perms;
allow hal_drm tee_device:chr_file rw_file_perms;
@@ -54,7 +47,7 @@
# hal_drm should never execute any executable without a
# domain transition
-neverallow hal_drm { file_type fs_type }:file execute_no_trans;
+neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
+neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/public/hal_evs.te b/public/hal_evs.te
new file mode 100644
index 0000000..710051e
--- /dev/null
+++ b/public/hal_evs.te
@@ -0,0 +1,5 @@
+hwbinder_use(hal_evs_client)
+hwbinder_use(hal_evs_server)
+binder_call(hal_evs_client, hal_evs_server)
+binder_call(hal_evs_server, hal_evs_client)
+
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index bef9f55..ebe0b0c 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -5,14 +5,13 @@
add_hwservice(hal_fingerprint_server, hal_fingerprint_hwservice)
allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
-# allow HAL module to read dir contents
-allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
-
-# allow HAL module to read/write/unlink contents of this dir
-allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
-
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index f56e8f6..e2b04ae 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -10,4 +10,4 @@
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:capability sys_nice;
+allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 287037c..2df4612 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -23,4 +23,4 @@
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:capability sys_nice;
+allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/public/hal_health.te b/public/hal_health.te
index c19c5f1..c0a0f80 100644
--- a/public/hal_health.te
+++ b/public/hal_health.te
@@ -9,3 +9,22 @@
# /{system,vendor,odm}/lib[64]/hw/ in order
# to be able to open the hal implementation .so files
r_dir_file(hal_health, system_file)
+
+# Common rules for a health service.
+
+# Allow to listen to uevents for updates
+allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow to read /sys/class/power_supply directory
+allow hal_health_server sysfs:dir r_dir_perms;
+
+# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
+# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
+# HAL service.
+r_dir_file(hal_health_server, sysfs_batteryinfo)
+
+# Allow to wake up to send periodic events
+wakelock_use(hal_health_server)
+
+# Write to /dev/kmsg
+allow hal_health_server kmsg_device:chr_file w_file_perms;
diff --git a/public/hal_lowpan.te b/public/hal_lowpan.te
new file mode 100644
index 0000000..af491b1
--- /dev/null
+++ b/public/hal_lowpan.te
@@ -0,0 +1,21 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_lowpan_client, hal_lowpan_server)
+binder_call(hal_lowpan_server, hal_lowpan_client)
+
+add_hwservice(hal_lowpan_server, hal_lowpan_hwservice)
+
+# Allow hal_lowpan_client to be able to find the hal_lowpan_server
+allow hal_lowpan_client hal_lowpan_hwservice:hwservice_manager find;
+
+# hal_lowpan domain can write/read to/from lowpan_prop
+set_prop(hal_lowpan_server, lowpan_prop)
+
+# Allow hal_lowpan_server to open lowpan_devices
+allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
+
+###
+### neverallow rules
+###
+
+# Only LoWPAN HAL may directly access LoWPAN hardware
+neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 036e1d2..0f05d8a 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -4,18 +4,25 @@
halserverdomain
-hal_bluetooth_server
-hal_wifi_server
+ -hal_wifi_hostapd_server
-hal_wifi_supplicant_server
- -rild
-} self:capability { net_admin net_raw };
+ -hal_telephony_server
+} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
# hardware, it should not be using network sockets.
+# NOTE: HALs for automotive devices have an exemption from this rule because in
+# a car it is common to have external modules and HALs need to communicate to
+# those modules using network. Using this exemption for non-automotive builds
+# will result in CTS failure.
neverallow {
halserverdomain
+ -hal_automotive_socket_exemption
-hal_tetheroffload_server
-hal_wifi_server
+ -hal_wifi_hostapd_server
-hal_wifi_supplicant_server
- -rild
+ -hal_telephony_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
###
@@ -42,7 +49,7 @@
neverallow {
halserverdomain
-hal_dumpstate_server
- -rild
+ -hal_telephony_server
} { file_type fs_type }:file execute_no_trans;
# Do not allow a process other than init to transition into a HAL domain.
neverallow { domain -init } halserverdomain:process transition;
diff --git a/public/hal_nfc.te b/public/hal_nfc.te
index a027c48..3bcdf5e 100644
--- a/public/hal_nfc.te
+++ b/public/hal_nfc.te
@@ -10,7 +10,3 @@
# NFC device access.
allow hal_nfc nfc_device:chr_file rw_file_perms;
-
-# Data file accesses.
-allow hal_nfc nfc_data_file:dir create_dir_perms;
-allow hal_nfc nfc_data_file:{ file lnk_file fifo_file } create_file_perms;
diff --git a/public/hal_secure_element.te b/public/hal_secure_element.te
new file mode 100644
index 0000000..e3046d1
--- /dev/null
+++ b/public/hal_secure_element.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_secure_element_client, hal_secure_element_server)
+binder_call(hal_secure_element_server, hal_secure_element_client)
+
+add_hwservice(hal_secure_element_server, hal_secure_element_hwservice)
+allow hal_secure_element_client hal_secure_element_hwservice:hwservice_manager find;
diff --git a/public/hal_sensors.te b/public/hal_sensors.te
index 068c93b..9d7cbe9 100644
--- a/public/hal_sensors.te
+++ b/public/hal_sensors.te
@@ -12,4 +12,4 @@
allow hal_sensors hal_allocator:fd use;
# allow to run with real-time scheduling policy
-allow hal_sensors self:capability sys_nice;
+allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index 41cfd4b..5f8cc41 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -5,3 +5,42 @@
add_hwservice(hal_telephony_server, hal_telephony_hwservice)
allow hal_telephony_client hal_telephony_hwservice:hwservice_manager find;
+allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
+
+allow hal_telephony_server self:netlink_route_socket nlmsg_write;
+allow hal_telephony_server kernel:system module_request;
+allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
+allow hal_telephony_server alarm_device:chr_file rw_file_perms;
+allow hal_telephony_server cgroup:dir create_dir_perms;
+allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
+allow hal_telephony_server radio_device:chr_file rw_file_perms;
+allow hal_telephony_server radio_device:blk_file r_file_perms;
+allow hal_telephony_server mtd_device:dir search;
+allow hal_telephony_server efs_file:dir create_dir_perms;
+allow hal_telephony_server efs_file:file create_file_perms;
+allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
+allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
+allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
+
+# property service
+set_prop(hal_telephony_server, radio_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
+
+allow hal_telephony_server tty_device:chr_file rw_file_perms;
+
+# Allow hal_telephony_server to create and use netlink sockets.
+allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access to wake locks
+wakelock_use(hal_telephony_server)
+
+r_dir_file(hal_telephony_server, proc_net)
+r_dir_file(hal_telephony_server, sysfs_type)
+r_dir_file(hal_telephony_server, system_file)
+
+# granting the ioctl permission for hal_telephony_server should be device specific
+allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/public/hal_usb_gadget.te b/public/hal_usb_gadget.te
new file mode 100644
index 0000000..16f4f08
--- /dev/null
+++ b/public/hal_usb_gadget.te
@@ -0,0 +1,14 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
+binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
+
+add_hwservice(hal_usb_gadget_server, hal_usb_gadget_hwservice)
+allow hal_usb_gadget_client hal_usb_gadget_hwservice:hwservice_manager find;
+
+# Configuring usb gadget functions
+allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
+allow hal_usb_gadget_server configfs:dir rw_dir_perms;
+allow hal_usb_gadget_server configfs:file rw_file_perms;
+allow hal_usb_gadget_server functionfs:dir { read search };
+allow hal_usb_gadget_server functionfs:file read;
+
diff --git a/public/hal_vehicle.te b/public/hal_vehicle.te
new file mode 100644
index 0000000..a59f8d2
--- /dev/null
+++ b/public/hal_vehicle.te
@@ -0,0 +1,7 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_vehicle_client, hal_vehicle_server)
+binder_call(hal_vehicle_server, hal_vehicle_client)
+
+add_hwservice(hal_vehicle_server, hal_vehicle_hwservice)
+
+allow hal_vehicle_client hal_vehicle_hwservice:hwservice_manager find;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c8612d7..9ce34ca 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -6,3 +6,4 @@
# vibrator sysfs rw access
allow hal_vibrator sysfs_vibrator:file rw_file_perms;
+allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index e267731..7cea7c7 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -8,13 +8,14 @@
r_dir_file(hal_wifi, proc_net)
r_dir_file(hal_wifi, sysfs_type)
+set_prop(hal_wifi, exported_wifi_prop)
set_prop(hal_wifi, wifi_prop)
# allow hal wifi set interfaces up and down
allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS };
+allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
-allow hal_wifi self:capability { net_admin net_raw };
+allow hal_wifi self:global_capability_class_set { net_admin net_raw };
# allow hal_wifi to speak to nl80211 in the kernel
allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
@@ -22,4 +23,10 @@
# hal_wifi writes firmware paths to this file.
allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
\ No newline at end of file
+allow hal_wifi proc_modules:file { getattr open read };
+
+# allow hal_wifi to write into /data/vendor/tombstones/wifi
+userdebug_or_eng(`
+ allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
+ allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
+')
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
new file mode 100644
index 0000000..03a5546
--- /dev/null
+++ b/public/hal_wifi_hostapd.te
@@ -0,0 +1,28 @@
+# HwBinder IPC from client to server
+binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
+binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
+
+add_hwservice(hal_wifi_hostapd_server, hal_wifi_hostapd_hwservice)
+allow hal_wifi_hostapd_client hal_wifi_hostapd_hwservice:hwservice_manager find;
+
+allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
+
+allow hal_wifi_hostapd_server sysfs_net:dir search;
+
+# Allow hal_wifi_hostapd to access /proc/net/psched
+allow hal_wifi_hostapd_server proc_net:file { getattr open read };
+
+# Various socket permissions.
+allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
+allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
+allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
+
+###
+### neverallow rules
+###
+
+# hal_wifi_hostapd should not trust any data from sdcards
+neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
+neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 0f2540e..6bf0d32 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -12,25 +12,13 @@
r_dir_file(hal_wifi_supplicant, proc_net)
allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:capability { setuid net_admin setgid net_raw };
+allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-allow hal_wifi_supplicant wifi_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_data_file:file create_file_perms;
-
-# Create a socket for receiving info from wpa
-allow hal_wifi_supplicant wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wpa_socket:sock_file create_file_perms;
-
-# Allow wpa_cli to work. wpa_cli creates a socket in
-# /data/misc/wifi/sockets which hal_wifi_supplicant supplicant communicates with.
-userdebug_or_eng(`
- unix_socket_send(hal_wifi_supplicant, wpa, su)
-')
###
### neverallow rules
diff --git a/public/healthd.te b/public/healthd.te
index c0a7bec..8a1d3ec 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -6,7 +6,7 @@
allow healthd kmsg_device:chr_file rw_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(healthd, sysfs_type)
+allow healthd sysfs_type:dir search;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
@@ -14,28 +14,22 @@
# /{system,vendor,odm}/lib[64]/hw/
r_dir_file(healthd, system_file)
-allow healthd self:capability { sys_tty_config };
-allow healthd self:capability sys_boot;
+allow healthd self:global_capability_class_set { sys_tty_config };
+allow healthd self:global_capability_class_set sys_boot;
allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
wakelock_use(healthd)
-binder_use(healthd)
-binder_service(healthd)
-binder_call(healthd, system_server)
hal_client_domain(healthd, hal_health)
-# Write to state file.
-# TODO: Split into a separate type?
-allow healthd sysfs:file write;
+# Read/write to /sys/power/state
+allow healthd sysfs_power:file rw_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow healthd sysfs_usb:file write;
-allow healthd sysfs_batteryinfo:file r_file_perms;
-
-r_dir_file(healthd, sysfs_type)
+r_dir_file(healthd, sysfs_batteryinfo)
###
### healthd: charger mode
@@ -56,8 +50,9 @@
allow healthd self:process execmem;
allow healthd proc_sysrq:file rw_file_perms;
-add_service(healthd, batteryproperties_service)
-
# Healthd needs to tell init to continue the boot
# process when running in charger mode.
set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/public/hwservice.te b/public/hwservice.te
index 97b9b8d..5fba86a 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -2,16 +2,21 @@
type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice;
type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice;
+type hal_audiocontrol_hwservice, hwservice_manager_type;
type hal_audio_hwservice, hwservice_manager_type;
+type hal_authsecret_hwservice, hwservice_manager_type;
type hal_bluetooth_hwservice, hwservice_manager_type;
type hal_bootctl_hwservice, hwservice_manager_type;
type hal_broadcastradio_hwservice, hwservice_manager_type;
type hal_camera_hwservice, hwservice_manager_type;
+type hal_codec2_hwservice, hwservice_manager_type;
type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
+type hal_confirmationui_hwservice, hwservice_manager_type;
type hal_contexthub_hwservice, hwservice_manager_type;
type hal_drm_hwservice, hwservice_manager_type;
type hal_cas_hwservice, hwservice_manager_type;
type hal_dumpstate_hwservice, hwservice_manager_type;
+type hal_evs_hwservice, hwservice_manager_type;
type hal_fingerprint_hwservice, hwservice_manager_type;
type hal_gatekeeper_hwservice, hwservice_manager_type;
type hal_gnss_hwservice, hwservice_manager_type;
@@ -22,6 +27,7 @@
type hal_ir_hwservice, hwservice_manager_type;
type hal_keymaster_hwservice, hwservice_manager_type;
type hal_light_hwservice, hwservice_manager_type;
+type hal_lowpan_hwservice, hwservice_manager_type;
type hal_memtrack_hwservice, hwservice_manager_type;
type hal_neuralnetworks_hwservice, hwservice_manager_type;
type hal_nfc_hwservice, hwservice_manager_type;
@@ -29,6 +35,7 @@
type hal_omx_hwservice, hwservice_manager_type;
type hal_power_hwservice, hwservice_manager_type;
type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
+type hal_secure_element_hwservice, hwservice_manager_type;
type hal_sensors_hwservice, hwservice_manager_type;
type hal_telephony_hwservice, hwservice_manager_type;
type hal_tetheroffload_hwservice, hwservice_manager_type;
@@ -36,10 +43,13 @@
type hal_tv_cec_hwservice, hwservice_manager_type;
type hal_tv_input_hwservice, hwservice_manager_type;
type hal_usb_hwservice, hwservice_manager_type;
+type hal_usb_gadget_hwservice, hwservice_manager_type;
+type hal_vehicle_hwservice, hwservice_manager_type;
type hal_vibrator_hwservice, hwservice_manager_type;
type hal_vr_hwservice, hwservice_manager_type;
type hal_weaver_hwservice, hwservice_manager_type;
type hal_wifi_hwservice, hwservice_manager_type;
+type hal_wifi_hostapd_hwservice, hwservice_manager_type;
type hal_wifi_offload_hwservice, hwservice_manager_type;
type hal_wifi_supplicant_hwservice, hwservice_manager_type;
type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
diff --git a/public/idmap.te b/public/idmap.te
index 1c32f8f..3f336a3 100644
--- a/public/idmap.te
+++ b/public/idmap.te
@@ -6,6 +6,9 @@
allow idmap installd:fd use;
allow idmap resourcecache_data_file:file { getattr read write };
+# Ignore reading /proc/<pid>/maps after a fork.
+dontaudit idmap installd:file read;
+
# Open and read from target and overlay apk files passed by argument.
allow idmap apk_data_file:file r_file_perms;
allow idmap apk_data_file:dir search;
diff --git a/public/incident_helper.te b/public/incident_helper.te
new file mode 100644
index 0000000..bca1018
--- /dev/null
+++ b/public/incident_helper.te
@@ -0,0 +1,5 @@
+# The incident_helper is called by incidentd and
+# can only read/write data from/to incidentd
+
+# incident_helper
+type incident_helper, domain;
diff --git a/public/init.te b/public/init.te
index e6162a9..dafc06f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -21,9 +21,12 @@
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
allow init property_type:file { create_file_perms relabelto };
+# /dev/__properties__/property_info
+allow init properties_device:file create_file_perms;
+allow init property_info:file relabelto;
# /dev/event-log-tags
allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto };
+allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
allow init { device socket_device }:dir relabelto;
# /dev/random, /dev/urandom
@@ -36,10 +39,14 @@
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init system_block_device:{ blk_file lnk_file } relabelto;
+allow init {
+ misc_block_device
+ recovery_block_device
+ system_block_device
+}:{ blk_file lnk_file } relabelto;
# setrlimit
-allow init self:capability sys_resource;
+allow init self:global_capability_class_set sys_resource;
# Remove /dev/.booting, created before initial policy load or restorecon /dev.
allow init tmpfs:file unlink;
@@ -60,11 +67,15 @@
allow init tty_device:chr_file rw_file_perms;
# Call mount(2).
-allow init self:capability sys_admin;
+allow init self:global_capability_class_set sys_admin;
# Create and mount on directories in /.
allow init rootfs:dir create_dir_perms;
allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
# Mount on /dev/usb-ffs/adb.
allow init device:dir mounton;
@@ -87,16 +98,19 @@
allow init configfs:dir create_dir_perms;
allow init configfs:{ file lnk_file } create_file_perms;
+# /metadata
+allow init metadata_file:dir mounton;
+
# Use tmpfs as /data, used for booting when /data is encrypted
allow init tmpfs:dir relabelfrom;
# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:capability dac_override;
+allow init self:global_capability_class_set dac_override;
# Set system clock.
-allow init self:capability sys_time;
+allow init self:global_capability_class_set sys_time;
-allow init self:capability { sys_rawio mknod };
+allow init self:global_capability_class_set { sys_rawio mknod };
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
@@ -123,13 +137,14 @@
# system/core/init.rc requires at least cache_file and data_file_type.
# init.<board>.rc files often include device-specific types, so
# we just allow all file types except /system files here.
-allow init self:capability { chown fowner fsetid };
+allow init self:global_capability_class_set { chown fowner fsetid };
allow init {
file_type
-app_data_file
-exec_type
-misc_logd_file
+ -nativetest_data_file
-system_app_data_file
-system_file
-vendor_file_type
@@ -141,6 +156,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -155,6 +171,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -168,6 +185,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -181,6 +199,7 @@
-exec_type
-keystore_data_file
-misc_logd_file
+ -nativetest_data_file
-shell_data_file
-system_app_data_file
-system_file
@@ -191,7 +210,7 @@
allow init cache_file:lnk_file r_file_perms;
allow init { file_type -system_file -vendor_file_type -exec_type }:dir_file_class_set relabelto;
-allow init { sysfs debugfs debugfs_tracing }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -205,7 +224,14 @@
allow init debugfs_wifi_tracing:file w_file_perms;
# chown/chmod on pseudo files.
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:file { open read setattr };
+allow init {
+ fs_type
+ -contextmount_type
+ -proc
+ -sdcard_type
+ -sysfs_type
+ -rootfs
+}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
# init should not be able to read or open generic devices
@@ -249,34 +275,79 @@
# Any operation that can modify the kernel ring buffer, e.g. clear
# or a read that consumes the messages that were read.
allow init kernel:system syslog_mod;
-allow init self:capability2 syslog;
+allow init self:global_capability2_class_set syslog;
-# Set usermodehelpers and /proc security settings.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-allow init proc_security:file rw_file_perms;
-
-# Write to /proc/sys/kernel/panic_on_oops.
-r_dir_file(init, proc)
-allow init proc:file w_file_perms;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+# init access to /proc.
r_dir_file(init, proc_net)
-allow init proc_net:file w_file_perms;
-allow init self:capability net_admin;
-# Write to /proc/sysrq-trigger.
