Snap for 8426163 from 82d397e19dd3f6a37e38da22d7ab10e4f2922642 to mainline-tzdata2-release
Change-Id: I226941f81a4823f780cc87b3dd90c5fadbc3af0d
diff --git a/Android.bp b/Android.bp
index 3afa1d1..8705622 100644
--- a/Android.bp
+++ b/Android.bp
@@ -12,36 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package {
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-// Added automatically by a large-scale-change that took the approach of
-// 'apply every license found to every target'. While this makes sure we respect
-// every license restriction, it may not be entirely correct.
-//
-// e.g. GPL in an MIT project might only apply to the contrib/ directory.
-//
-// Please consider splitting the single license below into multiple licenses,
-// taking care not to lose any license_kind information, and overriding the
-// default license using the 'licenses: [...]' property on targets as needed.
-//
-// For unused files, consider creating a 'filegroup' with "//visibility:private"
-// to attach the license to, and including a comment whether the files may be
-// used in the current project.
-// http://go/android-license-faq
-license {
- name: "system_sepolicy_license",
- visibility: [":__subpackages__"],
- license_kinds: [
- "SPDX-license-identifier-Apache-2.0",
- "legacy_unencumbered",
- ],
- license_text: [
- "NOTICE",
- ],
-}
-
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
se_filegroup {
@@ -73,48 +43,6 @@
}
se_filegroup {
- name: "30.0.board.compat.map",
- srcs: [
- "compat/30.0/30.0.cil",
- ],
-}
-
-se_filegroup {
- name: "26.0.board.compat.cil",
- srcs: [
- "compat/26.0/26.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "27.0.board.compat.cil",
- srcs: [
- "compat/27.0/27.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "28.0.board.compat.cil",
- srcs: [
- "compat/28.0/28.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "29.0.board.compat.cil",
- srcs: [
- "compat/29.0/29.0.compat.cil",
- ],
-}
-
-se_filegroup {
- name: "30.0.board.compat.cil",
- srcs: [
- "compat/30.0/30.0.compat.cil",
- ],
-}
-
-se_filegroup {
name: "26.0.board.ignore.map",
srcs: [
"compat/26.0/26.0.ignore.cil",
@@ -142,13 +70,6 @@
],
}
-se_filegroup {
- name: "30.0.board.ignore.map",
- srcs: [
- "compat/30.0/30.0.ignore.cil",
- ],
-}
-
se_cil_compat_map {
name: "plat_26.0.cil",
stem: "26.0.cil",
@@ -174,14 +95,7 @@
name: "plat_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- top_half: "plat_30.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- // top_half: "plat_31.0.cil",
+ // top_half: "plat_30.0.cil",
}
se_cil_compat_map {
@@ -212,15 +126,7 @@
name: "system_ext_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- top_half: "system_ext_30.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- // top_half: "system_ext_31.0.cil",
+ // top_half: "system_ext_30.0.cil",
system_ext_specific: true,
}
@@ -252,15 +158,7 @@
name: "product_29.0.cil",
stem: "29.0.cil",
bottom_half: [":29.0.board.compat.map"],
- top_half: "product_30.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- // top_half: "product_31.0.cil",
+ // top_half: "product_30.0.cil",
product_specific: true,
}
@@ -285,87 +183,31 @@
se_cil_compat_map {
name: "29.0.ignore.cil",
bottom_half: [":29.0.board.ignore.map"],
- top_half: "30.0.ignore.cil",
+ // top_half: "30.0.ignore.cil",
}
-se_cil_compat_map {
- name: "30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- // top_half: "31.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- // top_half: "system_ext_31.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- // top_half: "product_31.0.ignore.cil",
- product_specific: true,
-}
-
-se_compat_cil {
+prebuilt_etc {
name: "26.0.compat.cil",
- srcs: [":26.0.board.compat.cil"],
+ src: "private/compat/26.0/26.0.compat.cil",
+ sub_dir: "selinux/mapping",
}
-se_compat_cil {
+prebuilt_etc {
name: "27.0.compat.cil",
- srcs: [":27.0.board.compat.cil"],
+ src: "private/compat/27.0/27.0.compat.cil",
+ sub_dir: "selinux/mapping",
}
-se_compat_cil {
+prebuilt_etc {
name: "28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
+ src: "private/compat/28.0/28.0.compat.cil",
+ sub_dir: "selinux/mapping",
}
-se_compat_cil {
+prebuilt_etc {
name: "29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "system_ext_26.0.compat.cil",
- srcs: [":26.0.board.compat.cil"],
- stem: "26.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_27.0.compat.cil",
- srcs: [":27.0.board.compat.cil"],
- stem: "27.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
- stem: "28.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
- stem: "29.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
- stem: "30.0.compat.cil",
- system_ext_specific: true,
+ src: "private/compat/29.0/29.0.compat.cil",
+ sub_dir: "selinux/mapping",
}
se_filegroup {
@@ -398,11 +240,6 @@
srcs: ["service_contexts"],
}
-se_filegroup {
- name: "keystore2_key_contexts_files",
- srcs: ["keystore2_key_contexts"],
-}
-
file_contexts {
name: "plat_file_contexts",
srcs: [":file_contexts_files"],
@@ -539,451 +376,11 @@
soc_specific: true,
}
-keystore2_key_contexts {
- name: "plat_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
-}
-
-keystore2_key_contexts {
- name: "system_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- system_ext_specific: true,
-}
-
-keystore2_key_contexts {
- name: "product_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- product_specific: true,
-}
-
-keystore2_key_contexts {
- name: "vendor_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files"],
- reqd_mask: true,
- soc_specific: true,
-}
-
// For vts_treble_sys_prop_test
filegroup {
- name: "private_property_contexts",
- srcs: ["private/property_contexts"],
+ name: "public_property_contexts",
+ srcs: ["public/property_contexts"],
visibility: [
"//test/vts-testcase/security/system_property",
],
}
-
-se_build_files {
- name: "se_build_files",
- srcs: [
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
- ],
-}
-
-// reqd_policy_mask - a policy.conf file which contains only the bare minimum
-// policy necessary to use checkpolicy.
-//
-// This bare-minimum policy needs to be present in all policy.conf files, but
-// should not necessarily be exported as part of the public policy.
-//
-// The rules generated by reqd_policy_mask will allow the compilation of public
-// policy and subsequent removal of CIL policy that should not be exported.
-se_policy_conf {
- name: "reqd_policy_mask.conf",
- srcs: [":se_build_files{.reqd_mask}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask.cil",
- src: ":reqd_policy_mask.conf",
- secilc_check: false,
- installable: false,
-}
-
-// pub_policy - policy that will be exported to be a part of non-platform
-// policy corresponding to this platform version.
-//
-// This is a limited subset of policy that would not compile in checkpolicy on
-// its own.
-//
-// To get around this limitation, add only the required files from private
-// policy, which will generate CIL policy that will then be filtered out by the
-// reqd_policy_mask.
-//
-// There are three pub_policy.cil files below:
-// - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
-// - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
-// - plat_pub_policy.cil: exported 'system' policy.
-//
-// Those above files will in turn be used to generate the following versioned cil files:
-// - product_mapping_file: the versioned, exported 'product' policy in product partition.
-// - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
-// - plat_mapping_file: the versioned, exported 'system' policy in system partition.
-// - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system' policy
-// in vendor partition.
-//
-se_policy_conf {
- name: "pub_policy.conf",
- srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy.cil",
- src: ":pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "system_ext_pub_policy.conf",
- srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
- installable: false,
-}
-
-se_policy_cil {
- name: "system_ext_pub_policy.cil",
- src: ":system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "plat_pub_policy.conf",
- srcs: [":se_build_files{.plat_public}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_pub_policy.cil",
- src: ":plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-// plat_policy.conf - A combination of the private and public platform policy
-// which will ship with the device.
-//
-// The platform will always reflect the most recent platform version and is not
-// currently being attributized.
-se_policy_conf {
- name: "plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_sepolicy.cil",
- src: ":plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
-}
-
-// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
-se_policy_conf {
- name: "userdebug_plat_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- build_variant: "userdebug",
- installable: false,
-}
-
-se_policy_cil {
- name: "userdebug_plat_sepolicy.cil",
- src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- debug_ramdisk: true,
-}
-
-// system_ext_policy.conf - A combination of the private and public system_ext
-// policy which will ship with the device. System_ext policy is not attributized
-se_policy_conf {
- name: "system_ext_sepolicy.conf",
- srcs: [":se_build_files{.system_ext}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "system_ext_sepolicy.cil",
- src: ":system_ext_sepolicy.conf",
- system_ext_specific: true,
- filter_out: [":plat_sepolicy.cil"],
- remove_line_marker: true,
-}
-
-// product_policy.conf - A combination of the private and public product policy
-// which will ship with the device. Product policy is not attributized
-se_policy_conf {
- name: "product_sepolicy.conf",
- srcs: [":se_build_files{.product}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "product_sepolicy.cil",
- src: ":product_sepolicy.conf",
- product_specific: true,
- filter_out: [":plat_sepolicy.cil", ":system_ext_sepolicy.cil"],
- remove_line_marker: true,
-}
-
-// policy mapping files
-// auto-generate the mapping file for current platform policy, since it needs to
-// track platform policy development
-se_versioned_policy {
- name: "plat_mapping_file",
- base: ":plat_pub_policy.cil",
- mapping: true,
- version: "current",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
-}
-
-se_versioned_policy {
- name: "system_ext_mapping_file",
- base: ":system_ext_pub_policy.cil",
- mapping: true,
- version: "current",
- filter_out: [":plat_mapping_file"],
- relative_install_path: "mapping", // install to /system_ext/etc/selinux/mapping
- system_ext_specific: true,
-}
-
-se_versioned_policy {
- name: "product_mapping_file",
- base: ":pub_policy.cil",
- mapping: true,
- version: "current",
- filter_out: [":plat_mapping_file", ":system_ext_mapping_file"],
- relative_install_path: "mapping", // install to /product/etc/selinux/mapping
- product_specific: true,
-}
-
-// plat_pub_versioned.cil - the exported platform policy associated with the version
-// that non-platform policy targets.
-se_versioned_policy {
- name: "plat_pub_versioned.cil",
- base: ":pub_policy.cil",
- target_policy: ":pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- vendor: true,
-}
-
-//////////////////////////////////
-// Precompiled sepolicy is loaded if and only if:
-// - plat_sepolicy_and_mapping.sha256 equals
-// precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-// AND
-// - system_ext_sepolicy_and_mapping.sha256 equals
-// precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-// AND
-// - product_sepolicy_and_mapping.sha256 equals
-// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-// See system/core/init/selinux.cpp for details.
-//////////////////////////////////
-genrule {
- name: "plat_sepolicy_and_mapping.sha256_gen",
- srcs: [":plat_sepolicy.cil", ":plat_mapping_file"],
- out: ["plat_sepolicy_and_mapping.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "plat_sepolicy_and_mapping.sha256",
- filename: "plat_sepolicy_and_mapping.sha256",
- src: ":plat_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
-}
-
-genrule {
- name: "system_ext_sepolicy_and_mapping.sha256_gen",
- srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
- out: ["system_ext_sepolicy_and_mapping.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "system_ext_sepolicy_and_mapping.sha256",
- filename: "system_ext_sepolicy_and_mapping.sha256",
- src: ":system_ext_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
- system_ext_specific: true,
-}
-
-genrule {
- name: "product_sepolicy_and_mapping.sha256_gen",
- srcs: [":product_sepolicy.cil", ":product_mapping_file"],
- out: ["product_sepolicy_and_mapping.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "product_sepolicy_and_mapping.sha256",
- filename: "product_sepolicy_and_mapping.sha256",
- src: ":product_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
- product_specific: true,
-}
-
-sepolicy_vers {
- name: "plat_sepolicy_vers.txt",
- version: "vendor",
- vendor: true,
-}
-
-soong_config_module_type {
- name: "precompiled_sepolicy_defaults",
- module_type: "prebuilt_defaults",
- config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE"],
- properties: ["vendor", "device_specific"],
-}
-
-precompiled_sepolicy_defaults {
- name: "precompiled_sepolicy",
- soong_config_variables: {
- BOARD_USES_ODMIMAGE: {
- device_specific: true,
- conditions_default: {
- vendor: true,
- },
- },
- },
-}
-
-//////////////////////////////////
-// SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
-// which precompiled_policy was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
- name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- src: ":plat_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
-}
-
-//////////////////////////////////
-// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
-// which precompiled_policy was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
- name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
- filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
- src: ":system_ext_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
-}
-
-//////////////////////////////////
-// SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
-// which precompiled_policy was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy"],
- name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
- filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
- src: ":product_sepolicy_and_mapping.sha256_gen",
- relative_install_path: "selinux",
-}
-
-
-//////////////////////////////////
-// SELinux policy embedded into CTS.
-// CTS checks neverallow rules of this policy against the policy of the device under test.
-//////////////////////////////////
-se_policy_conf {
- name: "general_sepolicy.conf",
- srcs: [":se_build_files{.plat}"],
- build_variant: "user",
- cts: true,
- exclude_build_test: true,
-}
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":plat_mapping_file",
- ],
- installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: [":se_build_files{.plat_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":plat_mapping_file",
- ],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
-}
-
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
-}
diff --git a/Android.mk b/Android.mk
index d9c5b3c..f545b41 100644
--- a/Android.mk
+++ b/Android.mk
@@ -52,25 +52,11 @@
PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/private
PLAT_VENDOR_POLICY := $(LOCAL_PATH)/vendor
REQD_MASK_POLICY := $(LOCAL_PATH)/reqd_mask
-
-SYSTEM_EXT_PUBLIC_POLICY := $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PUBLIC_SEPOLICY_DIR))
- # TODO: Disallow BOARD_PLAT_*
- SYSTEM_EXT_PUBLIC_POLICY += $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
-endif
-SYSTEM_EXT_PRIVATE_POLICY := $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS)
-ifneq (,$(BOARD_PLAT_PRIVATE_SEPOLICY_DIR))
- # TODO: Disallow BOARD_PLAT_*
- SYSTEM_EXT_PRIVATE_POLICY += $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
-endif
-
+SYSTEM_EXT_PUBLIC_POLICY := $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR)
+SYSTEM_EXT_PRIVATE_POLICY := $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR)
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
-# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
-FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
-FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
-
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -95,51 +81,6 @@
BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
endif
-# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-# policy files of platform (system, system_ext, product) can't be mixed with
-# policy files of vendor (vendor, odm). If it's the case, platform policies and
-# vendor policies are separately built. More specifically,
-#
-# - Platform policy files needed to build vendor policies, such as plat_policy,
-# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-#
-# - sepolicy_neverallows only checks platform policies, and a new module
-# sepolicy_neverallows_vendor checks vendor policies.
-#
-# - neverallow checks are turned off while compiling precompiled_sepolicy module
-# and sepolicy module.
-#
-# - Vendor policies are not checked on the compat test (compat.mk).
-#
-# In such scenario, we can grab platform policy files from the prebuilts/api
-# directory. But we need more than that: prebuilts of system_ext, product,
-# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
-# are introduced to specify such prebuilts.
-#
-# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-#
-# Vendors are responsible for copying policy files from the old version of the
-# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
-# be used to build vendor policies. See prebuilt_policy.mk for more details.
-#
-# To support both mixed build and normal build, platform policy files are
-# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
-# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
-# for more details.
-#
-# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
-ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
-mixed_sepolicy_build := true
-else
-mixed_sepolicy_build :=
-endif
-
NEVERALLOW_ARG :=
ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
ifeq ($(TARGET_BUILD_VARIANT),user)
@@ -159,21 +100,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += $(BOARD_SEPOLICY_DIRS)
endif
-# Set default values for these prebuilt directories
-ifeq (,$(BOARD_REQD_MASK_POLICY))
-BOARD_REQD_MASK_POLICY := $(REQD_MASK_POLICY)
-endif
-
-ifeq (,$(BOARD_PLAT_VENDOR_POLICY))
-BOARD_PLAT_VENDOR_POLICY := $(PLAT_VENDOR_POLICY)
-endif
-
-$(foreach p,SYSTEM_EXT PRODUCT,$(foreach q,PUBLIC PRIVATE,$(eval \
- $(if $(BOARD_$(p)_$(q)_PREBUILT_DIRS),,\
- BOARD_$(p)_$(q)_PREBUILT_DIRS := $($(p)_$(q)_POLICY) \
- ) \
-)))
-
ifdef BOARD_ODM_SEPOLICY_DIRS
ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
$(error PRODUCT_SEPOLICY_SPLIT needs to be true when using BOARD_ODM_SEPOLICY_DIRS)
@@ -219,9 +145,6 @@
genfs_contexts \
port_contexts
-sepolicy_compat_files := $(foreach ver, $(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(addprefix compat/$(ver)/, $(addsuffix .cil, $(ver))))
-
# Security classes and permissions defined outside of system/sepolicy.
security_class_extension_files := $(call build_policy, security_classes access_vectors, \
$(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
@@ -296,24 +219,6 @@
endif
endif
-enforce_sysprop_owner := true
-ifeq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),true)
- enforce_sysprop_owner := false
-endif
-
-enforce_debugfs_restriction := false
-ifeq ($(PRODUCT_SET_DEBUGFS_RESTRICTIONS),true)
- enforce_debugfs_restriction := true
-endif
-
-ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
- #$(warning no product shipping level defined)
-else ifneq ($(call math_lt,30,$(PRODUCT_SHIPPING_API_LEVEL)),)
- ifneq ($(BUILD_BROKEN_ENFORCE_SYSPROP_OWNER),)
- $(error BUILD_BROKEN_ENFORCE_SYSPROP_OWNER cannot be set on a device shipping with S or later, and this is tested by CTS.)
- endif
-endif
-
# Library extension for host-side tests
ifeq ($(HOST_OS),darwin)
SHAREDLIB_EXT=dylib
@@ -339,9 +244,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_TAGS := optional
LOCAL_REQUIRED_MODULES += \
selinux_policy_nonsystem \
@@ -356,9 +258,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_policy_system
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# These build targets are not used on non-Treble devices. However, we build these to avoid
# divergence between Treble and non-Treble devices.
LOCAL_REQUIRED_MODULES += \
@@ -366,17 +265,13 @@
$(addprefix plat_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
plat_sepolicy.cil \
+ plat_sepolicy_and_mapping.sha256 \
secilc \
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-LOCAL_REQUIRED_MODULES += plat_sepolicy_and_mapping.sha256
-endif
-
LOCAL_REQUIRED_MODULES += \
build_sepolicy \
plat_file_contexts \
plat_file_contexts_test \
- plat_keystore2_key_contexts \
plat_mac_permissions.xml \
plat_property_contexts \
plat_property_contexts_test \
@@ -415,11 +310,6 @@
LOCAL_REQUIRED_MODULES += \
sepolicy_freeze_test \
-else
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
-$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
-cannot be set before system/sepolicy freezes.)
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -428,116 +318,16 @@
include $(CLEAR_VARS)
-LOCAL_MODULE := selinux_policy_system_ext
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# Include precompiled policy, unless told otherwise.
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy_and_mapping.sha256
-endif
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
-endif
-
-ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- system_ext_mapping_file
-
-system_ext_compat_files := $(call build_policy, $(sepolicy_compat_files), $(SYSTEM_EXT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix system_ext_, $(notdir $(system_ext_compat_files)))
-
-endif
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- system_ext_file_contexts \
- system_ext_file_contexts_test \
- system_ext_hwservice_contexts \
- system_ext_hwservice_contexts_test \
- system_ext_property_contexts \
- system_ext_property_contexts_test \
- system_ext_seapp_contexts \
- system_ext_service_contexts \
- system_ext_service_contexts_test \
- system_ext_mac_permissions.xml \
- $(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
-
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-#################################
-
-include $(CLEAR_VARS)
-
-LOCAL_MODULE := selinux_policy_product
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-# Include precompiled policy, unless told otherwise.
-ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy_and_mapping.sha256
-endif
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += product_sepolicy.cil
-endif
-
-ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-LOCAL_REQUIRED_MODULES += \
- product_mapping_file
-
-product_compat_files := $(call build_policy, $(sepolicy_compat_files), $(PRODUCT_PRIVATE_POLICY))
-
-LOCAL_REQUIRED_MODULES += $(addprefix product_, $(notdir $(product_compat_files)))
-
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-LOCAL_REQUIRED_MODULES += \
- product_file_contexts \
- product_file_contexts_test \
- product_hwservice_contexts \
- product_hwservice_contexts_test \
- product_property_contexts \
- product_property_contexts_test \
- product_seapp_contexts \
- product_service_contexts \
- product_service_contexts_test \
- product_mac_permissions.xml \
-
-endif
-
-include $(BUILD_PHONY_PACKAGE)
-
-#################################
-
-include $(CLEAR_VARS)
-
LOCAL_MODULE := selinux_policy_nonsystem
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
# Include precompiled policy, unless told otherwise.
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += \
precompiled_sepolicy \
- precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
-endif
-
-ifdef HAS_PRODUCT_SEPOLICY
-LOCAL_REQUIRED_MODULES += precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-endif
+ precompiled_sepolicy.plat_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256 \
+ system_ext_sepolicy_and_mapping.sha256 \
+ precompiled_sepolicy.product_sepolicy_and_mapping.sha256 \
+ product_sepolicy_and_mapping.sha256 \
endif # ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
@@ -574,8 +364,57 @@
odm_mac_permissions.xml
endif
-LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
-LOCAL_REQUIRED_MODULES += selinux_policy_product
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+LOCAL_REQUIRED_MODULES += system_ext_sepolicy.cil
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ system_ext_mapping_file \
+ $(addprefix system_ext_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
+endif
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ system_ext_file_contexts \
+ system_ext_file_contexts_test \
+ system_ext_hwservice_contexts \
+ system_ext_hwservice_contexts_test \
+ system_ext_property_contexts \
+ system_ext_property_contexts_test \
+ system_ext_seapp_contexts \
+ system_ext_service_contexts \
+ system_ext_service_contexts_test \
+ system_ext_mac_permissions.xml \
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+LOCAL_REQUIRED_MODULES += product_sepolicy.cil
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_REQUIRED_MODULES += \
+ product_mapping_file \
+ $(addprefix product_,$(addsuffix .cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
+
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+LOCAL_REQUIRED_MODULES += \
+ product_file_contexts \
+ product_file_contexts_test \
+ product_hwservice_contexts \
+ product_hwservice_contexts_test \
+ product_property_contexts \
+ product_property_contexts_test \
+ product_seapp_contexts \
+ product_service_contexts \
+ product_service_contexts_test \
+ product_mac_permissions.xml \
+
+endif
LOCAL_REQUIRED_MODULES += \
selinux_denial_metadata \
@@ -587,26 +426,9 @@
include $(BUILD_PHONY_PACKAGE)
#################################
-
-ifeq ($(mixed_sepolicy_build),true)
-include $(LOCAL_PATH)/prebuilt_policy.mk
-else
-reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
-plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
-plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
-system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
-system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
-product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
-product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
-endif
-
-#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -614,19 +436,11 @@
# sepolicy_policy.conf - All of the policy for the device. This is only used to
# check neverallow rules.
-# In a mixed build target, vendor policies are checked separately, on the module
-# sepolicy_neverallows_vendor.
-
-all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
- $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
-ifeq ($(mixed_sepolicy_build),true)
-policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
-else
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-endif
-
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy_policy.conf := $(intermediates)/policy.conf
$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -636,7 +450,6 @@
$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -644,6 +457,11 @@
# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
# check neverallow rules using sepolicy-analyze, similar to CTS.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+ $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -654,7 +472,6 @@
$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy_policy_2.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -681,125 +498,467 @@
sepolicy_policy_2.conf :=
built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+##################################
+# reqd_policy_mask - a policy.conf file which contains only the bare minimum
+# policy necessary to use checkpolicy. This bare-minimum policy needs to be
+# present in all policy.conf files, but should not necessarily be exported as
+# part of the public policy. The rules generated by reqd_policy_mask will allow
+# the compilation of public policy and subsequent removal of CIL policy that
+# should not be exported.
+
+policy_files := $(call build_policy, $(sepolicy_build_files), $(REQD_MASK_POLICY))
+reqd_policy_mask.conf := $(intermediates)/reqd_policy_mask.conf
+$(reqd_policy_mask.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(reqd_policy_mask.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(reqd_policy_mask.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(reqd_policy_mask.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(reqd_policy_mask.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(reqd_policy_mask.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(reqd_policy_mask.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(reqd_policy_mask.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(reqd_policy_mask.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(reqd_policy_mask.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(reqd_policy_mask.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+
+reqd_policy_mask.cil := $(intermediates)/reqd_policy_mask.cil
+$(reqd_policy_mask.cil): $(reqd_policy_mask.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
+ $(POLICYVERS) -o $@ $<
+
+reqd_policy_mask.conf :=
+
+##################################
+# pub_policy - policy that will be exported to be a part of non-platform
+# policy corresponding to this platform version. This is a limited subset of
+# policy that would not compile in checkpolicy on its own. To get around this
+# limitation, add only the required files from private policy, which will
+# generate CIL policy that will then be filtered out by the reqd_policy_mask.
+#
+# There are three pub_policy.cil files below:
+# - pub_policy.cil: exported 'product', 'system_ext' and 'system' policy.
+# - system_ext_pub_policy.cil: exported 'system_ext' and 'system' policy.
+# - plat_pub_policy.cil: exported 'system' policy.
+#
+# Those above files will in turn be used to generate the following versioned cil files:
+# - product_mapping_file: the versioned, exported 'product' policy in product partition.
+# - system_ext_mapping_file: the versioned, exported 'system_ext' policy in system_ext partition.
+# - plat_mapping_file: the versioned, exported 'system' policy in system partition.
+# - plat_pub_versioned.cil: the versioned, exported 'product', 'system_ext' and 'system'
+# policy in vendor partition.
+#
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+pub_policy.conf := $(intermediates)/pub_policy.conf
+$(pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+pub_policy.cil := $(intermediates)/pub_policy.cil
+$(pub_policy.cil): PRIVATE_POL_CONF := $(pub_policy.conf)
+$(pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+pub_policy.conf :=
+
+##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+system_ext_pub_policy.conf := $(intermediates)/system_ext_pub_policy.conf
+$(system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+system_ext_pub_policy.cil := $(intermediates)/system_ext_pub_policy.cil
+$(system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(system_ext_pub_policy.conf)
+$(system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+system_ext_pub_policy.conf :=
+
+##################################
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+plat_pub_policy.conf := $(intermediates)/plat_pub_policy.conf
+$(plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_pub_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+plat_pub_policy.cil := $(intermediates)/plat_pub_policy.cil
+$(plat_pub_policy.cil): PRIVATE_POL_CONF := $(plat_pub_policy.conf)
+$(plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+plat_pub_policy.conf :=
+
#################################
-# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
-ifeq ($(mixed_sepolicy_build),true)
include $(CLEAR_VARS)
-LOCAL_MODULE := sepolicy_neverallows_vendor
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
-LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE := plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
include $(BUILD_SYSTEM)/base_rules.mk
-# Check neverallow with prebuilt policy files
+# plat_policy.conf - A combination of the private and public platform policy
+# which will ship with the device. The platform will always reflect the most
+# recent platform version and is not currently being attributized.
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
-
-# sepolicy_policy.conf - All of the policy for the device. This is only used to
-# check neverallow rules.
-sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
-$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy.conf): $(policy_files) $(M4)
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+plat_policy.conf := $(intermediates)/plat_policy.conf
+$(plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
-# check neverallow rules using sepolicy-analyze, similar to CTS.
-sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
-$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
-$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
-$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
-$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(sepolicy_policy_2.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
-$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
- $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
-ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
- $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
- $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
- ( echo "" 1>&2; \
- echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
- echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
- echo "the policy." 1>&2; \
- exit 1 )
-endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
- $(hide) touch $@.tmp
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
$(hide) mv $@.tmp $@
-sepolicy_policy.conf :=
-sepolicy_policy_2.conf :=
-built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
+built_plat_cil := $(LOCAL_BUILT_MODULE)
+plat_policy.conf :=
-endif # ifeq ($(mixed_sepolicy_build),true)
+#################################
+include $(CLEAR_VARS)
-##################################
-# plat policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of plat policy files.
-#
-reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
-reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
+LOCAL_MODULE := userdebug_plat_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_DEBUG_RAMDISK_OUT)
-pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
-pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+include $(BUILD_SYSTEM)/base_rules.mk
-system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
-system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+# userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+userdebug_plat_policy.conf := $(intermediates)/userdebug_plat_policy.conf
+$(userdebug_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(userdebug_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(userdebug_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := userdebug
+$(userdebug_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(userdebug_plat_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(userdebug_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(userdebug_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(userdebug_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(userdebug_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(userdebug_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(userdebug_plat_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
-plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): $(userdebug_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/secilc \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+ $(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
+ $(hide) mv $@.tmp $@
-built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
-built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
-built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
-built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
+userdebug_plat_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
ifdef HAS_SYSTEM_EXT_SEPOLICY
-built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
-built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
-built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
-built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
+LOCAL_MODULE := system_ext_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# system_ext_policy.conf - A combination of the private and public system_ext policy
+# which will ship with the device. System_ext policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+system_ext_policy.conf := $(intermediates)/system_ext_policy.conf
+$(system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(system_ext_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(system_ext_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL := $(built_plat_cil)
+$(LOCAL_BUILT_MODULE): $(system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
+ # latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
+
+
+built_system_ext_cil := $(LOCAL_BUILT_MODULE)
+system_ext_policy.conf :=
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
+#################################
+include $(CLEAR_VARS)
+
ifdef HAS_PRODUCT_SEPOLICY
-built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
-built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
-built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
-built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
+LOCAL_MODULE := product_sepolicy.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# product_policy.conf - A combination of the private and public product policy
+# which will ship with the device. Product policy is not attributized.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+product_policy.conf := $(intermediates)/product_policy.conf
+$(product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(product_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(product_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(product_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/dontaudit/d' $@ > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil)
+$(LOCAL_BUILT_MODULE): $(product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $(built_system_ext_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_CIL_FILES) -t $@
+ # Line markers (denoted by ;;) are malformed after above cmd. They are only
+ # used for debugging, so we remove them.
+ $(hide) grep -v ';;' $@ > $@.tmp
+ $(hide) mv $@.tmp $@
+ # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
+ # make sure that the latter doesn't accidentally depend on vendor/odm policies.
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
+ $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+
+built_product_cil := $(LOCAL_BUILT_MODULE)
+product_policy.conf :=
endif # ifdef HAS_PRODUCT_SEPOLICY
-built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
-built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+#################################
+include $(CLEAR_VARS)
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
+LOCAL_MODULE := plat_sepolicy_vers.txt
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_SEPOL_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) :
+ mkdir -p $(dir $@)
+ echo $(PRIVATE_PLAT_SEPOL_VERS) > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# auto-generate the mapping file for current platform policy, since it needs to
+# track platform policy development
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : $(plat_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+
+built_plat_mapping_cil := $(LOCAL_BUILT_MODULE)
+
+#################################
+include $(CLEAR_VARS)
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+LOCAL_MODULE := system_ext_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(system_ext_pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil)
+ @mkdir -p $(dir $@)
+ # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
+ # sepolicy minus plat_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
+
+built_system_ext_mapping_cil := $(LOCAL_BUILT_MODULE)
+endif # ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+LOCAL_MODULE := product_mapping_file
+LOCAL_MODULE_STEM := $(PLATFORM_SEPOLICY_VERSION).cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux/mapping
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(PLATFORM_SEPOLICY_VERSION)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+$(built_plat_mapping_cil) $(built_system_ext_mapping_cil)
+ @mkdir -p $(dir $@)
+ # Generate product mapping file as mapping file of all public sepolicy minus
+ # plat_mapping_file and system_ext_mapping_file.
+ $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_FILTER_CIL_FILES) -t $@
+
+built_product_mapping_cil := $(LOCAL_BUILT_MODULE)
+endif # ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+
+#################################
+include $(CLEAR_VARS)
+
+# plat_pub_versioned.cil - the exported platform policy associated with the version
+# that non-platform policy targets.
+LOCAL_MODULE := plat_pub_versioned.cil
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE) : PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE) : PRIVATE_TGT_POL := $(pub_policy.cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+$(built_product_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
+$(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE) : $(pub_policy.cil) $(HOST_OUT_EXECUTABLES)/version_policy \
+ $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
+ $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil)
+ @mkdir -p $(dir $@)
+ $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
+ $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
+
+built_pub_vers_cil := $(LOCAL_BUILT_MODULE)
#################################
include $(CLEAR_VARS)
@@ -808,9 +967,6 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := vendor_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -818,11 +974,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
+ $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
vendor_policy.conf := $(intermediates)/vendor_policy.conf
$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -834,28 +988,24 @@
$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(vendor_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
-$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+$(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
+$(built_system_ext_mapping_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+ $(vendor_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
+ $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) \
+ $(built_pub_vers_cil) $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) \
+ $(built_product_mapping_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
-i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
@@ -873,9 +1023,6 @@
# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
# policy and the platform public policy files in order to use checkpolicy.
LOCAL_MODULE := odm_sepolicy.cil
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -883,11 +1030,9 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) \
+ $(REQD_MASK_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
odm_policy.conf := $(intermediates)/odm_policy.conf
$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -899,29 +1044,23 @@
$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
-$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(odm_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
$(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
-$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
-$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
-$(built_vendor_cil)
-$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil) $(built_system_ext_cil) \
+ $(built_product_cil) $(built_pub_vers_cil) $(built_plat_mapping_cil) \
+ $(built_system_ext_mapping_cil) $(built_product_mapping_cil) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil) $(built_vendor_cil)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
- $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
- $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
- $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(odm_policy.conf) $(reqd_policy_mask.cil) $(pub_policy.cil) \
+ $(built_plat_cil) $(built_system_ext_cil) $(built_product_cil) $(built_pub_vers_cil) \
+ $(built_plat_mapping_cil) $(built_system_ext_mapping_cil) $(built_product_mapping_cil) \
$(built_vendor_cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
@@ -938,9 +1077,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := precompiled_sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_PROPRIETARY_MODULE := true
@@ -955,8 +1091,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -964,7 +1100,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -972,7 +1108,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -980,8 +1116,7 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
@@ -1001,15 +1136,112 @@
# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
# See system/core/init/selinux.cpp for details.
#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH = $(TARGET_OUT_PRODUCT)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): $(built_product_cil) $(built_product_mapping_cil)
+ cat $^ | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the plat_sepolicy.cil and plat_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_plat_cil) $(built_plat_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_plat_cil) $(built_plat_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_system_ext_cil) $(built_system_ext_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
+
+#################################
+# SHA-256 digest of the product_sepolicy.cil and product_mapping_file against
+# which precompiled_policy was built.
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(built_product_cil) $(built_product_mapping_cil)
+$(LOCAL_BUILT_MODULE): $(built_precompiled_sepolicy) $(built_product_cil) $(built_product_mapping_cil)
+ cat $(PRIVATE_CIL_FILES) | sha256sum | cut -d' ' -f1 > $@
#################################
include $(CLEAR_VARS)
# build this target so that we can still perform neverallow checks
LOCAL_MODULE := sepolicy
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1018,8 +1250,8 @@
all_cil_files := \
$(built_plat_cil) \
- $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
- $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
$(built_vendor_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -1027,7 +1259,7 @@
endif
ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+all_cil_files += $(built_system_ext_mapping_cil)
endif
ifdef HAS_PRODUCT_SEPOLICY
@@ -1035,7 +1267,7 @@
endif
ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
-all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+all_cil_files += $(built_product_mapping_cil)
endif
ifdef BOARD_ODM_SEPOLICY_DIRS
@@ -1043,8 +1275,7 @@
endif
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
-# Neverallow checks are skipped in a mixed build target.
-$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
$(built_sepolicy_neverallows)
@mkdir -p $(dir $@)
@@ -1069,9 +1300,6 @@
# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
LOCAL_MODULE := sepolicy.recovery
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_STEM := sepolicy
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
@@ -1079,12 +1307,12 @@
include $(BUILD_SYSTEM)/base_rules.mk
-# We use vendor version's policy files because recovery partition is vendor-owned.
policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
- $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY) \
+ $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) \
+ $(BOARD_ODM_SEPOLICY_DIRS))
sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
@@ -1094,7 +1322,6 @@
$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
-$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(sepolicy.recovery.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1123,14 +1350,39 @@
sepolicy.recovery.conf :=
##################################
+# SELinux policy embedded into CTS.
+# CTS checks neverallow rules of this policy against the policy of the device under test.
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := general_sepolicy.conf
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := tests
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(LOCAL_BUILT_MODULE): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(LOCAL_BUILT_MODULE): PRIVATE_TARGET_BUILD_VARIANT := user
+$(LOCAL_BUILT_MODULE): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(LOCAL_BUILT_MODULE): PRIVATE_WITH_ASAN := false
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_SPLIT := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_COMPATIBLE_PROPERTY := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := cts
+$(LOCAL_BUILT_MODULE): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(LOCAL_BUILT_MODULE): PRIVATE_POLICY_FILES := $(policy_files)
+$(LOCAL_BUILT_MODULE): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
#
include $(CLEAR_VARS)
LOCAL_MODULE := file_contexts.bin
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
@@ -1140,15 +1392,13 @@
# The file_contexts.bin is built in the following way:
# 1. Collect all file_contexts files in THIS repository and process them with
# m4 into a tmp file called file_contexts.local.tmp.
-# 2. Collect all file_contexts files from LOCAL_FILE_CONTEXTS of installed
-# modules with m4 with a tmp file called file_contexts.modules.tmp.
-# 3. Collect all device specific file_contexts files and process them with m4
+# 2. Collect all device specific file_contexts files and process them with m4
# into a tmp file called file_contexts.device.tmp.
-# 4. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
+# 3. Run checkfc -e (allow no device fc entries ie empty) and fc_sort on
# file_contexts.device.tmp and output to file_contexts.device.sorted.tmp.
-# 5. Concatenate file_contexts.local.tmp, file_contexts.modules.tmp and
-# file_contexts.device.sorted.tmp into file_contexts.concat.tmp.
-# 6. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
+# 4. Concatenate file_contexts.local.tmp and file_contexts.device.tmp into
+# file_contexts.concat.tmp.
+# 5. Run checkfc and sefcontext_compile on file_contexts.concat.tmp to produce
# file_contexts.bin.
#
# Note: That a newline file is placed between each file_context file found to
@@ -1171,12 +1421,21 @@
local_fc_files += $(wildcard $(addsuffix /file_contexts_overlayfs, $(PLAT_PRIVATE_POLICY)))
endif
-file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
-$(call merge-fc-files,$(local_fc_files),$(file_contexts.local.tmp))
+# Even if TARGET_FLATTEN_APEX is not turned on, "flattened" APEXes are installed
+$(foreach _tuple,$(APEX_FILE_CONTEXTS_INFOS),\
+ $(eval _apex_name := $(call word-colon,1,$(_tuple)))\
+ $(eval _apex_path := $(call word-colon,2,$(_tuple)))\
+ $(eval _fc_path := $(call word-colon,3,$(_tuple)))\
+ $(eval _input := $(_fc_path))\
+ $(eval _output := $(intermediates)/$(_apex_name)-flattened)\
+ $(eval $(call build_flattened_apex_file_contexts,$(_input),$(_apex_path),$(_output),local_fc_files))\
+ )
-# The rule for file_contexts.modules.tmp is defined in build/make/core/Makefile.
-# it gathers LOCAL_FILE_CONTEXTS from product_MODULES
-file_contexts.modules.tmp := $(intermediates)/file_contexts.modules.tmp
+file_contexts.local.tmp := $(intermediates)/file_contexts.local.tmp
+$(file_contexts.local.tmp): PRIVATE_FC_FILES := $(local_fc_files)
+$(file_contexts.local.tmp): $(local_fc_files) $(M4)
+ @mkdir -p $(dir $@)
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_FC_FILES) > $@
device_fc_files := $(call build_vendor_policy, file_contexts)
@@ -1200,9 +1459,10 @@
$(hide) $(HOST_OUT_EXECUTABLES)/fc_sort -i $< -o $@
file_contexts.concat.tmp := $(intermediates)/file_contexts.concat.tmp
-$(call merge-fc-files,\
- $(file_contexts.local.tmp) $(file_contexts.modules.tmp) $(file_contexts.device.sorted.tmp),\
- $(file_contexts.concat.tmp))
+$(file_contexts.concat.tmp): PRIVATE_CONTEXTS := $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp)
+$(file_contexts.concat.tmp): $(file_contexts.local.tmp) $(file_contexts.device.sorted.tmp) $(M4)
+ @mkdir -p $(dir $@)
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_CONTEXTS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): $(file_contexts.concat.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/sefcontext_compile $(HOST_OUT_EXECUTABLES)/checkfc
@@ -1219,15 +1479,11 @@
file_contexts.device.sorted.tmp :=
file_contexts.device.tmp :=
file_contexts.local.tmp :=
-file_contexts.modules.tmp :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := selinux_denial_metadata
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1251,9 +1507,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vndservice_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -1284,9 +1537,6 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_tests
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -1331,8 +1581,6 @@
$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1364,8 +1612,6 @@
$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
-$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
$(base_plat_pub_policy.conf): $(policy_files) $(M4)
$(transform-policy-to-conf)
@@ -1380,130 +1626,6 @@
$(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
-f $(PRIVATE_REQD_MASK) -t $@
-
-#####################################################
-intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
-base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
-$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
-$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
-$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
-$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-
-################################################################################
-intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
- $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
-base_product_policy.conf := $(intermediates)/base_product_policy.conf
-$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
- $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
-
-built_product_sepolicy := $(intermediates)/built_product_sepolicy
-$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
-$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/secilc \
-$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
-$(built_sepolicy_neverallows)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
-
-
-policy_files := $(call build_policy, $(sepolicy_build_files), \
-$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
-base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
-$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
-$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
-$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
-$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
-$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
-$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
-$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
-$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
-$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
-$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
-$(base_product_pub_policy.conf): $(policy_files) $(M4)
- $(transform-policy-to-conf)
-
-base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
-$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
-$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
-$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
@@ -1515,8 +1637,6 @@
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
version_under_treble_tests := 29.0
include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
endif # PRODUCT_SEPOLICY_SPLIT
version_under_treble_tests := 26.0
@@ -1527,8 +1647,6 @@
include $(LOCAL_PATH)/compat.mk
version_under_treble_tests := 29.0
include $(LOCAL_PATH)/compat.mk
-version_under_treble_tests := 30.0
-include $(LOCAL_PATH)/compat.mk
base_plat_policy.conf :=
base_plat_pub_policy.conf :=
@@ -1539,19 +1657,11 @@
#################################
include $(CLEAR_VARS)
LOCAL_MODULE := sepolicy_freeze_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-define ziplist
-$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
- $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
-endef
-
base_plat_public := $(LOCAL_PATH)/public
base_plat_private := $(LOCAL_PATH)/private
base_plat_public_prebuilt := \
@@ -1566,16 +1676,10 @@
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
-$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
$(LOCAL_BUILT_MODULE): $(all_frozen_files)
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
@diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
-ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
- @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
- do diff -rq -x bug_map $$pair; done
-endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
$(hide) touch $@
@@ -1607,8 +1711,6 @@
built_vendor_svc :=
built_plat_sepolicy :=
treble_sysprop_neverallow :=
-enforce_sysprop_owner :=
-enforce_debugfs_restriction :=
mapping_policy :=
my_target_arch :=
pub_policy.cil :=
diff --git a/METADATA b/METADATA
deleted file mode 100644
index cdcfa70..0000000
--- a/METADATA
+++ /dev/null
@@ -1,6 +0,0 @@
-third_party {
- # would be UNENCUMBERED save for
- # tests/combine_maps.py
- # build/soong/
- license_type: NOTICE
-}
diff --git a/OWNERS b/OWNERS
index 866b7b6..55f7f00 100644
--- a/OWNERS
+++ b/OWNERS
@@ -2,10 +2,12 @@
alanstokes@google.com
bowgotsai@google.com
cbrubaker@google.com
-inseob@google.com
jbires@google.com
jeffv@google.com
jgalenson@google.com
jiyong@google.com
+nnk@google.com
smoreland@google.com
+sspatil@google.com
+tomcherry@google.com
trong@google.com
diff --git a/README b/README
index f14ac67..43d9bbc 100644
--- a/README
+++ b/README
@@ -34,17 +34,6 @@
BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
-variables have been deprecated in favour of SYSTEM_EXT_*.
-
Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
definitions during the build. A definition consists of a string in the form
of macro-name=value. Spaces must NOT be present. This is useful for building modular
diff --git a/apex/Android.bp b/apex/Android.bp
index b5199f0..d3acfdb 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -13,14 +13,6 @@
// limitations under the License.
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // legacy_unencumbered
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
filegroup {
name: "apex.test-file_contexts",
srcs: [
@@ -43,16 +35,16 @@
}
filegroup {
- name: "com.android.art-file_contexts",
+ name: "com.android.art.debug-file_contexts",
srcs: [
- "com.android.art-file_contexts",
+ "com.android.art.debug-file_contexts",
],
}
filegroup {
- name: "com.android.art.debug-file_contexts",
+ name: "com.android.art.release-file_contexts",
srcs: [
- "com.android.art.debug-file_contexts",
+ "com.android.art.release-file_contexts",
],
}
@@ -71,13 +63,6 @@
}
filegroup {
- name: "com.android.compos-file_contexts",
- srcs: [
- "com.android.compos-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.conscrypt-file_contexts",
srcs: [
"com.android.conscrypt-file_contexts",
@@ -92,20 +77,6 @@
}
filegroup {
- name: "com.android.geotz-file_contexts",
- srcs: [
- "com.android.geotz-file_contexts",
- ],
-}
-
-filegroup {
- name: "com.android.gki-file_contexts",
- srcs: [
- "com.android.gki-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.ipsec-file_contexts",
srcs: [
"com.android.ipsec-file_contexts",
@@ -176,13 +147,6 @@
}
filegroup {
- name: "com.android.scheduling-file_contexts",
- srcs: [
- "com.android.scheduling-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.telephony-file_contexts",
srcs: [
"com.android.telephony-file_contexts",
@@ -197,13 +161,6 @@
}
filegroup {
- name: "com.android.virt-file_contexts",
- srcs: [
- "com.android.virt-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.vndk-file_contexts",
srcs: [
"com.android.vndk-file_contexts",
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
deleted file mode 100644
index d2a8626..0000000
--- a/apex/com.android.art-file_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-#############################
-# System files
-#
-(/.*)? u:object_r:system_file:s0
-/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
-/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh u:object_r:odrefresh_exec:s0
-/bin/profman u:object_r:profman_exec:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.art.debug-file_contexts b/apex/com.android.art.debug-file_contexts
index a0e9ea0..8007efd 100644
--- a/apex/com.android.art.debug-file_contexts
+++ b/apex/com.android.art.debug-file_contexts
@@ -4,6 +4,7 @@
(/.*)? u:object_r:system_file:s0
/bin/dex2oat(d)?(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
-/bin/odrefresh u:object_r:odrefresh_exec:s0
/bin/profman(d)? u:object_r:profman_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
+/bin/art_preinstall_hook(.*)? u:object_r:art_apex_preinstall_exec:s0
+/bin/art_postinstall_hook(.*)? u:object_r:art_apex_postinstall_exec:s0
diff --git a/apex/com.android.art.release-file_contexts b/apex/com.android.art.release-file_contexts
new file mode 100644
index 0000000..1598afd
--- /dev/null
+++ b/apex/com.android.art.release-file_contexts
@@ -0,0 +1,8 @@
+#############################
+# System files
+#
+(/.*)? u:object_r:system_file:s0
+/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
+/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
+/bin/profman u:object_r:profman_exec:s0
+/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
deleted file mode 100644
index 83b4b58..0000000
--- a/apex/com.android.compos-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.geotz-file_contexts b/apex/com.android.geotz-file_contexts
deleted file mode 100644
index 1918e73..0000000
--- a/apex/com.android.geotz-file_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-#############################
-# System files
-#
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.gki-file_contexts b/apex/com.android.gki-file_contexts
deleted file mode 100644
index ccee7f8..0000000
--- a/apex/com.android.gki-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/(.*)? u:object_r:gki_apex_prepostinstall_exec:s0
diff --git a/apex/com.android.i18n-file_contexts b/apex/com.android.i18n-file_contexts
index 51d45a0..c8b6ba1 100644
--- a/apex/com.android.i18n-file_contexts
+++ b/apex/com.android.i18n-file_contexts
@@ -2,4 +2,3 @@
# System files
#
(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.media-file_contexts b/apex/com.android.media-file_contexts
index 8822046..f6b21da 100644
--- a/apex/com.android.media-file_contexts
+++ b/apex/com.android.media-file_contexts
@@ -1,3 +1,2 @@
(/.*)? u:object_r:system_file:s0
/lib(64)?(/.*) u:object_r:system_lib_file:s0
-/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
diff --git a/apex/com.android.runtime-file_contexts b/apex/com.android.runtime-file_contexts
index d090d50..7878b20 100644
--- a/apex/com.android.runtime-file_contexts
+++ b/apex/com.android.runtime-file_contexts
@@ -2,7 +2,5 @@
# System files
#
(/.*)? u:object_r:system_file:s0
-/bin/crash_dump(32|64) u:object_r:crash_dump_exec:s0
/bin/linker(64)? u:object_r:system_linker_exec:s0
-/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.scheduling-file_contexts b/apex/com.android.scheduling-file_contexts
deleted file mode 100644
index 9398505..0000000
--- a/apex/com.android.scheduling-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.sdkext-file_contexts b/apex/com.android.sdkext-file_contexts
index 551a12c..2d59dda 100644
--- a/apex/com.android.sdkext-file_contexts
+++ b/apex/com.android.sdkext-file_contexts
@@ -1,3 +1,2 @@
-(/.*)? u:object_r:system_file:s0
-/bin/derive_classpath u:object_r:derive_classpath_exec:s0
-/bin/derive_sdk u:object_r:derive_sdk_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/derive_sdk u:object_r:derive_sdk_exec:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
deleted file mode 100644
index 4703eba..0000000
--- a/apex/com.android.virt-file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/bin/crosvm u:object_r:crosvm_exec:s0
-/bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/build/Android.bp b/build/Android.bp
index 5298f71..d3f1fc3 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -12,14 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
python_binary_host {
name: "build_sepolicy",
srcs: [
diff --git a/build/file_utils.py b/build/file_utils.py
index 9f95f52..1559a9b 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -43,9 +43,6 @@
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
- # Append empty line because a completely empty file
- # will trip up secilc later on:
- tmp_output.write("\n")
tmp_output.flush()
# Replaces the input_file.
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 2282112..ae2bdd6 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -12,14 +12,6 @@
// See the License for the specific language governing permissions and
// limitations under the License.
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
bootstrap_go_package {
name: "soong-selinux",
pkgPath: "android/soong/selinux",
@@ -28,18 +20,12 @@
"soong",
"soong-android",
"soong-genrule",
- "soong-sysprop",
],
srcs: [
- "build_files.go",
"cil_compat_map.go",
- "compat_cil.go",
"filegroup.go",
- "policy.go",
"selinux.go",
"selinux_contexts.go",
- "sepolicy_vers.go",
- "versioned_policy.go",
],
pluginFor: ["soong_build"],
}
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
deleted file mode 100644
index 5de6122..0000000
--- a/build/soong/build_files.go
+++ /dev/null
@@ -1,199 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "fmt"
- "path/filepath"
- "sort"
- "strings"
-
- "android/soong/android"
-)
-
-func init() {
- android.RegisterModuleType("se_build_files", buildFilesFactory)
-}
-
-// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
-// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
-// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
-// "product_public", and "reqd_mask".
-func buildFilesFactory() android.Module {
- module := &buildFiles{}
- module.AddProperties(&module.properties)
- android.InitAndroidModule(module)
- return module
-}
-
-type buildFilesProperties struct {
- // list of source file suffixes used to collect selinux policy files.
- // Source files will be looked up in the following local directories:
- // system/sepolicy/{public, private, vendor, reqd_mask}
- // and directories specified by following config variables:
- // BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
- Srcs []string
-}
-
-type buildFiles struct {
- android.ModuleBase
- properties buildFilesProperties
-
- srcs map[string]android.Paths
-}
-
-func (b *buildFiles) findSrcsInDirs(ctx android.ModuleContext, dirs ...string) android.Paths {
- result := android.Paths{}
- for _, file := range b.properties.Srcs {
- for _, dir := range dirs {
- path := filepath.Join(dir, file)
- files, err := ctx.GlobWithDeps(path, nil)
- if err != nil {
- ctx.ModuleErrorf("glob: %s", err.Error())
- }
- for _, f := range files {
- result = append(result, android.PathForSource(ctx, f))
- }
- }
- }
- return result
-}
-
-func (b *buildFiles) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
-func (b *buildFiles) OutputFiles(tag string) (android.Paths, error) {
- if paths, ok := b.srcs[tag]; ok {
- return paths, nil
- }
-
- return nil, fmt.Errorf("unknown tag %q. Supported tags are: %q", tag, strings.Join(android.SortedStringKeys(b.srcs), " "))
-}
-
-var _ android.OutputFileProducer = (*buildFiles)(nil)
-
-type partition int
-
-const (
- system partition = iota
- system_ext
- product
-)
-
-type scope int
-
-const (
- public scope = iota
- private
-)
-
-type sepolicyDir struct {
- partition partition
- scope scope
- paths []string
-}
-
-func (p partition) String() string {
- switch p {
- case system:
- return "plat"
- case system_ext:
- return "system_ext"
- case product:
- return "product"
- default:
- panic(fmt.Sprintf("Unknown partition %#v", p))
- }
-}
-
-func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- // Sepolicy directories should be included in the following order.
- // - system_public
- // - system_private
- // - system_ext_public
- // - system_ext_private
- // - product_public
- // - product_private
- dirs := []sepolicyDir{
- sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
- sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
- sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
- sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
- sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
- sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
- }
-
- if !sort.SliceIsSorted(dirs, func(i, j int) bool {
- if dirs[i].partition != dirs[j].partition {
- return dirs[i].partition < dirs[j].partition
- }
-
- return dirs[i].scope < dirs[j].scope
- }) {
- panic("dirs is not sorted")
- }
-
- // Exported cil policy files are built with the following policies.
- //
- // - plat_pub_policy.cil: exported 'system'
- // - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
- // - pub_policy.cil: exported 'system', 'system_ext', and 'product'
- //
- // cil policy files are built with the following policies.
- //
- // - plat_policy.cil: 'system', including private
- // - system_ext_policy.cil: 'system_ext', including private
- // - product_sepolicy.cil: 'product', including private
- //
- // gatherDirsFor collects all needed directories for given partition and scope. For example,
- //
- // - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
- // - gatherDirsFor(product, public) will return system + system_ext + product (public only)
- //
- // "dirs" should be sorted before calling this.
- gatherDirsFor := func(p partition, s scope) []string {
- var ret []string
-
- for _, d := range dirs {
- if d.partition <= p && d.scope <= s {
- ret = append(ret, d.paths...)
- }
- }
-
- return ret
- }
-
- reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
-
- b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
-
- for _, p := range []partition{system, system_ext, product} {
- b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
-
- // reqd_mask is needed for public policies
- b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
- }
-
- // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
- // - system/sepolicy/public
- // - system/sepolicy/reqd_mask
- // - system/sepolicy/vendor
- // This is for minimized vendor partition, e.g. microdroid's vendor
- platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
-}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
deleted file mode 100644
index 230fdc3..0000000
--- a/build/soong/compat_cil.go
+++ /dev/null
@@ -1,113 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "github.com/google/blueprint/proptools"
-
- "android/soong/android"
-)
-
-func init() {
- android.RegisterModuleType("se_compat_cil", compatCilFactory)
-}
-
-// se_compat_cil collects and installs backwards compatibility cil files.
-func compatCilFactory() android.Module {
- c := &compatCil{}
- c.AddProperties(&c.properties)
- android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
- return c
-}
-
-type compatCil struct {
- android.ModuleBase
- properties compatCilProperties
- installSource android.Path
- installPath android.InstallPath
-}
-
-type compatCilProperties struct {
- // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
- Srcs []string
-
- // Output file name. Defaults to module name if unspecified.
- Stem *string
-}
-
-func (c *compatCil) stem() string {
- return proptools.StringDefault(c.properties.Stem, c.Name())
-}
-
-func (c *compatCil) expandSeSources(ctx android.ModuleContext) android.Paths {
- srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
- for _, src := range c.properties.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
- if module == nil {
- // Error would have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if c.SystemExtSpecific() {
- srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
- } else {
- srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
- }
- } else {
- srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
- }
- }
- return srcPaths
-}
-
-func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
- android.ExtractSourcesDeps(ctx, c.properties.Srcs)
-}
-
-func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
- ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
- }
-
- srcPaths := c.expandSeSources(ctx)
- out := android.PathForModuleGen(ctx, c.Name())
- ctx.Build(pctx, android.BuildParams{
- Rule: android.Cat,
- Inputs: srcPaths,
- Output: out,
- Description: "Combining compat cil for " + c.Name(),
- })
-
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux", "mapping")
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-}
-
-func (c *compatCil) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "ETC",
- OutputFile: android.OptionalPathForPath(c.installSource),
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
- },
- },
- }}
-}
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 0d426af..a45b427 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -36,7 +36,7 @@
// system/sepolicy/{public, private, vendor, reqd_mask}
// and directories specified by following config variables:
// BOARD_SEPOLICY_DIRS, BOARD_ODM_SEPOLICY_DIRS
- // SYSTEM_EXT_PUBLIC_SEPOLICY_DIR, SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
+ // BOARD_PLAT_PUBLIC_SEPOLICY_DIR, BOARD_PLAT_PRIVATE_SEPOLICY_DIR
Srcs []string
}
@@ -55,9 +55,8 @@
productPublicSrcs android.Paths
productPrivateSrcs android.Paths
- vendorSrcs android.Paths
- vendorReqdMaskSrcs android.Paths
- odmSrcs android.Paths
+ vendorSrcs android.Paths
+ odmSrcs android.Paths
}
// Source files from system/sepolicy/public
@@ -80,12 +79,12 @@
return fg.systemReqdMaskSrcs
}
-// Source files from SYSTEM_EXT_PUBLIC_SEPOLICY_DIR
+// Source files from BOARD_PLAT_PUBLIC_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPublicSrcs() android.Paths {
return fg.systemExtPublicSrcs
}
-// Source files from SYSTEM_EXT_PRIVATE_SEPOLICY_DIR
+// Source files from BOARD_PLAT_PRIVATE_SEPOLICY_DIR
func (fg *fileGroup) SystemExtPrivateSrcs() android.Paths {
return fg.systemExtPrivateSrcs
}
@@ -105,10 +104,6 @@
return fg.vendorSrcs
}
-func (fg *fileGroup) VendorReqdMaskSrcs() android.Paths {
- return fg.vendorReqdMaskSrcs
-}
-
// Source files from BOARD_ODM_SEPOLICY_DIRS
func (fg *fileGroup) OdmSrcs() android.Paths {
return fg.odmSrcs
@@ -140,13 +135,12 @@
fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
- fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs())
+ fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPublicSepolicyDirs())
+ fg.systemExtPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().PlatPrivateSepolicyDirs())
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
- fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
}
diff --git a/build/soong/policy.go b/build/soong/policy.go
deleted file mode 100644
index 75fbdf1..0000000
--- a/build/soong/policy.go
+++ /dev/null
@@ -1,363 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "fmt"
- "os"
- "strconv"
-
- "github.com/google/blueprint/proptools"
-
- "android/soong/android"
-)
-
-const (
- // TODO: sync with Android.mk
- MlsSens = 1
- MlsCats = 1024
- PolicyVers = 30
-)
-
-func init() {
- android.RegisterModuleType("se_policy_conf", policyConfFactory)
- android.RegisterModuleType("se_policy_cil", policyCilFactory)
-}
-
-type policyConfProperties struct {
- // Name of the output. Default is {module_name}
- Stem *string
-
- // Policy files to be compiled to cil file.
- Srcs []string `android:"path"`
-
- // Target build variant (user / userdebug / eng). Default follows the current lunch target
- Build_variant *string
-
- // Whether to exclude build test or not. Default is false
- Exclude_build_test *bool
-
- // Whether to include asan specific policies or not. Default follows the current lunch target
- With_asan *bool
-
- // Whether to build CTS specific policy or not. Default is false
- Cts *bool
-
- // Whether this module is directly installable to one of the partitions. Default is true
- Installable *bool
-}
-
-type policyConf struct {
- android.ModuleBase
-
- properties policyConfProperties
-
- installSource android.Path
- installPath android.InstallPath
-}
-
-// se_policy_conf merges collection of policy files into a policy.conf file to be processed by
-// checkpolicy.
-func policyConfFactory() android.Module {
- c := &policyConf{}
- c.AddProperties(&c.properties)
- android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
- return c
-}
-
-func (c *policyConf) installable() bool {
- return proptools.BoolDefault(c.properties.Installable, true)
-}
-
-func (c *policyConf) stem() string {
- return proptools.StringDefault(c.properties.Stem, c.Name())
-}
-
-func (c *policyConf) buildVariant(ctx android.ModuleContext) string {
- if variant := proptools.String(c.properties.Build_variant); variant != "" {
- return variant
- }
- if ctx.Config().Eng() {
- return "eng"
- }
- if ctx.Config().Debuggable() {
- return "userdebug"
- }
- return "user"
-}
-
-func (c *policyConf) cts() bool {
- return proptools.Bool(c.properties.Cts)
-}
-
-func (c *policyConf) withAsan(ctx android.ModuleContext) string {
- isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
- return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
-}
-
-func (c *policyConf) sepolicySplit(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
-}
-
-func (c *policyConf) compatibleProperty(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return "true"
-}
-
-func (c *policyConf) trebleSyspropNeverallow(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
-}
-
-func (c *policyConf) enforceSyspropOwner(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
-}
-
-func (c *policyConf) enforceDebugfsRestrictions(ctx android.ModuleContext) string {
- if c.cts() {
- return "cts"
- }
- return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
-}
-
-func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, "conf").OutputPath
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
- Flag("--fatal-warnings").
- FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
- FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
- FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
- FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
- FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
- FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
- FlagWithArg("-D target_with_native_coverage=", strconv.FormatBool(ctx.DeviceConfig().ClangCoverageEnabled() || ctx.DeviceConfig().GcovCoverageEnabled())).
- FlagWithArg("-D target_build_variant=", c.buildVariant(ctx)).
- FlagWithArg("-D target_full_treble=", c.sepolicySplit(ctx)).
- FlagWithArg("-D target_compatible_property=", c.compatibleProperty(ctx)).
- FlagWithArg("-D target_treble_sysprop_neverallow=", c.trebleSyspropNeverallow(ctx)).
- FlagWithArg("-D target_enforce_sysprop_owner=", c.enforceSyspropOwner(ctx)).
- FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
- FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
- FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
- Flag("-s").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
- Text("> ").Output(conf)
-
- rule.Build("conf", "Transform policy to conf: "+ctx.ModuleName())
- return conf
-}
-
-func (c *policyConf) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
-func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- c.installSource = c.transformPolicyToConf(ctx)
- c.installPath = android.PathForModuleInstall(ctx, "etc")
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
- if !c.installable() {
- c.SkipInstall()
- }
-}
-
-func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
- },
- },
- }}
-}
-
-func (c *policyConf) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyConf)(nil)
-
-type policyCilProperties struct {
- // Name of the output. Default is {module_name}
- Stem *string
-
- // Policy file to be compiled to cil file.
- Src *string `android:"path"`
-
- // Additional cil files to be added in the end of the output. This is to support workarounds
- // which are not supported by the policy language.
- Additional_cil_files []string `android:"path"`
-
- // Cil files to be filtered out by the filter_out tool of "build_sepolicy". Used to build
- // exported policies
- Filter_out []string `android:"path"`
-
- // Whether to remove line markers (denoted by ;;) out of compiled cil files. Defaults to false
- Remove_line_marker *bool
-
- // Whether to run secilc to check compiled policy or not. Defaults to true
- Secilc_check *bool
-
- // Whether to ignore neverallow when running secilc check. Defaults to
- // SELINUX_IGNORE_NEVERALLOWS.
- Ignore_neverallow *bool
-
- // Whether this module is directly installable to one of the partitions. Default is true
- Installable *bool
-}
-
-type policyCil struct {
- android.ModuleBase
-
- properties policyCilProperties
-
- installSource android.Path
- installPath android.InstallPath
-}
-
-// se_policy_cil compiles a policy.conf file to a cil file with checkpolicy, and optionally runs
-// secilc to check the output cil file. Affected by SELINUX_IGNORE_NEVERALLOWS.
-func policyCilFactory() android.Module {
- c := &policyCil{}
- c.AddProperties(&c.properties)
- android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
- return c
-}
-
-func (c *policyCil) Installable() bool {
- return proptools.BoolDefault(c.properties.Installable, true)
-}
-
-func (c *policyCil) stem() string {
- return proptools.StringDefault(c.properties.Stem, c.Name())
-}
-
-func (c *policyCil) compileConfToCil(ctx android.ModuleContext, conf android.Path) android.OutputPath {
- cil := android.PathForModuleOut(ctx, c.stem()).OutputPath
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool("checkpolicy").
- Flag("-C"). // Write CIL
- Flag("-M"). // Enable MLS
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", cil).
- Input(conf)
-
- if len(c.properties.Additional_cil_files) > 0 {
- rule.Command().Text("cat").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Additional_cil_files)).
- Text(">> ").Output(cil)
- }
-
- if len(c.properties.Filter_out) > 0 {
- rule.Command().BuiltTool("build_sepolicy").
- Text("filter_out").
- Flag("-f").
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)).
- FlagWithOutput("-t ", cil)
- }
-
- if proptools.Bool(c.properties.Remove_line_marker) {
- rule.Command().Text("grep -v").
- Text(proptools.ShellEscape(";;")).
- Text(cil.String()).
- Text(">").
- Text(cil.String() + ".tmp").
- Text("&& mv").
- Text(cil.String() + ".tmp").
- Text(cil.String())
- }
-
- if proptools.BoolDefault(c.properties.Secilc_check, true) {
- secilcCmd := rule.Command().BuiltTool("secilc").
- Flag("-m"). // Multiple decls
- FlagWithArg("-M ", "true"). // Enable MLS
- Flag("-G"). // expand and remove auto generated attributes
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Filter_out)). // Also add cil files which are filtered out
- Text(cil.String()).
- FlagWithArg("-o ", os.DevNull).
- FlagWithArg("-f ", os.DevNull)
-
- if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
- secilcCmd.Flag("-N")
- }
- }
-
- rule.Build("cil", "Building cil for "+ctx.ModuleName())
- return cil
-}
-
-func (c *policyCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if proptools.String(c.properties.Src) == "" {
- ctx.PropertyErrorf("src", "must be specified")
- return
- }
- conf := android.PathForModuleSrc(ctx, *c.properties.Src)
- cil := c.compileConfToCil(ctx, conf)
-
- if c.InstallInDebugRamdisk() {
- // for userdebug_plat_sepolicy.cil
- c.installPath = android.PathForModuleInstall(ctx)
- } else {
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- }
- c.installSource = cil
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-
- if !c.Installable() {
- c.SkipInstall()
- }
-}
-
-func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
- },
- },
- }}
-}
-
-func (c *policyCil) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyCil)(nil)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index a9aed60..03f8f19 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -19,11 +19,14 @@
"io"
"strings"
- "github.com/google/blueprint"
"github.com/google/blueprint/proptools"
"android/soong/android"
- "android/soong/sysprop"
+)
+
+const (
+ coreMode = "core"
+ recoveryMode = "recovery"
)
type selinuxContextsProperties struct {
@@ -51,6 +54,8 @@
// Make this module available when building for recovery
Recovery_available *bool
+
+ InRecovery bool `blueprint:"mutated"`
}
type fileContextsProperties struct {
@@ -67,15 +72,13 @@
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
- build func(ctx android.ModuleContext, inputs android.Paths) android.Path
- deps func(ctx android.BottomUpMutatorContext)
- outputPath android.Path
+ build func(ctx android.ModuleContext, inputs android.Paths)
+ outputPath android.ModuleGenPath
installPath android.InstallPath
}
var (
- reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
- syspropLibraryDepTag = dependencyTag{name: "sysprop_library"}
+ reuseContextsDepTag = dependencyTag{name: "reuseContexts"}
)
func init() {
@@ -85,50 +88,37 @@
android.RegisterModuleType("hwservice_contexts", hwServiceFactory)
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
- android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
+
+ android.PreDepsMutators(func(ctx android.RegisterMutatorsContext) {
+ ctx.BottomUp("selinux_contexts", selinuxContextsMutator).Parallel()
+ })
}
-func (m *selinuxContextsModule) InstallInRoot() bool {
- return m.InRecovery()
-}
-
-func (m *selinuxContextsModule) InstallInRecovery() bool {
- // ModuleBase.InRecovery() checks the image variant
- return m.InRecovery()
+func (m *selinuxContextsModule) inRecovery() bool {
+ return m.properties.InRecovery || m.ModuleBase.InstallInRecovery()
}
func (m *selinuxContextsModule) onlyInRecovery() bool {
- // ModuleBase.InstallInRecovery() checks commonProperties.Recovery property
return m.ModuleBase.InstallInRecovery()
}
-func (m *selinuxContextsModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- if m.deps != nil {
- m.deps(ctx)
- }
-
- if m.InRecovery() && !m.onlyInRecovery() {
- ctx.AddFarVariationDependencies([]blueprint.Variation{
- {Mutator: "image", Variation: android.CoreVariation},
- }, reuseContextsDepTag, ctx.ModuleName())
- }
+func (m *selinuxContextsModule) InstallInRecovery() bool {
+ return m.inRecovery()
}
-func (m *selinuxContextsModule) propertyContextsDeps(ctx android.BottomUpMutatorContext) {
- for _, lib := range sysprop.SyspropLibraries(ctx.Config()) {
- ctx.AddFarVariationDependencies([]blueprint.Variation{}, syspropLibraryDepTag, lib)
- }
+func (m *selinuxContextsModule) InstallInRoot() bool {
+ return m.inRecovery()
}
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if m.InRecovery() {
+ if m.inRecovery() {
// Installing context files at the root of the recovery partition
m.installPath = android.PathForModuleInstall(ctx)
} else {
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
}
- if m.InRecovery() && !m.onlyInRecovery() {
+ if m.inRecovery() && !m.onlyInRecovery() {
dep := ctx.GetDirectDepWithTag(m.Name(), reuseContextsDepTag)
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
@@ -151,9 +141,7 @@
if ctx.ProductSpecific() {
inputs = append(inputs, segroup.ProductPrivateSrcs()...)
} else if ctx.SocSpecific() {
- if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
- inputs = append(inputs, segroup.SystemVendorSrcs()...)
- }
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
inputs = append(inputs, segroup.VendorSrcs()...)
} else if ctx.DeviceSpecific() {
inputs = append(inputs, segroup.OdmSrcs()...)
@@ -161,15 +149,14 @@
inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
} else {
inputs = append(inputs, segroup.SystemPrivateSrcs()...)
- inputs = append(inputs, segroup.SystemPublicSrcs()...)
+
+ if ctx.Config().ProductCompatibleProperty() {
+ inputs = append(inputs, segroup.SystemPublicSrcs()...)