-allow init proc_sysrq:file w_file_perms;
+allow init {
+ proc_cmdline
+ proc_diskstats
+ proc_kmsg # Open /proc/kmsg for logd service.
+ proc_meminfo
+ proc_stat # Read /proc/stat for bootchart.
+ proc_uptime
+ proc_version
+}:file r_file_perms;
-# Read /proc/stat for bootchart.
-allow init proc_stat:file r_file_perms;
+allow init {
+ proc_abi
+ proc_dirty
+ proc_hostname
+ proc_hung_task
+ proc_extra_free_kbytes
+ proc_net
+ proc_max_map_count
+ proc_min_free_order_shift
+ proc_overcommit_memory
+ proc_panic
+ proc_page_cluster
+ proc_perf
+ proc_sched
+ proc_sysrq
+}:file w_file_perms;
+
+allow init {
+ proc_security
+}:file rw_file_perms;
+
+# init access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_leds
+ sysfs_power
+}:file w_file_perms;
+
+allow init {
+ sysfs_dt_firmware_android
+}:file r_file_perms;
+
+allow init {
+ sysfs_zram
+}:file rw_file_perms;
+
+# Allow init to write to vibrator/trigger
+allow init sysfs_vibrator:file w_file_perms;
+
+# init chmod/chown access to /sys files.
+allow init {
+ sysfs_android_usb
+ sysfs_devices_system_cpu
+ sysfs_ipv4
+ sysfs_leds
+ sysfs_lowmemorykiller
+ sysfs_power
+ sysfs_vibrator
+ sysfs_wake_lock
+}:file setattr;
+
+# Set usermodehelpers.
+allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
+
+allow init self:global_capability_class_set net_admin;
# Reboot.
-allow init self:capability sys_boot;
-
-# Write to sysfs nodes.
-allow init sysfs_type:dir r_dir_perms;
-allow init sysfs_type:lnk_file read;
-allow init sysfs_type:file rw_file_perms;
+allow init self:global_capability_class_set sys_boot;
# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
# Init will also walk through the directory as part of a recursive restorecon.
@@ -284,7 +355,7 @@
allow init misc_logd_file:file { open create getattr setattr write };
# Support "adb shell stop"
-allow init self:capability kill;
+allow init self:global_capability_class_set kill;
allow init domain:process { getpgid sigkill signal };
# Init creates keystore's directory on boot, and walks through
@@ -302,7 +373,7 @@
allow init shell_data_file:file { getattr };
# Set UID, GID, and adjust capability bounding set for services.
-allow init self:capability { setuid setgid setpcap };
+allow init self:global_capability_class_set { setuid setgid setpcap };
# For bootchart to read the /proc/$pid/cmdline file of each process,
# we need to have following line to allow init to have access
@@ -342,13 +413,13 @@
# so it can be picked up and processed by logd. These denials are
# generated when an attempt to set a property is denied by policy.
allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:capability audit_write;
+allow init self:global_capability_class_set audit_write;
# Run "ifup lo" to bring up the localhost interface
allow init self:udp_socket { create ioctl };
# in addition to unpriv ioctls granted to all domains, init also needs:
allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:capability net_raw;
+allow init self:global_capability_class_set net_raw;
# This line seems suspect, as it should not really need to
# set scheduling parameters for a kernel domain task.
@@ -369,7 +440,7 @@
allow init device:file create_file_perms;
# keychord configuration
-allow init self:capability sys_tty_config;
+allow init self:global_capability_class_set sys_tty_config;
allow init keychord_device:chr_file rw_file_perms;
# Access device mapper for setting up dm-verity
@@ -394,14 +465,11 @@
# Allow init to write to /proc/sys/vm/overcommit_memory
allow init proc_overcommit_memory:file { write };
-unix_socket_connect(init, vold, vold)
-
# Raw writes to misc block device
allow init misc_block_device:blk_file w_file_perms;
r_dir_file(init, system_file)
r_dir_file(init, vendor_file_type)
-allow init proc_meminfo:file r_file_perms;
allow init system_data_file:file { getattr read };
allow init system_data_file:lnk_file r_file_perms;
@@ -409,6 +477,10 @@
# For init to be able to run shell scripts from vendor
allow init vendor_shell_exec:file execute;
+# Metadata setup
+allow init vold_metadata_file:dir create_dir_perms;
+allow init vold_metadata_file:file getattr;
+
###
### neverallow rules
###
@@ -432,3 +504,6 @@
# Init should not be creating subdirectories in /data/local/tmp
neverallow init shell_data_file:dir { write add_name remove_name };
+
+# Init should not access sysfs node that are not explicitly labeled.
+neverallow init sysfs:file { open read write };
diff --git a/public/install_recovery.te b/public/install_recovery.te
index 2115663..ab68838 100644
--- a/public/install_recovery.te
+++ b/public/install_recovery.te
@@ -2,7 +2,7 @@
type install_recovery, domain;
type install_recovery_exec, exec_type, file_type;
-allow install_recovery self:capability dac_override;
+allow install_recovery self:global_capability_class_set dac_override;
# /system/bin/install-recovery.sh is a shell script.
# Needs to execute /system/bin/sh
diff --git a/public/installd.te b/public/installd.te
index 939a481..6aba962 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -2,7 +2,7 @@
type installd, domain;
type installd_exec, exec_type, file_type;
typeattribute installd mlstrustedsubject;
-allow installd self:capability { chown dac_override fowner fsetid setgid setuid sys_admin };
+allow installd self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid sys_admin };
# Allow labeling of files under /data/app/com.example/oat/
allow installd dalvikcache_data_file:dir relabelto;
@@ -19,7 +19,6 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd cgroup:{ file lnk_file } create_file_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
@@ -45,7 +44,9 @@
# and lib symlinks before the setfilecon call. May want to
# move symlink creation after setfilecon in installd.
allow installd system_data_file:dir create_dir_perms;
-allow installd system_data_file:lnk_file { create setattr unlink };
+# Also, allow read for lnk_file so that we can process /data/user/0 links when
+# optimizing application code.
+allow installd system_data_file:lnk_file { create getattr read setattr unlink };
# Upgrade /data/media for multi-user if necessary.
allow installd media_rw_data_file:dir create_dir_perms;
diff --git a/public/ioctl_defines b/public/ioctl_defines
index a1cd0b9..4097fb9 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -405,7 +405,7 @@
define(`TCFLSH', `0x0000540b')
define(`TIOCEXCL', `0x0000540c')
define(`TIOCNXCL', `0x0000540d')
-define(`TIOCSCTTY', `0x0000540e')
+define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
define(`TIOCGPGRP', `0x0000540f')
define(`TIOCSPGRP', `0x00005410')
define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
diff --git a/public/kernel.te b/public/kernel.te
index 7f5d224..b7a351c 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -1,11 +1,11 @@
# Life begins with the kernel.
type kernel, domain, mlstrustedsubject;
-allow kernel self:capability sys_nice;
+allow kernel self:global_capability_class_set sys_nice;
# Root fs.
r_dir_file(kernel, rootfs)
-r_dir_file(kernel, proc)
+allow kernel proc_cmdline:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
@@ -33,14 +33,14 @@
dontaudit kernel self:security setenforce;
# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:capability sys_resource;
+allow kernel self:global_capability_class_set sys_resource;
# Init reboot before switching selinux domains under certain error
# conditions. Allow it.
# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
# remount filesystems read-only. /data is not mounted at this point,
# so we could ignore this. For now, we allow it.
-allow kernel self:capability sys_boot;
+allow kernel self:global_capability_class_set sys_boot;
allow kernel proc_sysrq:file w_file_perms;
# Allow writing to /dev/kmsg which was created prior to loading policy.
@@ -66,9 +66,10 @@
allow kernel asec_image_file:file read;
# Allow reading loop device in update_engine_unittests. (b/28319454)
+# and for LTP kernel tests (b/73220071)
userdebug_or_eng(`
allow kernel update_engine_data_file:file read;
- allow kernel nativetest_data_file:file read;
+ allow kernel nativetest_data_file:file { read write };
')
# Access to /data/media.
@@ -101,4 +102,4 @@
# the kernel should not be accessing files owned by other users.
# Instead of adding dac_{read_search,override}, fix the unix permissions
# on files being accessed.
-neverallow kernel self:capability { dac_override dac_read_search };
+neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
diff --git a/public/keystore.te b/public/keystore.te
index ee5e675..49355bd 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -13,6 +13,7 @@
add_service(keystore, keystore_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
+allow keystore dropbox_service:service_manager find;
# Check SELinux permissions.
selinux_check_access(keystore)
diff --git a/public/lmkd.te b/public/lmkd.te
index 208720c..472946e 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -2,13 +2,13 @@
type lmkd, domain, mlstrustedsubject;
type lmkd_exec, exec_type, file_type;
-allow lmkd self:capability { dac_override sys_resource kill };
+allow lmkd self:global_capability_class_set { dac_override sys_resource kill };
# lmkd locks itself in memory, to prevent it from being
# swapped out and unable to kill other memory hogs.
# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
# b/16236289
-allow lmkd self:capability ipc_lock;
+allow lmkd self:global_capability_class_set ipc_lock;
## Open and write to /proc/PID/oom_score_adj
## TODO: maybe scope this down?
@@ -18,7 +18,7 @@
allow lmkd system_server:file write;
## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_type)
+r_dir_file(lmkd, sysfs_lowmemorykiller)
allow lmkd sysfs_lowmemorykiller:file w_file_perms;
# Send kill signals
@@ -31,10 +31,21 @@
allow lmkd cgroup:file r_file_perms;
# Set self to SCHED_FIFO
-allow lmkd self:capability sys_nice;
+allow lmkd self:global_capability_class_set sys_nice;
allow lmkd proc_zoneinfo:file r_file_perms;
+# live lock watchdog process allowed to look through /proc/
+allow lmkd domain:dir { search open read };
+allow lmkd domain:file { open read };
+
+# live lock watchdog process allowed to dump process trace and
+# reboot because orderly shutdown may not be possible.
+allow lmkd proc_sysrq:file rw_file_perms;
+
+# Read /proc/meminfo
+allow lmkd proc_meminfo:file r_file_perms;
+
### neverallow rules
# never honor LD_PRELOAD
diff --git a/public/logd.te b/public/logd.te
index 62bff97..817a705 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,12 +4,12 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
-r_dir_file(logd, proc)
+r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
r_dir_file(logd, proc_net)
-allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
-allow logd self:capability2 syslog;
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
diff --git a/public/mediacodec.te b/public/mediacodec.te
index bcccbb8..e5b4a7d 100644
--- a/public/mediacodec.te
+++ b/public/mediacodec.te
@@ -33,6 +33,7 @@
crash_dump_fallback(mediacodec)
+add_hwservice(mediacodec, hal_codec2_hwservice)
add_hwservice(mediacodec, hal_omx_hwservice)
hal_client_domain(mediacodec, hal_allocator)
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 05e65bf..b055462 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -23,6 +23,7 @@
crash_dump_fallback(mediaextractor)
# allow mediaextractor read permissions for file sources
+allow mediaextractor sdcardfs:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor app_data_file:file { getattr read };
@@ -31,6 +32,18 @@
allow mediaextractor asec_apk_file:file { read getattr };
allow mediaextractor ringtone_file:file { read getattr };
+# scan extractor library directory to dynamically load extractors
+allow mediaextractor system_file:dir { read open };
+
+userdebug_or_eng(`
+ # Allow extractor to add update service.
+ add_service(mediaextractor, mediaextractor_update_service)
+
+ # Allow extractor to load media extractor plugins from update apk.
+ allow mediaextractor apk_data_file:dir search;
+ allow mediaextractor apk_data_file:file { execute open };
+')
+
###
### neverallow rules
###
@@ -50,3 +63,12 @@
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# mediaextractor should not be opening /data files directly. Any files
+# it touches (with a few exceptions) need to be passed to it via a file
+# descriptor opened outside the process.
+neverallow mediaextractor {
+ data_file_type
+ -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
+ userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
+}:file open;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 6efaf0f..f0c94ed 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -39,9 +39,6 @@
set_prop(mediaserver, audio_prop)
-# XXX Label with a specific type?
-allow mediaserver sysfs:file r_file_perms;
-
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
diff --git a/public/modprobe.te b/public/modprobe.te
index 3ed320e..1190409 100644
--- a/public/modprobe.te
+++ b/public/modprobe.te
@@ -1,11 +1,9 @@
type modprobe, domain;
allow modprobe proc_modules:file r_file_perms;
-allow modprobe self:capability sys_module;
+allow modprobe self:global_capability_class_set sys_module;
allow modprobe kernel:key search;
recovery_only(`
allow modprobe rootfs:system module_load;
allow modprobe rootfs:file r_file_perms;
')
-allow modprobe { system_file }:system module_load;
-r_dir_file(modprobe, { system_file })
diff --git a/public/mtp.te b/public/mtp.te
index a776240..7256bcf 100644
--- a/public/mtp.te
+++ b/public/mtp.te
@@ -6,6 +6,6 @@
# pptp policy
allow mtp self:socket create_socket_perms_no_ioctl;
-allow mtp self:capability net_raw;
+allow mtp self:global_capability_class_set net_raw;
allow mtp ppp:process signal;
allow mtp vpn_data_file:dir search;
diff --git a/public/netd.te b/public/netd.te
index aa99da2..18113e7 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,16 +7,17 @@
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
+
allow netd system_server:fd use;
-allow netd self:capability { net_admin net_raw kill };
+allow netd self:global_capability_class_set { net_admin net_raw kill };
# Note: fsetid is deliberately not included above. fsetid checks are
# triggered by chmod on a directory or file owned by a group other
# than one of the groups assigned to the current process to see if
# the setgid bit should be cleared, regardless of whether the setgid
# bit was even set. We do not appear to truly need this capability
# for netd to operate.
-dontaudit netd self:capability fsetid;
+dontaudit netd self:global_capability_class_set fsetid;
allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow netd self:netlink_route_socket nlmsg_write;
@@ -33,27 +34,39 @@
# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;
+# Allow netd to write to qtaguid ctrl file. This is the same privilege level that normal apps have
+# TODO: Add proper rules to prevent other process to access qtaguid_proc file after migration
+# complete
+allow netd qtaguid_proc:file rw_file_perms;
+# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
+allow netd qtaguid_device:chr_file r_file_perms;
+
r_dir_file(netd, proc_net)
# For /proc/sys/net/ipv[46]/route/flush.
allow netd proc_net:file rw_file_perms;
# Enables PppController and interface enumeration (among others)
-r_dir_file(netd, sysfs_type)
+allow netd sysfs:dir r_dir_perms;
+r_dir_file(netd, sysfs_net)
+
# Allows setting interface MTU
-allow netd sysfs:file write;
+allow netd sysfs_net:file w_file_perms;
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
+allow netd fs_bpf:dir create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
# TODO: netd previously thought it needed these permissions to do WiFi related
# work. However, after all the WiFi stuff is gone, we still need them.
# Why?
-allow netd self:capability { dac_override chown };
+allow netd self:global_capability_class_set { dac_override chown };
# Needed to update /data/misc/net/rt_tables
allow netd net_data_file:file create_file_perms;
allow netd net_data_file:dir rw_dir_perms;
-allow netd self:capability fowner;
+allow netd self:global_capability_class_set fowner;
# Needed to lock the iptables lock.
allow netd system_file:file lock;
@@ -91,6 +104,9 @@
# give netd permission to read and write netlink xfrm
allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
+# give netd permission to use eBPF functionalities
+allow netd self:bpf { map_create map_read map_write };
+
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
@@ -116,13 +132,16 @@
# only system_server and dumpstate may find netd service
neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only netd can create the bpf maps
+neverallow { domain -netd } netd:bpf { map_create };
+
# apps may not interact with netd over binder.
neverallow appdomain netd:binder call;
neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
# persist.netd.stable_secret contains RFC 7217 secret key which should never be
# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init } netd_stable_secret_prop:file r_file_perms;
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
index c071f44..894363a 100644
--- a/public/otapreopt_chroot.te
+++ b/public/otapreopt_chroot.te
@@ -5,7 +5,7 @@
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot self:capability { sys_admin sys_chroot };
+allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor.
allow otapreopt_chroot block_device:dir search;
diff --git a/public/performanced.te b/public/performanced.te
index 9bf813e..248d345 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,7 +10,7 @@
pdx_server(performanced, performance_client)
# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:capability { setuid setgid sys_nice };
+allow performanced self:global_capability_class_set { setuid setgid sys_nice };
# Access /proc to validate we're only affecting threads in the same thread group.
# Performanced also shields unbound kernel threads. It scans every task in the
@@ -19,5 +19,12 @@
dontaudit performanced domain:dir read;
allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
+# These /proc accesses only show up in permissive mode but they
+# generate a lot of noise in the log.
+userdebug_or_eng(`
+ dontaudit performanced domain:dir open;
+ dontaudit performanced domain:file { open read getattr };
+')
+
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
diff --git a/public/perfprofd.te b/public/perfprofd.te
index bfb8693..f067af5 100644
--- a/public/perfprofd.te
+++ b/public/perfprofd.te
@@ -7,6 +7,9 @@
typeattribute perfprofd coredomain;
typeattribute perfprofd mlstrustedsubject;
+ # perfprofd access to sysfs directory structure.
+ allow perfprofd sysfs_type:dir search;
+
# perfprofd needs to control CPU hot-plug in order to avoid kernel
# perfevents problems in cases where CPU goes on/off during measurement;
# this means read access to /sys/devices/system/cpu/possible
@@ -20,7 +23,7 @@
# perfprofd reads a config file from /data/data/com.google.android.gms/files
allow perfprofd app_data_file:file r_file_perms;
allow perfprofd app_data_file:dir search;
- allow perfprofd self:capability { dac_override };
+ allow perfprofd self:global_capability_class_set { dac_override };
# perfprofd opens a file for writing in /data/misc/perfprofd
allow perfprofd perfprofd_data_file:file create_file_perms;
@@ -33,27 +36,84 @@
# perfprofd inspects /sys/power/wake_unlock
wakelock_use(perfprofd);
+ # perfprofd looks at thermals.
+ allow perfprofd sysfs_thermal:dir r_dir_perms;
+
+ # perfprofd checks power_supply.
+ r_dir_file(perfprofd, sysfs_batteryinfo)
+
+ # simpleperf reads kernel notes.
+ allow perfprofd sysfs_kernel_notes:file r_file_perms;
+
+ # Simpleperf & perfprofd query a range of proc stats.
+ allow perfprofd proc_loadavg:file r_file_perms;
+ allow perfprofd proc_stat:file r_file_perms;
+ allow perfprofd proc_modules:file r_file_perms;
+
+ # simpleperf writes to perf_event_paranoid under /proc.
+ allow perfprofd proc_perf:file write;
+
+ # Simpleperf: kptr_restrict. This would be required to dump kernel symbols.
+ dontaudit perfprofd proc_security:file *;
+
# simpleperf uses ioctl() to turn on kernel perf events measurements
- allow perfprofd self:capability sys_admin;
+ allow perfprofd self:global_capability_class_set sys_admin;
# simpleperf needs to examine /proc to collect task/thread info
r_dir_file(perfprofd, domain)
# simpleperf needs to access /proc/<pid>/exec
- allow perfprofd self:capability { sys_resource sys_ptrace };
+ allow perfprofd self:global_capability_class_set { sys_resource sys_ptrace };
neverallow perfprofd domain:process ptrace;
# simpleperf needs open/read any file that turns up in a profile
# to see whether it has a build ID
allow perfprofd exec_type:file r_file_perms;
+ # App & ART artifacts.
+ r_dir_file(perfprofd, apk_data_file)
+ r_dir_file(perfprofd, dalvikcache_data_file)
+ # Vendor libraries.