+ }
}
if proptools.Bool(m.properties.Reqd_mask) {
- if ctx.SocSpecific() || ctx.DeviceSpecific() {
- inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
- } else {
- inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
- }
+ inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
}
})
@@ -180,8 +167,7 @@
}
}
- m.outputPath = m.build(ctx, inputs)
- ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
+ m.build(ctx, inputs)
}
func newModule() *selinuxContextsModule {
@@ -218,13 +204,12 @@
return android.AndroidMkData{
Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
nameSuffix := ""
- if m.InRecovery() && !m.onlyInRecovery() {
+ if m.inRecovery() && !m.onlyInRecovery() {
nameSuffix = ".recovery"
}
fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
- data.Entries.WriteLicenseVariables(w)
fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
if m.Owner() != "" {
fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
@@ -238,100 +223,102 @@
}
}
-func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
- if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
- ctx.PropertyErrorf("recovery_available",
- "doesn't make sense at the same time as `recovery: true`")
+func selinuxContextsMutator(ctx android.BottomUpMutatorContext) {
+ m, ok := ctx.Module().(*selinuxContextsModule)
+ if !ok {
+ return
+ }
+
+ var coreVariantNeeded bool = true
+ var recoveryVariantNeeded bool = false
+ if proptools.Bool(m.properties.Recovery_available) {
+ recoveryVariantNeeded = true
+ }
+
+ if m.ModuleBase.InstallInRecovery() {
+ recoveryVariantNeeded = true
+ coreVariantNeeded = false
+ }
+
+ var variants []string
+ if coreVariantNeeded {
+ variants = append(variants, coreMode)
+ }
+ if recoveryVariantNeeded {
+ variants = append(variants, recoveryMode)
+ }
+ mod := ctx.CreateVariations(variants...)
+
+ for i, v := range variants {
+ if v == recoveryMode {
+ m := mod[i].(*selinuxContextsModule)
+ m.properties.InRecovery = true
+
+ if coreVariantNeeded {
+ ctx.AddInterVariantDependency(reuseContextsDepTag, m, mod[i-1])
+ }
+ }
}
}
-func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
- return !m.InstallInRecovery()
-}
+func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) {
+ m.outputPath = android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
-func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *selinuxContextsModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *selinuxContextsModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
- return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
-}
-
-func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
- return nil
-}
-
-func (m *selinuxContextsModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
-}
-
-var _ android.ImageInterface = (*selinuxContextsModule)(nil)
-
-func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
-
- rule := android.NewRuleBuilder(pctx, ctx)
+ rule := android.NewRuleBuilder()
rule.Command().
Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Inputs(inputs).
- FlagWithOutput("> ", ret)
+ FlagWithOutput("> ", m.outputPath)
if proptools.Bool(m.properties.Remove_comment) {
- rule.Temporary(ret)
+ rule.Temporary(m.outputPath)
remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
- Input(ret).
+ Input(m.outputPath).
FlagWithOutput("> ", remove_comment_output)
- ret = remove_comment_output
+ m.outputPath = remove_comment_output
}
if proptools.Bool(m.properties.Fc_sort) {
- rule.Temporary(ret)
+ rule.Temporary(m.outputPath)
sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
- FlagWithInput("-i ", ret).
+ FlagWithInput("-i ", m.outputPath).
FlagWithOutput("-o ", sorted_output)
- ret = sorted_output
+ m.outputPath = sorted_output
}
- rule.Build("selinux_contexts", "building contexts: "+m.Name())
+ rule.Build(pctx, ctx, "selinux_contexts", m.Name())
rule.DeleteTemporaryFiles()
- return ret
+ ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
}
-func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+func (m *selinuxContextsModule) buildFileContexts(ctx android.ModuleContext, inputs android.Paths) {
if m.properties.Fc_sort == nil {
m.properties.Fc_sort = proptools.BoolPtr(true)
}
- rule := android.NewRuleBuilder(pctx, ctx)
+ rule := android.NewRuleBuilder()
if ctx.Config().FlattenApex() {
for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
if m := android.SrcIsModule(src); m != "" {
ctx.ModuleErrorf(
"Module srcs dependency %q is not supported for flatten_apex.srcs", m)
- return nil
+ return
}
for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
@@ -349,8 +336,8 @@
}
}
- rule.Build(m.Name(), "flattened_apex_file_contexts")
- return m.buildGeneralContexts(ctx, inputs)
+ rule.Build(pctx, ctx, m.Name(), "flattened_apex_file_contexts")
+ m.buildGeneralContexts(ctx, inputs)
}
func fileFactory() android.Module {
@@ -360,122 +347,12 @@
return m
}
-func (m *selinuxContextsModule) buildHwServiceContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
+func (m *selinuxContextsModule) buildHwServiceContexts(ctx android.ModuleContext, inputs android.Paths) {
if m.properties.Remove_comment == nil {
m.properties.Remove_comment = proptools.BoolPtr(true)
}
- return m.buildGeneralContexts(ctx, inputs)
-}
-
-func (m *selinuxContextsModule) checkVendorPropertyNamespace(ctx android.ModuleContext, inputs android.Paths) android.Paths {
- shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
- ApiLevelR := android.ApiLevelOrPanic(ctx, "R")
-
- rule := android.NewRuleBuilder(pctx, ctx)
-
- // This list is from vts_treble_sys_prop_test.
- allowedPropertyPrefixes := []string{
- "ctl.odm.",
- "ctl.vendor.",
- "ctl.start$odm.",
- "ctl.start$vendor.",
- "ctl.stop$odm.",
- "ctl.stop$vendor.",
- "init.svc.odm.",
- "init.svc.vendor.",
- "ro.boot.",
- "ro.hardware.",
- "ro.odm.",
- "ro.vendor.",
- "odm.",
- "persist.odm.",
- "persist.vendor.",
- "vendor.",
- }
-
- // persist.camera is also allowed for devices launching with R or eariler
- if shippingApiLevel.LessThanOrEqualTo(ApiLevelR) {
- allowedPropertyPrefixes = append(allowedPropertyPrefixes, "persist.camera.")
- }
-
- var allowedContextPrefixes []string
-
- if shippingApiLevel.GreaterThanOrEqualTo(ApiLevelR) {
- // This list is from vts_treble_sys_prop_test.
- allowedContextPrefixes = []string{
- "vendor_",
- "odm_",
- }
- }
-
- var ret android.Paths
- for _, input := range inputs {
- cmd := rule.Command().
- BuiltTool("check_prop_prefix").
- FlagWithInput("--property-contexts ", input).
- FlagForEachArg("--allowed-property-prefix ", proptools.ShellEscapeList(allowedPropertyPrefixes)). // contains shell special character '$'
- FlagForEachArg("--allowed-context-prefix ", allowedContextPrefixes)
-
- if !ctx.DeviceConfig().BuildBrokenVendorPropertyNamespace() {
- cmd.Flag("--strict")
- }
-
- out := android.PathForModuleGen(ctx, "namespace_checked").Join(ctx, input.String())
- rule.Command().Text("cp -f").Input(input).Output(out)
- ret = append(ret, out)
- }
- rule.Build("check_namespace", "checking namespace of "+ctx.ModuleName())
- return ret
-}
-
-func (m *selinuxContextsModule) buildPropertyContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- // vendor/odm properties are enforced for devices launching with Android Q or later. So, if
- // vendor/odm, make sure that only vendor/odm properties exist.
- shippingApiLevel := ctx.DeviceConfig().ShippingApiLevel()
- ApiLevelQ := android.ApiLevelOrPanic(ctx, "Q")
- if (ctx.SocSpecific() || ctx.DeviceSpecific()) && shippingApiLevel.GreaterThanOrEqualTo(ApiLevelQ) {
- inputs = m.checkVendorPropertyNamespace(ctx, inputs)
- }
-
- builtCtxFile := m.buildGeneralContexts(ctx, inputs)
-
- var apiFiles android.Paths
- ctx.VisitDirectDepsWithTag(syspropLibraryDepTag, func(c android.Module) {
- i, ok := c.(interface{ CurrentSyspropApiFile() android.OptionalPath })
- if !ok {
- panic(fmt.Errorf("unknown dependency %q for %q", ctx.OtherModuleName(c), ctx.ModuleName()))
- }
- if api := i.CurrentSyspropApiFile(); api.Valid() {
- apiFiles = append(apiFiles, api.Path())
- }
- })
-
- // check compatibility with sysprop_library
- if len(apiFiles) > 0 {
- out := android.PathForModuleGen(ctx, ctx.ModuleName()+"_api_checked")
- rule := android.NewRuleBuilder(pctx, ctx)
-
- msg := `\n******************************\n` +
- `API of sysprop_library doesn't match with property_contexts\n` +
- `Please fix the breakage and rebuild.\n` +
- `******************************\n`
-
- rule.Command().
- Text("( ").
- BuiltTool("sysprop_type_checker").
- FlagForEachInput("--api ", apiFiles).
- FlagWithInput("--context ", builtCtxFile).
- Text(" || ( echo").Flag("-e").
- Flag(`"` + msg + `"`).
- Text("; exit 38) )")
-
- rule.Command().Text("cp -f").Input(builtCtxFile).Output(out)
- rule.Build("property_contexts_check_api", "checking API: "+m.Name())
- builtCtxFile = out
- }
-
- return builtCtxFile
+ m.buildGeneralContexts(ctx, inputs)
}
func hwServiceFactory() android.Module {
@@ -486,18 +363,11 @@
func propertyFactory() android.Module {
m := newModule()
- m.build = m.buildPropertyContexts
- m.deps = m.propertyContextsDeps
- return m
-}
-
-func serviceFactory() android.Module {
- m := newModule()
m.build = m.buildGeneralContexts
return m
}
-func keystoreKeyFactory() android.Module {
+func serviceFactory() android.Module {
m := newModule()
m.build = m.buildGeneralContexts
return m
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
deleted file mode 100644
index 0d938e7..0000000
--- a/build/soong/sepolicy_vers.go
+++ /dev/null
@@ -1,114 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "fmt"
-
- "github.com/google/blueprint/proptools"
-
- "android/soong/android"
-)
-
-func init() {
- android.RegisterModuleType("sepolicy_vers", sepolicyVersFactory)
-}
-
-// sepolicy_vers prints sepolicy version string to {partition}/etc/selinux.
-func sepolicyVersFactory() android.Module {
- v := &sepolicyVers{}
- v.AddProperties(&v.properties)
- android.InitAndroidArchModule(v, android.DeviceSupported, android.MultilibCommon)
- return v
-}
-
-type sepolicyVers struct {
- android.ModuleBase
- properties sepolicyVersProperties
- installSource android.Path
- installPath android.InstallPath
-}
-
-type sepolicyVersProperties struct {
- // Version to output. Can be "platform" for PLATFORM_SEPOLICY_VERSION, "vendor" for
- // BOARD_SEPOLICY_VERS
- Version *string
-
- // Output file name. Defaults to module name if unspecified.
- Stem *string
-
- // Whether this module is directly installable to one of the partitions. Default is true
- Installable *bool
-}
-
-func (v *sepolicyVers) installable() bool {
- return proptools.BoolDefault(v.properties.Installable, true)
-}
-
-func (v *sepolicyVers) stem() string {
- return proptools.StringDefault(v.properties.Stem, v.Name())
-}
-
-func (v *sepolicyVers) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
-func (v *sepolicyVers) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- var ver string
- switch proptools.String(v.properties.Version) {
- case "platform":
- ver = ctx.DeviceConfig().PlatformSepolicyVersion()
- case "vendor":
- ver = ctx.DeviceConfig().BoardSepolicyVers()
- default:
- ctx.PropertyErrorf("version", `should be either "platform" or "vendor"`)
- }
-
- out := android.PathForModuleGen(ctx, v.stem())
-
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("echo").Text(ver).Text(">").Output(out)
- rule.Build("sepolicy_vers", v.Name())
-
- v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- v.installSource = out
- ctx.InstallFile(v.installPath, v.stem(), v.installSource)
-
- if !v.installable() {
- v.SkipInstall()
- }
-}
-
-func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "ETC",
- OutputFile: android.OptionalPathForPath(v.installSource),
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
- },
- },
- }}
-}
-
-func (v *sepolicyVers) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{v.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*sepolicyVers)(nil)
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
deleted file mode 100644
index f25cd59..0000000
--- a/build/soong/versioned_policy.go
+++ /dev/null
@@ -1,187 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "fmt"
- "os"
- "strconv"
-
- "github.com/google/blueprint/proptools"
-
- "android/soong/android"
-)
-
-func init() {
- android.RegisterModuleType("se_versioned_policy", versionedPolicyFactory)
-}
-
-type versionedPolicyProperties struct {
- // Base cil file for versioning.
- Base *string `android:"path"`
-
- // Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
- Stem *string
-
- // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
- // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
- Version *string
-
- // If true, generate mapping file from given base cil file. Cannot be set with target_policy.
- Mapping *bool
-
- // If given, version target policy file according to base policy. Cannot be set with mapping.
- Target_policy *string `android:"path"`
-
- // Cil files to be filtered out by the filter_out tool of "build_sepolicy".
- Filter_out []string `android:"path"`
-
- // Cil files to which this mapping file depends. If specified, secilc checks whether the output
- // file can be merged with specified cil files or not.
- Dependent_cils []string `android:"path"`
-
- // Whether this module is directly installable to one of the partitions. Default is true
- Installable *bool
-
- // install to a subdirectory of the default install path for the module
- Relative_install_path *string
-}
-
-type versionedPolicy struct {
- android.ModuleBase
-
- properties versionedPolicyProperties
-
- installSource android.Path
- installPath android.InstallPath
-}
-
-// se_versioned_policy generates versioned cil file with "version_policy". This can generate either
-// mapping file for public plat policies, or associate a target policy file with the version that
-// non-platform policy targets.
-func versionedPolicyFactory() android.Module {
- m := &versionedPolicy{}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-func (m *versionedPolicy) installable() bool {
- return proptools.BoolDefault(m.properties.Installable, true)
-}
-
-func (m *versionedPolicy) DepsMutator(ctx android.BottomUpMutatorContext) {
- // do nothing
-}
-
-func (m *versionedPolicy) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- version := proptools.StringDefault(m.properties.Version, "current")
- if version == "current" {
- version = ctx.DeviceConfig().PlatformSepolicyVersion()
- }
-
- var stem string
- if s := proptools.String(m.properties.Stem); s != "" {
- stem = s
- } else if proptools.Bool(m.properties.Mapping) {
- stem = version + ".cil"
- } else {
- stem = ctx.ModuleName()
- }
-
- out := android.PathForModuleOut(ctx, stem)
- rule := android.NewRuleBuilder(pctx, ctx)
-
- if proptools.String(m.properties.Base) == "" {
- ctx.PropertyErrorf("base", "must be specified")
- return
- }
-
- versionCmd := rule.Command().BuiltTool("version_policy").
- FlagWithInput("-b ", android.PathForModuleSrc(ctx, *m.properties.Base)).
- FlagWithArg("-n ", version).
- FlagWithOutput("-o ", out)
-
- if proptools.Bool(m.properties.Mapping) && proptools.String(m.properties.Target_policy) != "" {
- ctx.ModuleErrorf("Can't set both mapping and target_policy")
- return
- }
-
- if proptools.Bool(m.properties.Mapping) {
- versionCmd.Flag("-m")
- } else if target := proptools.String(m.properties.Target_policy); target != "" {
- versionCmd.FlagWithInput("-t ", android.PathForModuleSrc(ctx, target))
- } else {
- ctx.ModuleErrorf("Either mapping or target_policy must be set")
- return
- }
-
- if len(m.properties.Filter_out) > 0 {
- rule.Command().BuiltTool("build_sepolicy").
- Text("filter_out").
- Flag("-f").
- Inputs(android.PathsForModuleSrc(ctx, m.properties.Filter_out)).
- FlagWithOutput("-t ", out)
- }
-
- if len(m.properties.Dependent_cils) > 0 {
- rule.Command().BuiltTool("secilc").
- Flag("-m").
- FlagWithArg("-M ", "true").
- Flag("-G").
- Flag("-N").
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- Inputs(android.PathsForModuleSrc(ctx, m.properties.Dependent_cils)).
- Text(out.String()).
- FlagWithArg("-o ", os.DevNull).
- FlagWithArg("-f ", os.DevNull)
- }
-
- rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
-
- m.installSource = out
- m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
- m.installPath = m.installPath.Join(ctx, subdir)
- }
- ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
-
- if !m.installable() {
- m.SkipInstall()
- }
-}
-
-func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- OutputFile: android.OptionalPathForPath(m.installSource),
- Class: "ETC",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
- },
- },
- }}
-}
-
-func (m *versionedPolicy) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{m.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyConf)(nil)
diff --git a/compat.mk b/compat.mk
index 4aed864..5e6dc41 100644
--- a/compat.mk
+++ b/compat.mk
@@ -5,9 +5,6 @@
# build this target to ensure the compat permissions files all build against the current policy
#
LOCAL_MODULE := $(version)_compat_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_REQUIRED_MODULES := $(version).compat.cil
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
@@ -18,6 +15,7 @@
$(built_plat_cil) \
$(built_plat_mapping_cil) \
$(built_pub_vers_cil) \
+ $(built_vendor_cil) \
$(ALL_MODULES.$(version).compat.cil.BUILT) \
ifdef HAS_SYSTEM_EXT_SEPOLICY
@@ -36,16 +34,10 @@
all_cil_files += $(built_product_mapping_cil)
endif
-ifneq ($(mixed_sepolicy_build),true)
-
-all_cil_files += $(built_vendor_cil)
-
ifdef BOARD_ODM_SEPOLICY_DIRS
all_cil_files += $(built_odm_cil)
endif
-endif # ifneq ($(mixed_sepolicy_build),true)
-
$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
@mkdir -p $(dir $@)
diff --git a/contexts_tests.mk b/contexts_tests.mk
index 1189b83..da5dd83 100644
--- a/contexts_tests.mk
+++ b/contexts_tests.mk
@@ -17,234 +17,197 @@
# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
# Run host-side test with contexts files and the sepolicy file.
-# $(1): names of modules containing context files
+# $(1): paths to contexts files
# $(2): path to the host tool
# $(3): additional argument to be passed to the tool
define run_contexts_test
-my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
-$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $(1)
$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
-$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $(1) $$(built_sepolicy)
$$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
$$(hide) mkdir -p $$(dir $$@)
$$(hide) touch $$@
-my_contexts :=
endef
+system_out := $(TARGET_OUT)/etc/selinux
+system_ext_out := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
+product_out := $(TARGET_OUT_PRODUCT)/etc/selinux
+vendor_out := $(TARGET_OUT_VENDOR)/etc/selinux
+odm_out := $(TARGET_OUT_ODM)/etc/selinux
+
checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
##################################
LOCAL_MODULE := plat_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
+
+$(eval $(call run_contexts_test, $(system_out)/plat_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, $(product_out)/product_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, $(vendor_out)/vendor_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_file_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
+$(eval $(call run_contexts_test, $(odm_out)/odm_file_contexts, $(checkfc),))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, $(system_out)/plat_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, $(product_out)/product_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, $(vendor_out)/vendor_hwservice_contexts, $(checkfc), -e -l))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_hwservice_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
+$(eval $(call run_contexts_test, $(odm_out)/odm_hwservice_contexts, $(checkfc), -e -l))
##################################
-pc_modules := plat_property_contexts
+pc_files := $(system_out)/plat_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := plat_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
##################################
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-pc_modules += system_ext_property_contexts
+pc_files += $(system_ext_out)/system_ext_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
endif
##################################
-pc_modules += vendor_property_contexts
+pc_files += $(vendor_out)/vendor_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
##################################
ifdef BOARD_ODM_SEPOLICY_DIRS
-pc_modules += odm_property_contexts
+pc_files += $(odm_out)/odm_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := odm_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
endif
@@ -252,66 +215,54 @@
ifdef HAS_PRODUCT_SEPOLICY_DIR
-pc_modules += product_property_contexts
+pc_files += $(product_out)/product_property_contexts
include $(CLEAR_VARS)
LOCAL_MODULE := product_property_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+$(eval $(call run_contexts_test, $(pc_files), $(property_info_checker),))
endif
-pc_modules :=
+pc_files :=
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, $(system_out)/plat_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, $(system_ext_out)/system_ext_service_contexts, $(checkfc), -s))
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, $(product_out)/product_service_contexts, $(checkfc), -s))
##################################
# nonplat_service_contexts is only allowed on non-full-treble devices
@@ -320,18 +271,19 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_service_contexts_test
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
include $(BUILD_SYSTEM)/base_rules.mk
-$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
+$(eval $(call run_contexts_test, $(vendor_out)/vendor_service_contexts, $(checkfc), -s))
endif
+system_out :=
+product_out :=
+vendor_out :=
+odm_out :=
checkfc :=
property_info_checker :=
run_contexts_test :=
diff --git a/definitions.mk b/definitions.mk
index 63c4d94..2ecdbdc 100644
--- a/definitions.mk
+++ b/definitions.mk
@@ -12,28 +12,9 @@
-D target_full_treble=$(PRIVATE_SEPOLICY_SPLIT) \
-D target_compatible_property=$(PRIVATE_COMPATIBLE_PROPERTY) \
-D target_treble_sysprop_neverallow=$(PRIVATE_TREBLE_SYSPROP_NEVERALLOW) \
- -D target_enforce_sysprop_owner=$(PRIVATE_ENFORCE_SYSPROP_OWNER) \
-D target_exclude_build_test=$(PRIVATE_EXCLUDE_BUILD_TEST) \
-D target_requires_insecure_execmem_for_swiftshader=$(PRODUCT_REQUIRES_INSECURE_EXECMEM_FOR_SWIFTSHADER) \
- -D target_enforce_debugfs_restriction=$(PRIVATE_ENFORCE_DEBUGFS_RESTRICTION) \
$(PRIVATE_TGT_RECOVERY) \
-s $(PRIVATE_POLICY_FILES) > $@
endef
.KATI_READONLY := transform-policy-to-conf
-
-###########################################################
-## Collect file_contexts files into a single tmp file with m4
-##
-## $(1): list of file_contexts files
-## $(2): filename into which file_contexts files are merged
-###########################################################
-
-define _merge-fc-files
-$(2): $(1) $(M4)
- $(hide) mkdir -p $$(dir $$@)
- $(hide) $(M4) --fatal-warnings -s $(1) > $$@
-endef
-
-define merge-fc-files
-$(eval $(call _merge-fc-files,$(1),$(2)))
-endef
diff --git a/mac_permissions.mk b/mac_permissions.mk
index 566c82b..3cc0151 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -1,9 +1,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -42,9 +39,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -58,9 +52,9 @@
system_ext_mac_perms_keys.tmp := $(intermediates)/system_ext_keys.tmp
$(system_ext_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(system_ext_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_system_ext_mac_perms_keys)
-$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys) $(M4)
+$(system_ext_mac_perms_keys.tmp): $(all_system_ext_mac_perms_keys)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -76,9 +70,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := product_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -92,9 +83,9 @@
product_mac_perms_keys.tmp := $(intermediates)/product_keys.tmp
$(product_mac_perms_keys.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
$(product_mac_perms_keys.tmp): PRIVATE_KEYS := $(all_product_mac_perms_keys)
-$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys) $(M4)
+$(product_mac_perms_keys.tmp): $(all_product_mac_perms_keys)
@mkdir -p $(dir $@)
- $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $^ > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
@@ -110,9 +101,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -145,9 +133,6 @@
include $(CLEAR_VARS)
LOCAL_MODULE := odm_mac_permissions.xml
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
diff --git a/prebuilt_policy.mk b/prebuilt_policy.mk
deleted file mode 100644
index e46f92a..0000000
--- a/prebuilt_policy.mk
+++ /dev/null
@@ -1,321 +0,0 @@
-# Copyright (C) 2020 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-# prebuilt_policy.mk generates policy files from prebuilts of BOARD_SEPOLICY_VERS.
-# The policy files will only be used to compile vendor and odm policies.
-#
-# Specifically, the following prebuilts are used...
-# - system/sepolicy/prebuilts/api/{BOARD_SEPOLICY_VERS}
-# - BOARD_PLAT_VENDOR_POLICY (copy of system/sepolicy/vendor from a previous release)
-# - BOARD_REQD_MASK_POLICY (copy of reqd_mask from a previous release)
-# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (copy of system_ext public from a previous release)
-# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (copy of system_ext private from a previous release)
-# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (copy of product public from a previous release)
-# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (copy of product private from a previous release)
-#
-# ... to generate following policy files.
-#
-# - reqd policy mask
-# - plat, system_ext, product public policy
-# - plat, system_ext, product policy
-# - plat, system_ext, product versioned policy
-#
-# These generated policy files will be used only when building vendor policies.
-# They are not installed to system, system_ext, or product partition.
-ver := $(BOARD_SEPOLICY_VERS)
-prebuilt_dir := $(LOCAL_PATH)/prebuilts/api/$(ver)
-plat_public_policy_$(ver) := $(prebuilt_dir)/public
-plat_private_policy_$(ver) := $(prebuilt_dir)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-
-##################################
-# policy-to-conf-rule: a helper macro to transform policy files to conf file.
-#
-# This expands to a set of rules which assign variables for transform-policy-to-conf and then call
-# transform-policy-to-conf. Before calling this, policy_files must be set with build_policy macro.
-#
-# $(1): output path (.conf file)
-define policy-to-conf-rule
-$(1): PRIVATE_MLS_SENS := $$(MLS_SENS)
-$(1): PRIVATE_MLS_CATS := $$(MLS_CATS)
-$(1): PRIVATE_TARGET_BUILD_VARIANT := $$(TARGET_BUILD_VARIANT)
-$(1): PRIVATE_TGT_ARCH := $$(my_target_arch)
-$(1): PRIVATE_TGT_WITH_ASAN := $$(with_asan)
-$(1): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $$(with_native_coverage)
-$(1): PRIVATE_ADDITIONAL_M4DEFS := $$(LOCAL_ADDITIONAL_M4DEFS)
-$(1): PRIVATE_SEPOLICY_SPLIT := $$(PRODUCT_SEPOLICY_SPLIT)
-$(1): PRIVATE_COMPATIBLE_PROPERTY := $$(PRODUCT_COMPATIBLE_PROPERTY)
-$(1): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $$(treble_sysprop_neverallow)
-$(1): PRIVATE_ENFORCE_SYSPROP_OWNER := $$(enforce_sysprop_owner)
-$(1): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $$(enforce_debugfs_restriction)
-$(1): PRIVATE_POLICY_FILES := $$(policy_files)
-$(1): $$(policy_files) $$(M4)
- $$(transform-policy-to-conf)
-endef
-
-##################################
-# reqd_policy_mask_$(ver).cil
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), $(BOARD_REQD_MASK_POLICY))
-reqd_policy_mask_$(ver).conf := $(intermediates)/reqd_policy_mask_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(reqd_policy_mask_$(ver).conf)))
-
-# b/37755687
-CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
-
-reqd_policy_mask_$(ver).cil := $(intermediates)/reqd_policy_mask_$(ver).cil
-$(reqd_policy_mask_$(ver).cil): $(reqd_policy_mask_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -C -M -c \
- $(POLICYVERS) -o $@ $<
-
-reqd_policy_mask_$(ver).conf :=
-
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-
-##################################
-# plat_pub_policy_$(ver).cil: exported plat policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(reqd_policy_$(ver)))
-plat_pub_policy_$(ver).conf := $(intermediates)/plat_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_pub_policy_$(ver).conf)))
-
-plat_pub_policy_$(ver).cil := $(intermediates)/plat_pub_policy_$(ver).cil
-$(plat_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(plat_pub_policy_$(ver).conf)
-$(plat_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(plat_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(plat_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-plat_pub_policy_$(ver).conf :=
-
-##################################
-# plat_mapping_cil_$(ver).cil: versioned exported system policy
-#
-plat_mapping_cil_$(ver) := $(intermediates)/plat_mapping_$(ver).cil
-$(plat_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(plat_mapping_cil_$(ver)) : $(plat_pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy
- @mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
-built_plat_mapping_cil_$(ver) := $(plat_mapping_cil_$(ver))
-
-##################################
-# plat_policy_$(ver).cil: system policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) )
-plat_policy_$(ver).conf := $(intermediates)/plat_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(plat_policy_$(ver).conf)))
-
-plat_policy_$(ver).cil := $(intermediates)/plat_policy_$(ver).cil
-$(plat_policy_$(ver).cil): PRIVATE_ADDITIONAL_CIL_FILES := \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
-$(plat_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(plat_policy_$(ver).cil): $(plat_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
- $(HOST_OUT_EXECUTABLES)/secilc \
- $(call build_policy, $(sepolicy_build_cil_workaround_files), $(plat_private_policy_$(ver)))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@.tmp $<
- $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@.tmp
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@.tmp -o /dev/null -f /dev/null
- $(hide) mv $@.tmp $@
-
-plat_policy_$(ver).conf :=
-
-built_plat_cil_$(ver) := $(plat_policy_$(ver).cil)
-
-ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-##################################
-# system_ext_pub_policy_$(ver).cil: exported system and system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) $(reqd_policy_$(ver)))
-system_ext_pub_policy_$(ver).conf := $(intermediates)/system_ext_pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_pub_policy_$(ver).conf)))
-
-system_ext_pub_policy_$(ver).cil := $(intermediates)/system_ext_pub_policy_$(ver).cil
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(system_ext_pub_policy_$(ver).conf)
-$(system_ext_pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(system_ext_pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(system_ext_pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-system_ext_pub_policy_$(ver).conf :=
-
-##################################
-# system_ext_policy_$(ver).cil: system_ext policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) )
-system_ext_policy_$(ver).conf := $(intermediates)/system_ext_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(system_ext_policy_$(ver).conf)))
-
-system_ext_policy_$(ver).cil := $(intermediates)/system_ext_policy_$(ver).cil
-$(system_ext_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(system_ext_policy_$(ver).cil): PRIVATE_PLAT_CIL := $(built_plat_cil_$(ver))
-$(system_ext_policy_$(ver).cil): $(system_ext_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil and system_ext_sepolicy.cil to make sure that the
- # latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL) $@ -o /dev/null -f /dev/null
-
-system_ext_policy_$(ver).conf :=
-
-built_system_ext_cil_$(ver) := $(system_ext_policy_$(ver).cil)
-
-##################################
-# system_ext_mapping_cil_$(ver).cil: versioned exported system_ext policy
-#
-system_ext_mapping_cil_$(ver) := $(intermediates)/system_ext_mapping_$(ver).cil
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(system_ext_mapping_cil_$(ver)) : PRIVATE_PLAT_MAPPING_CIL := $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(system_ext_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(system_ext_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(system_ext_mapping_cil_$(ver)) : $(system_ext_pub_policy_$(ver).cil)
- @mkdir -p $(dir $@)
- # Generate system_ext mapping file as mapping file of 'system' (plat) and 'system_ext'
- # sepolicy minus plat_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_MAPPING_CIL) -t $@
-
-built_system_ext_mapping_cil_$(ver) := $(system_ext_mapping_cil_$(ver))
-
-endif # ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_policy_$(ver).cil: product policy
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(plat_private_policy_$(ver)) \
- $(system_ext_public_policy_$(ver)) $(system_ext_private_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(product_private_policy_$(ver)) )
-product_policy_$(ver).conf := $(intermediates)/product_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(product_policy_$(ver).conf)))
-
-product_policy_$(ver).cil := $(intermediates)/product_policy_$(ver).cil
-$(product_policy_$(ver).cil): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
-$(product_policy_$(ver).cil): PRIVATE_PLAT_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
-$(product_policy_$(ver).cil): $(product_policy_$(ver).conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(HOST_OUT_EXECUTABLES)/secilc \
-$(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver))
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
- $(POLICYVERS) -o $@ $<
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_PLAT_CIL_FILES) -t $@
- # Line markers (denoted by ;;) are malformed after above cmd. They are only
- # used for debugging, so we remove them.
- $(hide) grep -v ';;' $@ > $@.tmp
- $(hide) mv $@.tmp $@
- # Combine plat_sepolicy.cil, system_ext_sepolicy.cil and product_sepolicy.cil to
- # make sure that the latter doesn't accidentally depend on vendor/odm policies.
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) \
- $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_PLAT_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-product_policy_$(ver).conf :=
-
-built_product_cil_$(ver) := $(product_policy_$(ver).cil)
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# pub_policy_$(ver).cil: exported plat, system_ext, and product policies
-#
-policy_files := $(call build_policy, $(sepolicy_build_files), \
- $(plat_public_policy_$(ver)) $(system_ext_public_policy_$(ver)) \
- $(product_public_policy_$(ver)) $(reqd_policy_$(ver)) )
-pub_policy_$(ver).conf := $(intermediates)/pub_policy_$(ver).conf
-$(eval $(call policy-to-conf-rule,$(pub_policy_$(ver).conf)))
-
-pub_policy_$(ver).cil := $(intermediates)/pub_policy_$(ver).cil
-$(pub_policy_$(ver).cil): PRIVATE_POL_CONF := $(pub_policy_$(ver).conf)
-$(pub_policy_$(ver).cil): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(ver).cil)
-$(pub_policy_$(ver).cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
-$(HOST_OUT_EXECUTABLES)/build_sepolicy $(pub_policy_$(ver).conf) $(reqd_policy_mask_$(ver).cil)
- @mkdir -p $(dir $@)
- $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_REQD_MASK) -t $@
-
-pub_policy_$(ver).conf :=
-
-ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# product_mapping_cil_$(ver).cil: versioned exported product policy
-#
-product_mapping_cil_$(ver) := $(intermediates)/product_mapping_cil_$(ver).cil
-$(product_mapping_cil_$(ver)) : PRIVATE_VERS := $(ver)
-$(product_mapping_cil_$(ver)) : PRIVATE_FILTER_CIL_FILES := $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(pub_policy_$(ver).cil)
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/build_sepolicy
-$(product_mapping_cil_$(ver)) : $(HOST_OUT_EXECUTABLES)/version_policy
-$(product_mapping_cil_$(ver)) : $(built_plat_mapping_cil_$(ver))
-$(product_mapping_cil_$(ver)) : $(built_system_ext_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- # Generate product mapping file as mapping file of all public sepolicy minus
- # plat_mapping_file and system_ext_mapping_file.
- $(hide) $(HOST_OUT_EXECUTABLES)/version_policy -b $< -m -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
- -f $(PRIVATE_FILTER_CIL_FILES) -t $@
-
-built_product_mapping_cil_$(ver) := $(product_mapping_cil_$(ver))
-
-endif # ifdef HAS_PRODUCT_SEPOLICY_DIR
-
-##################################
-# plat_pub_versioned_$(ver).cil - the exported platform policy
-#
-plat_pub_versioned_$(ver).cil := $(intermediates)/plat_pub_versioned_$(ver).cil
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_VERS := $(ver)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_TGT_POL := $(pub_policy_$(ver).cil)
-$(plat_pub_versioned_$(ver).cil) : PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) \
-$(built_product_cil_$(ver)) $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) \
-$(built_product_mapping_cil_$(ver))
-$(plat_pub_versioned_$(ver).cil) : $(pub_policy_$(ver).cil) $(HOST_OUT_EXECUTABLES)/version_policy \
- $(HOST_OUT_EXECUTABLES)/secilc $(built_plat_cil_$(ver)) $(built_system_ext_cil_$(ver)) $(built_product_cil_$(ver)) \
- $(built_plat_mapping_cil_$(ver)) $(built_system_ext_mapping_cil_$(ver)) $(built_product_mapping_cil_$(ver))
- @mkdir -p $(dir $@)
- $(HOST_OUT_EXECUTABLES)/version_policy -b $< -t $(PRIVATE_TGT_POL) -n $(PRIVATE_VERS) -o $@
- $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
- $(PRIVATE_DEP_CIL_FILES) $@ -o /dev/null -f /dev/null
-
-built_pub_vers_cil_$(ver) := $(plat_pub_versioned_$(ver).cil)
diff --git a/prebuilts/api/26.0/private/app.te b/prebuilts/api/26.0/private/app.te
index da8c67b..6f2b820 100644
--- a/prebuilts/api/26.0/private/app.te
+++ b/prebuilts/api/26.0/private/app.te
@@ -494,7 +494,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Denylist app domains not allowed to execute from /data
+# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -515,7 +515,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/26.0/private/domain.te b/prebuilts/api/26.0/private/domain.te
index 999c16a..d37a0bd 100644
--- a/prebuilts/api/26.0/private/domain.te
+++ b/prebuilts/api/26.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/26.0/private/incidentd.te b/prebuilts/api/26.0/private/incidentd.te
index 64e174f..efd23bd 100644
--- a/prebuilts/api/26.0/private/incidentd.te
+++ b/prebuilts/api/26.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/26.0/private/system_server.te b/prebuilts/api/26.0/private/system_server.te
index 2e14d18..05e4773 100644
--- a/prebuilts/api/26.0/private/system_server.te
+++ b/prebuilts/api/26.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -92,7 +92,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/26.0/public/domain.te b/prebuilts/api/26.0/public/domain.te
index 3adefd1..d2b370a 100644
--- a/prebuilts/api/26.0/public/domain.te
+++ b/prebuilts/api/26.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -223,7 +223,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a allowlist.
+# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -234,7 +234,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowlisted domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -243,7 +243,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -343,7 +343,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -445,7 +445,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -668,7 +668,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -722,7 +722,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -923,7 +923,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/26.0/public/hal_wifi_supplicant.te b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
index 028440c..0f2540e 100644
--- a/prebuilts/api/26.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/26.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/26.0/public/netd.te b/prebuilts/api/26.0/public/netd.te
index 80fb76d..691887f 100644
--- a/prebuilts/api/26.0/public/netd.te
+++ b/prebuilts/api/26.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/26.0/public/vendor_toolbox.te b/prebuilts/api/26.0/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/prebuilts/api/26.0/public/vendor_toolbox.te
+++ b/prebuilts/api/26.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/27.0/private/app.te b/prebuilts/api/27.0/private/app.te
index c53fa36..9251ed9 100644
--- a/prebuilts/api/27.0/private/app.te
+++ b/prebuilts/api/27.0/private/app.te
@@ -512,7 +512,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Denylist app domains not allowed to execute from /data
+# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -533,7 +533,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/27.0/private/domain.te b/prebuilts/api/27.0/private/domain.te
index 999c16a..d37a0bd 100644
--- a/prebuilts/api/27.0/private/domain.te
+++ b/prebuilts/api/27.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/27.0/private/incidentd.te b/prebuilts/api/27.0/private/incidentd.te
index 64e174f..efd23bd 100644
--- a/prebuilts/api/27.0/private/incidentd.te
+++ b/prebuilts/api/27.0/private/incidentd.te
@@ -66,7 +66,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/27.0/private/isolated_app.te b/prebuilts/api/27.0/private/isolated_app.te
index fbfb8a5..37935c3 100644
--- a/prebuilts/api/27.0/private/isolated_app.te
+++ b/prebuilts/api/27.0/private/isolated_app.te
@@ -74,7 +74,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
+# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/27.0/private/system_server.te b/prebuilts/api/27.0/private/system_server.te
index 3a5b53b..40c5382 100644
--- a/prebuilts/api/27.0/private/system_server.te
+++ b/prebuilts/api/27.0/private/system_server.te
@@ -50,7 +50,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -95,7 +95,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/27.0/public/domain.te b/prebuilts/api/27.0/public/domain.te
index e9ae56c..f5c72cc 100644
--- a/prebuilts/api/27.0/public/domain.te
+++ b/prebuilts/api/27.0/public/domain.te
@@ -195,19 +195,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -226,7 +226,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a allowlist.
+# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# TIOCSTI is only ever used for exploits. Block it.
@@ -237,7 +237,7 @@
# Do not allow any domain other than init or recovery to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowlisted domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -246,7 +246,7 @@
-vold
} self:capability mknod;
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -347,7 +347,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -448,7 +448,7 @@
neverallow { domain -init } mmc_prop:property_service set;
# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -664,7 +664,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -718,7 +718,7 @@
} vendor_shell_exec:file { execute execute_no_trans };
# Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -916,7 +916,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/27.0/public/hal_wifi_supplicant.te b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
index 028440c..0f2540e 100644
--- a/prebuilts/api/27.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/27.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/27.0/public/netd.te b/prebuilts/api/27.0/public/netd.te
index 7f7872e..aa99da2 100644
--- a/prebuilts/api/27.0/public/netd.te
+++ b/prebuilts/api/27.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/27.0/public/vendor_toolbox.te b/prebuilts/api/27.0/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/prebuilts/api/27.0/public/vendor_toolbox.te
+++ b/prebuilts/api/27.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/28.0/private/domain.te b/prebuilts/api/28.0/private/domain.te
index 5053c28..fb6ba4f 100644
--- a/prebuilts/api/28.0/private/domain.te
+++ b/prebuilts/api/28.0/private/domain.te
@@ -4,7 +4,7 @@
allow domain crash_dump:process sigchld;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
diff --git a/prebuilts/api/28.0/private/incidentd.te b/prebuilts/api/28.0/private/incidentd.te
index 35b184c..6b248f1 100644
--- a/prebuilts/api/28.0/private/incidentd.te
+++ b/prebuilts/api/28.0/private/incidentd.te
@@ -115,7 +115,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/28.0/private/isolated_app.te b/prebuilts/api/28.0/private/isolated_app.te
index 6af6040..a6276b3 100644
--- a/prebuilts/api/28.0/private/isolated_app.te
+++ b/prebuilts/api/28.0/private/isolated_app.te
@@ -77,7 +77,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
+# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/28.0/private/perfetto.te b/prebuilts/api/28.0/private/perfetto.te
index 67725bf..9ac5d87 100644
--- a/prebuilts/api/28.0/private/perfetto.te
+++ b/prebuilts/api/28.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/28.0/private/system_server.te b/prebuilts/api/28.0/private/system_server.te
index 2927e0b..fa84c32 100644
--- a/prebuilts/api/28.0/private/system_server.te
+++ b/prebuilts/api/28.0/private/system_server.te
@@ -46,7 +46,7 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
@@ -91,7 +91,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/28.0/private/traced_probes.te b/prebuilts/api/28.0/private/traced_probes.te
index e32e2e6..5d80f7e 100644
--- a/prebuilts/api/28.0/private/traced_probes.te
+++ b/prebuilts/api/28.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
+# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
')
diff --git a/prebuilts/api/28.0/public/app.te b/prebuilts/api/28.0/public/app.te
index 55308da..439c1f8 100644
--- a/prebuilts/api/28.0/public/app.te
+++ b/prebuilts/api/28.0/public/app.te
@@ -530,7 +530,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Denylist app domains not allowed to execute from /data
+# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -551,7 +551,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/28.0/public/domain.te b/prebuilts/api/28.0/public/domain.te
index 2533aec..e9337b6 100644
--- a/prebuilts/api/28.0/public/domain.te
+++ b/prebuilts/api/28.0/public/domain.te
@@ -257,19 +257,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
### neverallow rules
###
-# All socket ioctls must be restricted to a allowlist.
+# All socket ioctls must be restricted to a whitelist.
neverallowxperm domain domain:socket_class_set ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -303,7 +303,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowlisted domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -312,7 +312,7 @@
-vold
} self:global_capability_class_set mknod;
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -424,7 +424,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
#
neverallow {
domain
@@ -552,7 +552,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -928,7 +928,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -997,7 +997,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -1014,7 +1014,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones allowlisted here.
+ # except for the ones whitelisted here.
neverallow {
coredomain
-init
@@ -1224,7 +1224,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/28.0/public/hal_wifi_supplicant.te b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
index 3778515..6bf0d32 100644
--- a/prebuilts/api/28.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/28.0/public/hal_wifi_supplicant.te
@@ -5,7 +5,7 @@
add_hwservice(hal_wifi_supplicant_server, hal_wifi_supplicant_hwservice)
allow hal_wifi_supplicant_client hal_wifi_supplicant_hwservice:hwservice_manager find;
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/28.0/public/netd.te b/prebuilts/api/28.0/public/netd.te
index 1fb3d48..18113e7 100644
--- a/prebuilts/api/28.0/public/netd.te
+++ b/prebuilts/api/28.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/28.0/public/vendor_toolbox.te b/prebuilts/api/28.0/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/prebuilts/api/28.0/public/vendor_toolbox.te
+++ b/prebuilts/api/28.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/29.0/private/adbd.te b/prebuilts/api/29.0/private/adbd.te
index ec5c57e..ea9fb1e 100644
--- a/prebuilts/api/29.0/private/adbd.te
+++ b/prebuilts/api/29.0/private/adbd.te
@@ -152,6 +152,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/29.0/private/coredomain.te b/prebuilts/api/29.0/private/coredomain.te
index 419d9fe..169f6b2 100644
--- a/prebuilts/api/29.0/private/coredomain.te
+++ b/prebuilts/api/29.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 447176e..209eeb0 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -83,7 +83,7 @@
')
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
@@ -185,7 +185,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -299,7 +299,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/29.0/private/heapprofd.te b/prebuilts/api/29.0/private/heapprofd.te
index f984677..5330c58 100644
--- a/prebuilts/api/29.0/private/heapprofd.te
+++ b/prebuilts/api/29.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/29.0/private/incidentd.te b/prebuilts/api/29.0/private/incidentd.te
index ee9812e..b93f1b2 100644
--- a/prebuilts/api/29.0/private/incidentd.te
+++ b/prebuilts/api/29.0/private/incidentd.te
@@ -126,7 +126,7 @@
# TODO control_logd(incidentd)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/29.0/private/isolated_app.te b/prebuilts/api/29.0/private/isolated_app.te
index 714405f..94b49b0 100644
--- a/prebuilts/api/29.0/private/isolated_app.te
+++ b/prebuilts/api/29.0/private/isolated_app.te
@@ -87,7 +87,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
+# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/29.0/private/perfetto.te b/prebuilts/api/29.0/private/perfetto.te
index 6b1a81a..60a6250 100644
--- a/prebuilts/api/29.0/private/perfetto.te
+++ b/prebuilts/api/29.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/29.0/private/system_server.te b/prebuilts/api/29.0/private/system_server.te
index 5f60674..73891c9 100644
--- a/prebuilts/api/29.0/private/system_server.te
+++ b/prebuilts/api/29.0/private/system_server.te
@@ -50,14 +50,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
+# be granted individually, except for a small set of safe values whitelisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -102,7 +102,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/29.0/private/traced_probes.te b/prebuilts/api/29.0/private/traced_probes.te
index 5b4c0cc..4820e3f 100644
--- a/prebuilts/api/29.0/private/traced_probes.te
+++ b/prebuilts/api/29.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
+# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/29.0/public/app.te b/prebuilts/api/29.0/public/app.te
index 5b3459f..5c48e71 100644
--- a/prebuilts/api/29.0/public/app.te
+++ b/prebuilts/api/29.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Denylist app domains not allowed to execute from /data
+# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/29.0/public/domain.te b/prebuilts/api/29.0/public/domain.te
index 1a9e0e1..987bb9f 100644
--- a/prebuilts/api/29.0/public/domain.te
+++ b/prebuilts/api/29.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
+# this whitelist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a allowlist.
+# sockets must be restricted to a whitelist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowlisted domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -951,7 +951,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -970,7 +970,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones allowlisted here.
+ # except for the ones whitelisted here.
neverallow {
coredomain
-init
@@ -998,7 +998,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones allowlisted here.
+ # ones whitelisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1028,7 +1028,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones allowlisted here.
+ # ones whitelisted here.
neverallow {
domain
-appdomain
@@ -1215,7 +1215,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/29.0/public/hal_wifi_supplicant.te b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
index 79a0667..6004c33 100644
--- a/prebuilts/api/29.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/29.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/29.0/public/netd.te b/prebuilts/api/29.0/public/netd.te
index f776db6..c8877b2 100644
--- a/prebuilts/api/29.0/public/netd.te
+++ b/prebuilts/api/29.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/29.0/public/property_contexts b/prebuilts/api/29.0/public/property_contexts
index 71002be..865502e 100644
--- a/prebuilts/api/29.0/public/property_contexts
+++ b/prebuilts/api/29.0/public/property_contexts
@@ -148,9 +148,6 @@
ro.url.legal u:object_r:exported3_default_prop:s0 exact string
ro.url.legal.android_privacy u:object_r:exported3_default_prop:s0 exact string
ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
-ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
diff --git a/prebuilts/api/29.0/public/vendor_toolbox.te b/prebuilts/api/29.0/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/prebuilts/api/29.0/public/vendor_toolbox.te
+++ b/prebuilts/api/29.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/plat_pub_versioned.cil b/prebuilts/api/30.0/plat_pub_versioned.cil
deleted file mode 100644
index 3942219..0000000
--- a/prebuilts/api/30.0/plat_pub_versioned.cil
+++ /dev/null
@@ -1,3011 +0,0 @@
-(type DockObserver_service)
-(type IProxyService_service)
-(type accessibility_service)
-(type account_service)
-(type activity_service)
-(type activity_task_service)
-(type adb_data_file)
-(type adb_keys_file)
-(type adb_service)
-(type adbd)
-(type adbd_exec)
-(type adbd_prop)
-(type adbd_socket)
-(type aidl_lazy_test_server)
-(type aidl_lazy_test_server_exec)
-(type aidl_lazy_test_service)
-(type alarm_service)
-(type anr_data_file)
-(type apex_data_file)
-(type apex_metadata_file)
-(type apex_mnt_dir)
-(type apex_module_data_file)
-(type apex_permission_data_file)
-(type apex_rollback_data_file)
-(type apex_service)
-(type apex_wifi_data_file)
-(type apexd)
-(type apexd_exec)
-(type apexd_prop)
-(type apk_data_file)
-(type apk_private_data_file)
-(type apk_private_tmp_file)
-(type apk_tmp_file)
-(type apk_verity_prop)
-(type app_binding_service)
-(type app_data_file)
-(type app_fuse_file)
-(type app_fusefs)
-(type app_integrity_service)
-(type app_prediction_service)
-(type app_search_service)
-(type app_zygote)
-(type app_zygote_tmpfs)
-(type appdomain_tmpfs)
-(type appops_service)
-(type appwidget_service)
-(type art_apex_dir)
-(type asec_apk_file)
-(type asec_image_file)
-(type asec_public_file)
-(type ashmem_device)
-(type ashmem_libcutils_device)
-(type assetatlas_service)
-(type audio_data_file)
-(type audio_device)
-(type audio_prop)
-(type audio_service)
-(type audiohal_data_file)
-(type audioserver)
-(type audioserver_data_file)
-(type audioserver_service)
-(type audioserver_tmpfs)
-(type auth_service)
-(type autofill_service)
-(type backup_data_file)
-(type backup_service)
-(type battery_service)
-(type batteryproperties_service)
-(type batterystats_service)
-(type binder_cache_bluetooth_server_prop)
-(type binder_cache_system_server_prop)
-(type binder_cache_telephony_server_prop)
-(type binder_calls_stats_service)
-(type binder_device)
-(type binderfs)
-(type binderfs_logs)
-(type binderfs_logs_proc)
-(type binfmt_miscfs)
-(type biometric_service)
-(type blkid)
-(type blkid_untrusted)
-(type blob_store_service)
-(type block_device)
-(type bluetooth)
-(type bluetooth_a2dp_offload_prop)
-(type bluetooth_audio_hal_prop)
-(type bluetooth_data_file)
-(type bluetooth_efs_file)
-(type bluetooth_logs_data_file)
-(type bluetooth_manager_service)
-(type bluetooth_prop)
-(type bluetooth_service)
-(type bluetooth_socket)
-(type boot_block_device)
-(type bootanim)
-(type bootanim_exec)
-(type bootchart_data_file)
-(type bootloader_boot_reason_prop)
-(type bootstat)
-(type bootstat_data_file)
-(type bootstat_exec)
-(type boottime_prop)
-(type boottime_public_prop)
-(type boottrace_data_file)
-(type bpf_progs_loaded_prop)
-(type bq_config_prop)
-(type broadcastradio_service)
-(type bufferhubd)
-(type bufferhubd_exec)
-(type bugreport_service)
-(type cache_backup_file)
-(type cache_block_device)
-(type cache_file)
-(type cache_private_backup_file)
-(type cache_recovery_file)
-(type cacheinfo_service)
-(type camera_data_file)
-(type camera_device)
-(type cameraproxy_service)
-(type cameraserver)
-(type cameraserver_exec)
-(type cameraserver_service)
-(type cameraserver_tmpfs)
-(type cgroup)
-(type cgroup_bpf)
-(type cgroup_desc_file)
-(type cgroup_rc_file)
-(type charger)
-(type charger_exec)
-(type charger_prop)
-(type clipboard_service)
-(type cold_boot_done_prop)
-(type color_display_service)
-(type companion_device_service)
-(type config_prop)
-(type configfs)
-(type connectivity_service)
-(type connmetrics_service)
-(type console_device)
-(type consumer_ir_service)
-(type content_capture_service)
-(type content_service)
-(type content_suggestions_service)
-(type contexthub_service)
-(type coredump_file)
-(type country_detector_service)
-(type coverage_service)
-(type cppreopt_prop)
-(type cpu_variant_prop)
-(type cpuinfo_service)
-(type crash_dump)
-(type crash_dump_exec)
-(type credstore)
-(type credstore_data_file)
-(type credstore_exec)
-(type credstore_service)
-(type crossprofileapps_service)
-(type ctl_adbd_prop)
-(type ctl_apexd_prop)
-(type ctl_bootanim_prop)
-(type ctl_bugreport_prop)
-(type ctl_console_prop)
-(type ctl_default_prop)
-(type ctl_dumpstate_prop)
-(type ctl_fuse_prop)
-(type ctl_gsid_prop)
-(type ctl_interface_restart_prop)
-(type ctl_interface_start_prop)
-(type ctl_interface_stop_prop)
-(type ctl_mdnsd_prop)
-(type ctl_restart_prop)
-(type ctl_rildaemon_prop)
-(type ctl_sigstop_prop)
-(type ctl_start_prop)
-(type ctl_stop_prop)
-(type dalvik_prop)
-(type dalvikcache_data_file)
-(type dataloader_manager_service)
-(type dbinfo_service)
-(type debug_prop)
-(type debugfs)
-(type debugfs_kprobes)
-(type debugfs_mmc)
-(type debugfs_trace_marker)
-(type debugfs_tracing)
-(type debugfs_tracing_debug)
-(type debugfs_tracing_instances)
-(type debugfs_wakeup_sources)
-(type debugfs_wifi_tracing)
-(type debuggerd_prop)
-(type default_android_hwservice)
-(type default_android_service)
-(type default_android_vndservice)
-(type default_prop)
-(type dev_cpu_variant)
-(type device)
-(type device_config_activity_manager_native_boot_prop)
-(type device_config_boot_count_prop)
-(type device_config_configuration_prop)
-(type device_config_input_native_boot_prop)
-(type device_config_media_native_prop)
-(type device_config_netd_native_prop)
-(type device_config_reset_performed_prop)
-(type device_config_runtime_native_boot_prop)
-(type device_config_runtime_native_prop)
-(type device_config_service)
-(type device_config_storage_native_boot_prop)
-(type device_config_sys_traced_prop)
-(type device_config_window_manager_native_boot_prop)
-(type device_identifiers_service)
-(type device_logging_prop)
-(type device_policy_service)
-(type deviceidle_service)
-(type devicestoragemonitor_service)
-(type devpts)
-(type dhcp)
-(type dhcp_data_file)
-(type dhcp_exec)
-(type dhcp_prop)
-(type diskstats_service)
-(type display_service)
-(type dm_device)
-(type dnsmasq)
-(type dnsmasq_exec)
-(type dnsproxyd_socket)
-(type dnsresolver_service)
-(type dreams_service)
-(type drm_data_file)
-(type drmserver)
-(type drmserver_exec)
-(type drmserver_service)
-(type drmserver_socket)
-(type dropbox_data_file)
-(type dropbox_service)
-(type dumpstate)
-(type dumpstate_exec)
-(type dumpstate_options_prop)
-(type dumpstate_prop)
-(type dumpstate_service)
-(type dumpstate_socket)
-(type dynamic_system_prop)
-(type e2fs)
-(type e2fs_exec)
-(type efs_file)
-(type emergency_affordance_service)
-(type ephemeral_app)
-(type ethernet_service)
-(type exfat)
-(type exported2_config_prop)
-(type exported2_default_prop)
-(type exported2_radio_prop)
-(type exported2_system_prop)
-(type exported2_vold_prop)
-(type exported3_default_prop)
-(type exported3_radio_prop)
-(type exported3_system_prop)
-(type exported_audio_prop)
-(type exported_bluetooth_prop)
-(type exported_camera_prop)
-(type exported_config_prop)
-(type exported_dalvik_prop)
-(type exported_default_prop)
-(type exported_dumpstate_prop)
-(type exported_ffs_prop)
-(type exported_fingerprint_prop)
-(type exported_overlay_prop)
-(type exported_pm_prop)
-(type exported_radio_prop)
-(type exported_secure_prop)
-(type exported_system_prop)
-(type exported_system_radio_prop)
-(type exported_vold_prop)
-(type exported_wifi_prop)
-(type external_vibrator_service)
-(type face_service)
-(type face_vendor_data_file)
-(type fastbootd)
-(type fastbootd_protocol_prop)
-(type ffs_prop)
-(type file_contexts_file)
-(type file_integrity_service)
-(type fingerprint_prop)
-(type fingerprint_service)
-(type fingerprint_vendor_data_file)
-(type fingerprintd)
-(type fingerprintd_data_file)
-(type fingerprintd_exec)
-(type fingerprintd_service)
-(type firstboot_prop)
-(type flags_health_check)
-(type flags_health_check_exec)
-(type font_service)
-(type frp_block_device)
-(type fs_bpf)
-(type fsck)
-(type fsck_exec)
-(type fsck_untrusted)
-(type fscklogs)
-(type functionfs)
-(type fuse)
-(type fuse_device)
-(type fusectlfs)
-(type fwk_automotive_display_hwservice)
-(type fwk_bufferhub_hwservice)
-(type fwk_camera_hwservice)
-(type fwk_display_hwservice)
-(type fwk_scheduler_hwservice)
-(type fwk_sensor_hwservice)
-(type fwk_stats_hwservice)
-(type fwmarkd_socket)
-(type gatekeeper_data_file)
-(type gatekeeper_service)
-(type gatekeeperd)
-(type gatekeeperd_exec)
-(type gfxinfo_service)
-(type gmscore_app)
-(type gps_control)
-(type gpu_device)
-(type gpu_service)
-(type gpuservice)
-(type graphics_config_prop)
-(type graphics_device)
-(type graphicsstats_service)
-(type gsi_data_file)
-(type gsi_metadata_file)
-(type gsid_prop)
-(type hal_atrace_hwservice)
-(type hal_audio_hwservice)
-(type hal_audiocontrol_hwservice)
-(type hal_authsecret_hwservice)
-(type hal_bluetooth_hwservice)
-(type hal_bootctl_hwservice)
-(type hal_broadcastradio_hwservice)
-(type hal_camera_hwservice)
-(type hal_can_bus_hwservice)
-(type hal_can_controller_hwservice)
-(type hal_cas_hwservice)
-(type hal_codec2_hwservice)
-(type hal_configstore_ISurfaceFlingerConfigs)
-(type hal_confirmationui_hwservice)
-(type hal_contexthub_hwservice)
-(type hal_drm_hwservice)
-(type hal_dumpstate_hwservice)
-(type hal_evs_hwservice)
-(type hal_face_hwservice)
-(type hal_fingerprint_hwservice)
-(type hal_fingerprint_service)
-(type hal_gatekeeper_hwservice)
-(type hal_gnss_hwservice)
-(type hal_graphics_allocator_hwservice)
-(type hal_graphics_composer_hwservice)
-(type hal_graphics_composer_server_tmpfs)
-(type hal_graphics_mapper_hwservice)
-(type hal_health_hwservice)
-(type hal_health_storage_hwservice)
-(type hal_identity_service)
-(type hal_input_classifier_hwservice)
-(type hal_ir_hwservice)
-(type hal_keymaster_hwservice)
-(type hal_light_hwservice)
-(type hal_light_service)
-(type hal_lowpan_hwservice)
-(type hal_memtrack_hwservice)
-(type hal_neuralnetworks_hwservice)
-(type hal_nfc_hwservice)
-(type hal_oemlock_hwservice)
-(type hal_omx_hwservice)
-(type hal_power_hwservice)
-(type hal_power_service)
-(type hal_power_stats_hwservice)
-(type hal_rebootescrow_service)
-(type hal_renderscript_hwservice)
-(type hal_secure_element_hwservice)
-(type hal_sensors_hwservice)
-(type hal_telephony_hwservice)
-(type hal_tetheroffload_hwservice)
-(type hal_thermal_hwservice)
-(type hal_tv_cec_hwservice)
-(type hal_tv_input_hwservice)
-(type hal_tv_tuner_hwservice)
-(type hal_usb_gadget_hwservice)
-(type hal_usb_hwservice)
-(type hal_vehicle_hwservice)
-(type hal_vibrator_hwservice)
-(type hal_vibrator_service)
-(type hal_vr_hwservice)
-(type hal_weaver_hwservice)
-(type hal_wifi_hostapd_hwservice)
-(type hal_wifi_hwservice)
-(type hal_wifi_supplicant_hwservice)
-(type hardware_properties_service)
-(type hardware_service)
-(type hci_attach_dev)
-(type hdmi_control_service)
-(type healthd)
-(type healthd_exec)
-(type heapdump_data_file)
-(type heapprofd)
-(type heapprofd_enabled_prop)
-(type heapprofd_prop)
-(type heapprofd_socket)
-(type hidl_allocator_hwservice)
-(type hidl_base_hwservice)
-(type hidl_manager_hwservice)
-(type hidl_memory_hwservice)
-(type hidl_token_hwservice)
-(type hw_random_device)
-(type hwbinder_device)
-(type hwservice_contexts_file)
-(type hwservicemanager)
-(type hwservicemanager_exec)
-(type hwservicemanager_prop)
-(type icon_file)
-(type idmap)
-(type idmap_exec)
-(type idmap_service)
-(type iio_device)
-(type imms_service)
-(type incident)
-(type incident_data_file)
-(type incident_helper)
-(type incident_service)
-(type incidentd)
-(type incremental_control_file)
-(type incremental_prop)
-(type incremental_service)
-(type init)
-(type init_exec)
-(type init_perf_lsm_hooks_prop)
-(type init_svc_debug_prop)
-(type init_tmpfs)
-(type inotify)
-(type input_device)
-(type input_method_service)
-(type input_service)
-(type inputflinger)
-(type inputflinger_exec)
-(type inputflinger_service)
-(type install_data_file)
-(type installd)
-(type installd_exec)
-(type installd_service)
-(type ion_device)
-(type iorap_inode2filename)
-(type iorap_inode2filename_exec)
-(type iorap_inode2filename_tmpfs)
-(type iorap_prefetcherd)
-(type iorap_prefetcherd_exec)
-(type iorap_prefetcherd_tmpfs)
-(type iorapd)
-(type iorapd_data_file)
-(type iorapd_exec)
-(type iorapd_service)
-(type iorapd_tmpfs)
-(type ipsec_service)
-(type iris_service)
-(type iris_vendor_data_file)
-(type isolated_app)
-(type jobscheduler_service)
-(type kernel)
-(type keychain_data_file)
-(type keychord_device)
-(type keystore)
-(type keystore_data_file)
-(type keystore_exec)
-(type keystore_service)
-(type kmsg_debug_device)
-(type kmsg_device)
-(type labeledfs)
-(type last_boot_reason_prop)
-(type launcherapps_service)
-(type light_service)
-(type linkerconfig_file)
-(type llkd)
-(type llkd_exec)
-(type llkd_prop)
-(type lmkd)
-(type lmkd_exec)
-(type lmkd_prop)
-(type lmkd_socket)
-(type location_service)
-(type lock_settings_service)
-(type log_prop)
-(type log_tag_prop)
-(type logcat_exec)
-(type logd)
-(type logd_exec)
-(type logd_prop)
-(type logd_socket)
-(type logdr_socket)
-(type logdw_socket)
-(type logpersist)
-(type logpersistd_logging_prop)
-(type loop_control_device)
-(type loop_device)
-(type looper_stats_service)
-(type lowpan_device)
-(type lowpan_prop)
-(type lowpan_service)
-(type lpdump_service)
-(type lpdumpd_prop)
-(type mac_perms_file)
-(type mdns_socket)
-(type mdnsd)
-(type mdnsd_socket)
-(type media_data_file)
-(type media_projection_service)
-(type media_router_service)
-(type media_rw_data_file)
-(type media_session_service)
-(type media_variant_prop)
-(type mediadrmserver)
-(type mediadrmserver_exec)
-(type mediadrmserver_service)
-(type mediaextractor)
-(type mediaextractor_exec)
-(type mediaextractor_service)
-(type mediaextractor_tmpfs)
-(type mediametrics)
-(type mediametrics_exec)
-(type mediametrics_service)
-(type mediaprovider)
-(type mediaserver)
-(type mediaserver_exec)
-(type mediaserver_service)
-(type mediaserver_tmpfs)
-(type mediaswcodec)
-(type mediaswcodec_exec)
-(type mediatranscoding)
-(type mediatranscoding_exec)
-(type mediatranscoding_service)
-(type meminfo_service)
-(type metadata_block_device)
-(type metadata_bootstat_file)
-(type metadata_file)
-(type method_trace_data_file)
-(type midi_service)
-(type mirror_data_file)
-(type misc_block_device)
-(type misc_logd_file)
-(type misc_user_data_file)
-(type mmc_prop)
-(type mnt_expand_file)
-(type mnt_media_rw_file)
-(type mnt_media_rw_stub_file)
-(type mnt_pass_through_file)
-(type mnt_product_file)
-(type mnt_sdcard_file)
-(type mnt_user_file)
-(type mnt_vendor_file)
-(type mock_ota_prop)
-(type modprobe)
-(type module_sdkextensions_prop)
-(type mount_service)
-(type mqueue)
-(type mtp)
-(type mtp_device)
-(type mtp_exec)
-(type mtpd_socket)
-(type nativetest_data_file)
-(type net_data_file)
-(type net_dns_prop)
-(type net_radio_prop)
-(type netd)
-(type netd_exec)
-(type netd_listener_service)
-(type netd_service)
-(type netd_stable_secret_prop)
-(type netif)
-(type netpolicy_service)
-(type netstats_service)
-(type netutils_wrapper)
-(type netutils_wrapper_exec)
-(type network_management_service)
-(type network_score_service)
-(type network_stack)
-(type network_stack_service)
-(type network_time_update_service)
-(type network_watchlist_data_file)
-(type network_watchlist_service)
-(type nfc)
-(type nfc_data_file)
-(type nfc_device)
-(type nfc_prop)
-(type nfc_service)
-(type nnapi_ext_deny_product_prop)
-(type node)
-(type nonplat_service_contexts_file)
-(type notification_service)
-(type null_device)
-(type oem_lock_service)
-(type oemfs)
-(type ota_data_file)
-(type ota_metadata_file)
-(type ota_package_file)
-(type ota_prop)
-(type otadexopt_service)
-(type overlay_prop)
-(type overlay_service)
-(type overlayfs_file)
-(type owntty_device)
-(type package_native_service)
-(type package_service)
-(type packages_list_file)
-(type pan_result_prop)
-(type password_slot_metadata_file)
-(type pdx_bufferhub_client_channel_socket)
-(type pdx_bufferhub_client_endpoint_socket)
-(type pdx_bufferhub_dir)
-(type pdx_display_client_channel_socket)
-(type pdx_display_client_endpoint_socket)
-(type pdx_display_dir)
-(type pdx_display_manager_channel_socket)
-(type pdx_display_manager_endpoint_socket)
-(type pdx_display_screenshot_channel_socket)
-(type pdx_display_screenshot_endpoint_socket)
-(type pdx_display_vsync_channel_socket)
-(type pdx_display_vsync_endpoint_socket)
-(type pdx_performance_client_channel_socket)
-(type pdx_performance_client_endpoint_socket)
-(type pdx_performance_dir)
-(type perfetto)
-(type performanced)
-(type performanced_exec)
-(type permission_service)
-(type permissionmgr_service)
-(type persist_debug_prop)
-(type persistent_data_block_service)
-(type persistent_properties_ready_prop)
-(type pinner_service)
-(type pipefs)
-(type platform_app)
-(type platform_compat_service)
-(type pm_prop)
-(type pmsg_device)
-(type port)
-(type port_device)
-(type postinstall)
-(type postinstall_apex_mnt_dir)
-(type postinstall_file)
-(type postinstall_mnt_dir)
-(type power_service)
-(type powerctl_prop)
-(type ppp)
-(type ppp_device)
-(type ppp_exec)
-(type preloads_data_file)
-(type preloads_media_file)
-(type prereboot_data_file)
-(type print_service)
-(type priv_app)
-(type privapp_data_file)
-(type proc)
-(type proc_abi)
-(type proc_asound)
-(type proc_bluetooth_writable)
-(type proc_buddyinfo)
-(type proc_cmdline)
-(type proc_cpuinfo)
-(type proc_dirty)
-(type proc_diskstats)
-(type proc_drop_caches)
-(type proc_extra_free_kbytes)
-(type proc_filesystems)
-(type proc_fs_verity)
-(type proc_hostname)
-(type proc_hung_task)
-(type proc_interrupts)
-(type proc_iomem)
-(type proc_keys)
-(type proc_kmsg)
-(type proc_kpageflags)
-(type proc_loadavg)
-(type proc_lowmemorykiller)
-(type proc_max_map_count)
-(type proc_meminfo)
-(type proc_min_free_order_shift)
-(type proc_misc)
-(type proc_modules)
-(type proc_mounts)
-(type proc_net)
-(type proc_net_tcp_udp)
-(type proc_overcommit_memory)
-(type proc_page_cluster)
-(type proc_pagetypeinfo)
-(type proc_panic)
-(type proc_perf)
-(type proc_pid_max)
-(type proc_pipe_conf)
-(type proc_pressure_cpu)
-(type proc_pressure_io)
-(type proc_pressure_mem)
-(type proc_qtaguid_ctrl)
-(type proc_qtaguid_stat)
-(type proc_random)
-(type proc_sched)
-(type proc_security)
-(type proc_slabinfo)
-(type proc_stat)
-(type proc_swaps)
-(type proc_sysrq)
-(type proc_timer)
-(type proc_tty_drivers)
-(type proc_uid_concurrent_active_time)
-(type proc_uid_concurrent_policy_time)
-(type proc_uid_cpupower)
-(type proc_uid_cputime_removeuid)
-(type proc_uid_cputime_showstat)
-(type proc_uid_io_stats)
-(type proc_uid_procstat_set)
-(type proc_uid_time_in_state)
-(type proc_uptime)
-(type proc_version)
-(type proc_vmallocinfo)
-(type proc_vmstat)
-(type proc_zoneinfo)
-(type processinfo_service)
-(type procstats_service)
-(type profman)
-(type profman_dump_data_file)
-(type profman_exec)
-(type properties_device)
-(type properties_serial)
-(type property_contexts_file)
-(type property_data_file)
-(type property_info)
-(type property_socket)
-(type pstorefs)
-(type ptmx_device)
-(type qtaguid_device)
-(type racoon)
-(type racoon_exec)
-(type racoon_socket)
-(type radio)
-(type radio_data_file)
-(type radio_device)
-(type radio_prop)
-(type radio_service)
-(type ram_device)
-(type random_device)
-(type rebootescrow_hal_prop)
-(type recovery)
-(type recovery_block_device)
-(type recovery_data_file)
-(type recovery_persist)
-(type recovery_persist_exec)
-(type recovery_refresh)
-(type recovery_refresh_exec)
-(type recovery_service)
-(type recovery_socket)
-(type registry_service)
-(type resourcecache_data_file)
-(type restorecon_prop)
-(type restrictions_service)
-(type rild_debug_socket)
-(type rild_socket)
-(type ringtone_file)
-(type role_service)
-(type rollback_service)
-(type root_block_device)
-(type rootfs)
-(type rpmsg_device)
-(type rs)
-(type rs_exec)
-(type rss_hwm_reset)
-(type rtc_device)
-(type rttmanager_service)
-(type runas)
-(type runas_app)
-(type runas_exec)
-(type runtime_event_log_tags_file)
-(type runtime_service)
-(type safemode_prop)
-(type same_process_hal_file)
-(type samplingprofiler_service)
-(type scheduling_policy_service)
-(type sdcard_block_device)
-(type sdcardd)
-(type sdcardd_exec)
-(type sdcardfs)
-(type seapp_contexts_file)
-(type search_service)
-(type sec_key_att_app_id_provider_service)
-(type secure_element)
-(type secure_element_device)
-(type secure_element_service)
-(type securityfs)
-(type selinuxfs)
-(type sensor_privacy_service)
-(type sensors_device)
-(type sensorservice_service)
-(type sepolicy_file)
-(type serial_device)
-(type serial_service)
-(type serialno_prop)
-(type server_configurable_flags_data_file)
-(type service_contexts_file)
-(type service_manager_service)
-(type service_manager_vndservice)
-(type servicediscovery_service)
-(type servicemanager)
-(type servicemanager_exec)
-(type settings_service)
-(type sgdisk)
-(type sgdisk_exec)
-(type shared_relro)
-(type shared_relro_file)
-(type shell)
-(type shell_data_file)
-(type shell_exec)
-(type shell_prop)
-(type shm)
-(type shortcut_manager_icons)
-(type shortcut_service)
-(type simpleperf)
-(type simpleperf_app_runner)
-(type simpleperf_app_runner_exec)
-(type slice_service)
-(type slideshow)
-(type snapshotctl_log_data_file)
-(type socket_device)
-(type socket_hook_prop)
-(type sockfs)
-(type sota_prop)
-(type soundtrigger_middleware_service)
-(type staged_install_file)
-(type staging_data_file)
-(type stats_data_file)
-(type statsd)
-(type statsd_exec)
-(type statsdw_socket)
-(type statusbar_service)
-(type storage_config_prop)
-(type storage_file)
-(type storage_stub_file)
-(type storaged_service)
-(type storagestats_service)
-(type su)
-(type su_exec)
-(type super_block_device)
-(type surfaceflinger)
-(type surfaceflinger_display_prop)
-(type surfaceflinger_service)
-(type surfaceflinger_tmpfs)
-(type swap_block_device)
-(type sysfs)
-(type sysfs_android_usb)
-(type sysfs_batteryinfo)
-(type sysfs_bluetooth_writable)
-(type sysfs_devices_block)
-(type sysfs_devices_system_cpu)
-(type sysfs_dm)
-(type sysfs_dm_verity)
-(type sysfs_dt_firmware_android)
-(type sysfs_extcon)
-(type sysfs_fs_ext4_features)
-(type sysfs_fs_f2fs)
-(type sysfs_hwrandom)
-(type sysfs_ion)
-(type sysfs_ipv4)
-(type sysfs_kernel_notes)
-(type sysfs_leds)
-(type sysfs_loop)
-(type sysfs_lowmemorykiller)
-(type sysfs_net)
-(type sysfs_nfc_power_writable)
-(type sysfs_power)
-(type sysfs_rtc)
-(type sysfs_suspend_stats)
-(type sysfs_switch)
-(type sysfs_thermal)
-(type sysfs_transparent_hugepage)
-(type sysfs_uio)
-(type sysfs_usb)
-(type sysfs_usermodehelper)
-(type sysfs_vibrator)
-(type sysfs_wake_lock)
-(type sysfs_wakeup)
-(type sysfs_wakeup_reasons)
-(type sysfs_wlan_fwpath)
-(type sysfs_zram)
-(type sysfs_zram_uevent)
-(type system_adbd_prop)
-(type system_app)
-(type system_app_data_file)
-(type system_app_service)
-(type system_asan_options_file)
-(type system_block_device)
-(type system_boot_reason_prop)
-(type system_bootstrap_lib_file)
-(type system_config_service)
-(type system_data_file)
-(type system_data_root_file)
-(type system_event_log_tags_file)
-(type system_file)
-(type system_group_file)
-(type system_jvmti_agent_prop)
-(type system_lib_file)
-(type system_linker_config_file)
-(type system_linker_exec)
-(type system_lmk_prop)
-(type system_ndebug_socket)
-(type system_net_netd_hwservice)
-(type system_passwd_file)
-(type system_prop)
-(type system_radio_prop)
-(type system_seccomp_policy_file)
-(type system_security_cacerts_file)
-(type system_server)
-(type system_server_tmpfs)
-(type system_suspend_control_service)
-(type system_suspend_hwservice)
-(type system_trace_prop)
-(type system_unsolzygote_socket)
-(type system_update_service)
-(type system_wifi_keystore_hwservice)
-(type system_wpa_socket)
-(type system_zoneinfo_file)
-(type systemkeys_data_file)
-(type task_profiles_file)
-(type task_service)
-(type tcpdump_exec)
-(type tee)
-(type tee_data_file)
-(type tee_device)
-(type telecom_service)
-(type test_boot_reason_prop)
-(type test_harness_prop)
-(type testharness_service)
-(type tethering_service)
-(type textclassification_service)
-(type textclassifier_data_file)
-(type textservices_service)
-(type theme_prop)
-(type thermal_service)
-(type thermalcallback_hwservice)
-(type time_prop)
-(type timedetector_service)
-(type timezone_service)
-(type timezonedetector_service)
-(type tmpfs)
-(type tombstone_data_file)
-(type tombstone_wifi_data_file)
-(type tombstoned)
-(type tombstoned_crash_socket)
-(type tombstoned_exec)
-(type tombstoned_intercept_socket)
-(type tombstoned_java_trace_socket)
-(type toolbox)
-(type toolbox_exec)
-(type trace_data_file)
-(type traced)
-(type traced_consumer_socket)
-(type traced_enabled_prop)
-(type traced_lazy_prop)
-(type traced_perf)
-(type traced_perf_enabled_prop)
-(type traced_perf_socket)
-(type traced_probes)
-(type traced_producer_socket)
-(type traceur_app)
-(type trust_service)
-(type tty_device)
-(type tun_device)
-(type tv_input_service)
-(type tv_tuner_resource_mgr_service)
-(type tzdatacheck)
-(type tzdatacheck_exec)
-(type ueventd)
-(type ueventd_tmpfs)
-(type uhid_device)
-(type uimode_service)
-(type uio_device)
-(type uncrypt)
-(type uncrypt_exec)
-(type uncrypt_socket)
-(type unencrypted_data_file)
-(type unlabeled)
-(type untrusted_app)
-(type untrusted_app_25)
-(type untrusted_app_27)
-(type untrusted_app_29)
-(type update_engine)
-(type update_engine_data_file)
-(type update_engine_exec)
-(type update_engine_log_data_file)
-(type update_engine_service)
-(type update_verifier)
-(type update_verifier_exec)
-(type updatelock_service)
-(type uri_grants_service)
-(type usagestats_service)
-(type usb_device)
-(type usb_serial_device)
-(type usb_service)
-(type usbaccessory_device)
-(type usbd)
-(type usbd_exec)
-(type usbfs)
-(type use_memfd_prop)
-(type user_profile_data_file)
-(type user_service)
-(type userdata_block_device)
-(type usermodehelper)
-(type userspace_reboot_config_prop)
-(type userspace_reboot_exported_prop)
-(type userspace_reboot_log_prop)
-(type userspace_reboot_test_prop)
-(type vdc)
-(type vdc_exec)
-(type vehicle_hal_prop)
-(type vendor_apex_file)
-(type vendor_app_file)
-(type vendor_cgroup_desc_file)
-(type vendor_configs_file)
-(type vendor_data_file)
-(type vendor_default_prop)
-(type vendor_file)
-(type vendor_framework_file)
-(type vendor_hal_file)
-(type vendor_idc_file)
-(type vendor_init)
-(type vendor_keychars_file)
-(type vendor_keylayout_file)
-(type vendor_misc_writer)
-(type vendor_misc_writer_exec)
-(type vendor_overlay_file)
-(type vendor_public_lib_file)
-(type vendor_security_patch_level_prop)
-(type vendor_service_contexts_file)
-(type vendor_shell)
-(type vendor_shell_exec)
-(type vendor_socket_hook_prop)
-(type vendor_task_profiles_file)
-(type vendor_toolbox_exec)
-(type vfat)
-(type vibrator_service)
-(type video_device)
-(type virtual_ab_prop)
-(type virtual_touchpad)
-(type virtual_touchpad_exec)
-(type virtual_touchpad_service)
-(type vndbinder_device)
-(type vndk_prop)
-(type vndk_sp_file)
-(type vndservice_contexts_file)
-(type vndservicemanager)
-(type voiceinteraction_service)
-(type vold)
-(type vold_data_file)
-(type vold_device)
-(type vold_exec)
-(type vold_metadata_file)
-(type vold_prepare_subdirs)
-(type vold_prepare_subdirs_exec)
-(type vold_prop)
-(type vold_service)
-(type vpn_data_file)
-(type vr_hwc)
-(type vr_hwc_exec)
-(type vr_hwc_service)
-(type vr_manager_service)
-(type vrflinger_vsync_service)
-(type wallpaper_file)
-(type wallpaper_service)
-(type watchdog_device)
-(type watchdogd)
-(type watchdogd_exec)
-(type webview_zygote)
-(type webview_zygote_exec)
-(type webview_zygote_tmpfs)
-(type webviewupdate_service)
-(type wifi_data_file)
-(type wifi_log_prop)
-(type wifi_prop)
-(type wifi_service)
-(type wifiaware_service)
-(type wificond)
-(type wificond_exec)
-(type wifinl80211_service)
-(type wifip2p_service)
-(type wifiscanner_service)
-(type window_service)
-(type wpa_socket)
-(type wpantund)
-(type wpantund_exec)
-(type wpantund_service)
-(type zero_device)
-(type zoneinfo_data_file)
-(type zygote)
-(type zygote_exec)
-(type zygote_socket)
-(type zygote_tmpfs)
-(typeattribute DockObserver_service_30_0)
-(typeattribute IProxyService_service_30_0)
-(typeattribute accessibility_service_30_0)
-(typeattribute account_service_30_0)
-(typeattribute activity_service_30_0)
-(typeattribute activity_task_service_30_0)
-(typeattribute adb_data_file_30_0)
-(typeattribute adb_keys_file_30_0)
-(typeattribute adb_service_30_0)
-(typeattribute adbd_30_0)
-(typeattribute adbd_exec_30_0)
-(typeattribute adbd_prop_30_0)
-(typeattribute adbd_socket_30_0)
-(typeattribute aidl_lazy_test_server_30_0)
-(typeattribute aidl_lazy_test_server_exec_30_0)
-(typeattribute aidl_lazy_test_service_30_0)
-(typeattribute alarm_service_30_0)
-(typeattribute anr_data_file_30_0)
-(typeattribute apex_data_file_30_0)
-(typeattribute apex_metadata_file_30_0)
-(typeattribute apex_mnt_dir_30_0)
-(typeattribute apex_module_data_file_30_0)
-(typeattribute apex_permission_data_file_30_0)
-(typeattribute apex_rollback_data_file_30_0)
-(typeattribute apex_service_30_0)
-(typeattribute apex_wifi_data_file_30_0)
-(typeattribute apexd_30_0)
-(typeattribute apexd_exec_30_0)
-(typeattribute apexd_prop_30_0)
-(typeattribute apk_data_file_30_0)
-(typeattribute apk_private_data_file_30_0)
-(typeattribute apk_private_tmp_file_30_0)
-(typeattribute apk_tmp_file_30_0)
-(typeattribute apk_verity_prop_30_0)
-(typeattribute app_api_service)
-(typeattribute app_binding_service_30_0)
-(typeattribute app_data_file_30_0)
-(typeattribute app_fuse_file_30_0)
-(typeattribute app_fusefs_30_0)
-(typeattribute app_integrity_service_30_0)
-(typeattribute app_prediction_service_30_0)
-(typeattribute app_search_service_30_0)
-(typeattribute app_zygote_30_0)
-(typeattribute app_zygote_tmpfs_30_0)
-(typeattribute appdomain)
-(typeattribute appdomain_tmpfs_30_0)
-(typeattribute appops_service_30_0)
-(typeattribute appwidget_service_30_0)
-(typeattribute art_apex_dir_30_0)
-(typeattribute asec_apk_file_30_0)
-(typeattribute asec_image_file_30_0)
-(typeattribute asec_public_file_30_0)
-(typeattribute ashmem_device_30_0)
-(typeattribute ashmem_libcutils_device_30_0)
-(typeattribute assetatlas_service_30_0)
-(typeattribute audio_data_file_30_0)
-(typeattribute audio_device_30_0)
-(typeattribute audio_prop_30_0)
-(typeattribute audio_service_30_0)
-(typeattribute audiohal_data_file_30_0)
-(typeattribute audioserver_30_0)
-(typeattribute audioserver_data_file_30_0)
-(typeattribute audioserver_service_30_0)
-(typeattribute audioserver_tmpfs_30_0)
-(typeattribute auth_service_30_0)
-(typeattribute autofill_service_30_0)
-(typeattribute automotive_display_service_server)
-(typeattribute backup_data_file_30_0)
-(typeattribute backup_service_30_0)
-(typeattribute base_typeattr_100_30_0)
-(typeattribute base_typeattr_101_30_0)
-(typeattribute base_typeattr_102_30_0)
-(typeattribute base_typeattr_103_30_0)
-(typeattribute base_typeattr_104_30_0)
-(typeattribute base_typeattr_105_30_0)
-(typeattribute base_typeattr_106_30_0)
-(typeattribute base_typeattr_107_30_0)
-(typeattribute base_typeattr_108_30_0)
-(typeattribute base_typeattr_109_30_0)
-(typeattribute base_typeattr_10_30_0)
-(typeattribute base_typeattr_110_30_0)
-(typeattribute base_typeattr_111_30_0)
-(typeattribute base_typeattr_112_30_0)
-(typeattribute base_typeattr_113_30_0)
-(typeattribute base_typeattr_114_30_0)
-(typeattribute base_typeattr_115_30_0)
-(typeattribute base_typeattr_116_30_0)
-(typeattribute base_typeattr_117_30_0)
-(typeattribute base_typeattr_118_30_0)
-(typeattribute base_typeattr_119_30_0)
-(typeattribute base_typeattr_11_30_0)
-(typeattribute base_typeattr_120_30_0)
-(typeattribute base_typeattr_121_30_0)
-(typeattribute base_typeattr_122_30_0)
-(typeattribute base_typeattr_123_30_0)
-(typeattribute base_typeattr_124_30_0)
-(typeattribute base_typeattr_125_30_0)
-(typeattribute base_typeattr_126_30_0)
-(typeattribute base_typeattr_127_30_0)
-(typeattribute base_typeattr_128_30_0)
-(typeattribute base_typeattr_129_30_0)
-(typeattribute base_typeattr_12_30_0)
-(typeattribute base_typeattr_130_30_0)
-(typeattribute base_typeattr_131_30_0)
-(typeattribute base_typeattr_132_30_0)
-(typeattribute base_typeattr_133_30_0)
-(typeattribute base_typeattr_134_30_0)
-(typeattribute base_typeattr_135_30_0)
-(typeattribute base_typeattr_136_30_0)
-(typeattribute base_typeattr_137_30_0)
-(typeattribute base_typeattr_138_30_0)
-(typeattribute base_typeattr_139_30_0)
-(typeattribute base_typeattr_13_30_0)
-(typeattribute base_typeattr_140_30_0)
-(typeattribute base_typeattr_141_30_0)
-(typeattribute base_typeattr_142_30_0)
-(typeattribute base_typeattr_143_30_0)
-(typeattribute base_typeattr_144_30_0)
-(typeattribute base_typeattr_145_30_0)
-(typeattribute base_typeattr_146_30_0)
-(typeattribute base_typeattr_147_30_0)
-(typeattribute base_typeattr_148_30_0)
-(typeattribute base_typeattr_149_30_0)
-(typeattribute base_typeattr_14_30_0)
-(typeattribute base_typeattr_150_30_0)
-(typeattribute base_typeattr_151_30_0)
-(typeattribute base_typeattr_152_30_0)
-(typeattribute base_typeattr_153_30_0)
-(typeattribute base_typeattr_154_30_0)
-(typeattribute base_typeattr_155_30_0)
-(typeattribute base_typeattr_156_30_0)
-(typeattribute base_typeattr_157_30_0)
-(typeattribute base_typeattr_158_30_0)
-(typeattribute base_typeattr_159_30_0)
-(typeattribute base_typeattr_15_30_0)
-(typeattribute base_typeattr_160_30_0)
-(typeattribute base_typeattr_161_30_0)
-(typeattribute base_typeattr_162_30_0)
-(typeattribute base_typeattr_163_30_0)
-(typeattribute base_typeattr_164_30_0)
-(typeattribute base_typeattr_165_30_0)
-(typeattribute base_typeattr_166_30_0)
-(typeattribute base_typeattr_167_30_0)
-(typeattribute base_typeattr_168_30_0)
-(typeattribute base_typeattr_169_30_0)
-(typeattribute base_typeattr_16_30_0)
-(typeattribute base_typeattr_170_30_0)
-(typeattribute base_typeattr_171_30_0)
-(typeattribute base_typeattr_172_30_0)
-(typeattribute base_typeattr_173_30_0)
-(typeattribute base_typeattr_174_30_0)
-(typeattribute base_typeattr_175_30_0)
-(typeattribute base_typeattr_176_30_0)
-(typeattribute base_typeattr_177_30_0)
-(typeattribute base_typeattr_178_30_0)
-(typeattribute base_typeattr_179_30_0)
-(typeattribute base_typeattr_17_30_0)
-(typeattribute base_typeattr_180_30_0)
-(typeattribute base_typeattr_181_30_0)
-(typeattribute base_typeattr_182_30_0)
-(typeattribute base_typeattr_183_30_0)
-(typeattribute base_typeattr_184_30_0)
-(typeattribute base_typeattr_185_30_0)
-(typeattribute base_typeattr_186_30_0)
-(typeattribute base_typeattr_187_30_0)
-(typeattribute base_typeattr_188_30_0)
-(typeattribute base_typeattr_189_30_0)
-(typeattribute base_typeattr_18_30_0)
-(typeattribute base_typeattr_190_30_0)
-(typeattribute base_typeattr_191_30_0)
-(typeattribute base_typeattr_192_30_0)
-(typeattribute base_typeattr_193_30_0)
-(typeattribute base_typeattr_194_30_0)
-(typeattribute base_typeattr_195_30_0)
-(typeattribute base_typeattr_196_30_0)
-(typeattribute base_typeattr_197_30_0)
-(typeattribute base_typeattr_198_30_0)
-(typeattribute base_typeattr_199_30_0)
-(typeattribute base_typeattr_19_30_0)
-(typeattribute base_typeattr_1_30_0)
-(typeattribute base_typeattr_200_30_0)
-(typeattribute base_typeattr_201_30_0)
-(typeattribute base_typeattr_202_30_0)
-(typeattribute base_typeattr_203_30_0)
-(typeattribute base_typeattr_204_30_0)
-(typeattribute base_typeattr_205_30_0)
-(typeattribute base_typeattr_206_30_0)
-(typeattribute base_typeattr_207_30_0)
-(typeattribute base_typeattr_208_30_0)
-(typeattribute base_typeattr_209_30_0)
-(typeattribute base_typeattr_20_30_0)
-(typeattribute base_typeattr_210_30_0)
-(typeattribute base_typeattr_211_30_0)
-(typeattribute base_typeattr_212_30_0)
-(typeattribute base_typeattr_213_30_0)
-(typeattribute base_typeattr_214_30_0)
-(typeattribute base_typeattr_215_30_0)
-(typeattribute base_typeattr_216_30_0)
-(typeattribute base_typeattr_217_30_0)
-(typeattribute base_typeattr_218_30_0)
-(typeattribute base_typeattr_219_30_0)
-(typeattribute base_typeattr_21_30_0)
-(typeattribute base_typeattr_220_30_0)
-(typeattribute base_typeattr_221_30_0)
-(typeattribute base_typeattr_222_30_0)
-(typeattribute base_typeattr_223_30_0)
-(typeattribute base_typeattr_224_30_0)
-(typeattribute base_typeattr_225_30_0)
-(typeattribute base_typeattr_226_30_0)
-(typeattribute base_typeattr_227_30_0)
-(typeattribute base_typeattr_228_30_0)
-(typeattribute base_typeattr_229_30_0)
-(typeattribute base_typeattr_22_30_0)
-(typeattribute base_typeattr_230_30_0)
-(typeattribute base_typeattr_231_30_0)
-(typeattribute base_typeattr_232_30_0)
-(typeattribute base_typeattr_233_30_0)
-(typeattribute base_typeattr_234_30_0)
-(typeattribute base_typeattr_235_30_0)
-(typeattribute base_typeattr_236_30_0)
-(typeattribute base_typeattr_237_30_0)
-(typeattribute base_typeattr_238_30_0)
-(typeattribute base_typeattr_239_30_0)
-(typeattribute base_typeattr_23_30_0)
-(typeattribute base_typeattr_240_30_0)
-(typeattribute base_typeattr_241_30_0)
-(typeattribute base_typeattr_242_30_0)
-(typeattribute base_typeattr_243_30_0)
-(typeattribute base_typeattr_244_30_0)
-(typeattribute base_typeattr_245_30_0)
-(typeattribute base_typeattr_246_30_0)
-(typeattribute base_typeattr_247_30_0)
-(typeattribute base_typeattr_248_30_0)
-(typeattribute base_typeattr_249_30_0)
-(typeattribute base_typeattr_24_30_0)
-(typeattribute base_typeattr_250_30_0)
-(typeattribute base_typeattr_251_30_0)
-(typeattribute base_typeattr_252_30_0)
-(typeattribute base_typeattr_253_30_0)
-(typeattribute base_typeattr_254_30_0)
-(typeattribute base_typeattr_255_30_0)
-(typeattribute base_typeattr_256_30_0)
-(typeattribute base_typeattr_257_30_0)
-(typeattribute base_typeattr_258_30_0)
-(typeattribute base_typeattr_259_30_0)
-(typeattribute base_typeattr_25_30_0)
-(typeattribute base_typeattr_260_30_0)
-(typeattribute base_typeattr_261_30_0)
-(typeattribute base_typeattr_262_30_0)
-(typeattribute base_typeattr_263_30_0)
-(typeattribute base_typeattr_264_30_0)
-(typeattribute base_typeattr_265_30_0)
-(typeattribute base_typeattr_266_30_0)
-(typeattribute base_typeattr_267_30_0)
-(typeattribute base_typeattr_268_30_0)
-(typeattribute base_typeattr_269_30_0)
-(typeattribute base_typeattr_26_30_0)
-(typeattribute base_typeattr_270_30_0)
-(typeattribute base_typeattr_271_30_0)
-(typeattribute base_typeattr_272_30_0)
-(typeattribute base_typeattr_273_30_0)
-(typeattribute base_typeattr_274_30_0)
-(typeattribute base_typeattr_275_30_0)
-(typeattribute base_typeattr_276_30_0)
-(typeattribute base_typeattr_277_30_0)
-(typeattribute base_typeattr_278_30_0)
-(typeattribute base_typeattr_279_30_0)
-(typeattribute base_typeattr_27_30_0)
-(typeattribute base_typeattr_280_30_0)
-(typeattribute base_typeattr_281_30_0)
-(typeattribute base_typeattr_282_30_0)
-(typeattribute base_typeattr_283_30_0)
-(typeattribute base_typeattr_284_30_0)
-(typeattribute base_typeattr_285_30_0)
-(typeattribute base_typeattr_286_30_0)
-(typeattribute base_typeattr_287_30_0)
-(typeattribute base_typeattr_288_30_0)
-(typeattribute base_typeattr_289_30_0)
-(typeattribute base_typeattr_28_30_0)
-(typeattribute base_typeattr_290_30_0)
-(typeattribute base_typeattr_291_30_0)
-(typeattribute base_typeattr_292_30_0)
-(typeattribute base_typeattr_293_30_0)
-(typeattribute base_typeattr_294_30_0)
-(typeattribute base_typeattr_295_30_0)
-(typeattribute base_typeattr_296_30_0)
-(typeattribute base_typeattr_297_30_0)
-(typeattribute base_typeattr_298_30_0)
-(typeattribute base_typeattr_299_30_0)
-(typeattribute base_typeattr_29_30_0)
-(typeattribute base_typeattr_2_30_0)
-(typeattribute base_typeattr_300_30_0)
-(typeattribute base_typeattr_301_30_0)
-(typeattribute base_typeattr_302_30_0)
-(typeattribute base_typeattr_303_30_0)
-(typeattribute base_typeattr_304_30_0)
-(typeattribute base_typeattr_305_30_0)
-(typeattribute base_typeattr_306_30_0)
-(typeattribute base_typeattr_307_30_0)
-(typeattribute base_typeattr_308_30_0)
-(typeattribute base_typeattr_309_30_0)
-(typeattribute base_typeattr_30_30_0)
-(typeattribute base_typeattr_310_30_0)
-(typeattribute base_typeattr_311_30_0)
-(typeattribute base_typeattr_312_30_0)
-(typeattribute base_typeattr_313_30_0)
-(typeattribute base_typeattr_314_30_0)
-(typeattribute base_typeattr_315_30_0)
-(typeattribute base_typeattr_316_30_0)
-(typeattribute base_typeattr_317_30_0)
-(typeattribute base_typeattr_318_30_0)
-(typeattribute base_typeattr_319_30_0)
-(typeattribute base_typeattr_31_30_0)
-(typeattribute base_typeattr_320_30_0)
-(typeattribute base_typeattr_321_30_0)
-(typeattribute base_typeattr_322_30_0)
-(typeattribute base_typeattr_323_30_0)
-(typeattribute base_typeattr_324_30_0)
-(typeattribute base_typeattr_325_30_0)
-(typeattribute base_typeattr_326_30_0)
-(typeattribute base_typeattr_327_30_0)
-(typeattribute base_typeattr_328_30_0)
-(typeattribute base_typeattr_329_30_0)
-(typeattribute base_typeattr_32_30_0)
-(typeattribute base_typeattr_330_30_0)
-(typeattribute base_typeattr_331_30_0)
-(typeattribute base_typeattr_332_30_0)
-(typeattribute base_typeattr_333_30_0)
-(typeattribute base_typeattr_334_30_0)
-(typeattribute base_typeattr_335_30_0)
-(typeattribute base_typeattr_336_30_0)
-(typeattribute base_typeattr_337_30_0)
-(typeattribute base_typeattr_338_30_0)
-(typeattribute base_typeattr_339_30_0)
-(typeattribute base_typeattr_33_30_0)
-(typeattribute base_typeattr_340_30_0)
-(typeattribute base_typeattr_341_30_0)
-(typeattribute base_typeattr_342_30_0)
-(typeattribute base_typeattr_343_30_0)
-(typeattribute base_typeattr_344_30_0)
-(typeattribute base_typeattr_345_30_0)
-(typeattribute base_typeattr_346_30_0)
-(typeattribute base_typeattr_347_30_0)
-(typeattribute base_typeattr_348_30_0)
-(typeattribute base_typeattr_349_30_0)
-(typeattribute base_typeattr_34_30_0)
-(typeattribute base_typeattr_350_30_0)
-(typeattribute base_typeattr_351_30_0)
-(typeattribute base_typeattr_352_30_0)
-(typeattribute base_typeattr_353_30_0)
-(typeattribute base_typeattr_354_30_0)
-(typeattribute base_typeattr_355_30_0)
-(typeattribute base_typeattr_356_30_0)
-(typeattribute base_typeattr_357_30_0)
-(typeattribute base_typeattr_358_30_0)
-(typeattribute base_typeattr_359_30_0)
-(typeattribute base_typeattr_35_30_0)
-(typeattribute base_typeattr_360_30_0)
-(typeattribute base_typeattr_361_30_0)
-(typeattribute base_typeattr_362_30_0)
-(typeattribute base_typeattr_363_30_0)
-(typeattribute base_typeattr_364_30_0)
-(typeattribute base_typeattr_365_30_0)
-(typeattribute base_typeattr_366_30_0)
-(typeattribute base_typeattr_367_30_0)
-(typeattribute base_typeattr_368_30_0)
-(typeattribute base_typeattr_369_30_0)
-(typeattribute base_typeattr_36_30_0)
-(typeattribute base_typeattr_370_30_0)
-(typeattribute base_typeattr_371_30_0)
-(typeattribute base_typeattr_372_30_0)
-(typeattribute base_typeattr_373_30_0)
-(typeattribute base_typeattr_374_30_0)
-(typeattribute base_typeattr_375_30_0)
-(typeattribute base_typeattr_376_30_0)
-(typeattribute base_typeattr_377_30_0)
-(typeattribute base_typeattr_378_30_0)
-(typeattribute base_typeattr_379_30_0)
-(typeattribute base_typeattr_37_30_0)
-(typeattribute base_typeattr_380_30_0)
-(typeattribute base_typeattr_381_30_0)
-(typeattribute base_typeattr_382_30_0)
-(typeattribute base_typeattr_383_30_0)
-(typeattribute base_typeattr_384_30_0)
-(typeattribute base_typeattr_385_30_0)
-(typeattribute base_typeattr_386_30_0)
-(typeattribute base_typeattr_387_30_0)
-(typeattribute base_typeattr_388_30_0)
-(typeattribute base_typeattr_389_30_0)
-(typeattribute base_typeattr_38_30_0)
-(typeattribute base_typeattr_390_30_0)
-(typeattribute base_typeattr_391_30_0)
-(typeattribute base_typeattr_392_30_0)
-(typeattribute base_typeattr_393_30_0)
-(typeattribute base_typeattr_394_30_0)
-(typeattribute base_typeattr_395_30_0)
-(typeattribute base_typeattr_396_30_0)
-(typeattribute base_typeattr_397_30_0)
-(typeattribute base_typeattr_398_30_0)
-(typeattribute base_typeattr_399_30_0)
-(typeattribute base_typeattr_39_30_0)
-(typeattribute base_typeattr_3_30_0)
-(typeattribute base_typeattr_400_30_0)
-(typeattribute base_typeattr_401_30_0)
-(typeattribute base_typeattr_402_30_0)
-(typeattribute base_typeattr_403_30_0)
-(typeattribute base_typeattr_404_30_0)
-(typeattribute base_typeattr_405_30_0)
-(typeattribute base_typeattr_406_30_0)
-(typeattribute base_typeattr_407_30_0)
-(typeattribute base_typeattr_408_30_0)
-(typeattribute base_typeattr_409_30_0)
-(typeattribute base_typeattr_40_30_0)
-(typeattribute base_typeattr_410_30_0)
-(typeattribute base_typeattr_411_30_0)
-(typeattribute base_typeattr_412_30_0)
-(typeattribute base_typeattr_413_30_0)
-(typeattribute base_typeattr_414_30_0)
-(typeattribute base_typeattr_415_30_0)
-(typeattribute base_typeattr_416_30_0)
-(typeattribute base_typeattr_417_30_0)
-(typeattribute base_typeattr_418_30_0)
-(typeattribute base_typeattr_419_30_0)
-(typeattribute base_typeattr_41_30_0)
-(typeattribute base_typeattr_420_30_0)
-(typeattribute base_typeattr_421_30_0)
-(typeattribute base_typeattr_422_30_0)