+ r_dir_file(perfprofd, vendor_file)
+ # Vendor apps.
+ r_dir_file(perfprofd, vendor_app_file)
+
+ # simpleperf will set security.perf_harden to enable access to perf_event_open()
+ set_prop(perfprofd, shell_prop)
# simpleperf examines debugfs on startup to collect tracepoint event types
- allow perfprofd debugfs_tracing:file r_file_perms;
+ r_dir_file(perfprofd, debugfs_tracing)
+ r_dir_file(perfprofd, debugfs_tracing_debug)
# simpleperf is going to execute "sleep"
allow perfprofd toolbox_exec:file rx_file_perms;
+ # simpleperf is going to execute "mv" on a temp file
+ allow perfprofd shell_exec:file rx_file_perms;
# needed for simpleperf on some kernels
- allow perfprofd self:capability ipc_lock;
+ allow perfprofd self:global_capability_class_set ipc_lock;
+ # simpleperf attempts to put a temp file into /data/local/tmp. Do not allow,
+ # use the fallback cwd code, do not spam the log. But ensure this is correctly
+ # removed at some point. b/70232908.
+ dontaudit perfprofd shell_data_file:dir *;
+ dontaudit perfprofd shell_data_file:file *;
+
+ # Allow perfprofd to publish a binder service and make binder calls.
+ binder_use(perfprofd)
+ add_service(perfprofd, perfprofd_service)
+
+ # Use devpts for streams from cmd.
+ #
+ # This is normally granted to binderservicedomain, but this service
+ # has tighter restrictions on the callers (see below), so must enable
+ # this manually.
+ allow perfprofd devpts:chr_file rw_file_perms;
+
+ # Use socket & pipe supplied by su, for cmd perfprofd dump.
+ allow perfprofd su:unix_stream_socket { read write getattr sendto };
+ allow perfprofd su:fifo_file r_file_perms;
+
+ # Allow perfprofd to submit to dropbox.
+ allow perfprofd dropbox_service:service_manager find;
+ binder_call(perfprofd, system_server)
')
diff --git a/public/postinstall_dexopt.te b/public/postinstall_dexopt.te
index 0ce617b..ffd8bc5 100644
--- a/public/postinstall_dexopt.te
+++ b/public/postinstall_dexopt.te
@@ -5,12 +5,12 @@
type postinstall_dexopt, domain;
-allow postinstall_dexopt self:capability { chown dac_override fowner setgid setuid };
+allow postinstall_dexopt self:global_capability_class_set { chown dac_override fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr search };
-allow postinstall_dexopt postinstall_file:lnk_file read;
-allow postinstall_dexopt proc:file { getattr open read };
+allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
+allow postinstall_dexopt proc_filesystems:file { getattr open read };
allow postinstall_dexopt tmpfs:file read;
# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
@@ -26,6 +26,8 @@
# Read profile data.
allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
+# Suppress deletion denial (we do not want to update the profile).
+dontaudit postinstall_dexopt user_profile_data_file:file { write };
# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
allow postinstall_dexopt ota_data_file:dir create_dir_perms;
diff --git a/public/ppp.te b/public/ppp.te
index 04e17f5..9340dee 100644
--- a/public/ppp.te
+++ b/public/ppp.te
@@ -15,7 +15,7 @@
allow ppp mtp:unix_dgram_socket rw_socket_perms;
allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:capability net_admin;
+allow ppp self:global_capability_class_set net_admin;
allow ppp system_file:file rx_file_perms;
not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
allow ppp vpn_data_file:dir w_dir_perms;
diff --git a/public/profman.te b/public/profman.te
index a5c18b5..4296d1b 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -6,7 +6,9 @@
# Dumping profile info opens the application APK file for pretty printing.
allow profman asec_apk_file:file { read };
-allow profman apk_data_file:file { read };
+allow profman apk_data_file:file { getattr read };
+allow profman apk_data_file:dir { getattr read search };
+
allow profman oemfs:file { read };
# Reading an APK opens a ZipArchive, which unpack to tmpfs.
allow profman tmpfs:file { read };
@@ -18,6 +20,7 @@
# are application dex files reported back to the framework when using
# BaseDexClassLoader.
allow profman app_data_file:file { getattr read write lock };
+allow profman app_data_file:dir { getattr read search };
###
### neverallow rules
diff --git a/public/property.te b/public/property.te
index 95efcaa..b0397e9 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,6 +1,8 @@
type audio_prop, property_type, core_property_type;
type boottime_prop, property_type;
+type bluetooth_a2dp_offload_prop, property_type;
type bluetooth_prop, property_type;
+type bootloader_boot_reason_prop, property_type;
type config_prop, property_type, core_property_type;
type cppreopt_prop, property_type, core_property_type;
type ctl_bootanim_prop, property_type;
@@ -9,8 +11,15 @@
type ctl_default_prop, property_type;
type ctl_dumpstate_prop, property_type;
type ctl_fuse_prop, property_type;
+type ctl_interface_restart_prop, property_type;
+type ctl_interface_start_prop, property_type;
+type ctl_interface_stop_prop, property_type;
type ctl_mdnsd_prop, property_type;
+type ctl_restart_prop, property_type;
type ctl_rildaemon_prop, property_type;
+type ctl_sigstop_prop, property_type;
+type ctl_start_prop, property_type;
+type ctl_stop_prop, property_type;
type dalvik_prop, property_type, core_property_type;
type debuggerd_prop, property_type, core_property_type;
type debug_prop, property_type, core_property_type;
@@ -19,14 +28,17 @@
type dhcp_prop, property_type, core_property_type;
type dumpstate_options_prop, property_type;
type dumpstate_prop, property_type, core_property_type;
+type exported_secure_prop, property_type;
type ffs_prop, property_type, core_property_type;
type fingerprint_prop, property_type, core_property_type;
type firstboot_prop, property_type;
type hwservicemanager_prop, property_type;
+type last_boot_reason_prop, property_type;
type logd_prop, property_type, core_property_type;
type logpersistd_logging_prop, property_type;
type log_prop, property_type, log_property_type;
type log_tag_prop, property_type, log_property_type;
+type lowpan_prop, property_type;
type mmc_prop, property_type;
type net_dns_prop, property_type;
type net_radio_prop, property_type, core_property_type;
@@ -36,17 +48,48 @@
type pan_result_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
type persistent_properties_ready_prop, property_type;
+type pm_prop, property_type;
type powerctl_prop, property_type, core_property_type;
type radio_prop, property_type, core_property_type;
type restorecon_prop, property_type, core_property_type;
type safemode_prop, property_type;
type serialno_prop, property_type;
type shell_prop, property_type, core_property_type;
+type system_boot_reason_prop, property_type;
type system_prop, property_type, core_property_type;
type system_radio_prop, property_type, core_property_type;
+type test_boot_reason_prop, property_type;
+type traced_enabled_prop, property_type;
type vold_prop, property_type, core_property_type;
type wifi_log_prop, property_type, log_property_type;
type wifi_prop, property_type;
+type vendor_security_patch_level_prop, property_type;
+
+# Properties for whitelisting
+type exported_audio_prop, property_type;
+type exported_bluetooth_prop, property_type;
+type exported_config_prop, property_type;
+type exported_dalvik_prop, property_type;
+type exported_default_prop, property_type;
+type exported_dumpstate_prop, property_type;
+type exported_ffs_prop, property_type;
+type exported_fingerprint_prop, property_type;
+type exported_overlay_prop, property_type;
+type exported_pm_prop, property_type;
+type exported_radio_prop, property_type;
+type exported_system_prop, property_type;
+type exported_system_radio_prop, property_type;
+type exported_vold_prop, property_type;
+type exported_wifi_prop, property_type;
+type exported2_config_prop, property_type;
+type exported2_default_prop, property_type;
+type exported2_radio_prop, property_type;
+type exported2_system_prop, property_type;
+type exported2_vold_prop, property_type;
+type exported3_default_prop, property_type;
+type exported3_radio_prop, property_type;
+type exported3_system_prop, property_type;
+type vendor_default_prop, property_type;
allow property_type tmpfs:filesystem associate;
@@ -87,3 +130,284 @@
-system_radio_prop
-vold_prop
}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -audio_prop
+ -bluetooth_a2dp_offload_prop
+ -bluetooth_prop
+ -bootloader_boot_reason_prop
+ -boottime_prop
+ -config_prop
+ -cppreopt_prop
+ -ctl_bootanim_prop
+ -ctl_bugreport_prop
+ -ctl_console_prop
+ -ctl_default_prop
+ -ctl_dumpstate_prop
+ -ctl_fuse_prop
+ -ctl_interface_restart_prop
+ -ctl_interface_start_prop
+ -ctl_interface_stop_prop
+ -ctl_mdnsd_prop
+ -ctl_restart_prop
+ -ctl_rildaemon_prop
+ -ctl_sigstop_prop
+ -ctl_start_prop
+ -ctl_stop_prop
+ -dalvik_prop
+ -debug_prop
+ -debuggerd_prop
+ -default_prop
+ -device_logging_prop
+ -dhcp_prop
+ -dumpstate_options_prop
+ -dumpstate_prop
+ -exported2_config_prop
+ -exported2_default_prop
+ -exported2_radio_prop
+ -exported2_system_prop
+ -exported2_vold_prop
+ -exported3_default_prop
+ -exported3_radio_prop
+ -exported3_system_prop
+ -exported_bluetooth_prop
+ -exported_config_prop
+ -exported_dalvik_prop
+ -exported_default_prop
+ -exported_dumpstate_prop
+ -exported_ffs_prop
+ -exported_fingerprint_prop
+ -exported_overlay_prop
+ -exported_pm_prop
+ -exported_radio_prop
+ -exported_secure_prop
+ -exported_system_prop
+ -exported_system_radio_prop
+ -exported_vold_prop
+ -exported_wifi_prop
+ -extended_core_property_type
+ -ffs_prop
+ -fingerprint_prop
+ -firstboot_prop
+ -hwservicemanager_prop
+ -last_boot_reason_prop
+ -log_prop
+ -log_tag_prop
+ -logd_prop
+ -logpersistd_logging_prop
+ -lowpan_prop
+ -mmc_prop
+ -net_dns_prop
+ -net_radio_prop
+ -netd_stable_secret_prop
+ -nfc_prop
+ -overlay_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -persistent_properties_ready_prop
+ -pm_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -safemode_prop
+ -serialno_prop
+ -shell_prop
+ -system_boot_reason_prop
+ -system_prop
+ -system_radio_prop
+ -test_boot_reason_prop
+ -traced_enabled_prop
+ -vendor_default_prop
+ -vendor_security_patch_level_prop
+ -vold_prop
+ -wifi_log_prop
+ -wifi_prop
+ }:property_service set;
+')
diff --git a/public/property_contexts b/public/property_contexts
new file mode 100644
index 0000000..4f81c1c
--- /dev/null
+++ b/public/property_contexts
@@ -0,0 +1,309 @@
+# vendor-init-readable
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact int
+
+# vendor-init-settable
+af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
+camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
+camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootimage u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.stack-trace-dir u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
+drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
+persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
+ro.com.google.clientidbase u:object_r:exported3_default_prop:s0 exact string
+ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
+ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
+ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
+ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
+ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
+ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact int
+ro.url.legal u:object_r:exported3_default_prop:s0 exact string
+ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.zygote u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
+sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+sys.usb.state u:object_r:exported2_system_prop:s0 exact string
+telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+
+# vendor-init-readable|vendor-init-actionable
+dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
+sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
+sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+
+# vendor-init-settable|vendor-init-actionable
+persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
+sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
+sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
+
+# public-readable
+aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
+aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
+aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
+aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
+drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact int
+ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
+ro.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boot.console u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
+ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
+ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
+ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported2_default_prop:s0 exact string
+ro.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.build.description u:object_r:exported2_default_prop:s0 exact string
+ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
+ro.build.host u:object_r:exported2_default_prop:s0 exact string
+ro.build.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.product u:object_r:exported2_default_prop:s0 exact string
+ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
+ro.build.tags u:object_r:exported2_default_prop:s0 exact string
+ro.build.user u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact string
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact string
+ro.debuggable u:object_r:exported2_default_prop:s0 exact int
+ro.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.product.brand u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
+ro.product.device u:object_r:exported2_default_prop:s0 exact string
+ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
+ro.product.model u:object_r:exported2_default_prop:s0 exact string
+ro.product.name u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
+ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
+service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+
+# vendor-init-settable|public-readable
+aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
+media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact int
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+ro.product.board u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
+ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
+ro.product.odm.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.device u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.model u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vndk.lite u:object_r:exported_default_prop:s0 exact bool
+ro.vndk.version u:object_r:exported_default_prop:s0 exact string
+ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
+wifi.interface u:object_r:exported_default_prop:s0 exact string
+
+# vendor-init-actionable|public-readable
+ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
+ro.bootmode u:object_r:exported2_default_prop:s0 exact string
+ro.build.type u:object_r:exported2_default_prop:s0 exact string
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
diff --git a/public/racoon.te b/public/racoon.te
index 00744d8..c759217 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -15,7 +15,7 @@
allow racoon self:key_socket create_socket_perms_no_ioctl;
allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:capability { net_admin net_bind_service net_raw };
+allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
# XXX: should we give ip-up-vpn its own label (currently racoon domain)
allow racoon system_file:file rx_file_perms;
diff --git a/public/radio.te b/public/radio.te
index 6f29a70..8fb5ad6 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,8 +5,8 @@
bluetooth_domain(radio)
binder_service(radio)
-# Talks to rild via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, rild)')
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
@@ -19,6 +19,9 @@
# Property service
set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
set_prop(radio, net_radio_prop)
# ctl interface
@@ -30,7 +33,6 @@
allow radio drmserver_service:service_manager find;
allow radio mediaserver_service:service_manager find;
allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
allow radio app_api_service:service_manager find;
allow radio system_api_service:service_manager find;
diff --git a/public/recovery.te b/public/recovery.te
index fe0b20e..57ad202 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -12,10 +12,15 @@
# Recovery can only use HALs in passthrough mode
passthrough_hal_client_domain(recovery, hal_bootctl)
- allow recovery self:capability { chown dac_override fowner fsetid setfcap setuid setgid sys_admin sys_tty_config };
-
- # Set security contexts on files that are not known to the loaded policy.
- allow recovery self:capability2 mac_admin;
+ allow recovery self:global_capability_class_set {
+ chown
+ dac_override
+ fowner
+ setuid
+ setgid
+ sys_admin
+ sys_tty_config
+ };
# Run helpers from / or /system without changing domain.
r_dir_file(recovery, rootfs)
@@ -29,42 +34,35 @@
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
- # Create and relabel files and directories under /system.
- allow recovery exec_type:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery { system_file }:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery system_file:dir { create_dir_perms relabelfrom relabelto };
-
# We may be asked to set an SELinux label for a type not known to the
# currently loaded policy. Allow it.
allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
+
# Get file contexts
allow recovery file_contexts_file:file r_file_perms;
- # 0eb17d944704b3eb140bb9dded299d3be3aed77e in build/ added SELinux
- # support to OTAs. However, that code has a bug. When an update occurs,
- # some directories are inappropriately labeled as exec_type. This is
- # only transient, and subsequent steps in the OTA script correct this
- # mistake. New devices are moving to block based OTAs, so this is not
- # worth fixing. b/15575013
- allow recovery exec_type:dir { create_dir_perms relabelfrom relabelto };
-
# Write to /proc/sys/vm/drop_caches
allow recovery proc_drop_caches:file w_file_perms;
+ # Read /proc/swaps
+ allow recovery proc_swaps:file r_file_perms;
+
# Read kernel config through libvintf for OTA matching
allow recovery config_gz:file { open read getattr };
# Write to /sys/class/android_usb/android0/enable.
- # TODO: create more specific label?
- r_dir_file(recovery, sysfs)
- allow recovery sysfs:file w_file_perms;
+ r_dir_file(recovery, sysfs_android_usb)
+ allow recovery sysfs_android_usb:file w_file_perms;
# Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
allow recovery sysfs_devices_system_cpu:file w_file_perms;
allow recovery sysfs_batteryinfo:file r_file_perms;
+ # Read /sysfs/fs/ext4/features
+ r_dir_file(recovery, sysfs_fs_ext4_features)
+
# Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
# control backlight brightness.
allow recovery sysfs_leds:dir r_dir_perms;
@@ -117,6 +115,10 @@
# Set sys.usb.ffs.ready when starting minadbd for sideload.
set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
diff --git a/public/runas.te b/public/runas.te
index 12c4181..053a87f 100644
--- a/public/runas.te
+++ b/public/runas.te
@@ -12,13 +12,17 @@
# run-as reads package information.
allow runas system_data_file:file r_file_perms;
+allow runas system_data_file:lnk_file getattr;
+
+# The app's data dir may be accessed through a symlink.
+allow runas system_data_file:lnk_file read;
# run-as checks and changes to the app data dir.
-dontaudit runas self:capability dac_override;
+dontaudit runas self:global_capability_class_set dac_override;
allow runas app_data_file:dir { getattr search };
# run-as switches to the app UID/GID.
-allow runas self:capability { setuid setgid };
+allow runas self:global_capability_class_set { setuid setgid };
# run-as switches to the app security context.
selinux_check_context(runas) # validate context
@@ -34,5 +38,5 @@
###
# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:capability ~{ setuid setgid };
-neverallow runas self:capability2 *;
+neverallow runas self:global_capability_class_set ~{ setuid setgid };
+neverallow runas self:global_capability2_class_set *;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index 47a2f80..4a88f54 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,7 +10,7 @@
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
+allow sdcardd self:global_capability_class_set { setuid setgid dac_override sys_admin sys_resource };
allow sdcardd sdcard_type:dir create_dir_perms;
allow sdcardd sdcard_type:file create_file_perms;
@@ -32,7 +32,7 @@
allow sdcardd mnt_expand_file:dir search;
# access /proc/filesystems
-allow sdcardd proc:file r_file_perms;
+allow sdcardd proc_filesystems:file r_file_perms;
###
### neverallow rules
diff --git a/public/secure_element.te b/public/secure_element.te
new file mode 100644
index 0000000..4ce6714
--- /dev/null
+++ b/public/secure_element.te
@@ -0,0 +1,2 @@
+# secure_element subsystem
+type secure_element, domain;
diff --git a/public/service.te b/public/service.te
index e97b864..3526049 100644
--- a/public/service.te
+++ b/public/service.te
@@ -16,17 +16,21 @@
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
type mediaextractor_service, service_manager_type;
+type mediaextractor_update_service, service_manager_type;
type mediacodec_service, service_manager_type;
type mediadrmserver_service, service_manager_type;
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
+type perfprofd_service, service_manager_type;
type radio_service, service_manager_type;
+type secure_element_service, service_manager_type;
type storaged_service, service_manager_type;
-type surfaceflinger_service, service_manager_type;
+type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
type thermal_service, service_manager_type;
type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
+type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
# system_server_services broken down
@@ -42,11 +46,13 @@
type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
+type binder_calls_stats_service, system_server_service, service_manager_type;
type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type broadcastradio_service, system_server_service, service_manager_type;
type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type contexthub_service, app_api_service, system_server_service, service_manager_type;
+type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -68,9 +74,11 @@
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netd_listener_service, system_server_service, service_manager_type;
+type network_watchlist_service, system_server_service, service_manager_type;
type DockObserver_service, system_server_service, service_manager_type;
type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
@@ -123,8 +131,10 @@
type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
+type slice_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type system_update_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -148,3 +158,4 @@
type wificond_service, service_manager_type;
type wifiaware_service, app_api_service, system_server_service, service_manager_type;
type window_service, system_api_service, system_server_service, service_manager_type;
+type wpantund_service, system_api_service, service_manager_type;
diff --git a/public/servicemanager.te b/public/servicemanager.te
index c7cd738..87e3a22 100644
--- a/public/servicemanager.te
+++ b/public/servicemanager.te
@@ -12,6 +12,7 @@
allow servicemanager {
domain
-init
+ -vendor_init
-hwservicemanager
-vndservicemanager
}:binder transfer;
diff --git a/public/sgdisk.te b/public/sgdisk.te
index 3007398..ca3096c 100644
--- a/public/sgdisk.te
+++ b/public/sgdisk.te
@@ -14,7 +14,7 @@
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
-allow sgdisk self:capability sys_admin;
+allow sgdisk self:global_capability_class_set sys_admin;
# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 91cf44d..8fe1fea 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -6,4 +6,5 @@
allow shared_relro shared_relro_file:file create_file_perms;
# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro activity_service:service_manager find;
allow shared_relro webviewupdate_service:service_manager find;
diff --git a/public/shell.te b/public/shell.te
index 9540cca..307e103 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,9 +25,13 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
+# Read and delete from /data/local/traces.
+allow shell trace_data_file:file { r_file_perms unlink };
+allow shell trace_data_file:dir { r_dir_perms remove_name write };
+
# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { search getattr write remove_name };
-allow shell profman_dump_data_file:file { getattr unlink };
+allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
+allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
@@ -57,10 +61,14 @@
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
@@ -76,15 +84,32 @@
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
# Read state of logging-related properties
get_prop(shell, device_logging_prop)
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
+allow shell {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
@@ -92,14 +117,26 @@
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
-# allow shell to look through /proc/ for ps, top, netstat
-r_dir_file(shell, proc)
+# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc_net)
-allow shell proc_interrupts:file r_file_perms;
-allow shell proc_meminfo:file r_file_perms;
-allow shell proc_stat:file r_file_perms;
-allow shell proc_timer:file r_file_perms;
-allow shell proc_zoneinfo:file r_file_perms;
+
+allow shell {
+ proc_asound
+ proc_filesystems
+ proc_interrupts
+ proc_meminfo
+ proc_modules
+ proc_pid_max
+ proc_stat
+ proc_timer
+ proc_uptime
+ proc_version
+ proc_zoneinfo
+}:file r_file_perms;
+
+# allow listing network interfaces under /sys/class/net.
+allow shell sysfs_net:dir r_dir_perms;
+
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
@@ -128,8 +165,9 @@
allow shell self:process ptrace;
# allow shell to get battery info
-allow shell sysfs_batteryinfo:file r_file_perms;
allow shell sysfs:dir r_dir_perms;
+allow shell sysfs_batteryinfo:dir r_dir_perms;
+allow shell sysfs_batteryinfo:file r_file_perms;
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
@@ -157,6 +195,9 @@
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
###
### Neverallow rules
###
diff --git a/public/slideshow.te b/public/slideshow.te
index 86d4bff..10fbbb8 100644
--- a/public/slideshow.te
+++ b/public/slideshow.te
@@ -5,7 +5,7 @@
allow slideshow kmsg_device:chr_file rw_file_perms;
wakelock_use(slideshow)
allow slideshow device:dir r_dir_perms;
-allow slideshow self:capability sys_tty_config;
+allow slideshow self:global_capability_class_set sys_tty_config;
allow slideshow graphics_device:dir r_dir_perms;
allow slideshow graphics_device:chr_file rw_file_perms;
allow slideshow input_device:dir r_dir_perms;
diff --git a/public/su.te b/public/su.te
index 8ddd162..0312945 100644
--- a/public/su.te
+++ b/public/su.te
@@ -50,4 +50,51 @@
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
+
+ # VTS tests run in the permissive su domain on debug builds, but the HALs
+ # being tested run in enforcing mode. Because hal_foo_server is enforcing
+ # su needs to be declared as hal_foo_client to grant hal_foo_server
+ # permission to interact with it.
+ typeattribute su halclientdomain;
+ typeattribute su hal_allocator_client;
+ typeattribute su hal_audio_client;
+ typeattribute su hal_authsecret_client;
+ typeattribute su hal_bluetooth_client;
+ typeattribute su hal_bootctl_client;
+ typeattribute su hal_camera_client;
+ typeattribute su hal_configstore_client;
+ typeattribute su hal_confirmationui_client;
+ typeattribute su hal_contexthub_client;
+ typeattribute su hal_drm_client;
+ typeattribute su hal_cas_client;
+ typeattribute su hal_dumpstate_client;
+ typeattribute su hal_fingerprint_client;
+ typeattribute su hal_gatekeeper_client;
+ typeattribute su hal_gnss_client;
+ typeattribute su hal_graphics_allocator_client;
+ typeattribute su hal_graphics_composer_client;
+ typeattribute su hal_health_client;
+ typeattribute su hal_ir_client;
+ typeattribute su hal_keymaster_client;
+ typeattribute su hal_light_client;
+ typeattribute su hal_memtrack_client;
+ typeattribute su hal_neuralnetworks_client;
+ typeattribute su hal_nfc_client;
+ typeattribute su hal_oemlock_client;
+ typeattribute su hal_power_client;
+ typeattribute su hal_secure_element_client;
+ typeattribute su hal_sensors_client;
+ typeattribute su hal_telephony_client;
+ typeattribute su hal_tetheroffload_client;
+ typeattribute su hal_thermal_client;
+ typeattribute su hal_tv_cec_client;
+ typeattribute su hal_tv_input_client;
+ typeattribute su hal_usb_client;
+ typeattribute su hal_vibrator_client;
+ typeattribute su hal_vr_client;
+ typeattribute su hal_weaver_client;
+ typeattribute su hal_wifi_client;
+ typeattribute su hal_wifi_hostapd_client;
+ typeattribute su hal_wifi_offload_client;
+ typeattribute su hal_wifi_supplicant_client;
')
diff --git a/public/te_macros b/public/te_macros
index cac977b..9cfe47c 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -77,7 +77,7 @@
define(`tmpfs_domain', `
type $1_tmpfs, file_type;
type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr };
+allow $1 $1_tmpfs:file { read write getattr map };
allow $1 tmpfs:dir { getattr search };
')
@@ -176,6 +176,8 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
')
#####################################
@@ -200,6 +202,21 @@
')
#####################################
+# hal_attribute(hal_name)
+# Add an attribute for hal implementations along with necessary
+# restrictions.
+define(`hal_attribute', `
+attribute hal_$1;
+expandattribute hal_$1 true;
+attribute hal_$1_client;
+expandattribute hal_$1_client true;
+attribute hal_$1_server;
+expandattribute hal_$1_server false;
+
+neverallow { hal_$1_server -halserverdomain } domain:process fork;
+')
+
+#####################################
# hal_server_domain(domain, hal_type)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
@@ -271,15 +288,6 @@
# use set_prop(sourcedomain, targetproperty)
#
define(`unix_socket_connect', `
-ifelse($2, `property', `
- ifelse($3,`init', `
- print(`deprecated: unix_socket_connect($1, $2, $3) Please use set_prop($1, <property name>) instead.')
- ')
-')
-__unix_socket_connect__($1, $2, $3)
-')
-
-define(`__unix_socket_connect__', `
allow $1 $2_socket:sock_file write;
allow $1 $3:unix_stream_socket connectto;
')
@@ -290,7 +298,7 @@
# targetproperty.
#
define(`set_prop', `
-__unix_socket_connect__($1, property, init)
+unix_socket_connect($1, property, init)
allow $1 $2:property_service set;
get_prop($1, $2)
')
@@ -384,7 +392,7 @@
# Access /sys/power/wake_lock and /sys/power/wake_unlock
allow $1 sysfs_wake_lock:file rw_file_perms;
# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:capability2 block_suspend;
+allow $1 self:global_capability2_class_set block_suspend;
')
#####################################
@@ -454,18 +462,29 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
+# Compatible property only
+# SELinux rules which apply only to devices with compatible property
+#
+define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
+ifelse(target_compatible_property, `cts',
+# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+$1
+# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
+, )))
+
+#####################################
+# Not compatible property
+# SELinux rules which apply only to devices without compatible property
+#
+define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
+
+#####################################
# Userdebug or eng builds
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
#####################################
-# User builds
-# SELinux rules which apply only to user builds
-#
-define(`userbuild', ifelse(target_build_variant, `user', $1, ))
-
-#####################################
# asan builds
# SELinux rules which apply only to asan builds
#
@@ -480,8 +499,10 @@
')
allow $1 anr_data_file:file append;
allow $1 dumpstate:fd use;
+allow $1 incidentd:fd use;
# TODO: Figure out why write is needed.
allow $1 dumpstate:fifo_file { append write };
+allow $1 incidentd:fifo_file { append write };
allow $1 system_server:fifo_file { append write };
allow $1 tombstoned:unix_stream_socket connectto;
allow $1 tombstoned:fd use;
@@ -541,6 +562,7 @@
allow keystore $1:process getattr;
allow $1 keystore_service:service_manager find;
binder_call($1, keystore)
+ binder_call(keystore, $1)
')
###########################################
@@ -573,9 +595,3 @@
allow $1 hidl_base_hwservice:hwservice_manager add;
neverallow { domain -$1 } $2:hwservice_manager add;
')
-
-##########################################
-# print a message with a trailing newline
-# print(`args')
-define(`print', `errprint(`m4: '__file__: __line__`: $*
-')')
diff --git a/public/tee.te b/public/tee.te
index f023d5c..0f9b32d 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -5,3 +5,7 @@
# Device(s) for communicating with the TEE
type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
diff --git a/public/thermalserviced.te b/public/thermalserviced.te
index 5b6025c..00e0071 100644
--- a/public/thermalserviced.te
+++ b/public/thermalserviced.te
@@ -9,3 +9,5 @@
hwbinder_use(thermalserviced)
hal_client_domain(thermalserviced, hal_thermal)
add_hwservice(thermalserviced, thermalcallback_hwservice)
+
+binder_call(thermalserviced, platform_app)
diff --git a/public/tombstoned.te b/public/tombstoned.te
index cf3ddcb..0e585b6 100644
--- a/public/tombstoned.te
+++ b/public/tombstoned.te
@@ -9,7 +9,7 @@
allow tombstoned domain:dir r_dir_perms;
allow tombstoned domain:file r_file_perms;
allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file create_file_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };
# TODO: Remove append / write permissions. They were temporarily
# granted due to a bug which appears to have been fixed.
@@ -19,4 +19,4 @@
# Changes for the new stack dumping mechanism. Each trace goes into a
# separate file, and these files are managed by tombstoned.
allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { getattr open create };
+allow tombstoned anr_data_file:file { create getattr open link unlink };
diff --git a/public/traced_probes.te b/public/traced_probes.te
new file mode 100644
index 0000000..3e587c8
--- /dev/null
+++ b/public/traced_probes.te
@@ -0,0 +1 @@
+type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/public/traceur_app.te b/public/traceur_app.te
new file mode 100644
index 0000000..7113fa7
--- /dev/null
+++ b/public/traceur_app.te
@@ -0,0 +1,21 @@
+type traceur_app, domain;
+
+allow traceur_app servicemanager:service_manager list;
+allow traceur_app hwservicemanager:hwservice_manager list;
+
+set_prop(traceur_app, debug_prop)
+
+allow traceur_app {
+ service_manager_type
+ -gatekeeper_service
+ -incident_service
+ -installd_service
+ -netd_service
+ -virtual_touchpad_service
+ -vold_service
+ -vr_hwc_service
+}:service_manager find;
+
+dontaudit traceur_app service_manager_type:service_manager find;
+dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
+dontaudit traceur_app domain:binder call;
diff --git a/public/ueventd.te b/public/ueventd.te
index 212087e..9b9eacb 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -5,7 +5,7 @@
# Write to /dev/kmsg.
allow ueventd kmsg_device:chr_file rw_file_perms;
-allow ueventd self:capability { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
+allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override fowner };
allow ueventd device:file create_file_perms;
r_dir_file(ueventd, rootfs)
@@ -36,6 +36,9 @@
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
+allow ueventd proc_cmdline:file r_file_perms;
+
#####
##### neverallow rules
#####
diff --git a/public/uncrypt.te b/public/uncrypt.te
index d10eb39..1e48b83 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -2,7 +2,7 @@
type uncrypt, domain, mlstrustedsubject;
type uncrypt_exec, exec_type, file_type;
-allow uncrypt self:capability dac_override;
+allow uncrypt self:global_capability_class_set dac_override;
# Read OTA zip file from /data/data/com.google.android.gsf/app_download
r_dir_file(uncrypt, app_data_file)
@@ -29,7 +29,7 @@
set_prop(uncrypt, powerctl_prop)
# Raw writes to block device
-allow uncrypt self:capability sys_rawio;
+allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
allow uncrypt block_device:dir r_dir_perms;
@@ -37,3 +37,9 @@
allow uncrypt userdata_block_device:blk_file w_file_perms;
r_dir_file(uncrypt, rootfs)
+
+# uncrypt reads /proc/cmdline
+allow uncrypt proc_cmdline:file r_file_perms;
+
+# Read files in /sys
+r_dir_file(uncrypt, sysfs_dt_firmware_android)
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 6f29396..5289bf9 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -17,3 +17,5 @@
###
type untrusted_app, domain;
+type untrusted_app_27, domain;
+type untrusted_app_25, domain;
diff --git a/public/update_engine.te b/public/update_engine.te
index b8f0035..ca73c7e 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -11,17 +11,28 @@
# Following permissions are needed for update_engine.
allow update_engine self:process { setsched };
-allow update_engine self:capability { fowner sys_admin };
+allow update_engine self:global_capability_class_set { fowner sys_admin };
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit update_engine self:global_capability_class_set fsetid;
+
allow update_engine kmsg_device:chr_file w_file_perms;
allow update_engine update_engine_exec:file rx_file_perms;
wakelock_use(update_engine);
# Ignore these denials.
dontaudit update_engine kernel:process setsched;
+dontaudit update_engine self:capability sys_rawio;
# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir { create_dir_perms };
-allow update_engine update_engine_data_file:file { create_file_perms };
+allow update_engine update_engine_data_file:dir create_dir_perms;
+allow update_engine update_engine_data_file:file create_file_perms;
+
+# Allow using persistent storage in /data/misc/update_engine_log.
+allow update_engine update_engine_log_data_file:dir create_dir_perms;
+allow update_engine update_engine_log_data_file:file create_file_perms;
# Don't allow kernel module loading, just silence the logs.
dontaudit update_engine kernel:system module_request;
@@ -39,3 +50,9 @@
# Use Boot Control HAL
hal_client_domain(update_engine, hal_bootctl)
+
+# access /proc/misc
+allow update_engine proc_misc:file r_file_perms;
+
+# read directories on /system and /vendor
+allow update_engine system_file:dir r_dir_perms;
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e9bf24f..eb4cdc1 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -38,11 +38,8 @@
# Allow update_engine_common to suspend, resume and kill the postinstall program.
allow update_engine_common postinstall:process { signal sigstop sigkill };
-# access /proc/misc
-# Access is also granted to proc:file, but it is likely unneeded
-# due to the more specific grant to proc_misc immediately below.
-allow update_engine proc:file r_file_perms; # delete candidate
-allow update_engine proc_misc:file r_file_perms;
+# access /proc/cmdline
+allow update_engine_common proc_cmdline:file r_file_perms;
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
+# Read files in /sys/firmware/devicetree/base/firmware/android/
+r_dir_file(update_engine_common, sysfs_dt_firmware_android)
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 4d4e1f9..5d20eca 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -9,9 +9,21 @@
allow update_verifier ota_package_file:dir r_dir_perms;
allow update_verifier ota_package_file:file r_file_perms;
-# Read all blocks in dm wrapped system partition.
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow update_verifier sysfs:dir r_dir_perms;
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and system/vendor partitions.
+allow update_verifier sysfs_dm:dir r_dir_perms;
+allow update_verifier sysfs_dm:file r_file_perms;
+
+# Read all blocks in DM wrapped system partition.
allow update_verifier dm_device:blk_file r_file_perms;
+# Write to kernel message.
+allow update_verifier kmsg_device:chr_file w_file_perms;
+
# Allow update_verifier to reboot the device.
set_prop(update_verifier, powerctl_prop)
diff --git a/public/usbd.te b/public/usbd.te
new file mode 100644
index 0000000..98786e0
--- /dev/null
+++ b/public/usbd.te
@@ -0,0 +1,3 @@
+type usbd, domain;
+type usbd_exec, exec_type, file_type;
+
diff --git a/public/vdc.te b/public/vdc.te
index 53d7bbe..424bdea 100644
--- a/public/vdc.te
+++ b/public/vdc.te
@@ -8,20 +8,13 @@
type vdc, domain;
type vdc_exec, exec_type, file_type;
-unix_socket_connect(vdc, vold, vold)
-
-# vdc sends information back to dumpstate when "adb bugreport" is used
-allow vdc dumpstate:fd use;
-allow vdc dumpstate:unix_stream_socket { read write getattr };
-
-# vdc information is written to shell owned bugreport files
-allow vdc shell_data_file:file { write getattr };
-
-# Why?
-allow vdc dumpstate:unix_dgram_socket { read write };
-
# vdc can be invoked with logwrapper, so let it write to pty
allow vdc devpts:chr_file rw_file_perms;
# vdc writes directly to kmsg during the boot process
allow vdc kmsg_device:chr_file w_file_perms;
+
+# vdc talks to vold over Binder
+binder_use(vdc)
+binder_call(vdc, vold)
+allow vdc vold_service:service_manager find;
diff --git a/public/vendor_init.te b/public/vendor_init.te
new file mode 100644
index 0000000..4e4b313
--- /dev/null
+++ b/public/vendor_init.te
@@ -0,0 +1,198 @@
+# vendor_init is its own domain.
+type vendor_init, domain, mlstrustedsubject;
+
+# Communication to the main init process
+allow vendor_init init:unix_stream_socket { read write };
+
+# Vendor init shouldn't communicate with any vendor process, nor most system processes.
+neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
+
+# Logging to kmsg
+allow vendor_init kmsg_device:chr_file { open write };
+
+# Mount on /dev/usb-ffs/adb.
+allow vendor_init device:dir mounton;
+
+# Create and remove symlinks in /.
+allow vendor_init rootfs:lnk_file { create unlink };
+
+# Create cgroups mount points in tmpfs and mount cgroups on them.
+allow vendor_init cgroup:dir create_dir_perms;
+
+# /config
+allow vendor_init configfs:dir mounton;
+allow vendor_init configfs:dir create_dir_perms;
+allow vendor_init configfs:{ file lnk_file } create_file_perms;
+
+# Create directories under /dev/cpuctl after chowning it to system.
+allow vendor_init self:global_capability_class_set dac_override;
+
+# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
+# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
+# system/core/init.rc requires at least cache_file and data_file_type.
+# init.<board>.rc files often include device-specific types, so
+# we just allow all file types except /system files here.
+allow vendor_init self:global_capability_class_set { chown fowner fsetid };
+
+# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
+allow vendor_init unencrypted_data_file:dir search;
+allow vendor_init unencrypted_data_file:file r_file_perms;
+
+allow vendor_init system_data_file:dir getattr;
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -runtime_event_log_tags_file
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:file { create getattr open read write setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -unlabeled
+ -vendor_file_type
+ -vold_metadata_file
+}:lnk_file { create getattr setattr relabelfrom unlink };
+
+allow vendor_init {
+ file_type
+ -core_data_file_type
+ -exec_type
+ -system_file
+ -vendor_file_type
+ -vold_metadata_file
+}:dir_file_class_set relabelto;
+
+allow vendor_init dev_type:dir create_dir_perms;
+allow vendor_init dev_type:lnk_file create;
+
+# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
+allow vendor_init debugfs_tracing:file w_file_perms;
+
+# chown/chmod on pseudo files.