-(typeattribute base_typeattr_423_30_0)
-(typeattribute base_typeattr_424_30_0)
-(typeattribute base_typeattr_425_30_0)
-(typeattribute base_typeattr_426_30_0)
-(typeattribute base_typeattr_427_30_0)
-(typeattribute base_typeattr_428_30_0)
-(typeattribute base_typeattr_429_30_0)
-(typeattribute base_typeattr_42_30_0)
-(typeattribute base_typeattr_430_30_0)
-(typeattribute base_typeattr_431_30_0)
-(typeattribute base_typeattr_432_30_0)
-(typeattribute base_typeattr_433_30_0)
-(typeattribute base_typeattr_434_30_0)
-(typeattribute base_typeattr_435_30_0)
-(typeattribute base_typeattr_436_30_0)
-(typeattribute base_typeattr_437_30_0)
-(typeattribute base_typeattr_438_30_0)
-(typeattribute base_typeattr_439_30_0)
-(typeattribute base_typeattr_43_30_0)
-(typeattribute base_typeattr_440_30_0)
-(typeattribute base_typeattr_441_30_0)
-(typeattribute base_typeattr_442_30_0)
-(typeattribute base_typeattr_443_30_0)
-(typeattribute base_typeattr_444_30_0)
-(typeattribute base_typeattr_445_30_0)
-(typeattribute base_typeattr_446_30_0)
-(typeattribute base_typeattr_447_30_0)
-(typeattribute base_typeattr_448_30_0)
-(typeattribute base_typeattr_449_30_0)
-(typeattribute base_typeattr_44_30_0)
-(typeattribute base_typeattr_450_30_0)
-(typeattribute base_typeattr_451_30_0)
-(typeattribute base_typeattr_452_30_0)
-(typeattribute base_typeattr_453_30_0)
-(typeattribute base_typeattr_454_30_0)
-(typeattribute base_typeattr_455_30_0)
-(typeattribute base_typeattr_456_30_0)
-(typeattribute base_typeattr_457_30_0)
-(typeattribute base_typeattr_458_30_0)
-(typeattribute base_typeattr_459_30_0)
-(typeattribute base_typeattr_45_30_0)
-(typeattribute base_typeattr_460_30_0)
-(typeattribute base_typeattr_461_30_0)
-(typeattribute base_typeattr_462_30_0)
-(typeattribute base_typeattr_463_30_0)
-(typeattribute base_typeattr_464_30_0)
-(typeattribute base_typeattr_465_30_0)
-(typeattribute base_typeattr_466_30_0)
-(typeattribute base_typeattr_467_30_0)
-(typeattribute base_typeattr_468_30_0)
-(typeattribute base_typeattr_469_30_0)
-(typeattribute base_typeattr_46_30_0)
-(typeattribute base_typeattr_470_30_0)
-(typeattribute base_typeattr_471_30_0)
-(typeattribute base_typeattr_472_30_0)
-(typeattribute base_typeattr_473_30_0)
-(typeattribute base_typeattr_474_30_0)
-(typeattribute base_typeattr_475_30_0)
-(typeattribute base_typeattr_476_30_0)
-(typeattribute base_typeattr_477_30_0)
-(typeattribute base_typeattr_478_30_0)
-(typeattribute base_typeattr_479_30_0)
-(typeattribute base_typeattr_47_30_0)
-(typeattribute base_typeattr_480_30_0)
-(typeattribute base_typeattr_481_30_0)
-(typeattribute base_typeattr_482_30_0)
-(typeattribute base_typeattr_483_30_0)
-(typeattribute base_typeattr_484_30_0)
-(typeattribute base_typeattr_485_30_0)
-(typeattribute base_typeattr_486_30_0)
-(typeattribute base_typeattr_487_30_0)
-(typeattribute base_typeattr_488_30_0)
-(typeattribute base_typeattr_489_30_0)
-(typeattribute base_typeattr_48_30_0)
-(typeattribute base_typeattr_490_30_0)
-(typeattribute base_typeattr_491_30_0)
-(typeattribute base_typeattr_492_30_0)
-(typeattribute base_typeattr_493_30_0)
-(typeattribute base_typeattr_494_30_0)
-(typeattribute base_typeattr_495_30_0)
-(typeattribute base_typeattr_496_30_0)
-(typeattribute base_typeattr_497_30_0)
-(typeattribute base_typeattr_498_30_0)
-(typeattribute base_typeattr_499_30_0)
-(typeattribute base_typeattr_49_30_0)
-(typeattribute base_typeattr_4_30_0)
-(typeattribute base_typeattr_500_30_0)
-(typeattribute base_typeattr_501_30_0)
-(typeattribute base_typeattr_502_30_0)
-(typeattribute base_typeattr_503_30_0)
-(typeattribute base_typeattr_504_30_0)
-(typeattribute base_typeattr_505_30_0)
-(typeattribute base_typeattr_506_30_0)
-(typeattribute base_typeattr_507_30_0)
-(typeattribute base_typeattr_508_30_0)
-(typeattribute base_typeattr_509_30_0)
-(typeattribute base_typeattr_50_30_0)
-(typeattribute base_typeattr_510_30_0)
-(typeattribute base_typeattr_511_30_0)
-(typeattribute base_typeattr_512_30_0)
-(typeattribute base_typeattr_513_30_0)
-(typeattribute base_typeattr_514_30_0)
-(typeattribute base_typeattr_515_30_0)
-(typeattribute base_typeattr_516_30_0)
-(typeattribute base_typeattr_517_30_0)
-(typeattribute base_typeattr_518_30_0)
-(typeattribute base_typeattr_519_30_0)
-(typeattribute base_typeattr_51_30_0)
-(typeattribute base_typeattr_520_30_0)
-(typeattribute base_typeattr_521_30_0)
-(typeattribute base_typeattr_522_30_0)
-(typeattribute base_typeattr_523_30_0)
-(typeattribute base_typeattr_524_30_0)
-(typeattribute base_typeattr_525_30_0)
-(typeattribute base_typeattr_526_30_0)
-(typeattribute base_typeattr_527_30_0)
-(typeattribute base_typeattr_528_30_0)
-(typeattribute base_typeattr_529_30_0)
-(typeattribute base_typeattr_52_30_0)
-(typeattribute base_typeattr_530_30_0)
-(typeattribute base_typeattr_531_30_0)
-(typeattribute base_typeattr_532_30_0)
-(typeattribute base_typeattr_533_30_0)
-(typeattribute base_typeattr_534_30_0)
-(typeattribute base_typeattr_535_30_0)
-(typeattribute base_typeattr_536_30_0)
-(typeattribute base_typeattr_537_30_0)
-(typeattribute base_typeattr_538_30_0)
-(typeattribute base_typeattr_539_30_0)
-(typeattribute base_typeattr_53_30_0)
-(typeattribute base_typeattr_540_30_0)
-(typeattribute base_typeattr_541_30_0)
-(typeattribute base_typeattr_542_30_0)
-(typeattribute base_typeattr_543_30_0)
-(typeattribute base_typeattr_544_30_0)
-(typeattribute base_typeattr_545_30_0)
-(typeattribute base_typeattr_546_30_0)
-(typeattribute base_typeattr_547_30_0)
-(typeattribute base_typeattr_548_30_0)
-(typeattribute base_typeattr_54_30_0)
-(typeattribute base_typeattr_55_30_0)
-(typeattribute base_typeattr_56_30_0)
-(typeattribute base_typeattr_57_30_0)
-(typeattribute base_typeattr_58_30_0)
-(typeattribute base_typeattr_59_30_0)
-(typeattribute base_typeattr_5_30_0)
-(typeattribute base_typeattr_60_30_0)
-(typeattribute base_typeattr_61_30_0)
-(typeattribute base_typeattr_62_30_0)
-(typeattribute base_typeattr_63_30_0)
-(typeattribute base_typeattr_64_30_0)
-(typeattribute base_typeattr_65_30_0)
-(typeattribute base_typeattr_66_30_0)
-(typeattribute base_typeattr_67_30_0)
-(typeattribute base_typeattr_68_30_0)
-(typeattribute base_typeattr_69_30_0)
-(typeattribute base_typeattr_6_30_0)
-(typeattribute base_typeattr_70_30_0)
-(typeattribute base_typeattr_71_30_0)
-(typeattribute base_typeattr_72_30_0)
-(typeattribute base_typeattr_73_30_0)
-(typeattribute base_typeattr_74_30_0)
-(typeattribute base_typeattr_75_30_0)
-(typeattribute base_typeattr_76_30_0)
-(typeattribute base_typeattr_77_30_0)
-(typeattribute base_typeattr_78_30_0)
-(typeattribute base_typeattr_79_30_0)
-(typeattribute base_typeattr_7_30_0)
-(typeattribute base_typeattr_80_30_0)
-(typeattribute base_typeattr_81_30_0)
-(typeattribute base_typeattr_82_30_0)
-(typeattribute base_typeattr_83_30_0)
-(typeattribute base_typeattr_84_30_0)
-(typeattribute base_typeattr_85_30_0)
-(typeattribute base_typeattr_86_30_0)
-(typeattribute base_typeattr_87_30_0)
-(typeattribute base_typeattr_88_30_0)
-(typeattribute base_typeattr_89_30_0)
-(typeattribute base_typeattr_8_30_0)
-(typeattribute base_typeattr_90_30_0)
-(typeattribute base_typeattr_91_30_0)
-(typeattribute base_typeattr_92_30_0)
-(typeattribute base_typeattr_93_30_0)
-(typeattribute base_typeattr_94_30_0)
-(typeattribute base_typeattr_95_30_0)
-(typeattribute base_typeattr_96_30_0)
-(typeattribute base_typeattr_97_30_0)
-(typeattribute base_typeattr_98_30_0)
-(typeattribute base_typeattr_99_30_0)
-(typeattribute base_typeattr_9_30_0)
-(typeattribute battery_service_30_0)
-(typeattribute batteryproperties_service_30_0)
-(typeattribute batterystats_service_30_0)
-(typeattribute binder_cache_bluetooth_server_prop_30_0)
-(typeattribute binder_cache_system_server_prop_30_0)
-(typeattribute binder_cache_telephony_server_prop_30_0)
-(typeattribute binder_calls_stats_service_30_0)
-(typeattribute binder_device_30_0)
-(typeattribute binder_in_vendor_violators)
-(typeattribute binderfs_30_0)
-(typeattribute binderfs_logs_30_0)
-(typeattribute binderfs_logs_proc_30_0)
-(typeattribute binderservicedomain)
-(typeattribute binfmt_miscfs_30_0)
-(typeattribute biometric_service_30_0)
-(typeattribute blkid_30_0)
-(typeattribute blkid_untrusted_30_0)
-(typeattribute blob_store_service_30_0)
-(typeattribute block_device_30_0)
-(typeattribute bluetooth_30_0)
-(typeattribute bluetooth_a2dp_offload_prop_30_0)
-(typeattribute bluetooth_audio_hal_prop_30_0)
-(typeattribute bluetooth_data_file_30_0)
-(typeattribute bluetooth_efs_file_30_0)
-(typeattribute bluetooth_logs_data_file_30_0)
-(typeattribute bluetooth_manager_service_30_0)
-(typeattribute bluetooth_prop_30_0)
-(typeattribute bluetooth_service_30_0)
-(typeattribute bluetooth_socket_30_0)
-(typeattribute bluetoothdomain)
-(typeattribute boot_block_device_30_0)
-(typeattribute bootanim_30_0)
-(typeattribute bootanim_exec_30_0)
-(typeattribute bootchart_data_file_30_0)
-(typeattribute bootloader_boot_reason_prop_30_0)
-(typeattribute bootstat_30_0)
-(typeattribute bootstat_data_file_30_0)
-(typeattribute bootstat_exec_30_0)
-(typeattribute boottime_prop_30_0)
-(typeattribute boottime_public_prop_30_0)
-(typeattribute boottrace_data_file_30_0)
-(typeattribute bpf_progs_loaded_prop_30_0)
-(typeattribute bq_config_prop_30_0)
-(typeattribute broadcastradio_service_30_0)
-(typeattribute bufferhubd_30_0)
-(typeattribute bufferhubd_exec_30_0)
-(typeattribute bugreport_service_30_0)
-(typeattribute cache_backup_file_30_0)
-(typeattribute cache_block_device_30_0)
-(typeattribute cache_file_30_0)
-(typeattribute cache_private_backup_file_30_0)
-(typeattribute cache_recovery_file_30_0)
-(typeattribute cacheinfo_service_30_0)
-(typeattribute camera_data_file_30_0)
-(typeattribute camera_device_30_0)
-(typeattribute camera_service_server)
-(typeattribute cameraproxy_service_30_0)
-(typeattribute cameraserver_30_0)
-(typeattribute cameraserver_exec_30_0)
-(typeattribute cameraserver_service_30_0)
-(typeattribute cameraserver_tmpfs_30_0)
-(typeattribute cgroup_30_0)
-(typeattribute cgroup_bpf_30_0)
-(typeattribute cgroup_desc_file_30_0)
-(typeattribute cgroup_rc_file_30_0)
-(typeattribute charger_30_0)
-(typeattribute charger_exec_30_0)
-(typeattribute charger_prop_30_0)
-(typeattribute clipboard_service_30_0)
-(typeattribute cold_boot_done_prop_30_0)
-(typeattribute color_display_service_30_0)
-(typeattribute companion_device_service_30_0)
-(typeattribute config_prop_30_0)
-(typeattribute configfs_30_0)
-(typeattribute connectivity_service_30_0)
-(typeattribute connmetrics_service_30_0)
-(typeattribute console_device_30_0)
-(typeattribute consumer_ir_service_30_0)
-(typeattribute content_capture_service_30_0)
-(typeattribute content_service_30_0)
-(typeattribute content_suggestions_service_30_0)
-(typeattribute contexthub_service_30_0)
-(typeattribute contextmount_type)
-(typeattribute core_data_file_type)
-(typeattribute core_property_type)
-(typeattribute coredomain)
-(typeattribute coredomain_hwservice)
-(typeattribute coredomain_socket)
-(typeattribute coredump_file_30_0)
-(typeattribute country_detector_service_30_0)
-(typeattribute coverage_service_30_0)
-(typeattribute cppreopt_prop_30_0)
-(typeattribute cpu_variant_prop_30_0)
-(typeattribute cpuinfo_service_30_0)
-(typeattribute crash_dump_30_0)
-(typeattribute crash_dump_exec_30_0)
-(typeattribute credstore_30_0)
-(typeattribute credstore_data_file_30_0)
-(typeattribute credstore_exec_30_0)
-(typeattribute credstore_service_30_0)
-(typeattribute crossprofileapps_service_30_0)
-(typeattribute ctl_adbd_prop_30_0)
-(typeattribute ctl_apexd_prop_30_0)
-(typeattribute ctl_bootanim_prop_30_0)
-(typeattribute ctl_bugreport_prop_30_0)
-(typeattribute ctl_console_prop_30_0)
-(typeattribute ctl_default_prop_30_0)
-(typeattribute ctl_dumpstate_prop_30_0)
-(typeattribute ctl_fuse_prop_30_0)
-(typeattribute ctl_gsid_prop_30_0)
-(typeattribute ctl_interface_restart_prop_30_0)
-(typeattribute ctl_interface_start_prop_30_0)
-(typeattribute ctl_interface_stop_prop_30_0)
-(typeattribute ctl_mdnsd_prop_30_0)
-(typeattribute ctl_restart_prop_30_0)
-(typeattribute ctl_rildaemon_prop_30_0)
-(typeattribute ctl_sigstop_prop_30_0)
-(typeattribute ctl_start_prop_30_0)
-(typeattribute ctl_stop_prop_30_0)
-(typeattribute dalvik_prop_30_0)
-(typeattribute dalvikcache_data_file_30_0)
-(typeattribute data_between_core_and_vendor_violators)
-(typeattribute data_file_type)
-(typeattribute dataloader_manager_service_30_0)
-(typeattribute dbinfo_service_30_0)
-(typeattribute debug_prop_30_0)
-(typeattribute debugfs_30_0)
-(typeattribute debugfs_kprobes_30_0)
-(typeattribute debugfs_mmc_30_0)
-(typeattribute debugfs_trace_marker_30_0)
-(typeattribute debugfs_tracing_30_0)
-(typeattribute debugfs_tracing_debug_30_0)
-(typeattribute debugfs_tracing_instances_30_0)
-(typeattribute debugfs_type)
-(typeattribute debugfs_wakeup_sources_30_0)
-(typeattribute debugfs_wifi_tracing_30_0)
-(typeattribute debuggerd_prop_30_0)
-(typeattribute default_android_hwservice_30_0)
-(typeattribute default_android_service_30_0)
-(typeattribute default_android_vndservice_30_0)
-(typeattribute default_prop_30_0)
-(typeattribute dev_cpu_variant_30_0)
-(typeattribute dev_type)
-(typeattribute device_30_0)
-(typeattribute device_config_activity_manager_native_boot_prop_30_0)
-(typeattribute device_config_boot_count_prop_30_0)
-(typeattribute device_config_configuration_prop_30_0)
-(typeattribute device_config_input_native_boot_prop_30_0)
-(typeattribute device_config_media_native_prop_30_0)
-(typeattribute device_config_netd_native_prop_30_0)
-(typeattribute device_config_reset_performed_prop_30_0)
-(typeattribute device_config_runtime_native_boot_prop_30_0)
-(typeattribute device_config_runtime_native_prop_30_0)
-(typeattribute device_config_service_30_0)
-(typeattribute device_config_storage_native_boot_prop_30_0)
-(typeattribute device_config_sys_traced_prop_30_0)
-(typeattribute device_config_window_manager_native_boot_prop_30_0)
-(typeattribute device_identifiers_service_30_0)
-(typeattribute device_logging_prop_30_0)
-(typeattribute device_policy_service_30_0)
-(typeattribute deviceidle_service_30_0)
-(typeattribute devicestoragemonitor_service_30_0)
-(typeattribute devpts_30_0)
-(typeattribute dhcp_30_0)
-(typeattribute dhcp_data_file_30_0)
-(typeattribute dhcp_exec_30_0)
-(typeattribute dhcp_prop_30_0)
-(typeattribute diskstats_service_30_0)
-(typeattribute display_service_30_0)
-(typeattribute display_service_server)
-(typeattribute dm_device_30_0)
-(typeattribute dnsmasq_30_0)
-(typeattribute dnsmasq_exec_30_0)
-(typeattribute dnsproxyd_socket_30_0)
-(typeattribute dnsresolver_service_30_0)
-(typeattribute domain)
-(typeattribute dreams_service_30_0)
-(typeattribute drm_data_file_30_0)
-(typeattribute drmserver_30_0)
-(typeattribute drmserver_exec_30_0)
-(typeattribute drmserver_service_30_0)
-(typeattribute drmserver_socket_30_0)
-(typeattribute dropbox_data_file_30_0)
-(typeattribute dropbox_service_30_0)
-(typeattribute dumpstate_30_0)
-(typeattribute dumpstate_exec_30_0)
-(typeattribute dumpstate_options_prop_30_0)
-(typeattribute dumpstate_prop_30_0)
-(typeattribute dumpstate_service_30_0)
-(typeattribute dumpstate_socket_30_0)
-(typeattribute dynamic_system_prop_30_0)
-(typeattribute e2fs_30_0)
-(typeattribute e2fs_exec_30_0)
-(typeattribute efs_file_30_0)
-(typeattribute emergency_affordance_service_30_0)
-(typeattribute ephemeral_app_30_0)
-(typeattribute ephemeral_app_api_service)
-(typeattribute ethernet_service_30_0)
-(typeattribute exec_type)
-(typeattribute exfat_30_0)
-(typeattribute exported2_config_prop_30_0)
-(typeattribute exported2_default_prop_30_0)
-(typeattribute exported2_radio_prop_30_0)
-(typeattribute exported2_system_prop_30_0)
-(typeattribute exported2_vold_prop_30_0)
-(typeattribute exported3_default_prop_30_0)
-(typeattribute exported3_radio_prop_30_0)
-(typeattribute exported3_system_prop_30_0)
-(typeattribute exported_audio_prop_30_0)
-(typeattribute exported_bluetooth_prop_30_0)
-(typeattribute exported_camera_prop_30_0)
-(typeattribute exported_config_prop_30_0)
-(typeattribute exported_dalvik_prop_30_0)
-(typeattribute exported_default_prop_30_0)
-(typeattribute exported_dumpstate_prop_30_0)
-(typeattribute exported_ffs_prop_30_0)
-(typeattribute exported_fingerprint_prop_30_0)
-(typeattribute exported_overlay_prop_30_0)
-(typeattribute exported_pm_prop_30_0)
-(typeattribute exported_radio_prop_30_0)
-(typeattribute exported_secure_prop_30_0)
-(typeattribute exported_system_prop_30_0)
-(typeattribute exported_system_radio_prop_30_0)
-(typeattribute exported_vold_prop_30_0)
-(typeattribute exported_wifi_prop_30_0)
-(typeattribute extended_core_property_type)
-(typeattribute external_vibrator_service_30_0)
-(typeattribute face_service_30_0)
-(typeattribute face_vendor_data_file_30_0)
-(typeattribute fastbootd_30_0)
-(typeattribute fastbootd_protocol_prop_30_0)
-(typeattribute ffs_prop_30_0)
-(typeattribute file_contexts_file_30_0)
-(typeattribute file_integrity_service_30_0)
-(typeattribute file_type)
-(typeattribute fingerprint_prop_30_0)
-(typeattribute fingerprint_service_30_0)
-(typeattribute fingerprint_vendor_data_file_30_0)
-(typeattribute fingerprintd_30_0)
-(typeattribute fingerprintd_data_file_30_0)
-(typeattribute fingerprintd_exec_30_0)
-(typeattribute fingerprintd_service_30_0)
-(typeattribute firstboot_prop_30_0)
-(typeattribute flags_health_check_30_0)
-(typeattribute flags_health_check_exec_30_0)
-(typeattribute font_service_30_0)
-(typeattribute frp_block_device_30_0)
-(typeattribute fs_bpf_30_0)
-(typeattribute fs_type)
-(typeattribute fsck_30_0)
-(typeattribute fsck_exec_30_0)
-(typeattribute fsck_untrusted_30_0)
-(typeattribute fscklogs_30_0)
-(typeattribute functionfs_30_0)
-(typeattribute fuse_30_0)
-(typeattribute fuse_device_30_0)
-(typeattribute fusectlfs_30_0)
-(typeattribute fwk_automotive_display_hwservice_30_0)
-(typeattribute fwk_bufferhub_hwservice_30_0)
-(typeattribute fwk_camera_hwservice_30_0)
-(typeattribute fwk_display_hwservice_30_0)
-(typeattribute fwk_scheduler_hwservice_30_0)
-(typeattribute fwk_sensor_hwservice_30_0)
-(typeattribute fwk_stats_hwservice_30_0)
-(typeattribute fwmarkd_socket_30_0)
-(typeattribute gatekeeper_data_file_30_0)
-(typeattribute gatekeeper_service_30_0)
-(typeattribute gatekeeperd_30_0)
-(typeattribute gatekeeperd_exec_30_0)
-(typeattribute gfxinfo_service_30_0)
-(typeattribute gmscore_app_30_0)
-(typeattribute gps_control_30_0)
-(typeattribute gpu_device_30_0)
-(typeattribute gpu_service_30_0)
-(typeattribute gpuservice_30_0)
-(typeattribute graphics_config_prop_30_0)
-(typeattribute graphics_device_30_0)
-(typeattribute graphicsstats_service_30_0)
-(typeattribute gsi_data_file_30_0)
-(typeattribute gsi_metadata_file_30_0)
-(typeattribute gsid_prop_30_0)
-(typeattribute hal_allocator)
-(typeattribute hal_allocator_client)
-(typeattribute hal_allocator_server)
-(typeattribute hal_atrace)
-(typeattribute hal_atrace_client)
-(typeattribute hal_atrace_hwservice_30_0)
-(typeattribute hal_atrace_server)
-(typeattribute hal_audio)
-(typeattribute hal_audio_client)
-(typeattribute hal_audio_hwservice_30_0)
-(typeattribute hal_audio_server)
-(typeattribute hal_audiocontrol)
-(typeattribute hal_audiocontrol_client)
-(typeattribute hal_audiocontrol_hwservice_30_0)
-(typeattribute hal_audiocontrol_server)
-(typeattribute hal_authsecret)
-(typeattribute hal_authsecret_client)
-(typeattribute hal_authsecret_hwservice_30_0)
-(typeattribute hal_authsecret_server)
-(typeattribute hal_automotive_socket_exemption)
-(typeattribute hal_bluetooth)
-(typeattribute hal_bluetooth_client)
-(typeattribute hal_bluetooth_hwservice_30_0)
-(typeattribute hal_bluetooth_server)
-(typeattribute hal_bootctl)
-(typeattribute hal_bootctl_client)
-(typeattribute hal_bootctl_hwservice_30_0)
-(typeattribute hal_bootctl_server)
-(typeattribute hal_broadcastradio)
-(typeattribute hal_broadcastradio_client)
-(typeattribute hal_broadcastradio_hwservice_30_0)
-(typeattribute hal_broadcastradio_server)
-(typeattribute hal_bufferhub)
-(typeattribute hal_bufferhub_client)
-(typeattribute hal_bufferhub_server)
-(typeattribute hal_camera)
-(typeattribute hal_camera_client)
-(typeattribute hal_camera_hwservice_30_0)
-(typeattribute hal_camera_server)
-(typeattribute hal_can_bus)
-(typeattribute hal_can_bus_client)
-(typeattribute hal_can_bus_hwservice_30_0)
-(typeattribute hal_can_bus_server)
-(typeattribute hal_can_controller)
-(typeattribute hal_can_controller_client)
-(typeattribute hal_can_controller_hwservice_30_0)
-(typeattribute hal_can_controller_server)
-(typeattribute hal_cas)
-(typeattribute hal_cas_client)
-(typeattribute hal_cas_hwservice_30_0)
-(typeattribute hal_cas_server)
-(typeattribute hal_codec2)
-(typeattribute hal_codec2_client)
-(typeattribute hal_codec2_hwservice_30_0)
-(typeattribute hal_codec2_server)
-(typeattribute hal_configstore)
-(typeattribute hal_configstore_ISurfaceFlingerConfigs_30_0)
-(typeattribute hal_configstore_client)
-(typeattribute hal_configstore_server)
-(typeattribute hal_confirmationui)
-(typeattribute hal_confirmationui_client)
-(typeattribute hal_confirmationui_hwservice_30_0)
-(typeattribute hal_confirmationui_server)
-(typeattribute hal_contexthub)
-(typeattribute hal_contexthub_client)
-(typeattribute hal_contexthub_hwservice_30_0)
-(typeattribute hal_contexthub_server)
-(typeattribute hal_drm)
-(typeattribute hal_drm_client)
-(typeattribute hal_drm_hwservice_30_0)
-(typeattribute hal_drm_server)
-(typeattribute hal_dumpstate)
-(typeattribute hal_dumpstate_client)
-(typeattribute hal_dumpstate_hwservice_30_0)
-(typeattribute hal_dumpstate_server)
-(typeattribute hal_evs)
-(typeattribute hal_evs_client)
-(typeattribute hal_evs_hwservice_30_0)
-(typeattribute hal_evs_server)
-(typeattribute hal_face)
-(typeattribute hal_face_client)
-(typeattribute hal_face_hwservice_30_0)
-(typeattribute hal_face_server)
-(typeattribute hal_fingerprint)
-(typeattribute hal_fingerprint_client)
-(typeattribute hal_fingerprint_hwservice_30_0)
-(typeattribute hal_fingerprint_server)
-(typeattribute hal_fingerprint_service_30_0)
-(typeattribute hal_gatekeeper)
-(typeattribute hal_gatekeeper_client)
-(typeattribute hal_gatekeeper_hwservice_30_0)
-(typeattribute hal_gatekeeper_server)
-(typeattribute hal_gnss)
-(typeattribute hal_gnss_client)
-(typeattribute hal_gnss_hwservice_30_0)
-(typeattribute hal_gnss_server)
-(typeattribute hal_graphics_allocator)
-(typeattribute hal_graphics_allocator_client)
-(typeattribute hal_graphics_allocator_hwservice_30_0)
-(typeattribute hal_graphics_allocator_server)
-(typeattribute hal_graphics_composer)
-(typeattribute hal_graphics_composer_client)
-(typeattribute hal_graphics_composer_client_tmpfs)
-(typeattribute hal_graphics_composer_hwservice_30_0)
-(typeattribute hal_graphics_composer_server)
-(typeattribute hal_graphics_composer_server_tmpfs_30_0)
-(typeattribute hal_graphics_mapper_hwservice_30_0)
-(typeattribute hal_health)
-(typeattribute hal_health_client)
-(typeattribute hal_health_hwservice_30_0)
-(typeattribute hal_health_server)
-(typeattribute hal_health_storage)
-(typeattribute hal_health_storage_client)
-(typeattribute hal_health_storage_hwservice_30_0)
-(typeattribute hal_health_storage_server)
-(typeattribute hal_identity)
-(typeattribute hal_identity_client)
-(typeattribute hal_identity_server)
-(typeattribute hal_identity_service_30_0)
-(typeattribute hal_input_classifier)
-(typeattribute hal_input_classifier_client)
-(typeattribute hal_input_classifier_hwservice_30_0)
-(typeattribute hal_input_classifier_server)
-(typeattribute hal_ir)
-(typeattribute hal_ir_client)
-(typeattribute hal_ir_hwservice_30_0)
-(typeattribute hal_ir_server)
-(typeattribute hal_keymaster)
-(typeattribute hal_keymaster_client)
-(typeattribute hal_keymaster_hwservice_30_0)
-(typeattribute hal_keymaster_server)
-(typeattribute hal_light)
-(typeattribute hal_light_client)
-(typeattribute hal_light_hwservice_30_0)
-(typeattribute hal_light_server)
-(typeattribute hal_light_service_30_0)
-(typeattribute hal_lowpan)
-(typeattribute hal_lowpan_client)
-(typeattribute hal_lowpan_hwservice_30_0)
-(typeattribute hal_lowpan_server)
-(typeattribute hal_memtrack)
-(typeattribute hal_memtrack_client)
-(typeattribute hal_memtrack_hwservice_30_0)
-(typeattribute hal_memtrack_server)
-(typeattribute hal_neuralnetworks)
-(typeattribute hal_neuralnetworks_client)
-(typeattribute hal_neuralnetworks_hwservice_30_0)
-(typeattribute hal_neuralnetworks_server)
-(typeattribute hal_nfc)
-(typeattribute hal_nfc_client)
-(typeattribute hal_nfc_hwservice_30_0)
-(typeattribute hal_nfc_server)
-(typeattribute hal_oemlock)
-(typeattribute hal_oemlock_client)
-(typeattribute hal_oemlock_hwservice_30_0)
-(typeattribute hal_oemlock_server)
-(typeattribute hal_omx)
-(typeattribute hal_omx_client)
-(typeattribute hal_omx_hwservice_30_0)
-(typeattribute hal_omx_server)
-(typeattribute hal_power)
-(typeattribute hal_power_client)
-(typeattribute hal_power_hwservice_30_0)
-(typeattribute hal_power_server)
-(typeattribute hal_power_service_30_0)
-(typeattribute hal_power_stats)
-(typeattribute hal_power_stats_client)
-(typeattribute hal_power_stats_hwservice_30_0)
-(typeattribute hal_power_stats_server)
-(typeattribute hal_rebootescrow)
-(typeattribute hal_rebootescrow_client)
-(typeattribute hal_rebootescrow_server)
-(typeattribute hal_rebootescrow_service_30_0)
-(typeattribute hal_renderscript_hwservice_30_0)
-(typeattribute hal_secure_element)
-(typeattribute hal_secure_element_client)
-(typeattribute hal_secure_element_hwservice_30_0)
-(typeattribute hal_secure_element_server)
-(typeattribute hal_sensors)
-(typeattribute hal_sensors_client)
-(typeattribute hal_sensors_hwservice_30_0)
-(typeattribute hal_sensors_server)
-(typeattribute hal_telephony)
-(typeattribute hal_telephony_client)
-(typeattribute hal_telephony_hwservice_30_0)
-(typeattribute hal_telephony_server)
-(typeattribute hal_tetheroffload)
-(typeattribute hal_tetheroffload_client)
-(typeattribute hal_tetheroffload_hwservice_30_0)
-(typeattribute hal_tetheroffload_server)
-(typeattribute hal_thermal)
-(typeattribute hal_thermal_client)
-(typeattribute hal_thermal_hwservice_30_0)
-(typeattribute hal_thermal_server)
-(typeattribute hal_tv_cec)
-(typeattribute hal_tv_cec_client)
-(typeattribute hal_tv_cec_hwservice_30_0)
-(typeattribute hal_tv_cec_server)
-(typeattribute hal_tv_input)
-(typeattribute hal_tv_input_client)
-(typeattribute hal_tv_input_hwservice_30_0)
-(typeattribute hal_tv_input_server)
-(typeattribute hal_tv_tuner)
-(typeattribute hal_tv_tuner_client)
-(typeattribute hal_tv_tuner_hwservice_30_0)
-(typeattribute hal_tv_tuner_server)
-(typeattribute hal_usb)
-(typeattribute hal_usb_client)
-(typeattribute hal_usb_gadget)
-(typeattribute hal_usb_gadget_client)
-(typeattribute hal_usb_gadget_hwservice_30_0)
-(typeattribute hal_usb_gadget_server)
-(typeattribute hal_usb_hwservice_30_0)
-(typeattribute hal_usb_server)
-(typeattribute hal_vehicle)
-(typeattribute hal_vehicle_client)
-(typeattribute hal_vehicle_hwservice_30_0)
-(typeattribute hal_vehicle_server)
-(typeattribute hal_vibrator)
-(typeattribute hal_vibrator_client)
-(typeattribute hal_vibrator_hwservice_30_0)
-(typeattribute hal_vibrator_server)
-(typeattribute hal_vibrator_service_30_0)
-(typeattribute hal_vr)
-(typeattribute hal_vr_client)
-(typeattribute hal_vr_hwservice_30_0)
-(typeattribute hal_vr_server)
-(typeattribute hal_weaver)
-(typeattribute hal_weaver_client)
-(typeattribute hal_weaver_hwservice_30_0)
-(typeattribute hal_weaver_server)
-(typeattribute hal_wifi)
-(typeattribute hal_wifi_client)
-(typeattribute hal_wifi_hostapd)
-(typeattribute hal_wifi_hostapd_client)
-(typeattribute hal_wifi_hostapd_hwservice_30_0)
-(typeattribute hal_wifi_hostapd_server)
-(typeattribute hal_wifi_hwservice_30_0)
-(typeattribute hal_wifi_server)
-(typeattribute hal_wifi_supplicant)
-(typeattribute hal_wifi_supplicant_client)
-(typeattribute hal_wifi_supplicant_hwservice_30_0)
-(typeattribute hal_wifi_supplicant_server)
-(typeattribute halclientdomain)
-(typeattribute halserverdomain)
-(typeattribute hardware_properties_service_30_0)
-(typeattribute hardware_service_30_0)
-(typeattribute hci_attach_dev_30_0)
-(typeattribute hdmi_control_service_30_0)
-(typeattribute healthd_30_0)
-(typeattribute healthd_exec_30_0)
-(typeattribute heapdump_data_file_30_0)
-(typeattribute heapprofd_30_0)
-(typeattribute heapprofd_enabled_prop_30_0)
-(typeattribute heapprofd_prop_30_0)
-(typeattribute heapprofd_socket_30_0)
-(typeattribute hidl_allocator_hwservice_30_0)
-(typeattribute hidl_base_hwservice_30_0)
-(typeattribute hidl_manager_hwservice_30_0)
-(typeattribute hidl_memory_hwservice_30_0)
-(typeattribute hidl_token_hwservice_30_0)
-(typeattribute hw_random_device_30_0)
-(typeattribute hwbinder_device_30_0)
-(typeattribute hwservice_contexts_file_30_0)
-(typeattribute hwservice_manager_type)
-(typeattribute hwservicemanager_30_0)
-(typeattribute hwservicemanager_exec_30_0)
-(typeattribute hwservicemanager_prop_30_0)
-(typeattribute icon_file_30_0)
-(typeattribute idmap_30_0)
-(typeattribute idmap_exec_30_0)
-(typeattribute idmap_service_30_0)
-(typeattribute iio_device_30_0)
-(typeattribute imms_service_30_0)
-(typeattribute incident_30_0)
-(typeattribute incident_data_file_30_0)
-(typeattribute incident_helper_30_0)
-(typeattribute incident_service_30_0)
-(typeattribute incidentd_30_0)
-(typeattribute incremental_control_file_30_0)
-(typeattribute incremental_prop_30_0)
-(typeattribute incremental_service_30_0)
-(typeattribute init_30_0)
-(typeattribute init_exec_30_0)