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:file { open read setattr };
+
+allow vendor_init {
+ fs_type
+ -contextmount_type
+ -sdcard_type
+ -rootfs
+ -proc_uid_time_in_state
+ -proc_uid_concurrent_active_time
+ -proc_uid_concurrent_policy_time
+}:dir { open read setattr search };
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -kmem_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
+allow vendor_init dev_type:blk_file getattr;
+
+# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
+r_dir_file(vendor_init, proc_net)
+allow vendor_init proc_net:file w_file_perms;
+allow vendor_init self:global_capability_class_set net_admin;
+
+# Write to /proc/sys/vm/page-cluster
+allow vendor_init proc_page_cluster:file w_file_perms;
+
+# Write to sysfs nodes.
+allow vendor_init sysfs_type:dir r_dir_perms;
+allow vendor_init sysfs_type:lnk_file read;
+allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
+
+# setfscreatecon() for labeling directories and socket files.
+allow vendor_init self:process { setfscreate };
+
+r_dir_file(vendor_init, vendor_file_type)
+
+# Vendor init can read properties
+allow vendor_init serialno_prop:file { getattr open read };
+
+# Vendor init can perform operations on trusted and security Extended Attributes
+allow vendor_init self:global_capability_class_set sys_admin;
+
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
+not_compatible_property(`
+ set_prop(vendor_init, {
+ property_type
+ -restorecon_prop
+ -netd_stable_secret_prop
+ -firstboot_prop
+ -pm_prop
+ -system_boot_reason_prop
+ -bootloader_boot_reason_prop
+ -last_boot_reason_prop
+ })
+')
+
+set_prop(vendor_init, bluetooth_a2dp_offload_prop)
+set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_audio_prop)
+set_prop(vendor_init, exported_bluetooth_prop)
+set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_dalvik_prop)
+set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_ffs_prop)
+set_prop(vendor_init, exported_overlay_prop)
+set_prop(vendor_init, exported_pm_prop)
+set_prop(vendor_init, exported_radio_prop)
+set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported_wifi_prop)
+set_prop(vendor_init, exported2_config_prop)
+set_prop(vendor_init, exported2_system_prop)
+set_prop(vendor_init, exported2_vold_prop)
+set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
+set_prop(vendor_init, logd_prop)
+set_prop(vendor_init, log_tag_prop)
+set_prop(vendor_init, log_prop)
+set_prop(vendor_init, serialno_prop)
+set_prop(vendor_init, vendor_default_prop)
+set_prop(vendor_init, vendor_security_patch_level_prop)
+set_prop(vendor_init, wifi_log_prop)
+
+get_prop(vendor_init, exported2_radio_prop)
+get_prop(vendor_init, exported3_system_prop)
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index b330542..7d30acb 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,4 +1,19 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
+type vendor_shell, domain;
type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 836db5f..131f555 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -8,16 +8,24 @@
allow vold cache_file:lnk_file r_file_perms;
# Read access to pseudo filesystems.
-r_dir_file(vold, proc)
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
-allow vold sysfs:file w_file_perms;
+allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
+allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;
r_dir_file(vold, rootfs)
-allow vold proc_meminfo:file r_file_perms;
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
#Get file contexts
allow vold file_contexts_file:file r_file_perms;
@@ -67,7 +75,7 @@
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
-allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
+allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
@@ -80,10 +88,7 @@
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
-allow vold self:capability { sys_ptrace kill };
-
-# XXX Label sysfs files with a specific type?
-allow vold sysfs:file rw_file_perms;
+allow vold self:global_capability_class_set { sys_ptrace kill };
allow vold kmsg_device:chr_file rw_file_perms;
@@ -107,12 +112,21 @@
# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
@@ -131,8 +145,15 @@
# Handle wake locks (used for device encryption)
wakelock_use(vold)
-# talk to batteryservice
+# Allow vold to publish a binder service and make binder calls.
binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to batteryservice
binder_call(vold, healthd)
# talk to keymaster
@@ -155,15 +176,19 @@
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
# linux keyring configuration
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };
# vold temporarily changes its priority when running benchmarks
-allow vold self:capability sys_nice;
+allow vold self:global_capability_class_set sys_nice;
# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:capability sys_chroot;
+allow vold self:global_capability_class_set sys_chroot;
allow vold storage_file:dir mounton;
# For AppFuse.
@@ -181,10 +206,64 @@
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
-neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -vold -kernel } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -vold -init } vold_data_file:dir *;
-neverallow { domain -vold -init -kernel } vold_data_file:notdevfile_class_set *;
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vendor_init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vendor_init
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
neverallow { domain -vold -init } restorecon_prop:property_service set;
+# Only system_server and vdc can interact with vold over binder
+neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
+neverallow vold {
+ domain
+ -hal_keymaster_server
+ -healthd
+ -hwservicemanager
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;
diff --git a/public/vold_prepare_subdirs.te b/public/vold_prepare_subdirs.te
new file mode 100644
index 0000000..6405d2d
--- /dev/null
+++ b/public/vold_prepare_subdirs.te
@@ -0,0 +1,6 @@
+# SELinux directory creation and labelling for vold-managed directories
+
+type vold_prepare_subdirs, domain;
+type vold_prepare_subdirs_exec, exec_type, file_type;
+
+typeattribute vold_prepare_subdirs coredomain;
diff --git a/public/wificond.te b/public/wificond.te
index c91053e..9e4dc7d 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -7,14 +7,15 @@
add_service(wificond, wificond_service)
+set_prop(wificond, exported_wifi_prop)
set_prop(wificond, wifi_prop)
set_prop(wificond, ctl_default_prop)
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS };
-allow wificond self:capability { net_admin net_raw };
+allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
+allow wificond self:global_capability_class_set { net_admin net_raw };
# allow wificond to speak to nl80211 in the kernel
allow wificond self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
@@ -22,11 +23,6 @@
r_dir_file(wificond, proc_net)
-# wificond writes out configuration files for wpa_supplicant/hostapd.
-# wificond also reads pid files out of this directory
-allow wificond wifi_data_file:dir rw_dir_perms;
-allow wificond wifi_data_file:file create_file_perms;
-
# allow wificond to check permission for dumping logs
allow wificond permission_service:service_manager find;
diff --git a/public/wpantund.te b/public/wpantund.te
new file mode 100644
index 0000000..b317236
--- /dev/null
+++ b/public/wpantund.te
@@ -0,0 +1,29 @@
+type wpantund, domain;
+type wpantund_exec, exec_type, file_type;
+
+hal_client_domain(wpantund, hal_lowpan)
+net_domain(wpantund)
+
+binder_use(wpantund)
+binder_call(wpantund, system_server)
+
+# wpantund needs to be able to check in with the lowpan_service
+allow wpantund lowpan_service:service_manager find;
+
+# Allow wpantund to call any callbacks that have been registered with it.
+# Generally, only privileged apps are able to register callbacks with
+# wpantund, so we are limiting the scope for callbacks to only privileged
+# apps. We also add shell to allow the command-line utility `lowpanctl`
+# to work properly from `adb shell`.
+allow wpantund {priv_app shell}:binder call;
+
+# create sockets to set interfaces up and down, add multicast groups, etc.
+allow wpantund self:udp_socket create_socket_perms;
+
+# setting interface state up/down and changing MTU are privileged ioctls
+allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
+
+# Allow us to bring up a TUN network interface.
+allow wpantund tun_device:chr_file rw_file_perms;
+allow wpantund self:global_capability_class_set { net_admin net_raw };
+allow wpantund self:tun_socket create;
diff --git a/tests/Android.bp b/tests/Android.bp
index 19aca9c..abb5e35 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,34 +1,65 @@
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
- shared_libs: ["libbase", "libsepol"],
cflags: ["-Wall", "-Werror",],
export_include_dirs: ["include"],
+
+ // libsepolwrap gets loaded from the system python, which does not have the
+ // ASAN runtime. So turn off sanitization for ourself, and use static
+ // libraries, since the shared libraries will use ASAN.
+ static_libs: [
+ "libbase",
+ "libsepol",
+ ],
+ stl: "libc++_static",
+ sanitize: {
+ never: true,
+ },
}
-cc_prebuilt_binary {
- name: "mini_parser.py",
- srcs: ["mini_parser.py"],
- host_supported: true,
+python_defaults {
+ name: "py2_only",
+ version: {
+ py2: {
+ embedded_launcher: true,
+ enabled: true,
+ },
+ py3: {
+ enabled: false,
+ },
+ },
}
-cc_prebuilt_binary {
- name: "policy.py",
- srcs: ["policy.py"],
- host_supported: true,
+python_binary_host {
+ name: "treble_sepolicy_tests",
+ srcs: [
+ "FcSort.py",
+ "mini_parser.py",
+ "policy.py",
+ "treble_sepolicy_tests.py",
+ ],
required: ["libsepolwrap"],
+ defaults: ["py2_only"],
}
-cc_prebuilt_binary {
- name: "treble_sepolicy_tests.py",
- srcs: ["treble_sepolicy_tests.py"],
- host_supported: true,
- required: ["mini_parser.py", "policy.py"],
+python_binary_host {
+ name: "sepolicy_tests",
+ srcs: [
+ "FcSort.py",
+ "policy.py",
+ "sepolicy_tests.py",
+ ],
+ required: ["libsepolwrap"],
+ defaults: ["py2_only"],
}
-cc_prebuilt_binary {
- name: "sepolicy_tests.py",
- srcs: ["sepolicy_tests.py"],
- host_supported: true,
- required: ["policy.py"],
+python_binary_host {
+ name: "searchpolicy",
+ srcs: [
+ "FcSort.py",
+ "policy.py",
+ "searchpolicy.py",
+ ],
+ required: ["libsepolwrap"],
+ defaults: ["py2_only"],
}
diff --git a/tests/FcSort.py b/tests/FcSort.py
new file mode 100755
index 0000000..7cf1998
--- /dev/null
+++ b/tests/FcSort.py
@@ -0,0 +1,125 @@
+#!/usr/bin/env python
+import sys
+import os
+
+class FileContextsNode:
+ path = None
+ fileType = None
+ context = None
+ Type = None
+ meta = None
+ stemLen = None
+ strLen = None
+ Type = None
+ def __init__(self, path, fileType, context, meta, stemLen, strLen):
+ self.path = path
+ self.fileType = fileType
+ self.context = context
+ self.meta = meta
+ self.stemLen = stemLen
+ self.strlen = strLen
+ self.Type = context.split(":")[2]
+
+metaChars = frozenset(['.', '^', '$', '?', '*', '+', '|', '[', '(', '{'])
+escapedMetaChars = frozenset(['\.', '\^', '\$', '\?', '\*', '\+', '\|', '\[', '\(', '\{'])
+
+def getStemLen(path):
+ global metaChars
+ stemLen = 0
+ i = 0
+ while i < len(path):
+ if path[i] == "\\":
+ i += 1
+ elif path[i] in metaChars:
+ break
+ stemLen += 1
+ i += 1
+ return stemLen
+
+
+def getIsMeta(path):
+ global metaChars
+ global escapedMetaChars
+ metaCharsCount = 0
+ escapedMetaCharsCount = 0
+ for c in metaChars:
+ if c in path:
+ metaCharsCount += 1
+ for c in escapedMetaChars:
+ if c in path:
+ escapedMetaCharsCount += 1
+ return metaCharsCount > escapedMetaCharsCount
+
+def CreateNode(line):
+ global metaChars
+ if (len(line) == 0) or (line[0] == '#'):
+ return None
+
+ split = line.split()
+ path = split[0].strip()
+ context = split[-1].strip()
+ fileType = None
+ if len(split) == 3:
+ fileType = split[1].strip()
+ meta = getIsMeta(path)
+ stemLen = getStemLen(path)
+ strLen = len(path.replace("\\", ""))
+
+ return FileContextsNode(path, fileType, context, meta, stemLen, strLen)
+
+def ReadFileContexts(files):
+ fc = []
+ for f in files:
+ fd = open(f)
+ for line in fd:
+ node = CreateNode(line.strip())
+ if node != None:
+ fc.append(node)
+ return fc
+
+# Comparator function for list.sort() based off of fc_sort.c
+# Compares two FileContextNodes a and b and returns 1 if a is more
+# specific or -1 if b is more specific.
+def compare(a, b):
+ # The regex without metachars is more specific
+ if a.meta and not b.meta:
+ return -1
+ if b.meta and not a.meta:
+ return 1
+
+ # The regex with longer stemlen (regex before any meta characters) is more specific.
+ if a.stemLen < b.stemLen:
+ return -1
+ if b.stemLen < a.stemLen:
+ return 1
+
+ # The regex with longer string length is more specific
+ if a.strLen < b.strLen:
+ return -1
+ if b.strLen < a.strLen:
+ return 1
+
+ # A regex with a fileType defined (e.g. file, dir) is more specific.
+ if a.fileType is None and b.fileType is not None:
+ return -1
+ if b.fileType is None and a.fileType is not None:
+ return 1
+
+ # Regexes are equally specific.
+ return 0
+
+def FcSort(files):
+ for f in files:
+ if not os.path.exists(f):
+ sys.exit("Error: File_contexts file " + f + " does not exist\n")
+
+ Fc = ReadFileContexts(files)
+ Fc.sort(cmp=compare)
+
+ return Fc
+
+if __name__ == '__main__':
+ if len(sys.argv) < 2:
+ sys.exit("Usage: fc_sort.py <file_contexts 1> <file_contexts 2> <file_contexts 3>")
+
+ FcSorted = FcSort(sys.argv[1:])
diff --git a/tests/include/sepol_wrap.h b/tests/include/sepol_wrap.h
index 5615913..0be2c17 100644
--- a/tests/include/sepol_wrap.h
+++ b/tests/include/sepol_wrap.h
@@ -9,9 +9,15 @@
void *init_avtab(void *policydbp);
void *init_cond_avtab(void *policydbp);
void destroy_avtab(void *avtab_iterp);
+void *init_expanded_avtab(void *policydbp);
+void *init_expanded_cond_avtab(void *policydbp);
+void destroy_expanded_avtab(void *avtab_iterp);
int get_type(char *out, size_t max_size, void *policydbp, void *type_iterp);
void *init_type_iter(void *policydbp, const char *type, bool is_attr);
void destroy_type_iter(void *type_iterp);
+void *init_genfs_iter(void *policydbp);
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp);
+void destroy_genfs_iter(void *genfs_iterp);
#ifdef __cplusplus
}
diff --git a/tests/mini_parser.py b/tests/mini_parser.py
index fbeaff8..5dfda06 100644
--- a/tests/mini_parser.py
+++ b/tests/mini_parser.py
@@ -77,6 +77,9 @@
self._parseTypeattribute(stmt)
elif re.match(r"typeattributeset\s+.+", stmt):
self._parseTypeattributeset(stmt)
+ elif re.match(r"expandtypeattribute\s+.+", stmt):
+ # To silence the build warnings.
+ pass
else:
m = re.match(r"(\w+)\s+.+", stmt)
ret = "Warning: Unknown statement type (" + m.group(1) + ") in "
diff --git a/tests/policy.py b/tests/policy.py
index b8a3621..90e387f 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -2,6 +2,8 @@
import re
import os
import sys
+import platform
+import FcSort
###
# Check whether the regex will match a file path starting with the provided
@@ -41,12 +43,45 @@
self.rule = rule
class Policy:
- __Rules = None
+ __ExpandedRules = set()
+ __Rules = set()
__FcDict = None
+ __FcSorted = None
+ __GenfsDict = None
__libsepolwrap = None
__policydbP = None
__BUFSIZE = 2048
+ def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
+ # Query policy for the types associated with Attr
+ TypesPol = self.QueryTypeAttribute(Attr, True)
+ # Search file_contexts to find types associated with input paths.
+ TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ violators = TypesFc.intersection(TypesPol)
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types on "
+ ret += " ".join(str(x) for x in sorted(MatchPrefix))
+ ret += " must not be associated with the "
+ ret += "\"" + Attr + "\" attribute: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
+ # Check that all types for "filesystem" have "attribute" associated with them
+ # for types labeled in genfs_contexts.
+ def AssertGenfsFilesystemTypesHaveAttr(self, Filesystem, Attr):
+ TypesPol = self.QueryTypeAttribute(Attr, True)
+ TypesGenfs = self.__GenfsDict[Filesystem]
+ violators = TypesGenfs.difference(TypesPol)
+
+ ret = ""
+ if len(violators) > 0:
+ ret += "The following types in " + Filesystem
+ ret += " must be associated with the "
+ ret += "\"" + Attr + "\" attribute: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
# Check that path prefixes that match MatchPrefix, and do not Match
# DoNotMatchPrefix have the attribute Attr.
# For example assert that all types in /sys, and not in /sys/kernel/debugfs
@@ -97,6 +132,50 @@
self.__libsepolwrap.destroy_type_iter(TypeIterP)
return TypeAttr
+ def __TERuleMatch(self, Rule, **kwargs):
+ # Match source type
+ if ("scontext" in kwargs and
+ len(kwargs['scontext']) > 0 and
+ Rule.sctx not in kwargs['scontext']):
+ return False
+ # Match target type
+ if ("tcontext" in kwargs and
+ len(kwargs['tcontext']) > 0 and
+ Rule.tctx not in kwargs['tcontext']):
+ return False
+ # Match target class
+ if ("tclass" in kwargs and
+ len(kwargs['tclass']) > 0 and
+ not bool(set([Rule.tclass]) & kwargs['tclass'])):
+ return False
+ # Match any perms
+ if ("perms" in kwargs and
+ len(kwargs['perms']) > 0 and
+ not bool(Rule.perms & kwargs['perms'])):
+ return False
+ return True
+
+ # resolve a type to its attributes or
+ # resolve an attribute to its types and attributes
+ # For example if scontext is the domain attribute, then we need to
+ # include all types with the domain attribute such as untrusted_app and
+ # priv_app and all the attributes of those types such as appdomain.
+ def ResolveTypeAttribute(self, Type):
+ types = self.GetAllTypes(False)
+ attributes = self.GetAllTypes(True)
+
+ if Type in types:
+ return self.QueryTypeAttribute(Type, False)
+ elif Type in attributes:
+ TypesAndAttributes = set()
+ Types = self.QueryTypeAttribute(Type, True)
+ TypesAndAttributes |= Types
+ for T in Types:
+ TypesAndAttributes |= self.QueryTypeAttribute(T, False)
+ return TypesAndAttributes
+ else:
+ return set()
+
# Return all TERules that match:
# (any scontext) or (any tcontext) or (any tclass) or (any perms),
# perms.
@@ -106,23 +185,32 @@
# Will return any rule with:
# (tcontext="foo" or tcontext="bar") and ("entrypoint" in perms)
def QueryTERule(self, **kwargs):
- if self.__Rules is None:
+ if len(self.__Rules) == 0:
self.__InitTERules()
- for Rule in self.__Rules:
- # Match source type
- if "scontext" in kwargs and Rule.sctx not in kwargs['scontext']:
- continue
- # Match target type
- if "tcontext" in kwargs and Rule.tctx not in kwargs['tcontext']:
- continue
- # Match target class
- if "tclass" in kwargs and Rule.tclass not in kwargs['tclass']:
- continue
- # Match any perms
- if "perms" in kwargs and not bool(Rule.perms & set(kwargs['perms'])):
- continue
- yield Rule
+ # add any matching types and attributes for scontext and tcontext
+ if ("scontext" in kwargs and len(kwargs['scontext']) > 0):
+ scontext = set()
+ for sctx in kwargs['scontext']:
+ scontext |= self.ResolveTypeAttribute(sctx)
+ kwargs['scontext'] = scontext
+ if ("tcontext" in kwargs and len(kwargs['tcontext']) > 0):
+ tcontext = set()
+ for tctx in kwargs['tcontext']:
+ tcontext |= self.ResolveTypeAttribute(tctx)
+ kwargs['tcontext'] = tcontext
+ for Rule in self.__Rules:
+ if self.__TERuleMatch(Rule, **kwargs):
+ yield Rule
+
+ # Same as QueryTERule but only using the expanded ruleset.
+ # i.e. all attributes have been expanded to their various types.
+ def QueryExpandedTERule(self, **kwargs):
+ if len(self.__ExpandedRules) == 0:
+ self.__InitExpandedTERules()
+ for Rule in self.__ExpandedRules:
+ if self.__TERuleMatch(Rule, **kwargs):
+ yield Rule
def GetAllTypes(self, isAttr):
TypeIterP = self.__libsepolwrap.init_type_iter(self.__policydbP, None, isAttr)
@@ -143,21 +231,54 @@
self.__libsepolwrap.destroy_type_iter(TypeIterP)
return AllTypes
+ def __ExactMatchPathPrefix(self, pathregex, prefix):
+ pattern = re.compile('^' + pathregex + "$")
+ if pattern.match(prefix):
+ return True
+ return False
+
+ # Return a tuple (prefix, i) where i is the index of the most specific
+ # match of prefix in the sorted file_contexts. This is useful for limiting a
+ # file_contexts search to matches that are more specific and omitting less
+ # specific matches. For example, finding all matches to prefix /data/vendor
+ # should not include /data(/.*)? if /data/vendor(/.*)? is also specified.
+ def __FcSortedIndex(self, prefix):
+ index = 0
+ for i in range(0, len(self.__FcSorted)):
+ if self.__ExactMatchPathPrefix(self.__FcSorted[i].path, prefix):
+ index = i
+ return prefix, index
+
+ # Return a tuple of (path, Type) for all matching paths. Use the sorted
+ # file_contexts and index returned from __FcSortedIndex() to limit results
+ # to results that are more specific than the prefix.
+ def __MatchPathPrefixTypes(self, prefix, index):
+ PathType = []
+ for i in range(index, len(self.__FcSorted)):
+ if MatchPathPrefix(self.__FcSorted[i].path, prefix):
+ PathType.append((self.__FcSorted[i].path, self.__FcSorted[i].Type))
+ return PathType
+
+ # Return types that match MatchPrefixes but do not match
+ # DoNotMatchPrefixes
def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
- for Type in self.__FcDict:
- for pathregex in self.__FcDict[Type]:
- if not MatchPathPrefixes(pathregex, MatchPrefixes):
+
+ MatchPrefixesWithIndex = []
+ for MatchPrefix in MatchPrefixes:
+ MatchPrefixesWithIndex.append(self.__FcSortedIndex(MatchPrefix))
+
+ for MatchPrefixWithIndex in MatchPrefixesWithIndex:
+ PathTypes = self.__MatchPathPrefixTypes(*MatchPrefixWithIndex)
+ for PathType in PathTypes:
+ if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
- if MatchPathPrefixes(pathregex, DoNotMatchPrefixes):
- continue
- Types.add(Type)
+ Types.add(PathType[1])
return Types
-
- def __GetTERules(self, policydbP, avtabIterP):
- if self.__Rules is None:
- self.__Rules = set()
+ def __GetTERules(self, policydbP, avtabIterP, Rules):
+ if Rules is None:
+ Rules = set()
buf = create_string_buffer(self.__BUFSIZE)
ret = 0
while True:
@@ -165,7 +286,7 @@
policydbP, avtabIterP)
if ret == 0:
Rule = TERule(buf.value)
- self.__Rules.add(Rule)
+ Rules.add(Rule)
continue
if ret == 1:
break;
@@ -176,22 +297,29 @@
avtabIterP = self.__libsepolwrap.init_avtab(self.__policydbP)
if (avtabIterP == None):
sys.exit("Failed to initialize avtab")
- self.__GetTERules(self.__policydbP, avtabIterP)
+ self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
self.__libsepolwrap.destroy_avtab(avtabIterP)
avtabIterP = self.__libsepolwrap.init_cond_avtab(self.__policydbP)
if (avtabIterP == None):
sys.exit("Failed to initialize conditional avtab")
- self.__GetTERules(self.__policydbP, avtabIterP)
+ self.__GetTERules(self.__policydbP, avtabIterP, self.__Rules)
self.__libsepolwrap.destroy_avtab(avtabIterP)
+ def __InitExpandedTERules(self):
+ avtabIterP = self.__libsepolwrap.init_expanded_avtab(self.__policydbP)
+ if (avtabIterP == None):
+ sys.exit("Failed to initialize avtab")
+ self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
+ self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
+ avtabIterP = self.__libsepolwrap.init_expanded_cond_avtab(self.__policydbP)
+ if (avtabIterP == None):
+ sys.exit("Failed to initialize conditional avtab")
+ self.__GetTERules(self.__policydbP, avtabIterP, self.__ExpandedRules)
+ self.__libsepolwrap.destroy_expanded_avtab(avtabIterP)
+
# load ctypes-ified libsepol wrapper
def __InitLibsepolwrap(self, LibPath):
- if "linux" in sys.platform:
- lib = CDLL(LibPath + "/libsepolwrap.so")
- elif "darwin" in sys.platform:
- lib = CDLL(LibPath + "/libsepolwrap.dylib")
- else:
- sys.exit("only Linux and Mac currrently supported")
+ lib = CDLL(LibPath)
# int get_allow_rule(char *out, size_t len, void *policydbp, void *avtab_iterp);
lib.get_allow_rule.restype = c_int
@@ -201,6 +329,14 @@
lib.load_policy.argtypes = [c_char_p]
# void destroy_policy(void *policydbp);
lib.destroy_policy.argtypes = [c_void_p]
+ # void *init_expanded_avtab(void *policydbp);
+ lib.init_expanded_avtab.restype = c_void_p
+ lib.init_expanded_avtab.argtypes = [c_void_p]
+ # void *init_expanded_cond_avtab(void *policydbp);
+ lib.init_expanded_cond_avtab.restype = c_void_p
+ lib.init_expanded_cond_avtab.argtypes = [c_void_p]
+ # void destroy_expanded_avtab(void *avtab_iterp);
+ lib.destroy_expanded_avtab.argtypes = [c_void_p]
# void *init_avtab(void *policydbp);
lib.init_avtab.restype = c_void_p
lib.init_avtab.argtypes = [c_void_p]
@@ -217,9 +353,43 @@
lib.init_type_iter.argtypes = [c_void_p, c_char_p, c_bool]
# void destroy_type_iter(void *type_iterp);
lib.destroy_type_iter.argtypes = [c_void_p]
+ # void *init_genfs_iter(void *policydbp)
+ lib.init_genfs_iter.restype = c_void_p
+ lib.init_genfs_iter.argtypes = [c_void_p]
+ # int get_genfs(char *out, size_t max_size, void *genfs_iterp);
+ lib.get_genfs.restype = c_int
+ lib.get_genfs.argtypes = [c_char_p, c_size_t, c_void_p, c_void_p]
+ # void destroy_genfs_iter(void *genfs_iterp)
+ lib.destroy_genfs_iter.argtypes = [c_void_p]
self.__libsepolwrap = lib
+ def __GenfsDictAdd(self, Dict, buf):
+ fs, path, context = buf.split(" ")
+ Type = context.split(":")[2]
+ if not fs in Dict:
+ Dict[fs] = {Type}
+ else:
+ Dict[fs].add(Type)
+
+ def __InitGenfsCon(self):
+ self.__GenfsDict = {}
+ GenfsIterP = self.__libsepolwrap.init_genfs_iter(self.__policydbP)
+ if (GenfsIterP == None):
+ sys.exit("Failed to retreive genfs entries")
+ buf = create_string_buffer(self.__BUFSIZE)
+ while True:
+ ret = self.__libsepolwrap.get_genfs(buf, self.__BUFSIZE,
+ self.__policydbP, GenfsIterP)
+ if ret == 0:
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ continue
+ if ret == 1:
+ self.__GenfsDictAdd(self.__GenfsDict, buf.value)
+ break;
+ # We should never get here.
+ sys.exit("Failed to get genfs entries")
+ self.__libsepolwrap.destroy_genfs_iter(GenfsIterP)
# load file_contexts
def __InitFC(self, FcPaths):
@@ -243,6 +413,7 @@
self.__FcDict[t] = [rec[0]]
except:
pass
+ self.__FcSorted = FcSort.FcSort(FcPaths)
# load policy
def __InitPolicy(self, PolicyPath):
@@ -255,6 +426,7 @@
self.__InitLibsepolwrap(LibPath)
self.__InitFC(FcPaths)
self.__InitPolicy(PolicyPath)
+ self.__InitGenfsCon()
def __del__(self):
if self.__policydbP is not None:
diff --git a/tests/searchpolicy.py b/tests/searchpolicy.py
new file mode 100644
index 0000000..ff9318b
--- /dev/null
+++ b/tests/searchpolicy.py
@@ -0,0 +1,73 @@
+#!/usr/bin/env python
+
+import argparse
+import policy
+
+parser = argparse.ArgumentParser(
+ description="SELinux policy rule search tool. Intended to have a similar "
+ + "API as sesearch, but simplified to use only code availabe in AOSP")
+parser.add_argument("policy", help="Path to the SELinux policy to search.", nargs="?")
+parser.add_argument("--libpath", dest="libpath", help="Path to the libsepolwrap.so", nargs="?")
+tertypes = parser.add_argument_group("TE Rule Types")
+tertypes.add_argument("--allow", action="append_const",
+ const="allow", dest="tertypes",
+ help="Search allow rules.")
+expr = parser.add_argument_group("Expressions")
+expr.add_argument("-s", "--source",
+ help="Source type/role of the TE/RBAC rule.")
+expr.add_argument("-t", "--target",
+ help="Target type/role of the TE/RBAC rule.")
+expr.add_argument("-c", "--class", dest="tclass",
+ help="Comma separated list of object classes")
+expr.add_argument("-p", "--perms", metavar="PERMS",
+ help="Comma separated list of permissions.")
+
+args = parser.parse_args()
+
+if not args.tertypes:
+ parser.error("Must specify \"--allow\"")
+
+if not args.policy:
+ parser.error("Must include path to policy")
+if not args.libpath:
+ parser.error("Must include path to libsepolwrap library")
+
+if not (args.source or args.target or args.tclass or args.perms):
+ parser.error("Must something to filter on, e.g. --source, --target, etc.")
+
+pol = policy.Policy(args.policy, None, args.libpath)
+
+if args.source:
+ scontext = {args.source}
+else:
+ scontext = set()
+if args.target:
+ tcontext = {args.target}
+else:
+ tcontext = set()
+if args.tclass:
+ tclass = set(args.tclass.split(","))
+else:
+ tclass = set()
+if args.perms:
+ perms = set(args.perms.split(","))
+else:
+ perms = set()
+
+TERules = pol.QueryTERule(scontext=scontext,
+ tcontext=tcontext,
+ tclass=tclass,
+ perms=perms)
+
+# format rules for printing
+rules = []
+for r in TERules:
+ if len(r.perms) > 1:
+ rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " { " +
+ " ".join(r.perms) + " };")
+ else:
+ rules.append("allow " + r.sctx + " " + r.tctx + ":" + r.tclass + " " +
+ " ".join(r.perms) + ";")
+
+for r in sorted(rules):
+ print r
diff --git a/tests/sepol_wrap.cpp b/tests/sepol_wrap.cpp
index 8fea2d5..39b618b 100644
--- a/tests/sepol_wrap.cpp
+++ b/tests/sepol_wrap.cpp
@@ -17,6 +17,73 @@
#include <android-base/strings.h>
#include <sepol_wrap.h>
+struct genfs_iter {
+ genfs_t *genfs;
+ ocontext_t *ocon;
+};
+
+void *init_genfs_iter(void *policydbp)
+{
+ struct genfs_iter *out = (struct genfs_iter *)
+ calloc(1, sizeof(struct genfs_iter));
+
+ if (!out) {
+ std::cerr << "Failed to allocate genfs iterator" << std::endl;
+ return NULL;
+ }
+
+ policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+ out->genfs = db->genfs;
+ out->ocon = db->genfs->head;
+
+ return static_cast<void *>(out);
+}
+
+/*
+ * print genfs path into *out buffer.
+ *
+ * Returns -1 on error.
+ * Returns 0 on successfully retrieving a genfs entry.
+ * Returns 1 on successfully retrieving the final genfs entry.
+ */
+int get_genfs(char *out, size_t max_size, void *policydbp, void *genfs_iterp)
+{
+ size_t len;
+ struct genfs_iter *i = static_cast<struct genfs_iter *>(genfs_iterp);
+ policydb_t *db = static_cast<policydb_t *>(policydbp);
+
+ len = snprintf(out, max_size, "%s %s %s:%s:%s:s0",
+ i->genfs->fstype,
+ i->ocon->u.name,
+ db->p_user_val_to_name[i->ocon->context->user-1],
+ db->p_role_val_to_name[i->ocon->context->role-1],
+ db->p_type_val_to_name[i->ocon->context->type-1]);
+
+ if (len >= max_size) {
+ std::cerr << "genfs path exceeds buffer size." << std::endl;
+ return -1;
+ }
+
+ i->ocon = i->ocon->next;
+ if (i->ocon == NULL) {
+ if (i->genfs->next != NULL) {
+ i->genfs = i->genfs->next;
+ i->ocon = i->genfs->head;
+ } else {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
+void destroy_genfs_iter(void *genfs_iterp)
+{
+ struct genfs_iter *genfs_i = static_cast<struct genfs_iter *>(genfs_iterp);
+ free(genfs_i);
+}
+
#define TYPE_ITER_LOOKUP 0
#define TYPE_ITER_ALLTYPES 1
#define TYPE_ITER_ALLATTRS 2
@@ -181,7 +248,7 @@
/* items needed to iterate over the avtab */
struct avtab_iter {
- avtab_t avtab;
+ avtab_t *avtab;
uint32_t i;
avtab_ptr_t cur;
};
@@ -198,9 +265,9 @@
{
size_t len;
- for (; avtab_i->i < avtab_i->avtab.nslot; (avtab_i->i)++) {
+ for (; avtab_i->i < avtab_i->avtab->nslot; (avtab_i->i)++) {
if (avtab_i->cur == NULL) {
- avtab_i->cur = avtab_i->avtab.htable[avtab_i->i];
+ avtab_i->cur = avtab_i->avtab->htable[avtab_i->i];
}
for (; avtab_i->cur; avtab_i->cur = (avtab_i->cur)->next) {
if (!((avtab_i->cur)->key.specified & AVTAB_ALLOWED)) continue;
@@ -233,6 +300,37 @@
return get_avtab_allow_rule(out, len, db, avtab_i);
}
+static avtab_iter *init_avtab_common(avtab_t *in)
+{
+ struct avtab_iter *out = (struct avtab_iter *)
+ calloc(1, sizeof(struct avtab_iter));
+ if (!out) {
+ std::cerr << "Failed to allocate avtab iterator" << std::endl;
+ return NULL;
+ }
+
+ out->avtab = in;
+ return out;
+}
+
+void *init_avtab(void *policydbp)
+{
+ policydb_t *p = static_cast<policydb_t *>(policydbp);
+ return static_cast<void *>(init_avtab_common(&p->te_avtab));
+}
+
+void *init_cond_avtab(void *policydbp)
+{
+ policydb_t *p = static_cast<policydb_t *>(policydbp);
+ return static_cast<void *>(init_avtab_common(&p->te_cond_avtab));
+}
+
+void destroy_avtab(void *avtab_iterp)
+{
+ struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
+ free(avtab_i);
+}
+
/*
* <sepol/policydb/expand.h->conditional.h> uses 'bool' as a variable name
* inside extern "C" { .. } construct, which clang doesn't like.
@@ -240,45 +338,57 @@
*/
extern "C" int expand_avtab(policydb_t *p, avtab_t *a, avtab_t *expa);
-static avtab_iter *init_avtab_common(avtab_t *in, policydb_t *p)
+static avtab_iter *init_expanded_avtab_common(avtab_t *in, policydb_t *p)
{
struct avtab_iter *out = (struct avtab_iter *)
calloc(1, sizeof(struct avtab_iter));
if (!out) {
- std::cerr << "Failed to allocate avtab" << std::endl;
+ std::cerr << "Failed to allocate avtab iterator" << std::endl;
return NULL;
}
- if (avtab_init(&out->avtab)) {
- std::cerr << "Failed to initialize avtab" << std::endl;
+ avtab_t *avtab = (avtab_t *) calloc(1, sizeof(avtab_t));
+
+ if (!avtab) {
+ std::cerr << "Failed to allocate avtab" << std::endl;
free(out);
return NULL;
}
- if (expand_avtab(p, in, &out->avtab)) {
+ out->avtab = avtab;
+ if (avtab_init(out->avtab)) {
+ std::cerr << "Failed to initialize avtab" << std::endl;
+ free(avtab);
+ free(out);
+ return NULL;
+ }
+
+ if (expand_avtab(p, in, out->avtab)) {
std::cerr << "Failed to expand avtab" << std::endl;
+ free(avtab);
free(out);
return NULL;
}
return out;
}
-void *init_avtab(void *policydbp)
+void *init_expanded_avtab(void *policydbp)
{
policydb_t *p = static_cast<policydb_t *>(policydbp);
- return static_cast<void *>(init_avtab_common(&p->te_avtab, p));
+ return static_cast<void *>(init_expanded_avtab_common(&p->te_avtab, p));
}
-void *init_cond_avtab(void *policydbp)
+void *init_expanded_cond_avtab(void *policydbp)
{
policydb_t *p = static_cast<policydb_t *>(policydbp);
- return static_cast<void *>(init_avtab_common(&p->te_cond_avtab, p));
+ return static_cast<void *>(init_expanded_avtab_common(&p->te_cond_avtab, p));
}
-void destroy_avtab(void *avtab_iterp)
+void destroy_expanded_avtab(void *avtab_iterp)
{
struct avtab_iter *avtab_i = static_cast<struct avtab_iter *>(avtab_iterp);
- avtab_destroy(&avtab_i->avtab);
+ avtab_destroy(avtab_i->avtab);
+ free(avtab_i->avtab);
free(avtab_i);
}
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index 3f93ff4..6f69147 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -11,14 +11,29 @@
def TestDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
+def TestProcTypeViolations(pol):
+ return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
+
def TestSysfsTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("sysfs", "sysfs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/"], ["/sys/kernel/debug/",
"/sys/kernel/tracing"], "sysfs_type")
+ return ret
def TestDebugfsTypeViolations(pol):
- # TODO: this should apply to genfs_context entries as well
- return pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
+ ret = pol.AssertGenfsFilesystemTypesHaveAttr("debugfs", "debugfs_type")
+ ret += pol.AssertGenfsFilesystemTypesHaveAttr("tracefs", "debugfs_type")
+ ret += pol.AssertPathTypesHaveAttr(["/sys/kernel/debug/",
"/sys/kernel/tracing"], [], "debugfs_type")
+ return ret
+
+def TestVendorTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
+
+def TestCoreDataTypeViolations(pol):
+ return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
+ "/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -36,10 +51,18 @@
else:
Option.take_action(self, action, dest, opt, value, values, parser)
-Tests = ["TestDataTypeViolators"]
+Tests = [
+ "TestDataTypeViolators",
+ "TestProcTypeViolations",
+ "TestSysfsTypeViolations",
+ "TestDebugfsTypeViolations",
+ "TestVendorTypeViolations",
+ "TestCoreDataTypeViolations",
+]
if __name__ == '__main__':
- usage = "sepolicy_tests.py -f nonplat_file_contexts -f "
+ usage = "sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage += "-f vendor_file_contexts -f "
usage +="plat_file_contexts -p policy [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-f", "--file_contexts", dest="file_contexts",
@@ -52,7 +75,7 @@
(options, args) = parser.parse_args()
if not options.libpath:
- sys.exit("Must specify path to host libraries\n" + parser.usage)
+ sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
if not os.path.exists(options.libpath):
sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+ parser.usage)
@@ -74,12 +97,18 @@
results = ""