-(typeattribute init_perf_lsm_hooks_prop_30_0)
-(typeattribute init_svc_debug_prop_30_0)
-(typeattribute init_tmpfs_30_0)
-(typeattribute inotify_30_0)
-(typeattribute input_device_30_0)
-(typeattribute input_method_service_30_0)
-(typeattribute input_service_30_0)
-(typeattribute inputflinger_30_0)
-(typeattribute inputflinger_exec_30_0)
-(typeattribute inputflinger_service_30_0)
-(typeattribute install_data_file_30_0)
-(typeattribute installd_30_0)
-(typeattribute installd_exec_30_0)
-(typeattribute installd_service_30_0)
-(typeattribute ion_device_30_0)
-(typeattribute iorap_inode2filename_30_0)
-(typeattribute iorap_inode2filename_exec_30_0)
-(typeattribute iorap_inode2filename_tmpfs_30_0)
-(typeattribute iorap_prefetcherd_30_0)
-(typeattribute iorap_prefetcherd_exec_30_0)
-(typeattribute iorap_prefetcherd_tmpfs_30_0)
-(typeattribute iorapd_30_0)
-(typeattribute iorapd_data_file_30_0)
-(typeattribute iorapd_exec_30_0)
-(typeattribute iorapd_service_30_0)
-(typeattribute iorapd_tmpfs_30_0)
-(typeattribute ipsec_service_30_0)
-(typeattribute iris_service_30_0)
-(typeattribute iris_vendor_data_file_30_0)
-(typeattribute isolated_app_30_0)
-(typeattribute jobscheduler_service_30_0)
-(typeattribute kernel_30_0)
-(typeattribute keychain_data_file_30_0)
-(typeattribute keychord_device_30_0)
-(typeattribute keystore_30_0)
-(typeattribute keystore_data_file_30_0)
-(typeattribute keystore_exec_30_0)
-(typeattribute keystore_service_30_0)
-(typeattribute kmsg_debug_device_30_0)
-(typeattribute kmsg_device_30_0)
-(typeattribute labeledfs_30_0)
-(typeattribute last_boot_reason_prop_30_0)
-(typeattribute launcherapps_service_30_0)
-(typeattribute light_service_30_0)
-(typeattribute linkerconfig_file_30_0)
-(typeattribute llkd_30_0)
-(typeattribute llkd_exec_30_0)
-(typeattribute llkd_prop_30_0)
-(typeattribute lmkd_30_0)
-(typeattribute lmkd_exec_30_0)
-(typeattribute lmkd_prop_30_0)
-(typeattribute lmkd_socket_30_0)
-(typeattribute location_service_30_0)
-(typeattribute lock_settings_service_30_0)
-(typeattribute log_prop_30_0)
-(typeattribute log_property_type)
-(typeattribute log_tag_prop_30_0)
-(typeattribute logcat_exec_30_0)
-(typeattribute logd_30_0)
-(typeattribute logd_exec_30_0)
-(typeattribute logd_prop_30_0)
-(typeattribute logd_socket_30_0)
-(typeattribute logdr_socket_30_0)
-(typeattribute logdw_socket_30_0)
-(typeattribute logpersist_30_0)
-(typeattribute logpersistd_logging_prop_30_0)
-(typeattribute loop_control_device_30_0)
-(typeattribute loop_device_30_0)
-(typeattribute looper_stats_service_30_0)
-(typeattribute lowpan_device_30_0)
-(typeattribute lowpan_prop_30_0)
-(typeattribute lowpan_service_30_0)
-(typeattribute lpdump_service_30_0)
-(typeattribute lpdumpd_prop_30_0)
-(typeattribute mac_perms_file_30_0)
-(typeattribute mdns_socket_30_0)
-(typeattribute mdnsd_30_0)
-(typeattribute mdnsd_socket_30_0)
-(typeattribute media_data_file_30_0)
-(typeattribute media_projection_service_30_0)
-(typeattribute media_router_service_30_0)
-(typeattribute media_rw_data_file_30_0)
-(typeattribute media_session_service_30_0)
-(typeattribute media_variant_prop_30_0)
-(typeattribute mediadrmserver_30_0)
-(typeattribute mediadrmserver_exec_30_0)
-(typeattribute mediadrmserver_service_30_0)
-(typeattribute mediaextractor_30_0)
-(typeattribute mediaextractor_exec_30_0)
-(typeattribute mediaextractor_service_30_0)
-(typeattribute mediaextractor_tmpfs_30_0)
-(typeattribute mediametrics_30_0)
-(typeattribute mediametrics_exec_30_0)
-(typeattribute mediametrics_service_30_0)
-(typeattribute mediaprovider_30_0)
-(typeattribute mediaserver_30_0)
-(typeattribute mediaserver_exec_30_0)
-(typeattribute mediaserver_service_30_0)
-(typeattribute mediaserver_tmpfs_30_0)
-(typeattribute mediaswcodec_30_0)
-(typeattribute mediaswcodec_exec_30_0)
-(typeattribute mediatranscoding_30_0)
-(typeattribute mediatranscoding_exec_30_0)
-(typeattribute mediatranscoding_service_30_0)
-(typeattribute meminfo_service_30_0)
-(typeattribute metadata_block_device_30_0)
-(typeattribute metadata_bootstat_file_30_0)
-(typeattribute metadata_file_30_0)
-(typeattribute method_trace_data_file_30_0)
-(typeattribute midi_service_30_0)
-(typeattribute mirror_data_file_30_0)
-(typeattribute misc_block_device_30_0)
-(typeattribute misc_logd_file_30_0)
-(typeattribute misc_user_data_file_30_0)
-(typeattribute mlstrustedobject)
-(typeattribute mlstrustedsubject)
-(typeattribute mmc_prop_30_0)
-(typeattribute mnt_expand_file_30_0)
-(typeattribute mnt_media_rw_file_30_0)
-(typeattribute mnt_media_rw_stub_file_30_0)
-(typeattribute mnt_pass_through_file_30_0)
-(typeattribute mnt_product_file_30_0)
-(typeattribute mnt_sdcard_file_30_0)
-(typeattribute mnt_user_file_30_0)
-(typeattribute mnt_vendor_file_30_0)
-(typeattribute mock_ota_prop_30_0)
-(typeattribute modprobe_30_0)
-(typeattribute module_sdkextensions_prop_30_0)
-(typeattribute mount_service_30_0)
-(typeattribute mqueue_30_0)
-(typeattribute mtp_30_0)
-(typeattribute mtp_device_30_0)
-(typeattribute mtp_exec_30_0)
-(typeattribute mtpd_socket_30_0)
-(typeattribute nativetest_data_file_30_0)
-(typeattribute net_data_file_30_0)
-(typeattribute net_dns_prop_30_0)
-(typeattribute net_radio_prop_30_0)
-(typeattribute netd_30_0)
-(typeattribute netd_exec_30_0)
-(typeattribute netd_listener_service_30_0)
-(typeattribute netd_service_30_0)
-(typeattribute netd_stable_secret_prop_30_0)
-(typeattribute netdomain)
-(typeattribute netif_30_0)
-(typeattribute netif_type)
-(typeattribute netpolicy_service_30_0)
-(typeattribute netstats_service_30_0)
-(typeattribute netutils_wrapper_30_0)
-(typeattribute netutils_wrapper_exec_30_0)
-(typeattribute network_management_service_30_0)
-(typeattribute network_score_service_30_0)
-(typeattribute network_stack_30_0)
-(typeattribute network_stack_service_30_0)
-(typeattribute network_time_update_service_30_0)
-(typeattribute network_watchlist_data_file_30_0)
-(typeattribute network_watchlist_service_30_0)
-(typeattribute nfc_30_0)
-(typeattribute nfc_data_file_30_0)
-(typeattribute nfc_device_30_0)
-(typeattribute nfc_prop_30_0)
-(typeattribute nfc_service_30_0)
-(typeattribute nnapi_ext_deny_product_prop_30_0)
-(typeattribute node_30_0)
-(typeattribute node_type)
-(typeattribute nonplat_service_contexts_file_30_0)
-(typeattribute notification_service_30_0)
-(typeattribute null_device_30_0)
-(typeattribute oem_lock_service_30_0)
-(typeattribute oemfs_30_0)
-(typeattribute ota_data_file_30_0)
-(typeattribute ota_metadata_file_30_0)
-(typeattribute ota_package_file_30_0)
-(typeattribute ota_prop_30_0)
-(typeattribute otadexopt_service_30_0)
-(typeattribute overlay_prop_30_0)
-(typeattribute overlay_service_30_0)
-(typeattribute overlayfs_file_30_0)
-(typeattribute owntty_device_30_0)
-(typeattribute package_native_service_30_0)
-(typeattribute package_service_30_0)
-(typeattribute packages_list_file_30_0)
-(typeattribute pan_result_prop_30_0)
-(typeattribute password_slot_metadata_file_30_0)
-(typeattribute pdx_bufferhub_client_channel_socket_30_0)
-(typeattribute pdx_bufferhub_client_channel_socket_type)
-(typeattribute pdx_bufferhub_client_endpoint_dir_type)
-(typeattribute pdx_bufferhub_client_endpoint_socket_30_0)
-(typeattribute pdx_bufferhub_client_endpoint_socket_type)
-(typeattribute pdx_bufferhub_client_server_type)
-(typeattribute pdx_bufferhub_dir_30_0)
-(typeattribute pdx_channel_socket_type)
-(typeattribute pdx_display_client_channel_socket_30_0)
-(typeattribute pdx_display_client_channel_socket_type)
-(typeattribute pdx_display_client_endpoint_dir_type)
-(typeattribute pdx_display_client_endpoint_socket_30_0)
-(typeattribute pdx_display_client_endpoint_socket_type)
-(typeattribute pdx_display_client_server_type)
-(typeattribute pdx_display_dir_30_0)
-(typeattribute pdx_display_manager_channel_socket_30_0)
-(typeattribute pdx_display_manager_channel_socket_type)
-(typeattribute pdx_display_manager_endpoint_dir_type)
-(typeattribute pdx_display_manager_endpoint_socket_30_0)
-(typeattribute pdx_display_manager_endpoint_socket_type)
-(typeattribute pdx_display_manager_server_type)
-(typeattribute pdx_display_screenshot_channel_socket_30_0)
-(typeattribute pdx_display_screenshot_channel_socket_type)
-(typeattribute pdx_display_screenshot_endpoint_dir_type)
-(typeattribute pdx_display_screenshot_endpoint_socket_30_0)
-(typeattribute pdx_display_screenshot_endpoint_socket_type)
-(typeattribute pdx_display_screenshot_server_type)
-(typeattribute pdx_display_vsync_channel_socket_30_0)
-(typeattribute pdx_display_vsync_channel_socket_type)
-(typeattribute pdx_display_vsync_endpoint_dir_type)
-(typeattribute pdx_display_vsync_endpoint_socket_30_0)
-(typeattribute pdx_display_vsync_endpoint_socket_type)
-(typeattribute pdx_display_vsync_server_type)
-(typeattribute pdx_endpoint_dir_type)
-(typeattribute pdx_endpoint_socket_type)
-(typeattribute pdx_performance_client_channel_socket_30_0)
-(typeattribute pdx_performance_client_channel_socket_type)
-(typeattribute pdx_performance_client_endpoint_dir_type)
-(typeattribute pdx_performance_client_endpoint_socket_30_0)
-(typeattribute pdx_performance_client_endpoint_socket_type)
-(typeattribute pdx_performance_client_server_type)
-(typeattribute pdx_performance_dir_30_0)
-(typeattribute perfetto_30_0)
-(typeattribute performanced_30_0)
-(typeattribute performanced_exec_30_0)
-(typeattribute permission_service_30_0)
-(typeattribute permissionmgr_service_30_0)
-(typeattribute persist_debug_prop_30_0)
-(typeattribute persistent_data_block_service_30_0)
-(typeattribute persistent_properties_ready_prop_30_0)
-(typeattribute pinner_service_30_0)
-(typeattribute pipefs_30_0)
-(typeattribute platform_app_30_0)
-(typeattribute platform_compat_service_30_0)
-(typeattribute pm_prop_30_0)
-(typeattribute pmsg_device_30_0)
-(typeattribute port_30_0)
-(typeattribute port_device_30_0)
-(typeattribute port_type)
-(typeattribute postinstall_30_0)
-(typeattribute postinstall_apex_mnt_dir_30_0)
-(typeattribute postinstall_file_30_0)
-(typeattribute postinstall_mnt_dir_30_0)
-(typeattribute power_service_30_0)
-(typeattribute powerctl_prop_30_0)
-(typeattribute ppp_30_0)
-(typeattribute ppp_device_30_0)
-(typeattribute ppp_exec_30_0)
-(typeattribute preloads_data_file_30_0)
-(typeattribute preloads_media_file_30_0)
-(typeattribute prereboot_data_file_30_0)
-(typeattribute print_service_30_0)
-(typeattribute priv_app_30_0)
-(typeattribute privapp_data_file_30_0)
-(typeattribute proc_30_0)
-(typeattribute proc_abi_30_0)
-(typeattribute proc_asound_30_0)
-(typeattribute proc_bluetooth_writable_30_0)
-(typeattribute proc_buddyinfo_30_0)
-(typeattribute proc_cmdline_30_0)
-(typeattribute proc_cpuinfo_30_0)
-(typeattribute proc_dirty_30_0)
-(typeattribute proc_diskstats_30_0)
-(typeattribute proc_drop_caches_30_0)
-(typeattribute proc_extra_free_kbytes_30_0)
-(typeattribute proc_filesystems_30_0)
-(typeattribute proc_fs_verity_30_0)
-(typeattribute proc_hostname_30_0)
-(typeattribute proc_hung_task_30_0)
-(typeattribute proc_interrupts_30_0)
-(typeattribute proc_iomem_30_0)
-(typeattribute proc_keys_30_0)
-(typeattribute proc_kmsg_30_0)
-(typeattribute proc_kpageflags_30_0)
-(typeattribute proc_loadavg_30_0)
-(typeattribute proc_lowmemorykiller_30_0)
-(typeattribute proc_max_map_count_30_0)
-(typeattribute proc_meminfo_30_0)
-(typeattribute proc_min_free_order_shift_30_0)
-(typeattribute proc_misc_30_0)
-(typeattribute proc_modules_30_0)
-(typeattribute proc_mounts_30_0)
-(typeattribute proc_net_30_0)
-(typeattribute proc_net_tcp_udp_30_0)
-(typeattribute proc_net_type)
-(typeattribute proc_overcommit_memory_30_0)
-(typeattribute proc_page_cluster_30_0)
-(typeattribute proc_pagetypeinfo_30_0)
-(typeattribute proc_panic_30_0)
-(typeattribute proc_perf_30_0)
-(typeattribute proc_pid_max_30_0)
-(typeattribute proc_pipe_conf_30_0)
-(typeattribute proc_pressure_cpu_30_0)
-(typeattribute proc_pressure_io_30_0)
-(typeattribute proc_pressure_mem_30_0)
-(typeattribute proc_qtaguid_ctrl_30_0)
-(typeattribute proc_qtaguid_stat_30_0)
-(typeattribute proc_random_30_0)
-(typeattribute proc_sched_30_0)
-(typeattribute proc_security_30_0)
-(typeattribute proc_slabinfo_30_0)
-(typeattribute proc_stat_30_0)
-(typeattribute proc_swaps_30_0)
-(typeattribute proc_sysrq_30_0)
-(typeattribute proc_timer_30_0)
-(typeattribute proc_tty_drivers_30_0)
-(typeattribute proc_type)
-(typeattribute proc_uid_concurrent_active_time_30_0)
-(typeattribute proc_uid_concurrent_policy_time_30_0)
-(typeattribute proc_uid_cpupower_30_0)
-(typeattribute proc_uid_cputime_removeuid_30_0)
-(typeattribute proc_uid_cputime_showstat_30_0)
-(typeattribute proc_uid_io_stats_30_0)
-(typeattribute proc_uid_procstat_set_30_0)
-(typeattribute proc_uid_time_in_state_30_0)
-(typeattribute proc_uptime_30_0)
-(typeattribute proc_version_30_0)
-(typeattribute proc_vmallocinfo_30_0)
-(typeattribute proc_vmstat_30_0)
-(typeattribute proc_zoneinfo_30_0)
-(typeattribute processinfo_service_30_0)
-(typeattribute procstats_service_30_0)
-(typeattribute profman_30_0)
-(typeattribute profman_dump_data_file_30_0)
-(typeattribute profman_exec_30_0)
-(typeattribute properties_device_30_0)
-(typeattribute properties_serial_30_0)
-(typeattribute property_contexts_file_30_0)
-(typeattribute property_data_file_30_0)
-(typeattribute property_info_30_0)
-(typeattribute property_socket_30_0)
-(typeattribute property_type)
-(typeattribute protected_hwservice)
-(typeattribute pstorefs_30_0)
-(typeattribute ptmx_device_30_0)
-(typeattribute qtaguid_device_30_0)
-(typeattribute racoon_30_0)
-(typeattribute racoon_exec_30_0)
-(typeattribute racoon_socket_30_0)
-(typeattribute radio_30_0)
-(typeattribute radio_data_file_30_0)
-(typeattribute radio_device_30_0)
-(typeattribute radio_prop_30_0)
-(typeattribute radio_service_30_0)
-(typeattribute ram_device_30_0)
-(typeattribute random_device_30_0)
-(typeattribute rebootescrow_hal_prop_30_0)
-(typeattribute recovery_30_0)
-(typeattribute recovery_block_device_30_0)
-(typeattribute recovery_data_file_30_0)
-(typeattribute recovery_persist_30_0)
-(typeattribute recovery_persist_exec_30_0)
-(typeattribute recovery_refresh_30_0)
-(typeattribute recovery_refresh_exec_30_0)
-(typeattribute recovery_service_30_0)
-(typeattribute recovery_socket_30_0)
-(typeattribute registry_service_30_0)
-(typeattribute resourcecache_data_file_30_0)
-(typeattribute restorecon_prop_30_0)
-(typeattribute restrictions_service_30_0)
-(typeattribute rild_debug_socket_30_0)
-(typeattribute rild_socket_30_0)
-(typeattribute ringtone_file_30_0)
-(typeattribute role_service_30_0)
-(typeattribute rollback_service_30_0)
-(typeattribute root_block_device_30_0)
-(typeattribute rootfs_30_0)
-(typeattribute rpmsg_device_30_0)
-(typeattribute rs_30_0)
-(typeattribute rs_exec_30_0)
-(typeattribute rss_hwm_reset_30_0)
-(typeattribute rtc_device_30_0)
-(typeattribute rttmanager_service_30_0)
-(typeattribute runas_30_0)
-(typeattribute runas_app_30_0)
-(typeattribute runas_exec_30_0)
-(typeattribute runtime_event_log_tags_file_30_0)
-(typeattribute runtime_service_30_0)
-(typeattribute safemode_prop_30_0)
-(typeattribute same_process_hal_file_30_0)
-(typeattribute same_process_hwservice)
-(typeattribute samplingprofiler_service_30_0)
-(typeattribute scheduler_service_server)
-(typeattribute scheduling_policy_service_30_0)
-(typeattribute sdcard_block_device_30_0)
-(typeattribute sdcard_type)
-(typeattribute sdcardd_30_0)
-(typeattribute sdcardd_exec_30_0)
-(typeattribute sdcardfs_30_0)
-(typeattribute seapp_contexts_file_30_0)
-(typeattribute search_service_30_0)
-(typeattribute sec_key_att_app_id_provider_service_30_0)
-(typeattribute secure_element_30_0)
-(typeattribute secure_element_device_30_0)
-(typeattribute secure_element_service_30_0)
-(typeattribute securityfs_30_0)
-(typeattribute selinuxfs_30_0)
-(typeattribute sensor_privacy_service_30_0)
-(typeattribute sensor_service_server)
-(typeattribute sensors_device_30_0)
-(typeattribute sensorservice_service_30_0)
-(typeattribute sepolicy_file_30_0)
-(typeattribute serial_device_30_0)
-(typeattribute serial_service_30_0)
-(typeattribute serialno_prop_30_0)
-(typeattribute server_configurable_flags_data_file_30_0)
-(typeattribute service_contexts_file_30_0)
-(typeattribute service_manager_service_30_0)
-(typeattribute service_manager_type)
-(typeattribute service_manager_vndservice_30_0)
-(typeattribute servicediscovery_service_30_0)
-(typeattribute servicemanager_30_0)
-(typeattribute servicemanager_exec_30_0)
-(typeattribute settings_service_30_0)
-(typeattribute sgdisk_30_0)
-(typeattribute sgdisk_exec_30_0)
-(typeattribute shared_relro_30_0)
-(typeattribute shared_relro_file_30_0)
-(typeattribute shell_30_0)
-(typeattribute shell_data_file_30_0)
-(typeattribute shell_exec_30_0)
-(typeattribute shell_prop_30_0)
-(typeattribute shm_30_0)
-(typeattribute shortcut_manager_icons_30_0)
-(typeattribute shortcut_service_30_0)
-(typeattribute simpleperf_30_0)
-(typeattribute simpleperf_app_runner_30_0)
-(typeattribute simpleperf_app_runner_exec_30_0)
-(typeattribute slice_service_30_0)
-(typeattribute slideshow_30_0)
-(typeattribute snapshotctl_log_data_file_30_0)
-(typeattribute socket_between_core_and_vendor_violators)
-(typeattribute socket_device_30_0)
-(typeattribute socket_hook_prop_30_0)
-(typeattribute sockfs_30_0)
-(typeattribute sota_prop_30_0)
-(typeattribute soundtrigger_middleware_service_30_0)
-(typeattribute staged_install_file_30_0)
-(typeattribute staging_data_file_30_0)
-(typeattribute stats_data_file_30_0)
-(typeattribute stats_service_server)
-(typeattribute statsd_30_0)
-(typeattribute statsd_exec_30_0)
-(typeattribute statsdw_socket_30_0)
-(typeattribute statusbar_service_30_0)
-(typeattribute storage_config_prop_30_0)
-(typeattribute storage_file_30_0)
-(typeattribute storage_stub_file_30_0)
-(typeattribute storaged_service_30_0)
-(typeattribute storagestats_service_30_0)
-(typeattribute su_30_0)
-(typeattribute su_exec_30_0)
-(typeattribute super_block_device_30_0)
-(typeattribute super_block_device_type)
-(typeattribute surfaceflinger_30_0)
-(typeattribute surfaceflinger_display_prop_30_0)
-(typeattribute surfaceflinger_service_30_0)
-(typeattribute surfaceflinger_tmpfs_30_0)
-(typeattribute swap_block_device_30_0)
-(typeattribute sysfs_30_0)
-(typeattribute sysfs_android_usb_30_0)
-(typeattribute sysfs_batteryinfo_30_0)
-(typeattribute sysfs_bluetooth_writable_30_0)
-(typeattribute sysfs_devices_block_30_0)
-(typeattribute sysfs_devices_system_cpu_30_0)
-(typeattribute sysfs_dm_30_0)
-(typeattribute sysfs_dm_verity_30_0)
-(typeattribute sysfs_dt_firmware_android_30_0)
-(typeattribute sysfs_extcon_30_0)
-(typeattribute sysfs_fs_ext4_features_30_0)
-(typeattribute sysfs_fs_f2fs_30_0)
-(typeattribute sysfs_hwrandom_30_0)
-(typeattribute sysfs_ion_30_0)
-(typeattribute sysfs_ipv4_30_0)
-(typeattribute sysfs_kernel_notes_30_0)
-(typeattribute sysfs_leds_30_0)
-(typeattribute sysfs_loop_30_0)
-(typeattribute sysfs_lowmemorykiller_30_0)
-(typeattribute sysfs_net_30_0)
-(typeattribute sysfs_nfc_power_writable_30_0)
-(typeattribute sysfs_power_30_0)
-(typeattribute sysfs_rtc_30_0)
-(typeattribute sysfs_suspend_stats_30_0)
-(typeattribute sysfs_switch_30_0)
-(typeattribute sysfs_thermal_30_0)
-(typeattribute sysfs_transparent_hugepage_30_0)
-(typeattribute sysfs_type)
-(typeattribute sysfs_uio_30_0)
-(typeattribute sysfs_usb_30_0)
-(typeattribute sysfs_usermodehelper_30_0)
-(typeattribute sysfs_vibrator_30_0)
-(typeattribute sysfs_wake_lock_30_0)
-(typeattribute sysfs_wakeup_30_0)
-(typeattribute sysfs_wakeup_reasons_30_0)
-(typeattribute sysfs_wlan_fwpath_30_0)
-(typeattribute sysfs_zram_30_0)
-(typeattribute sysfs_zram_uevent_30_0)
-(typeattribute system_adbd_prop_30_0)
-(typeattribute system_api_service)
-(typeattribute system_app_30_0)
-(typeattribute system_app_data_file_30_0)
-(typeattribute system_app_service_30_0)
-(typeattribute system_asan_options_file_30_0)
-(typeattribute system_block_device_30_0)
-(typeattribute system_boot_reason_prop_30_0)
-(typeattribute system_bootstrap_lib_file_30_0)
-(typeattribute system_config_service_30_0)
-(typeattribute system_data_file_30_0)
-(typeattribute system_data_root_file_30_0)
-(typeattribute system_event_log_tags_file_30_0)
-(typeattribute system_executes_vendor_violators)
-(typeattribute system_file_30_0)
-(typeattribute system_file_type)
-(typeattribute system_group_file_30_0)
-(typeattribute system_internal_property_type)
-(typeattribute system_jvmti_agent_prop_30_0)
-(typeattribute system_lib_file_30_0)
-(typeattribute system_linker_config_file_30_0)
-(typeattribute system_linker_exec_30_0)
-(typeattribute system_lmk_prop_30_0)
-(typeattribute system_ndebug_socket_30_0)
-(typeattribute system_net_netd_hwservice_30_0)
-(typeattribute system_passwd_file_30_0)
-(typeattribute system_prop_30_0)
-(typeattribute system_property_type)
-(typeattribute system_public_property_type)
-(typeattribute system_radio_prop_30_0)
-(typeattribute system_restricted_property_type)
-(typeattribute system_seccomp_policy_file_30_0)
-(typeattribute system_security_cacerts_file_30_0)
-(typeattribute system_server_30_0)
-(typeattribute system_server_service)
-(typeattribute system_server_tmpfs_30_0)
-(typeattribute system_suspend_control_service_30_0)
-(typeattribute system_suspend_hwservice_30_0)
-(typeattribute system_suspend_server)
-(typeattribute system_trace_prop_30_0)
-(typeattribute system_unsolzygote_socket_30_0)
-(typeattribute system_update_service_30_0)
-(typeattribute system_wifi_keystore_hwservice_30_0)
-(typeattribute system_wpa_socket_30_0)
-(typeattribute system_writes_mnt_vendor_violators)
-(typeattribute system_writes_vendor_properties_violators)
-(typeattribute system_zoneinfo_file_30_0)
-(typeattribute systemkeys_data_file_30_0)
-(typeattribute task_profiles_file_30_0)
-(typeattribute task_service_30_0)
-(typeattribute tcpdump_exec_30_0)
-(typeattribute tee_30_0)
-(typeattribute tee_data_file_30_0)
-(typeattribute tee_device_30_0)
-(typeattribute telecom_service_30_0)
-(typeattribute test_boot_reason_prop_30_0)
-(typeattribute test_harness_prop_30_0)
-(typeattribute testharness_service_30_0)
-(typeattribute tethering_service_30_0)
-(typeattribute textclassification_service_30_0)
-(typeattribute textclassifier_data_file_30_0)
-(typeattribute textservices_service_30_0)
-(typeattribute theme_prop_30_0)
-(typeattribute thermal_service_30_0)
-(typeattribute thermalcallback_hwservice_30_0)
-(typeattribute time_prop_30_0)
-(typeattribute timedetector_service_30_0)
-(typeattribute timezone_service_30_0)
-(typeattribute timezonedetector_service_30_0)
-(typeattribute tmpfs_30_0)
-(typeattribute tombstone_data_file_30_0)
-(typeattribute tombstone_wifi_data_file_30_0)
-(typeattribute tombstoned_30_0)
-(typeattribute tombstoned_crash_socket_30_0)
-(typeattribute tombstoned_exec_30_0)
-(typeattribute tombstoned_intercept_socket_30_0)
-(typeattribute tombstoned_java_trace_socket_30_0)
-(typeattribute toolbox_30_0)
-(typeattribute toolbox_exec_30_0)
-(typeattribute trace_data_file_30_0)
-(typeattribute traced_30_0)
-(typeattribute traced_consumer_socket_30_0)
-(typeattribute traced_enabled_prop_30_0)
-(typeattribute traced_lazy_prop_30_0)
-(typeattribute traced_perf_30_0)
-(typeattribute traced_perf_enabled_prop_30_0)
-(typeattribute traced_perf_socket_30_0)
-(typeattribute traced_probes_30_0)
-(typeattribute traced_producer_socket_30_0)
-(typeattribute traceur_app_30_0)
-(typeattribute trust_service_30_0)
-(typeattribute tty_device_30_0)
-(typeattribute tun_device_30_0)
-(typeattribute tv_input_service_30_0)
-(typeattribute tv_tuner_resource_mgr_service_30_0)
-(typeattribute tzdatacheck_30_0)
-(typeattribute tzdatacheck_exec_30_0)
-(typeattribute ueventd_30_0)
-(typeattribute ueventd_tmpfs_30_0)
-(typeattribute uhid_device_30_0)
-(typeattribute uimode_service_30_0)
-(typeattribute uio_device_30_0)
-(typeattribute uncrypt_30_0)
-(typeattribute uncrypt_exec_30_0)
-(typeattribute uncrypt_socket_30_0)
-(typeattribute unencrypted_data_file_30_0)
-(typeattribute unlabeled_30_0)
-(typeattribute untrusted_app_25_30_0)
-(typeattribute untrusted_app_27_30_0)
-(typeattribute untrusted_app_29_30_0)
-(typeattribute untrusted_app_30_0)
-(typeattribute untrusted_app_all)
-(typeattribute untrusted_app_visible_halserver_violators)
-(typeattribute untrusted_app_visible_hwservice_violators)
-(typeattribute update_engine_30_0)
-(typeattribute update_engine_common)
-(typeattribute update_engine_data_file_30_0)
-(typeattribute update_engine_exec_30_0)
-(typeattribute update_engine_log_data_file_30_0)
-(typeattribute update_engine_service_30_0)
-(typeattribute update_verifier_30_0)
-(typeattribute update_verifier_exec_30_0)
-(typeattribute updatelock_service_30_0)
-(typeattribute uri_grants_service_30_0)
-(typeattribute usagestats_service_30_0)
-(typeattribute usb_device_30_0)
-(typeattribute usb_serial_device_30_0)
-(typeattribute usb_service_30_0)
-(typeattribute usbaccessory_device_30_0)
-(typeattribute usbd_30_0)
-(typeattribute usbd_exec_30_0)
-(typeattribute usbfs_30_0)
-(typeattribute use_memfd_prop_30_0)
-(typeattribute user_profile_data_file_30_0)
-(typeattribute user_service_30_0)
-(typeattribute userdata_block_device_30_0)
-(typeattribute usermodehelper_30_0)
-(typeattribute userspace_reboot_config_prop_30_0)
-(typeattribute userspace_reboot_exported_prop_30_0)
-(typeattribute userspace_reboot_log_prop_30_0)
-(typeattribute userspace_reboot_test_prop_30_0)
-(typeattribute vdc_30_0)
-(typeattribute vdc_exec_30_0)
-(typeattribute vehicle_hal_prop_30_0)
-(typeattribute vendor_apex_file_30_0)
-(typeattribute vendor_app_file_30_0)
-(typeattribute vendor_cgroup_desc_file_30_0)
-(typeattribute vendor_configs_file_30_0)
-(typeattribute vendor_data_file_30_0)
-(typeattribute vendor_default_prop_30_0)
-(typeattribute vendor_executes_system_violators)
-(typeattribute vendor_file_30_0)
-(typeattribute vendor_file_type)
-(typeattribute vendor_framework_file_30_0)
-(typeattribute vendor_hal_file_30_0)
-(typeattribute vendor_idc_file_30_0)
-(typeattribute vendor_init_30_0)
-(typeattribute vendor_internal_property_type)
-(typeattribute vendor_keychars_file_30_0)
-(typeattribute vendor_keylayout_file_30_0)
-(typeattribute vendor_misc_writer_30_0)
-(typeattribute vendor_misc_writer_exec_30_0)
-(typeattribute vendor_overlay_file_30_0)
-(typeattribute vendor_property_type)
-(typeattribute vendor_public_lib_file_30_0)
-(typeattribute vendor_public_property_type)
-(typeattribute vendor_restricted_property_type)
-(typeattribute vendor_security_patch_level_prop_30_0)
-(typeattribute vendor_service)
-(typeattribute vendor_service_contexts_file_30_0)
-(typeattribute vendor_shell_30_0)
-(typeattribute vendor_shell_exec_30_0)
-(typeattribute vendor_socket_hook_prop_30_0)
-(typeattribute vendor_task_profiles_file_30_0)
-(typeattribute vendor_toolbox_exec_30_0)
-(typeattribute vfat_30_0)
-(typeattribute vibrator_service_30_0)
-(typeattribute video_device_30_0)
-(typeattribute virtual_ab_prop_30_0)
-(typeattribute virtual_touchpad_30_0)
-(typeattribute virtual_touchpad_exec_30_0)
-(typeattribute virtual_touchpad_service_30_0)
-(typeattribute vndbinder_device_30_0)
-(typeattribute vndk_prop_30_0)
-(typeattribute vndk_sp_file_30_0)
-(typeattribute vndservice_contexts_file_30_0)
-(typeattribute vndservice_manager_type)
-(typeattribute vndservicemanager_30_0)
-(typeattribute voiceinteraction_service_30_0)
-(typeattribute vold_30_0)
-(typeattribute vold_data_file_30_0)
-(typeattribute vold_device_30_0)
-(typeattribute vold_exec_30_0)
-(typeattribute vold_metadata_file_30_0)
-(typeattribute vold_prepare_subdirs_30_0)
-(typeattribute vold_prepare_subdirs_exec_30_0)
-(typeattribute vold_prop_30_0)
-(typeattribute vold_service_30_0)
-(typeattribute vpn_data_file_30_0)
-(typeattribute vr_hwc_30_0)
-(typeattribute vr_hwc_exec_30_0)
-(typeattribute vr_hwc_service_30_0)
-(typeattribute vr_manager_service_30_0)
-(typeattribute vrflinger_vsync_service_30_0)
-(typeattribute wallpaper_file_30_0)
-(typeattribute wallpaper_service_30_0)
-(typeattribute watchdog_device_30_0)
-(typeattribute watchdogd_30_0)
-(typeattribute watchdogd_exec_30_0)
-(typeattribute webview_zygote_30_0)
-(typeattribute webview_zygote_exec_30_0)
-(typeattribute webview_zygote_tmpfs_30_0)
-(typeattribute webviewupdate_service_30_0)
-(typeattribute wifi_data_file_30_0)
-(typeattribute wifi_keystore_service_server)
-(typeattribute wifi_log_prop_30_0)
-(typeattribute wifi_prop_30_0)
-(typeattribute wifi_service_30_0)
-(typeattribute wifiaware_service_30_0)
-(typeattribute wificond_30_0)
-(typeattribute wificond_exec_30_0)
-(typeattribute wifinl80211_service_30_0)
-(typeattribute wifip2p_service_30_0)
-(typeattribute wifiscanner_service_30_0)
-(typeattribute window_service_30_0)
-(typeattribute wpa_socket_30_0)
-(typeattribute wpantund_30_0)
-(typeattribute wpantund_exec_30_0)
-(typeattribute wpantund_service_30_0)
-(typeattribute zero_device_30_0)
-(typeattribute zoneinfo_data_file_30_0)
-(typeattribute zygote_30_0)
-(typeattribute zygote_exec_30_0)
-(typeattribute zygote_socket_30_0)
-(typeattribute zygote_tmpfs_30_0)
diff --git a/prebuilts/api/30.0/private/adbd.te b/prebuilts/api/30.0/private/adbd.te
index be4f0f7..e81aac7 100644
--- a/prebuilts/api/30.0/private/adbd.te
+++ b/prebuilts/api/30.0/private/adbd.te
@@ -158,6 +158,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
diff --git a/prebuilts/api/30.0/private/atrace.te b/prebuilts/api/30.0/private/atrace.te
index 585c254..ad7d177 100644
--- a/prebuilts/api/30.0/private/atrace.te
+++ b/prebuilts/api/30.0/private/atrace.te
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-allowlisted services.