# If an individual test is not specified, run all tests.
- if options.test is None or "TestDataTypeViolations" in options.tests:
+ if options.test is None or "TestDataTypeViolations" in options.test:
results += TestDataTypeViolations(pol)
- if options.test is None or "TestSysfsTypeViolations" in options.tests:
+ if options.test is None or "TestProcTypeViolations" in options.test:
+ results += TestProcTypeViolations(pol)
+ if options.test is None or "TestSysfsTypeViolations" in options.test:
results += TestSysfsTypeViolations(pol)
- if options.test is None or "TestDebugfsTypeViolations" in options.tests:
+ if options.test is None or "TestDebugfsTypeViolations" in options.test:
results += TestDebugfsTypeViolations(pol)
+ if options.test is None or "TestVendorTypeViolations" in options.test:
+ results += TestVendorTypeViolations(pol)
+ if options.test is None or "TestCoreDataTypeViolations" in options.test:
+ results += TestCoreDataTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 58fd85b..cfa8ef9 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -38,6 +38,7 @@
'postinstall_dexopt',
'recovery',
'system_server',
+ 'vendor_init',
}
coredomainWhitelist |= coreAppdomain
@@ -70,12 +71,16 @@
coredomains = set()
appdomains = set()
vendordomains = set()
+pol = None
# compat vars
alltypes = set()
oldalltypes = set()
compatMapping = None
+# Distinguish between PRODUCT_FULL_TREBLE and PRODUCT_FULL_TREBLE_OVERRIDE
+FakeTreble = False
+
def GetAllDomains(pol):
global alldomains
for result in pol.QueryTypeAttribute("domain", True):
@@ -129,7 +134,7 @@
#
def GetDomainEntrypoints(pol):
global alldomains
- for x in pol.QueryTERule(tclass="file", perms=["entrypoint"]):
+ for x in pol.QueryExpandedTERule(tclass=set(["file"]), perms=set(["entrypoint"])):
if not x.sctx in alldomains:
continue
alldomains[x.sctx].entrypoints.append(str(x.tctx))
@@ -172,6 +177,14 @@
GetAllTypes(pol, oldpol)
compatMapping = mapping
+def DomainsWithAttribute(attr):
+ global alldomains
+ domains = []
+ for domain in alldomains:
+ if attr in alldomains[domain].attributes:
+ domains.append(domain)
+ return domains
+
#############################################################
# Tests
#############################################################
@@ -225,7 +238,7 @@
ret += "SELinux: The following types were found added to the policy "
ret += "without an entry into the compatibility mapping file(s) found "
ret += "in private/compat/" + compatMapping.apiLevel + "/"
- ret += compatMapping.apiLevel + "[.ignore].cil/n"
+ ret += compatMapping.apiLevel + "[.ignore].cil\n"
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
@@ -255,6 +268,32 @@
ret = TestNoUnmappedNewTypes()
ret += TestNoUnmappedRmTypes()
return ret
+
+def TestViolatorAttribute(attribute):
+ global FakeTreble
+ ret = ""
+ if FakeTreble:
+ return ret
+
+ violators = DomainsWithAttribute(attribute)
+ if len(violators) > 0:
+ ret += "SELinux: The following domains violate the Treble ban "
+ ret += "against use of the " + attribute + " attribute: "
+ ret += " ".join(str(x) for x in sorted(violators)) + "\n"
+ return ret
+
+def TestViolatorAttributes():
+ ret = TestViolatorAttribute("binder_in_vendor_violators")
+ ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
+ ret += TestViolatorAttribute("vendor_executes_system_violators")
+ return ret
+
+# TODO move this to sepolicy_tests
+def TestCoreDataTypeViolations():
+ global pol
+ return pol.AssertPathTypesDoNotHaveAttr(["/data/vendor/", "/data/vendor_ce/",
+ "/data/vendor_de/"], [], "core_data_file_type")
+
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -273,11 +312,14 @@
Option.take_action(self, action, dest, opt, value, values, parser)
Tests = {"CoredomainViolations": TestCoredomainViolations,
- "TrebleCompatMapping": TestTrebleCompatMapping }
+ "CoreDatatypeViolations": TestCoreDataTypeViolations,
+ "TrebleCompatMapping": TestTrebleCompatMapping,
+ "ViolatorAttributes": TestViolatorAttributes}
if __name__ == '__main__':
- usage = "treble_sepolicy_tests.py -f nonplat_file_contexts -f "
- usage +="plat_file_contexts -p curr_policy -b base_policy -o old_policy "
+ usage = "treble_sepolicy_tests -l $(ANDROID_HOST_OUT)/lib64/libsepolwrap.so "
+ usage += "-f nonplat_file_contexts -f plat_file_contexts "
+ usage += "-p curr_policy -b base_policy -o old_policy "
usage +="-m mapping file [--test test] [--help]"
parser = OptionParser(option_class=MultipleOption, usage=usage)
parser.add_option("-b", "--basepolicy", dest="basepolicy", metavar="FILE")
@@ -288,28 +330,22 @@
parser.add_option("-o", "--oldpolicy", dest="oldpolicy", metavar="FILE")
parser.add_option("-p", "--policy", dest="policy", metavar="FILE")
parser.add_option("-t", "--test", dest="tests", action="extend",
-
help="Test options include "+str(Tests))
+ parser.add_option("--fake-treble", action="store_true", dest="faketreble",
+ default=False)
(options, args) = parser.parse_args()
if not options.libpath:
- sys.exit("Must specify path to host libraries\n" + parser.usage)
+ sys.exit("Must specify path to libsepolwrap library\n" + parser.usage)
if not os.path.exists(options.libpath):
sys.exit("Error: library-path " + options.libpath + " does not exist\n"
+ parser.usage)
- if not options.basepolicy:
- sys.exit("Must specify the current platform-only policy file\n" + parser.usage)
- if not options.mapping:
- sys.exit("Must specify a compatibility mapping file\n" + parser.usage)
- if not options.oldpolicy:
- sys.exit("Must specify the previous monolithic policy file\n" + parser.usage)
if not options.policy:
sys.exit("Must specify current monolithic policy file\n" + parser.usage)
if not os.path.exists(options.policy):
sys.exit("Error: policy file " + options.policy + " does not exist\n"
+ parser.usage)
-
if not options.file_contexts:
sys.exit("Error: Must specify file_contexts file(s)\n" + parser.usage)
for f in options.file_contexts:
@@ -317,12 +353,25 @@
sys.exit("Error: File_contexts file " + f + " does not exist\n" +
parser.usage)
+ # Mapping files are only necessary for the TrebleCompatMapping test
+ if options.tests is None or options.tests is "TrebleCompatMapping":
+ if not options.basepolicy:
+ sys.exit("Must specify the current platform-only policy file\n" + parser.usage)
+ if not options.mapping:
+ sys.exit("Must specify a compatibility mapping file\n" + parser.usage)
+ if not options.oldpolicy:
+ sys.exit("Must specify the previous monolithic policy file\n" + parser.usage)
+ basepol = policy.Policy(options.basepolicy, None, options.libpath)
+ oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
+ mapping = mini_parser.MiniCilParser(options.mapping)
+ compatSetup(basepol, oldpol, mapping)
+
+
+ if options.faketreble:
+ FakeTreble = True
+
pol = policy.Policy(options.policy, options.file_contexts, options.libpath)
setup(pol)
- basepol = policy.Policy(options.basepolicy, None, options.libpath)
- oldpol = policy.Policy(options.oldpolicy, None, options.libpath)
- mapping = mini_parser.MiniCilParser(options.mapping)
- compatSetup(basepol, oldpol, mapping)
if DEBUG:
PrintScontexts()
diff --git a/tools/README b/tools/README
index 6035c03..5e340a0 100644
--- a/tools/README
+++ b/tools/README
@@ -3,6 +3,15 @@
available for help in auditing and analyzing policy. The tools are
described further below.
+build_policies.sh
+ A tool to build SELinux policy for multiple targets in parallel.
+ This is useful for quickly testing a new test or neverallow rule
+ on multiple targets.
+
+ Usage:
+ ./build_policies.sh ~/android/master ~/tmp/build_policies
+ ./build_policies.sh ~/android/master ~/tmp/build_policies sailfish-eng walleye-eng
+
checkfc
A utility for checking the validity of a file_contexts or a
property_contexts configuration file. Used as part of the policy
diff --git a/tools/build_policies.sh b/tools/build_policies.sh
new file mode 100755
index 0000000..77f0fc6
--- /dev/null
+++ b/tools/build_policies.sh
@@ -0,0 +1,90 @@
+#!/bin/bash
+
+# Ensure that GNU parallel is installed.
+# We use this to build multiple targets at the same time.
+if [[ -z $(command -v parallel) ]]; then
+ echo "Please install GNU Parallel."
+ exit
+fi
+
+if [[ $# -lt 2 ]]; then
+ echo "Usage: $0 <Android root directory> <output directory> [specific targets to build]"
+ exit
+fi
+
+android_root_dir=$1
+export out_dir=$2
+shift 2
+all_targets="$@"
+
+echo "Android tree: $android_root_dir"
+echo "Output directory: $out_dir"
+
+mkdir -p $out_dir
+
+cd $android_root_dir
+source build/envsetup.sh > /dev/null
+
+# Collect the list of targets by parsing the output of lunch.
+# TODO: This misses some targets.
+if [[ "$all_targets" = "" ]]; then
+ all_targets=`lunch 2>/dev/null <<< _ | grep "[0-9]" | sed 's/^.* //'`
+fi
+
+# Clean up targets by replacing eng with userdebug using non-aosp variants.
+declare -A targets_map
+for target in $all_targets; do
+ targets_map[$target]=$target
+done
+targets=""
+for target in $all_targets; do
+ clean_target=$(echo $target | sed 's/-eng/-userdebug/' | sed 's/aosp_//')
+ if [[ $clean_target != $target ]] && [[ ${targets_map[$clean_target]} == $clean_target ]]; then
+ echo "Ignoring $target in favor of $clean_target"
+ else
+ if [[ -z $targets ]]; then
+ targets=$target
+ else
+ targets="$targets $target"
+ fi
+ fi
+done
+
+# Calculate the number of targets to build at once.
+# This heuristic could probably be improved.
+cores=$(nproc --all)
+num_targets=$(echo "$targets" | sed 's/ /\n/g' | wc -l)
+parallel_jobs=$(expr $cores / 2)
+if [[ $num_targets -lt $parallel_jobs ]]; then
+ export mmma_jobs=$(expr $cores / $num_targets \* 2)
+else
+ export mmma_jobs=4
+fi
+
+echo "$num_targets target(s): $(echo $targets | paste -sd' ')"
+
+compile_target () {
+ target=$1
+ source build/envsetup.sh > /dev/null
+ lunch $target &> /dev/null
+ # Some targets can't lunch properly.
+ if [ $? -ne 0 ]; then
+ echo "$target cannot be lunched"
+ return 1
+ fi
+ my_out_file="$out_dir/log.$target"
+ rm -f $my_out_file
+ # Build the policy.
+ OUT_DIR=$out_dir/out.$target mmma -j$mmma_jobs system/sepolicy &>> $my_out_file
+ if [ $? -ne 0 ]; then
+ echo "$target failed to build"
+ return 2
+ fi
+ return 0
+}
+export -f compile_target
+
+parallel --no-notice -j $parallel_jobs --bar --joblog $out_dir/joblog compile_target ::: $targets
+
+echo "Failed to lunch: $(grep "\s1\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
+echo "Failed to build: $(grep "\s2\s0\scompile_target" $out_dir/joblog | sed 's/^.* //' | sort | paste -sd' ')"
diff --git a/tools/fc_sort/Android.mk b/tools/fc_sort/Android.mk
index f78d550..6b4ed23 100644
--- a/tools/fc_sort/Android.mk
+++ b/tools/fc_sort/Android.mk
@@ -5,6 +5,7 @@
LOCAL_MODULE := fc_sort
LOCAL_MODULE_TAGS := optional
LOCAL_SRC_FILES := fc_sort.c
+LOCAL_CFLAGS := -Wall -Werror
LOCAL_CXX_STL := none
include $(BUILD_HOST_EXECUTABLE)
diff --git a/tools/fc_sort/fc_sort.c b/tools/fc_sort/fc_sort.c
index 9a3a3ee..c7a4c90 100644
--- a/tools/fc_sort/fc_sort.c
+++ b/tools/fc_sort/fc_sort.c
@@ -38,6 +38,7 @@
char *path;
char *file_type;
char *context;
+ char *extra;
bool_t meta;
int stem_len;
int str_len;
@@ -46,6 +47,9 @@
void file_context_node_destroy(file_context_node_t *x)
{
+ if (!x)
+ return;
+
free(x->path);
free(x->file_type);
free(x->context);
@@ -135,8 +139,6 @@
file_context_node_t *temp;
file_context_node_t *jumpto;
-
-
/* If a is a empty list, and b is not,
* set a as b and proceed to the end. */
if (!a && b)
@@ -164,7 +166,6 @@
fc_compare(a_current->next,
b_current) != -1) {
-
temp = a_current->next;
a_current->next = b_current;
b_current = b_current->next;
@@ -177,7 +178,6 @@
a_current = jumpto;
}
-
/* if there is anything left in b to be inserted,
put it on the end */
if (b_current) {
@@ -209,11 +209,12 @@
*/
void fc_merge_sort(file_context_bucket_t *master)
{
-
-
file_context_bucket_t *current;
file_context_bucket_t *temp;
+ if (!master)
+ return;
+
/* Loop until master is the only bucket left
* so that this will stop when master contains
* the sorted list. */
@@ -222,28 +223,20 @@
/* This loop merges buckets two-by-two. */
while (current) {
-
if (current->next) {
-
current->data =
fc_merge(current->data,
current->next->data);
-
-
temp = current->next;
current->next = current->next->next;
free(temp);
-
}
-
current = current->next;
}
}
-
-
}
@@ -292,19 +285,40 @@
/* If a escape character is found,
* skip the next character. */
c++;
+ break;
default:
- /* If no meta character has been found yet,
- * add one to the stem length. */
- if (!fc_node->meta)
- fc_node->stem_len++;
break;
}
+ /* If no meta character has been found yet,
+ * add one to the stem length. */
+ if (!fc_node->meta)
+ fc_node->stem_len++;
+
fc_node->str_len++;
c++;
}
}
+
+
+/* fc_free_file_context_node_list
+ * Free the memory allocated to the linked list and its elements.
+ */
+void fc_free_file_context_node_list(struct file_context_node *node)
+{
+ struct file_context_node *next;
+
+ while (node) {
+ next = node->next;
+ file_context_node_destroy(node);
+ free(node);
+ node = next;
+ }
+}
+
+
+
/* main
* This program takes in two arguments, the input filename and the
* output filename. The input file should be syntactically correct.
@@ -326,7 +340,6 @@
FILE *in_file, *out_file;
-
/* Check for the correct number of command line arguments. */
if (argc < 2 || argc > 3) {
fprintf(stderr, "Usage: %s <infile> [<outfile>]\n",argv[0]);
@@ -345,55 +358,55 @@
}
/* Initialize the head of the linked list. */
- head = current = (file_context_node_t*)malloc(sizeof(file_context_node_t));
- head->next = NULL;
+ head = current = (file_context_node_t*)calloc(1, sizeof(file_context_node_t));
+ if (!head) {
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ return 1;
+ }
/* Parse the file into a file_context linked list. */
line_buf = NULL;
- buf_len = 0;
while ( getline(&line_buf, &buf_len, in_file) != -1 ){
line_len = strlen(line_buf);
+
if( line_len == 0 || line_len == 1)
continue;
+
/* Get rid of whitespace from the front of the line. */
for (i = 0; i < line_len; i++) {
if (!isspace(line_buf[i]))
break;
}
-
if (i >= line_len)
continue;
+
/* Check if the line isn't empty and isn't a comment */
if (line_buf[i] == '#')
continue;
/* We have a valid line - allocate a new node. */
- temp = (file_context_node_t *)malloc(sizeof(file_context_node_t));
+ temp = (file_context_node_t *)calloc(1, sizeof(file_context_node_t));
if (!temp) {
+ free(line_buf);
fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
return 1;
}
- temp->next = NULL;
- memset(temp, 0, sizeof(file_context_node_t));
/* Parse out the regular expression from the line. */
start = i;
-
while (i < line_len && (!isspace(line_buf[i])))
i++;
finish = i;
-
regex_len = finish - start;
if (regex_len == 0) {
file_context_node_destroy(temp);
free(temp);
-
-
continue;
}
@@ -401,13 +414,14 @@
if (!temp->path) {
file_context_node_destroy(temp);
free(temp);
+ free(line_buf);
fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
return 1;
}
/* Get rid of whitespace after the regular expression. */
for (; i < line_len; i++) {
-
if (!isspace(line_buf[i]))
break;
}
@@ -419,18 +433,21 @@
}
/* Parse out the type from the line (if it
- * is there). */
+ * is there). */
if (line_buf[i] == '-') {
temp->file_type = (char *)malloc(sizeof(char) * 3);
if (!(temp->file_type)) {
+ file_context_node_destroy(temp);
+ free(temp);
+ free(line_buf);
fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
return 1;
}
if( i + 2 >= line_len ) {
file_context_node_destroy(temp);
free(temp);
-
continue;
}
@@ -447,7 +464,6 @@
}
if (i == line_len) {
-
file_context_node_destroy(temp);
free(temp);
continue;
@@ -466,16 +482,42 @@
if (!temp->context) {
file_context_node_destroy(temp);
free(temp);
+ free(line_buf);
fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
return 1;
}
+ /* Get rid of whitespace after the context. */
+ for (; i < line_len; i++) {
+ if (!isspace(line_buf[i]))
+ break;
+ }
+
+ /* Parse out the extra from the line. */
+ start = i;
+ finish = line_len;
+ while (start < finish && (!isspace(line_buf[i - 1])))
+ finish--;
+
+ if (start < finish && line_buf[start] != '#') {
+ temp->extra = (char*)strndup(&line_buf[start], finish - start);
+ if (!(temp->extra)) {
+ file_context_node_destroy(temp);
+ free(temp);
+ free(line_buf);
+ fprintf(stderr, "Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
+ return 1;
+ }
+ }
+
/* Set all the data about the regular
- * expression. */
+ * expression. */
fc_fill_data(temp);
/* Link this line of code at the end of
- * the linked list. */
+ * the linked list. */
current->next = temp;
current = current->next;
lines++;
@@ -485,10 +527,15 @@
/* Create the bucket linked list from the earlier linked list. */
current = head->next;
- free(head);
bcurrent = master =
(file_context_bucket_t *)
malloc(sizeof(file_context_bucket_t));
+ if (!bcurrent) {
+ printf
+ ("Error: failure allocating memory.\n");
+ fc_free_file_context_node_list(head);
+ return -1;
+ }
bcurrent->next = NULL;
bcurrent->data = NULL;
@@ -509,25 +556,33 @@
if (!(bcurrent->next)) {
printf
("Error: failure allocating memory.\n");
+ free(head);
+ fc_free_file_context_node_list(current);
+ fc_merge_sort(master);
+ fc_free_file_context_node_list(master->data);
+ free(master);
return -1;
}
/* Make sure the new bucket thinks it's the end of the
- * list. */
+ * list. */
bcurrent->next->next = NULL;
bcurrent = bcurrent->next;
}
-
}
/* Sort the bucket list. */
fc_merge_sort(master);
+ free(head);
+
/* Open the output file. */
if (output_name) {
if (!(out_file = fopen(output_name, "w"))) {
printf("Error: failure opening output file for write.\n");
+ fc_free_file_context_node_list(master->data);
+ free(master);
return -1;
}
} else {
@@ -536,6 +591,7 @@
/* Output the sorted file_context linked list to the output file. */
current = master->data;
+
while (current) {
/* Output the path. */
fprintf(out_file, "%s\t\t", current->path);
@@ -546,16 +602,19 @@
}
/* Output the context. */
- fprintf(out_file, "%s\n", current->context);
+ fprintf(out_file, "%s", current->context);
- /* Remove the node. */
- temp = current;
+ /* Output the extra, if there is one. */
+ if (current->extra) {
+ fprintf(out_file, "\t%s", current->extra);
+ }
+
+ fprintf(out_file, "\n");
+
current = current->next;
-
- file_context_node_destroy(temp);
- free(temp);
-
}
+
+ fc_free_file_context_node_list(master->data);
free(master);
if (output_name) {
diff --git a/tools/sepolicy-analyze/Android.mk b/tools/sepolicy-analyze/Android.mk
index 6d8eb5a..56204a5 100644
--- a/tools/sepolicy-analyze/Android.mk
+++ b/tools/sepolicy-analyze/Android.mk
@@ -10,6 +10,6 @@
LOCAL_STATIC_LIBRARIES := libsepol
LOCAL_CXX_STL := none
-LOCAL_COMPATIBILITY_SUITE := cts gts vts sts
+LOCAL_COMPATIBILITY_SUITE := ats cts gts vts sts
include $(BUILD_HOST_EXECUTABLE)
diff --git a/tools/sepolicy-analyze/neverallow.c b/tools/sepolicy-analyze/neverallow.c
index 26ce144..25e6a0c 100644
--- a/tools/sepolicy-analyze/neverallow.c
+++ b/tools/sepolicy-analyze/neverallow.c
@@ -258,6 +258,7 @@
node->next = classperms;
classperms = node;
free(id);
+ id = NULL;
} while (p < end && openparens);
if (p == end)
@@ -325,6 +326,8 @@
if (!strcmp(id, "*")) {
for (node = classperms; node; node = node->next)
node->data = ~0;
+ free(id);
+ id = NULL;
continue;
}
@@ -341,6 +344,7 @@
node->data |= 1U << (perm->s.value - 1);
}
free(id);
+ id = NULL;
} while (p < end && openparens);
if (p == end)
@@ -361,6 +365,12 @@
*ptr = p;
return 0;
err:
+ // free classperms memory
+ for (node = classperms; node; ) {
+ class_perm_node_t *freeptr = node;
+ node = node->next;
+ free(freeptr);
+ }
return -1;
}
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
new file mode 100644
index 0000000..5f419d1
--- /dev/null
+++ b/treble_sepolicy_tests_for_release.mk
@@ -0,0 +1,104 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+# For Treble builds run tests verifying that processes are properly labeled and
+# permissions granted do not violate the treble model. Also ensure that treble
+# compatibility guarantees are upheld between SELinux version bumps.
+LOCAL_MODULE := treble_sepolicy_tests_$(version)
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# $(version)_plat - the platform policy shipped as part of the $(version) release. This is
+# built to enable us to determine the diff between the current policy and the
+# $(version) policy, which will be used in tests to make sure that compatibility has
+# been maintained by our mapping files.
+$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
+$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
+$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
+$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$($(version)_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$($(version)_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$($(version)_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$($(version)_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$($(version)_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$($(version)_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$($(version)_plat_policy.conf): $(call build_policy, $(sepolicy_build_files), \
+$($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+
+built_$(version)_plat_sepolicy := $(intermediates)/built_$(version)_plat_sepolicy
+$(built_$(version)_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, technical_debt.cil , $($(version)_PLAT_PRIVATE_POLICY))
+$(built_$(version)_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_$(version)_plat_sepolicy): $($(version)_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, technical_debt.cil, $($(version)_PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+$(version)_plat_policy.conf :=
+
+
+# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
+# targeting the $(version) SELinux release. This ensures that our policy will build
+# when used on a device that has non-platform policy targetting the $(version) release.
+$(version)_compat := $(intermediates)/$(version)_compat
+$(version)_mapping.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).cil
+$(version)_mapping.ignore.cil := $(LOCAL_PATH)/private/compat/$(version)/$(version).ignore.cil
+$(version)_nonplat := $(LOCAL_PATH)/prebuilts/api/$(version)/nonplat_sepolicy.cil
+$($(version)_compat): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+# $(version)_mapping.combined.cil - a combination of the mapping file used when
+# combining the current platform policy with nonplatform policy based on the
+# $(version) policy release and also a special ignored file that exists purely for
+# these tests.
+$(version)_mapping.combined.cil := $(intermediates)/$(version)_mapping.combined.cil
+$($(version)_mapping.combined.cil): $($(version)_mapping.cil) $($(version)_mapping.ignore.cil)
+ mkdir -p $(dir $@)
+ cat $^ > $@
+
+treble_sepolicy_tests_$(version) := $(intermediates)/treble_sepolicy_tests_$(version)
+$(treble_sepolicy_tests_$(version)): ALL_FC_ARGS := $(all_fc_args)
+$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(treble_sepolicy_tests_$(version)): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
+$(treble_sepolicy_tests_$(version)): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
+$(treble_sepolicy_tests_$(version)): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
+$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE := --fake-treble
+else
+$(treble_sepolicy_tests_$(version)): PRIVATE_FAKE_TREBLE :=
+endif
+$(treble_sepolicy_tests_$(version)): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
+ $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+ $(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+ $(PRIVATE_FAKE_TREBLE)
+ $(hide) touch $@
+
+$(version)_PLAT_PUBLIC_POLICY :=
+$(version)_PLAT_PRIVATE_POLICY :=
+$(version)_compat :=
+$(version)_mapping.cil :=
+$(version)_mapping.combined.cil :=
+$(version)_mapping.ignore.cil :=
+$(version)_nonplat :=
+built_$(version)_plat_sepolicy :=
+version :=
+version_under_treble_tests :=
diff --git a/vendor/bug_map b/vendor/bug_map
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/vendor/bug_map
diff --git a/vendor/file.te b/vendor/file.te
index 3350b1e..0b1fd74 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -1,2 +1,2 @@
-# Socket types
-type hostapd_socket, file_type, data_file_type;
+type hostapd_data_file, file_type, data_file_type;
+type wpa_data_file, file_type, data_file_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 522e4bf..22f0dbb 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -2,12 +2,18 @@
# Default HALs
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.0-service u:object_r:hal_evs_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-service u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_bootctl_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@1\.1-service u:object_r:hal_broadcastradio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service_64 u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.4-external-service u:object_r:hal_camera_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.configstore@1\.[0-9]+-service u:object_r:hal_configstore_default_exec:s0
+/(vendor|sustem/vendor)/bin/hw/android\.hardware\.confirmationui@1\.0-service u:object_r:hal_confirmationui_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.0-service u:object_r:hal_drm_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.0-service u:object_r:hal_cas_default_exec:s0
@@ -16,15 +22,24 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.2-service u:object_r:hal_graphics_composer_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@1\.0-service u:object_r:hal_health_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service u:object_r:hal_keymaster_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service u:object_r:hal_keymaster_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-sap-service u:object_r:hal_radio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
@@ -34,8 +49,8 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.vr@1\.0-service u:object_r:hal_vr_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi\.offload@1\.0-service u:object_r:hal_wifi_offload_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service u:object_r:hal_wifi_default_exec:s0
+/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
-/(vendor|system/vendor)/bin/hostapd u:object_r:hostapd_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
@@ -48,4 +63,5 @@
#############################
# Data files
#
-/data/misc/wifi/hostapd(/.*)? u:object_r:hostapd_socket:s0
+/data/vendor/wifi/hostapd(/.*)? u:object_r:hostapd_data_file:s0
+/data/vendor/wifi/wpa(/.*)? u:object_r:wpa_data_file:s0
diff --git a/vendor/hal_audiocontrol_default.te b/vendor/hal_audiocontrol_default.te
new file mode 100644
index 0000000..d1940c9
--- /dev/null
+++ b/vendor/hal_audiocontrol_default.te
@@ -0,0 +1,7 @@
+# audiocontrol subsystem
+type hal_audiocontrol_default, domain;
+hal_server_domain(hal_audiocontrol_default, hal_audiocontrol)
+
+# may be started by init
+type hal_audiocontrol_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_audiocontrol_default)
diff --git a/vendor/hal_authsecret_default.te b/vendor/hal_authsecret_default.te
new file mode 100644
index 0000000..46f5291
--- /dev/null
+++ b/vendor/hal_authsecret_default.te
@@ -0,0 +1,5 @@
+type hal_authsecret_default, domain;
+hal_server_domain(hal_authsecret_default, hal_authsecret)
+
+type hal_authsecret_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_authsecret_default)
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 239e5c1..5bc4a61 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -5,3 +5,7 @@
init_daemon_domain(hal_camera_default)
allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
+
+# For collecting bugreports.
+allow hal_camera_default dumpstate:fd use;
+allow hal_camera_default dumpstate:fifo_file write;
diff --git a/vendor/hal_cas_default.te b/vendor/hal_cas_default.te
index c7a858c..fc548bf 100644
--- a/vendor/hal_cas_default.te
+++ b/vendor/hal_cas_default.te
@@ -4,3 +4,5 @@
type hal_cas_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_cas_default)
+# Allow CAS HAL's default implementation to use vendor-binder service
+vndbinder_use(hal_cas_default);
diff --git a/vendor/hal_confirmationui_default.te b/vendor/hal_confirmationui_default.te
new file mode 100644
index 0000000..832c687
--- /dev/null
+++ b/vendor/hal_confirmationui_default.te
@@ -0,0 +1,5 @@
+type hal_confirmationui_default, domain;
+hal_server_domain(hal_confirmationui_default, hal_confirmationui)
+
+type hal_confirmationui_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_confirmationui_default)
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index b79c3b5..0dac075 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,5 @@
allow hal_drm_default mediacodec:fd use;
allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+allow hal_drm_default hal_allocator_server:fd use;
diff --git a/vendor/hal_evs_default.te b/vendor/hal_evs_default.te
new file mode 100644
index 0000000..b927f1e
--- /dev/null
+++ b/vendor/hal_evs_default.te
@@ -0,0 +1,10 @@
+# evs_mock mock hardware driver service
+type hal_evs_default, domain;
+hal_server_domain(hal_evs_default, hal_evs)
+
+# allow init to launch processes in this context
+type hal_evs_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_evs_default)
+
+allow hal_evs_default hal_graphics_allocator_default:fd use;
+
diff --git a/vendor/hal_graphics_allocator_default.te b/vendor/hal_graphics_allocator_default.te
index 5afa2b5..3d97ed0 100644
--- a/vendor/hal_graphics_allocator_default.te
+++ b/vendor/hal_graphics_allocator_default.te
@@ -3,3 +3,6 @@
type hal_graphics_allocator_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_allocator_default)
+
+# b/70180742
+dontaudit hal_graphics_allocator_default unlabeled:dir search;
diff --git a/vendor/hal_graphics_composer_default.te b/vendor/hal_graphics_composer_default.te
index 47343d9..72d781d 100644
--- a/vendor/hal_graphics_composer_default.te
+++ b/vendor/hal_graphics_composer_default.te
@@ -3,3 +3,6 @@
type hal_graphics_composer_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_graphics_composer_default)
+
+# b/68864350
+dontaudit hal_graphics_composer_default unlabeled:dir search;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 82a5a20..6f0d82a 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,5 @@
type hal_keymaster_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_keymaster_default)
+
+get_prop(hal_keymaster_default, vendor_security_patch_level_prop);
diff --git a/vendor/hal_lowpan_default.te b/vendor/hal_lowpan_default.te
new file mode 100644
index 0000000..a49bf24
--- /dev/null
+++ b/vendor/hal_lowpan_default.te
@@ -0,0 +1,5 @@
+type hal_lowpan_default, domain;
+type hal_lowpan_default_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_lowpan_default, hal_lowpan)
+init_daemon_domain(hal_lowpan_default)
diff --git a/vendor/hal_radio_config_default.te b/vendor/hal_radio_config_default.te
new file mode 100644
index 0000000..ccbe5bf
--- /dev/null
+++ b/vendor/hal_radio_config_default.te
@@ -0,0 +1,6 @@
+type hal_radio_config_default, domain;
+hal_server_domain(hal_radio_config_default, hal_telephony)
+
+type hal_radio_config_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_config_default)
+
diff --git a/vendor/hal_radio_default.te b/vendor/hal_radio_default.te
new file mode 100644
index 0000000..82fd40e
--- /dev/null
+++ b/vendor/hal_radio_default.te
@@ -0,0 +1,6 @@
+type hal_radio_default, domain;
+hal_server_domain(hal_radio_default, hal_telephony)
+
+type hal_radio_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_radio_default)
+
diff --git a/vendor/hal_secure_element_default.te b/vendor/hal_secure_element_default.te
new file mode 100644
index 0000000..b1a94a1
--- /dev/null
+++ b/vendor/hal_secure_element_default.te
@@ -0,0 +1,7 @@
+type hal_secure_element_default, domain;
+hal_server_domain(hal_secure_element_default, hal_secure_element)
+type hal_secure_element_default_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+
+init_daemon_domain(hal_secure_element_default)
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
new file mode 100644
index 0000000..e605ecb
--- /dev/null
+++ b/vendor/hal_vehicle_default.te
@@ -0,0 +1,7 @@
+# vehicle subsystem
+type hal_vehicle_default, domain;
+hal_server_domain(hal_vehicle_default, hal_vehicle)
+
+# may be started by init
+type hal_vehicle_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vehicle_default)
diff --git a/vendor/hal_wifi_hostapd_default.te b/vendor/hal_wifi_hostapd_default.te
new file mode 100644
index 0000000..1e0dcb8
--- /dev/null
+++ b/vendor/hal_wifi_hostapd_default.te
@@ -0,0 +1,12 @@
+# hostapd or equivalent
+type hal_wifi_hostapd_default, domain;
+hal_server_domain(hal_wifi_hostapd_default, hal_wifi_hostapd)
+type hal_wifi_hostapd_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_wifi_hostapd_default)
+
+net_domain(hal_wifi_hostapd_default)
+
+# Allow hostapd to access it's data folder
+allow hal_wifi_hostapd_default hostapd_data_file:dir create_dir_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:file create_file_perms;
+allow hal_wifi_hostapd_default hostapd_data_file:sock_file create_file_perms;
diff --git a/vendor/hal_wifi_supplicant_default.te b/vendor/hal_wifi_supplicant_default.te
index 8d7069c..a446721 100644
--- a/vendor/hal_wifi_supplicant_default.te
+++ b/vendor/hal_wifi_supplicant_default.te
@@ -8,7 +8,25 @@
# Create a socket for receiving info from wpa
type_transition hal_wifi_supplicant_default wifi_data_file:dir wpa_socket "sockets";
+# Allow wpa_supplicant to configure nl80211
+allow hal_wifi_supplicant_default proc_net:file write;
+
# Allow wpa_supplicant to talk to Wifi Keystore HwBinder service.
hwbinder_use(hal_wifi_supplicant_default)
allow hal_wifi_supplicant_default system_wifi_keystore_hwservice:hwservice_manager find;
binder_call(hal_wifi_supplicant_default, wifi_keystore_service_server)
+
+allow hal_wifi_supplicant_default wpa_data_file:dir create_dir_perms;
+allow hal_wifi_supplicant_default wpa_data_file:file create_file_perms;
+allow hal_wifi_supplicant_default wpa_data_file:sock_file create_file_perms;
+
+# Write to security logs for audit.
+get_prop(hal_wifi_supplicant_default, device_logging_prop)
+
+# Devices upgrading to P may grant this permission in device-specific
+# policy along with the data_between_core_and_vendor_violators
+# attribute needed for an exemption. However, devices that launch with
+# P should use /data/vendor/wifi, which is already granted in core
+# policy. This is dontaudited here to avoid conditional
+# device-specific behavior in wpa_supplicant.
+dontaudit hal_wifi_supplicant_default wifi_data_file:dir search;
diff --git a/vendor/hostapd.te b/vendor/hostapd.te
deleted file mode 100644
index 2c62cf0..0000000
--- a/vendor/hostapd.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# userspace wifi access points
-type hostapd, domain;
-type hostapd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(hostapd)
-
-net_domain(hostapd)
-allow hostapd self:capability { net_admin net_raw };
-
-# hostapd learns about its network interface via sysfs.
-allow hostapd sysfs:file r_file_perms;
-# hostapd follows the /sys/class/net/wlan0 link to the PCI device.
-allow hostapd sysfs:lnk_file r_file_perms;
-
-# Allow hostapd to access /proc/net/psched
-allow hostapd proc_net:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hostapd self:udp_socket ioctl priv_sock_ioctls;
-allow hostapd self:netlink_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hostapd self:packet_socket create_socket_perms_no_ioctl;
-allow hostapd self:netlink_route_socket nlmsg_write;
-
-# hostapd can read and write WiFi related data and configuration.
-# For example, the entropy file is periodically updated.
-allow hostapd wifi_data_file:file rw_file_perms;
-r_dir_file(hostapd, wifi_data_file)
-
-# hostapd wants to create the directory holding its control socket.
-allow hostapd hostapd_socket:dir create_dir_perms;
-# hostapd needs to create, bind to, read, and write its control socket.
-allow hostapd hostapd_socket:sock_file create_file_perms;
diff --git a/vendor/rild.te b/vendor/rild.te
index 510a776..fc84ef7 100644
--- a/vendor/rild.te
+++ b/vendor/rild.te
@@ -1,3 +1,8 @@
+# rild - radio interface layer daemon
+type rild, domain;
+hal_server_domain(rild, hal_telephony)
+net_domain(rild)
+
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
type rild_exec, exec_type, vendor_file_type, file_type;
diff --git a/vendor/tee.te b/vendor/tee.te
index 348d715..4b2e6c7 100644
--- a/vendor/tee.te
+++ b/vendor/tee.te
@@ -4,7 +4,7 @@
type tee_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(tee)
-allow tee self:capability { dac_override };
+allow tee self:global_capability_class_set { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:file create_file_perms;
@@ -14,4 +14,4 @@
r_dir_file(tee, sysfs_type)
allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+allow tee system_data_file:lnk_file { getattr read };
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index b8a1edb..7689ca5 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -4,7 +4,7 @@
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
-allow vendor_modprobe self:capability sys_module;
+allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;
allow vendor_modprobe { vendor_file }:system module_load;
diff --git a/vendor/vndservicemanager.te b/vendor/vndservicemanager.te
index f956af8..dbc88fa 100644
--- a/vendor/vndservicemanager.te
+++ b/vendor/vndservicemanager.te
@@ -6,7 +6,7 @@
allow vndservicemanager self:binder set_context_mgr;
# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
-allow vndservicemanager { domain -coredomain -init }:binder transfer;
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