+# Remove logspam from notification attempts to non-whitelisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/prebuilts/api/30.0/private/bug_map b/prebuilts/api/30.0/private/bug_map
index eaa1593..60c2f15 100644
--- a/prebuilts/api/30.0/private/bug_map
+++ b/prebuilts/api/30.0/private/bug_map
@@ -23,13 +23,11 @@
netd untrusted_app unix_stream_socket b/77870037
netd untrusted_app_25 unix_stream_socket b/77870037
netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
platform_app nfc_data_file dir b/74331887
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
diff --git a/prebuilts/api/30.0/private/coredomain.te b/prebuilts/api/30.0/private/coredomain.te
index f13d98a..86e8009 100644
--- a/prebuilts/api/30.0/private/coredomain.te
+++ b/prebuilts/api/30.0/private/coredomain.te
@@ -15,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
diff --git a/prebuilts/api/30.0/private/domain.te b/prebuilts/api/30.0/private/domain.te
index 430cb3f..7116dad 100644
--- a/prebuilts/api/30.0/private/domain.te
+++ b/prebuilts/api/30.0/private/domain.te
@@ -122,7 +122,7 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
@@ -225,7 +225,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -342,7 +342,7 @@
-zygote
} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
diff --git a/prebuilts/api/30.0/private/file_contexts b/prebuilts/api/30.0/private/file_contexts
index 71a72b4..9620b75 100644
--- a/prebuilts/api/30.0/private/file_contexts
+++ b/prebuilts/api/30.0/private/file_contexts
@@ -625,7 +625,6 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
-/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
diff --git a/prebuilts/api/30.0/private/gmscore_app.te b/prebuilts/api/30.0/private/gmscore_app.te
index b7c9235..2355326 100644
--- a/prebuilts/api/30.0/private/gmscore_app.te
+++ b/prebuilts/api/30.0/private/gmscore_app.te
@@ -75,10 +75,6 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow gmscore_app system_linker_exec:file execute_no_trans;
-
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
diff --git a/prebuilts/api/30.0/private/heapprofd.te b/prebuilts/api/30.0/private/heapprofd.te
index 7bd60a4..ec3e4d0 100644
--- a/prebuilts/api/30.0/private/heapprofd.te
+++ b/prebuilts/api/30.0/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
diff --git a/prebuilts/api/30.0/private/incidentd.te b/prebuilts/api/30.0/private/incidentd.te
index f10173b..656f69f 100644
--- a/prebuilts/api/30.0/private/incidentd.te
+++ b/prebuilts/api/30.0/private/incidentd.te
@@ -145,7 +145,7 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
diff --git a/prebuilts/api/30.0/private/isolated_app.te b/prebuilts/api/30.0/private/isolated_app.te
index 94d60f0..4c6c5aa 100644
--- a/prebuilts/api/30.0/private/isolated_app.te
+++ b/prebuilts/api/30.0/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
+# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
diff --git a/prebuilts/api/30.0/private/mls b/prebuilts/api/30.0/private/mls
index 08d4e1f..9690440 100644
--- a/prebuilts/api/30.0/private/mls
+++ b/prebuilts/api/30.0/private/mls
@@ -54,7 +54,7 @@
# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
diff --git a/prebuilts/api/30.0/private/perfetto.te b/prebuilts/api/30.0/private/perfetto.te
index 14707ac..0161361 100644
--- a/prebuilts/api/30.0/private/perfetto.te
+++ b/prebuilts/api/30.0/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
diff --git a/prebuilts/api/30.0/private/priv_app.te b/prebuilts/api/30.0/private/priv_app.te
index c5f7013..44c81ee 100644
--- a/prebuilts/api/30.0/private/priv_app.te
+++ b/prebuilts/api/30.0/private/priv_app.te
@@ -25,10 +25,6 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow priv_app system_linker_exec:file execute_no_trans;
-
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
diff --git a/prebuilts/api/30.0/private/shell.te b/prebuilts/api/30.0/private/shell.te
index fd78763..43e4dd5 100644
--- a/prebuilts/api/30.0/private/shell.te
+++ b/prebuilts/api/30.0/private/shell.te
@@ -92,4 +92,4 @@
neverallow shell self:perf_event ~{ open read write kernel };
# Allow to read graphics related properties.
-get_prop(shell, graphics_config_prop)
+get_prop(shell, graphics_config_prop)
\ No newline at end of file
diff --git a/prebuilts/api/30.0/private/system_server.te b/prebuilts/api/30.0/private/system_server.te
index 0082827..66c46ed 100644
--- a/prebuilts/api/30.0/private/system_server.te
+++ b/prebuilts/api/30.0/private/system_server.te
@@ -66,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
+# be granted individually, except for a small set of safe values whitelisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -118,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
diff --git a/prebuilts/api/30.0/private/traced_probes.te b/prebuilts/api/30.0/private/traced_probes.te
index 36f9c51..dd6ece0 100644
--- a/prebuilts/api/30.0/private/traced_probes.te
+++ b/prebuilts/api/30.0/private/traced_probes.te
@@ -16,7 +16,7 @@
allow traced_probes debugfs_trace_marker:file getattr;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
+# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
diff --git a/prebuilts/api/30.0/public/app.te b/prebuilts/api/30.0/public/app.te
index c892d9e..e5b9fd6 100644
--- a/prebuilts/api/30.0/public/app.te
+++ b/prebuilts/api/30.0/public/app.te
@@ -537,7 +537,7 @@
tmpfs
}:lnk_file no_w_file_perms;
-# Denylist app domains not allowed to execute from /data
+# Blacklist app domains not allowed to execute from /data
neverallow {
bluetooth
isolated_app
@@ -558,7 +558,7 @@
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowlisted domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index c151b95..8cb4950 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -260,19 +260,19 @@
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to a allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowlisted ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -288,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
+# this whitelist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -331,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to a allowlist.
+# sockets must be restricted to a whitelist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -346,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowlisted domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -544,7 +544,7 @@
')
# Do not allow reading device's serial number from system properties except form
-# a few allowlisted domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -934,7 +934,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones allowlist here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -955,7 +955,7 @@
full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones allowlisted here.
+ # except for the ones whitelisted here.
neverallow {
coredomain
-init
@@ -984,7 +984,7 @@
full_treble_only(`
# Do not allow system components access to /vendor files except for the
- # ones allowlisted here.
+ # ones whitelisted here.
neverallow {
coredomain
# TODO(b/37168747): clean up fwk access to /vendor
@@ -1019,7 +1019,7 @@
full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones allowlisted here.
+ # ones whitelisted here.
neverallow {
domain
-appdomain
@@ -1212,7 +1212,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowlisted domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
diff --git a/prebuilts/api/30.0/public/hal_wifi_supplicant.te b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
index 79a0667..6004c33 100644
--- a/prebuilts/api/30.0/public/hal_wifi_supplicant.te
+++ b/prebuilts/api/30.0/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
diff --git a/prebuilts/api/30.0/public/netd.te b/prebuilts/api/30.0/public/netd.te
index 0b83d4c..8005406 100644
--- a/prebuilts/api/30.0/public/netd.te
+++ b/prebuilts/api/30.0/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
diff --git a/prebuilts/api/30.0/public/vendor_toolbox.te b/prebuilts/api/30.0/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/prebuilts/api/30.0/public/vendor_toolbox.te
+++ b/prebuilts/api/30.0/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/prebuilts/api/30.0/vendor_sepolicy.cil b/prebuilts/api/30.0/vendor_sepolicy.cil
deleted file mode 100644
index 4a3aac3..0000000
--- a/prebuilts/api/30.0/vendor_sepolicy.cil
+++ /dev/null
@@ -1 +0,0 @@
-;; empty stub
diff --git a/prebuilts/api/31.0/private/access_vectors b/prebuilts/api/31.0/private/access_vectors
deleted file mode 100644
index 7496c65..0000000
--- a/prebuilts/api/31.0/private/access_vectors
+++ /dev/null
@@ -1,779 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- pull_metrics
- report_off_body
- reset
- unlock
- delete_all_keys
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/prebuilts/api/31.0/private/adbd.te b/prebuilts/api/31.0/private/adbd.te
deleted file mode 100644
index c2c6164..0000000
--- a/prebuilts/api/31.0/private/adbd.te
+++ /dev/null
@@ -1,231 +0,0 @@
-### ADB daemon
-
-typeattribute adbd coredomain;
-typeattribute adbd mlstrustedsubject;
-
-init_daemon_domain(adbd)
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# When 'adb shell' is executed in recovery mode, adbd explicitly
-# switches into shell domain using setcon() because the shell executable
-# is not labeled as shell but as rootfs.
-recovery_only(`
- domain_trans(adbd, rootfs, shell)
- allow adbd shell:process dyntransition;
-
- # Allows reboot fastboot to enter fastboot directly
- unix_socket_connect(adbd, recovery, recovery)
-')
-
-# Control Perfetto traced and obtain traces from it.
-# Needed to allow port forwarding directly to traced.
-unix_socket_connect(adbd, traced_consumer, traced)
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:global_capability_class_set { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:global_capability_class_set setpcap;
-
-# ignore spurious denials for adbd when disk space is low.
-dontaudit adbd self:global_capability_class_set sys_resource;
-
-# adbd probes for vsock support. Do not generate denials when
-# this occurs. (b/123569840)
-dontaudit adbd self:{ socket vsock_socket } create;
-
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Create and use network sockets.
-net_domain(adbd)
-
-# Access /dev/usb-ffs/adb/ep0
-allow adbd functionfs:dir search;
-allow adbd functionfs:file rw_file_perms;
-allowxperm adbd functionfs:file ioctl {
- FUNCTIONFS_ENDPOINT_DESC
- FUNCTIONFS_CLEAR_HALT
-};
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-# adb pull /data/local/traces/*
-allow adbd trace_data_file:dir r_dir_perms;
-allow adbd trace_data_file:file r_file_perms;
-
-# adb pull /data/misc/profman.
-allow adbd profman_dump_data_file:dir r_dir_perms;
-allow adbd profman_dump_data_file:file r_file_perms;
-
-# adb push/pull sdcard.
-allow adbd tmpfs:dir search;
-allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
-allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
-
-# adb pull /data/anr/traces.txt
-allow adbd anr_data_file:dir r_dir_perms;
-allow adbd anr_data_file:file r_file_perms;
-
-# adb pull /vendor/framework/*
-allow adbd vendor_framework_file:dir r_dir_perms;
-allow adbd vendor_framework_file:file r_file_perms;
-
-# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
-set_prop(adbd, shell_prop)
-set_prop(adbd, powerctl_prop)
-get_prop(adbd, ffs_config_prop)
-set_prop(adbd, ffs_control_prop)
-
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
-
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
-
-# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
-
-# Read device's overlayfs related properties and files
-userdebug_or_eng(`
- get_prop(adbd, persistent_properties_ready_prop)
- r_dir_file(adbd, sysfs_dt_firmware_android)
-')
-
-# Run /system/bin/bu
-allow adbd system_file:file rx_file_perms;
-
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-binder_call(adbd, gpuservice)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
-
-# Needed for various screenshots
-hal_client_domain(adbd, hal_graphics_allocator)
-
-# Read /data/misc/adb/adb_keys.
-allow adbd adb_keys_file:dir search;
-allow adbd adb_keys_file:file r_file_perms;
-
-userdebug_or_eng(`
- # Write debugging information to /data/adb
- # when persist.adb.trace_mask is set
- # https://code.google.com/p/android/issues/detail?id=72895
- allow adbd adb_data_file:dir rw_dir_perms;
- allow adbd adb_data_file:file create_file_perms;
-')
-
-# ndk-gdb invokes adb forward to forward the gdbserver socket.
-allow adbd app_data_file:dir search;
-allow adbd app_data_file:sock_file write;
-allow adbd appdomain:unix_stream_socket connectto;
-
-# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
-allow adbd zygote_exec:file r_file_perms;
-allow adbd system_file:file r_file_perms;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-allow adbd service_contexts_file:file r_file_perms;
-allow adbd file_contexts_file:file r_file_perms;
-allow adbd seapp_contexts_file:file r_file_perms;
-allow adbd property_contexts_file:file r_file_perms;
-allow adbd sepolicy_file:file r_file_perms;
-
-# Allow pulling config.gz for CTS purposes
-allow adbd config_gz:file r_file_perms;
-
-allow adbd gpu_service:service_manager find;
-allow adbd surfaceflinger_service:service_manager find;
-allow adbd bootchart_data_file:dir search;
-allow adbd bootchart_data_file:file r_file_perms;
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow adbd storage_file:dir r_dir_perms;
-allow adbd storage_file:lnk_file r_file_perms;
-allow adbd mnt_user_file:dir r_dir_perms;
-allow adbd mnt_user_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow adbd media_rw_data_file:dir create_dir_perms;
-allow adbd media_rw_data_file:file create_file_perms;
-
-r_dir_file(adbd, apk_data_file)
-
-allow adbd rootfs:dir r_dir_perms;
-
-# Allow killing child "perfetto" binary processes, which auto-transition to
-# their own domain. Allows propagating termination of "adb shell perfetto ..."
-# invocations.
-allow adbd perfetto:process signal;
-
-# Allow to pull Perfetto traces.
-allow adbd perfetto_traces_data_file:file r_file_perms;
-allow adbd perfetto_traces_data_file:dir r_dir_perms;
-
-# Allow to push and manage configs in /data/misc/perfetto-configs.
-allow adbd perfetto_configs_data_file:dir rw_dir_perms;
-allow adbd perfetto_configs_data_file:file create_file_perms;
-
-# Connect to shell and use a socket transferred from it.
-# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write shutdown };
-allow adbd shell:fd use;
-
-# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
-
-# Allow adb pull of updated apex files in /data/apex/active.
-allow adbd apex_data_file:dir search;
-allow adbd staging_data_file:file r_file_perms;
-
-# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
-allow adbd apex_info_file:file r_file_perms;
-
-###
-### Neverallow rules
-###
-
-# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
diff --git a/prebuilts/api/31.0/private/aidl_lazy_test_server.te b/prebuilts/api/31.0/private/aidl_lazy_test_server.te
deleted file mode 100644
index 33efde0..0000000
--- a/prebuilts/api/31.0/private/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,5 +0,0 @@
-userdebug_or_eng(`
- typeattribute aidl_lazy_test_server coredomain;
-
- init_daemon_domain(aidl_lazy_test_server)
-')
diff --git a/prebuilts/api/31.0/private/apex_test_prepostinstall.te b/prebuilts/api/31.0/private/apex_test_prepostinstall.te
deleted file mode 100644
index f1bc214..0000000
--- a/prebuilts/api/31.0/private/apex_test_prepostinstall.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# APEX pre- & post-install test.
-#
-# Allow to run pre- and post-install hooks for APEX test modules
-# in debuggable builds.
-
-type apex_test_prepostinstall, domain, coredomain;
-type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # /dev/zero
- allow apex_test_prepostinstall apexd:fd use;
- # Logwrapper.
- create_pty(apex_test_prepostinstall)
- # Logwrapper executing sh.
- allow apex_test_prepostinstall shell_exec:file rx_file_perms;
- # Logwrapper exec.
- allow apex_test_prepostinstall system_file:file execute_no_trans;
- # Ls.
- allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/apexd.te b/prebuilts/api/31.0/private/apexd.te
deleted file mode 100644
index 09799bd..0000000
--- a/prebuilts/api/31.0/private/apexd.te
+++ /dev/null
@@ -1,216 +0,0 @@
-typeattribute apexd coredomain;
-
-init_daemon_domain(apexd)
-
-# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
-allow apexd apex_data_file:dir create_dir_perms;
-allow apexd apex_data_file:file create_file_perms;
-# Allow relabeling file created in /data/apex/decompressed
-allow apexd apex_data_file:file relabelfrom;
-
-# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
-allow apexd metadata_file:dir search;
-allow apexd apex_metadata_file:dir create_dir_perms;
-allow apexd apex_metadata_file:file create_file_perms;
-
-# Allow reserving space on /data/apex/ota_reserved for apex decompression
-allow apexd apex_ota_reserved_file:dir create_dir_perms;
-allow apexd apex_ota_reserved_file:file create_file_perms;
-
-# Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
-allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_permission_data_file:file { create_file_perms relabelto };
-allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
-allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
-allow apexd apex_rollback_data_file:dir create_dir_perms;
-allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
-allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
-
-# Allow apexd to read directories under /data/misc_de in order to snapshot and
-# restore apex data for all users.
-allow apexd system_data_file:dir r_dir_perms;
-
-# allow apexd to create loop devices with /dev/loop-control
-allow apexd loop_control_device:chr_file rw_file_perms;
-# allow apexd to access loop devices
-allow apexd loop_device:blk_file rw_file_perms;
-allowxperm apexd loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
- LOOP_CONFIGURE
-};
-# Allow apexd to access /dev/block
-allow apexd bdev_type:dir r_dir_perms;
-allow apexd bdev_type:blk_file getattr;
-
-#allow apexd to access virtual disks
-allow apexd vd_device:blk_file r_file_perms;
-
-# allow apexd to access /dev/block/dm-* (device-mapper entries)
-allow apexd dm_device:chr_file rw_file_perms;
-allow apexd dm_device:blk_file rw_file_perms;
-
-# sys_admin is required to access the device-mapper and mount
-# dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
-
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for apexd to operate.
-dontaudit apexd self:global_capability_class_set fsetid;
-
-# allow apexd to create a mount point in /apex
-allow apexd apex_mnt_dir:dir create_dir_perms;
-# allow apexd to mount in /apex
-allow apexd apex_mnt_dir:filesystem { mount unmount };
-allow apexd apex_mnt_dir:dir mounton;
-# allow apexd to create symlinks in /apex
-allow apexd apex_mnt_dir:lnk_file create_file_perms;
-# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
-allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
-allow apexd apex_info_file:file relabelto;
-# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
-allow apexd apex_info_file:file rw_file_perms;
-
-# allow apexd to unlink apex files in /data/apex/active
-# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
-# because it doesn't have write permission for staging_data_file object.
-allow apexd staging_data_file:file unlink;
-
-# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
-allow apexd staging_data_file:dir r_dir_perms;
-allow apexd staging_data_file:file { r_file_perms link };
-# # Allow relabeling file created in /data/apex/decompressed
-allow apexd staging_data_file:file relabelto;
-
-# allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
-
-# Unmount and mount filesystems
-allow apexd labeledfs:filesystem { mount unmount };
-
-# /sys directory tree traversal
-allow apexd sysfs_type:dir search;
-allow apexd sysfs_block_type:dir r_dir_perms;
-allow apexd sysfs_block_type:file r_file_perms;
-# Configure read-ahead of dm-verity and loop devices
-# for dm-X
-allow apexd sysfs_dm:dir r_dir_perms;
-allow apexd sysfs_dm:file rw_file_perms;
-# for loopX
-allow apexd sysfs_loop:dir r_dir_perms;
-allow apexd sysfs_loop:file rw_file_perms;
-
-# Allow apexd to log to the kernel.
-allow apexd kmsg_device:chr_file w_file_perms;
-
-# Allow apexd to reboot device. Required for rollbacks of apexes that are
-# not covered by rollback manager.
-set_prop(apexd, powerctl_prop)
-
-# Allow apexd to stop itself
-set_prop(apexd, ctl_apexd_prop)
-
-# Find the vold service, and call into vold to manage FS checkpoints
-allow apexd vold_service:service_manager find;
-binder_call(apexd, vold)
-
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# Allow to execute shell for pre- and postinstall scripts. A transition
-# rule is required, thus restricted to execute and not execute_no_trans.
-allow apexd shell_exec:file { r_file_perms execute };
-
-# apexd is using bootstrap bionic
-allow apexd system_bootstrap_lib_file:dir r_dir_perms;
-allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow transition to test APEX preinstall domain.
-userdebug_or_eng(`
- domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
-')
-
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
-# Allow apexd to be invoked with logwrapper from init during userspace reboot.
-allow apexd devpts:chr_file { read write };
-
-# Allow apexd to create pts files via logwrap_fork_exec for its own use, to pass to
-# other processes
-create_pty(apexd)
-
-# Allow apexd to read file contexts when performing restorecon of snapshots.
-allow apexd file_contexts_file:file r_file_perms;
-
-# Allow apexd to execute toybox for snapshot & restore
-allow apexd toolbox_exec:file rx_file_perms;
-
-# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
-allowxperm apexd staging_data_file:file ioctl {
- FS_IOC_GETFLAGS
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
-};
-
-# Allow apexd to read ro.cold_boot_done prop.
-# apexd uses it to decide whether it needs to keep retrying polling for loop device.
-get_prop(apexd, cold_boot_done_prop)
-
-# Allow apexd to read per-device configuration properties.
-get_prop(apexd, apexd_config_prop)
-
-neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
-neverallow { domain -apexd -init -kernel } apex_metadata_file:file no_w_file_perms;
-neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_module_data_file:file no_w_file_perms;
-
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
-
-# only apexd can set apexd sysprop
-set_prop(apexd, apexd_prop)
-neverallow { domain -apexd -init } apexd_prop:property_service set;
-
-# only apexd can write apex-info-list.xml
-neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
-
-# Only apexd and init should be allowed to manage /apex mounts
-# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
-# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
-# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
-
-# Allow for use in postinstall
-allow apexd otapreopt_chroot:fd use;
-allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
-allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
-allow apexd postinstall_apex_mnt_dir:lnk_file create;
-allow apexd proc_filesystems:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/app.te b/prebuilts/api/31.0/private/app.te
deleted file mode 100644
index 2b3554f..0000000
--- a/prebuilts/api/31.0/private/app.te
+++ /dev/null
@@ -1,105 +0,0 @@
-# Allow apps to read the Test Harness Mode property. This property is used in
-# the implementation of ActivityManager.isDeviceInTestHarnessMode()
-get_prop(appdomain, test_harness_prop)
-
-get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
-get_prop(appdomain, media_config_prop)
-get_prop(appdomain, packagemanager_config_prop)
-get_prop(appdomain, radio_control_prop)
-get_prop(appdomain, surfaceflinger_color_prop)
-get_prop(appdomain, systemsound_config_prop)
-get_prop(appdomain, telephony_config_prop)
-get_prop(appdomain, userspace_reboot_config_prop)
-get_prop(appdomain, vold_config_prop)
-get_prop(appdomain, adbd_config_prop)
-
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
-userdebug_or_eng(`perfetto_producer({ appdomain })')
-
-# Prevent apps from causing presubmit failures.
-# Apps can cause selinux denials by accessing CE storage
-# and/or external storage. In either case, the selinux denial is
-# not the cause of the failure, but just a symptom that
-# storage isn't ready. Many apps handle the failure appropriately.
-#
-# Apps cannot access external storage before it becomes available.
-dontaudit appdomain storage_stub_file:dir getattr;
-# Attempts to write to system_data_file is generally a sign
-# that apps are attempting to access encrypted storage before
-# the ACTION_USER_UNLOCKED intent is delivered. Apps are not
-# allowed to write to CE storage before it's available.
-# Attempting to do so will be blocked by both selinux and unix
-# permissions.
-dontaudit appdomain system_data_file:dir write;
-# Apps should not be reading vendor-defined properties.
-dontaudit appdomain vendor_default_prop:file read;
-
-# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
-
-neverallow appdomain system_server:udp_socket {
- accept append bind create ioctl listen lock name_bind
- relabelfrom relabelto setattr shutdown };
-
-# Transition to a non-app domain.
-# Exception for the shell and su domains, can transition to runas, etc.
-# Exception for crash_dump to allow for app crash reporting.
-# Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
-# to allow renderscript to create privileged executable files.
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain -crash_dump -rs }:process { transition };
-neverallow { appdomain -shell userdebug_or_eng(`-su') }
- { domain -appdomain }:process { dyntransition };
-
-# Don't allow regular apps access to storage configuration properties.
-neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-
-# Allow to read sendbug.preferred.domain
-get_prop(appdomain, sendbug_config_prop)
-
-# Allow to read graphics related properties.
-get_prop(appdomain, graphics_config_prop)
-
-# Allow to read persist.config.calibration_fac
-get_prop(appdomain, camera_calibration_prop)
-
-# Allow to read db.log.detailed, db.log.slow_query_threshold*
-get_prop(appdomain, sqlite_log_prop)
-
-# Allow font file read by apps.
-allow appdomain font_data_file:file r_file_perms;
-allow appdomain font_data_file:dir r_dir_perms;
-
-# Enter /data/misc/apexdata/
-allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
-allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file rx_file_perms;
-
-# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
-allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
-
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
diff --git a/prebuilts/api/31.0/private/app_neverallows.te b/prebuilts/api/31.0/private/app_neverallows.te
deleted file mode 100644
index c7fa4e8..0000000
--- a/prebuilts/api/31.0/private/app_neverallows.te
+++ /dev/null
@@ -1,245 +0,0 @@
-###
-### neverallow rules for untrusted app domains
-###
-
-define(`all_untrusted_apps',`{
- ephemeral_app
- isolated_app
- mediaprovider
- mediaprovider_app
- untrusted_app
- untrusted_app_25
- untrusted_app_27
- untrusted_app_29
- untrusted_app_all
-}')
-# Receive or send uevent messages.
-neverallow all_untrusted_apps domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow all_untrusted_apps domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
-neverallow {all_untrusted_apps userdebug_or_eng(`-domain')} debugfs_type:{ file lnk_file } read;
-
-# Do not allow untrusted apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow all_untrusted_apps service_manager_type:service_manager add;
-
-# Do not allow untrusted apps to use VendorBinder
-neverallow all_untrusted_apps vndbinder_device:chr_file *;
-neverallow all_untrusted_apps vndservice_manager_type:service_manager *;
-
-# Do not allow untrusted apps to connect to the property service
-# or set properties. b/10243159
-neverallow { all_untrusted_apps -mediaprovider } property_socket:sock_file write;
-neverallow { all_untrusted_apps -mediaprovider } init:unix_stream_socket connectto;
-neverallow { all_untrusted_apps -mediaprovider } property_type:property_service set;
-
-# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps } net_dns_prop:file read;
-
-# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
-
-# Shared libraries created by trusted components within an app home
-# directory can be dlopen()ed. To maintain the W^X property, these files
-# must never be writable to the app.
-neverallow all_untrusted_apps app_exec_data_file:file
- { append create link relabelfrom relabelto rename setattr write };
-
-# Block calling execve() on files in an apps home directory.
-# This is a W^X violation (loading executable code from a writable
-# home directory). For compatibility, allow for targetApi <= 28.
-# b/112357170
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -runas_app
-} { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Do not allow untrusted apps to invoke dex2oat. This was historically required
-# by ART for compiling secondary dex files but has been removed in Q.
-# Exempt legacy apps (targetApi<=28) for compatibility.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} dex2oat_exec:file no_x_file_perms;
-
-# Do not allow untrusted apps to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and an untrusted app is allowed fork permission to itself.
-neverallow all_untrusted_apps mlstrustedsubject:process fork;
-
-# Do not allow untrusted apps to hard link to any files.
-# In particular, if an untrusted app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure untrusted apps never have this
-# capability.
-neverallow all_untrusted_apps file_type:file link;
-
-# Do not allow untrusted apps to access network MAC address file
-neverallow all_untrusted_apps sysfs_net:file no_rw_file_perms;
-
-# Do not allow any write access to files in /sys
-neverallow all_untrusted_apps sysfs_type:file { no_w_file_perms no_x_file_perms };
-
-# Apps may never access the default sysfs label.
-neverallow all_untrusted_apps sysfs:file no_rw_file_perms;
-
-# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
-# ioctl permission, or 3. disallow the socket class.
-neverallowxperm all_untrusted_apps domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-neverallow all_untrusted_apps *:{ netlink_route_socket netlink_selinux_socket } ioctl;
-neverallow all_untrusted_apps *:{
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket sctp_socket
- ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
- atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
-} *;
-
-# Disallow sending RTM_GETLINK messages on netlink sockets.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
- -untrusted_app_29
-} domain:netlink_route_socket { bind nlmsg_readpriv };
-
-# Do not allow untrusted apps access to /cache
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:dir ~{ r_dir_perms };
-neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_file }:file ~{ read getattr };
-
-# Do not allow untrusted apps to create/unlink files outside of its sandbox,
-# internal storage or sdcard.
-# World accessible data locations allow application to fill the device
-# with unaccounted for data. This data will not get removed during
-# application un-installation.
-neverallow { all_untrusted_apps -mediaprovider } {
- fs_type
- -sdcard_type
- file_type
- -app_data_file # The apps sandbox itself
- -privapp_data_file
- -app_exec_data_file # stored within the app sandbox directory
- -media_rw_data_file # Internal storage. Known that apps can
- # leave artfacts here after uninstall.
- -user_profile_data_file # Access to profile files
- userdebug_or_eng(`
- -method_trace_data_file # only on ro.debuggable=1
- -coredump_file # userdebug/eng only
- ')
-}:dir_file_class_set { create unlink };
-
-# No untrusted component except mediaprovider_app should be touching /dev/fuse
-neverallow { all_untrusted_apps -mediaprovider_app } fuse_device:chr_file *;
-
-# Do not allow untrusted apps to directly open the tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
-# The tun_device ioctls below are not allowed, to prove equivalence
-# to the kernel patch at
-# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-neverallow all_untrusted_apps anr_data_file:file ~{ open append };
-neverallow all_untrusted_apps anr_data_file:dir ~search;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow all_untrusted_apps {
- proc
- proc_asound
- proc_kmsg
- proc_loadavg
- proc_mounts
- proc_pagetypeinfo
- proc_slabinfo
- proc_stat
- proc_swaps
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat
-}:file { no_rw_file_perms no_x_file_perms };
-
-# /proc/filesystems is accessible to mediaprovider_app only since it handles
-# external storage
-neverallow { all_untrusted_apps - mediaprovider_app } proc_filesystems:file { no_rw_file_perms no_x_file_perms };
-
-# Avoid all access to kernel configuration
-neverallow all_untrusted_apps config_gz:file { no_rw_file_perms no_x_file_perms };
-
-# Do not allow untrusted apps access to preloads data files
-neverallow all_untrusted_apps preloads_data_file:file no_rw_file_perms;
-
-# Locking of files on /system could lead to denial of service attacks
-# against privileged system components
-neverallow all_untrusted_apps system_file:file lock;
-
-# Do not permit untrusted apps to perform actions on HwBinder service_manager
-# other than find actions for services listed below
-neverallow all_untrusted_apps *:hwservice_manager ~find;
-
-# Do not permit access from apps which host arbitrary code to the protected services
-# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because
-# vendor code does not have a way to understand apps or their relation to
-# caller UID information and, even if it did, those services either operate
-# at a level below that of apps (e.g., HALs) or must not rely on app identity
-# for authorization. Thus, to be safe, the default assumption for all added
-# vendor services is that they treat all their clients as equally authorized
-# to perform operations offered by the service.
-# 2. HAL servers contain code with higher incidence rate of security issues
-# than system/core components and have access to lower layes of the stack
-# (all the way down to hardware) thus increasing opportunities for bypassing
-# the Android security model.
-neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-neverallow all_untrusted_apps protected_service:service_manager find;
-
-# SELinux is not an API for untrusted apps to use
-neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-neverallow { all_untrusted_apps -untrusted_app_25 } proc_tty_drivers:file r_file_perms;
-neverallow all_untrusted_apps proc_tty_drivers:file ~r_file_perms;
-
-# Untrusted apps are not allowed to use cgroups.
-neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
-
-# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
-# must not use it.
-neverallow {
- all_untrusted_apps
- -untrusted_app_25
- -untrusted_app_27
-} mnt_sdcard_file:lnk_file *;
-
-# Only privileged apps may find the incident service
-neverallow all_untrusted_apps incident_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/app_zygote.te b/prebuilts/api/31.0/private/app_zygote.te
deleted file mode 100644
index 004c108..0000000
--- a/prebuilts/api/31.0/private/app_zygote.te
+++ /dev/null
@@ -1,174 +0,0 @@
-typeattribute app_zygote coredomain;
-
-######
-###### Policy below is different from regular zygote-spawned apps
-######
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(app_zygote);
-
-# Set the UID/GID of the process.
-# This will be further limited to a range of isolated UIDs with seccomp.
-allow app_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow app_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to isolated app domain.
-allow app_zygote self:process setcurrent;
-allow app_zygote isolated_app:process dyntransition;
-
-# For JIT
-allow app_zygote self:process execmem;
-
-# Allow app_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow app_zygote debugfs_trace_marker:file getattr;
-
-# get system_server process group
-allow app_zygote system_server:process getpgid;
-
-# Interaction between the app_zygote and its children.
-allow app_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-dontaudit app_zygote mnt_expand_file:dir getattr;
-
-# Get seapp_contexts
-allow app_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(app_zygote)
-# Check SELinux permissions.
-selinux_check_access(app_zygote)
-
-# Read and inspect temporary files managed by zygote.
-allow app_zygote zygote_tmpfs:file { read getattr };
-
-######
-###### Policy below is shared with regular zygote-spawned apps
-######
-
-# Child of zygote.
-allow app_zygote zygote:fd use;
-allow app_zygote zygote:process sigchld;
-
-# For ART (read /data/dalvik-cache).
-r_dir_file(app_zygote, dalvikcache_data_file);
-allow app_zygote dalvikcache_data_file:file execute;
-
-# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
-allow app_zygote apex_module_data_file:dir search;
-# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
-r_dir_file(app_zygote, apex_art_data_file)
-
-# Allow reading/executing installed binaries to enable preloading
-# application data
-allow app_zygote apk_data_file:dir r_dir_perms;
-allow app_zygote apk_data_file:file { r_file_perms execute };
-
-# /oem accesses.
-allow app_zygote oemfs:dir search;
-
-# Allow app_zygote access to /vendor/overlay
-r_dir_file(app_zygote, vendor_overlay_file)
-
-allow app_zygote system_data_file:lnk_file r_file_perms;
-allow app_zygote system_data_file:file { getattr read map };
-
-# Send unsolicited message to system_server
-unix_socket_send(app_zygote, system_unsolzygote, system_server)
-
-# Allow the app_zygote to access the runtime feature flag properties.
-get_prop(app_zygote, device_config_runtime_native_prop)
-get_prop(app_zygote, device_config_runtime_native_boot_prop)
-
-# Allow app_zygote to access odsign verification status
-get_prop(app_zygote, odsign_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow app_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow app_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow app_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# app_zygote child.
-neverallow { domain -zygote } app_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow app_zygote property_socket:sock_file write;
-neverallow app_zygote property_type:property_service set;
-
-# Should not have any access to data files.
-neverallow app_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow app_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps should not be able to access the driver directly.
-neverallow app_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow app_zygote access to /cache.
-neverallow app_zygote cache_file:dir ~{ r_dir_perms };
-neverallow app_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow app_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
-} *;
-
-# Only allow app_zygote to talk to the logd socket, and
-# su/heapprofd/traced_perf on eng/userdebug. This is because
-# cap_setuid/cap_setgid allow to forge uid/gid in SCM_CREDENTIALS.
-# Think twice before changing.
-neverallow app_zygote {
- domain
- -app_zygote
- -logd
- -system_server
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_dgram_socket *;
-
-neverallow app_zygote {
- domain
- -app_zygote
- userdebug_or_eng(`-su')
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:unix_stream_socket *;
-
-# Never allow ptrace
-neverallow app_zygote *:process ptrace;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow app_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/prebuilts/api/31.0/private/asan_extract.te b/prebuilts/api/31.0/private/asan_extract.te
deleted file mode 100644
index 69bcd50..0000000
--- a/prebuilts/api/31.0/private/asan_extract.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# Technically not a daemon but we do want the transition from init domain to
-# asan_extract to occur.
-with_asan(`
- typeattribute asan_extract coredomain;
- init_daemon_domain(asan_extract)
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
-')
diff --git a/prebuilts/api/31.0/private/atrace.te b/prebuilts/api/31.0/private/atrace.te
deleted file mode 100644
index d9e351c..0000000
--- a/prebuilts/api/31.0/private/atrace.te
+++ /dev/null
@@ -1,80 +0,0 @@
-# Domain for atrace process.
-# It is spawned either by traced_probes or by init for the boottrace service.
-
-type atrace_exec, exec_type, file_type, system_file_type;
-
-# boottrace services uses /data/misc/boottrace/categories
-allow atrace boottrace_data_file:dir search;
-allow atrace boottrace_data_file:file r_file_perms;
-
-# Allow atrace to access tracefs.
-allow atrace debugfs_tracing:dir r_dir_perms;
-allow atrace debugfs_tracing:file rw_file_perms;
-allow atrace debugfs_trace_marker:file getattr;
-
-# Allow atrace to write data when a pipe is used for stdout/stderr
-# This is used by Perfetto to capture the output on error in atrace.
-allow atrace traced_probes:fd use;
-allow atrace traced_probes:fifo_file write;
-
-# atrace sets debug.atrace.* properties
-set_prop(atrace, debug_prop)
-
-# atrace pokes all the binder-enabled processes at startup with a
-# SYSPROPS_TRANSACTION, to tell them to reload the debug.atrace.* properties.
-
-# Allow discovery of binder services.
-allow atrace {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -dumpstate_service
- -incident_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -stats_service
- -tracingproxy_service
- -vold_service
- -default_android_service
-}:service_manager { find };
-allow atrace servicemanager:service_manager list;
-
-# Allow notifying the processes hosting specific binder services that
-# trace-related system properties have changed.
-binder_use(atrace)
-allow atrace healthd:binder call;
-allow atrace surfaceflinger:binder call;
-allow atrace system_server:binder call;
-allow atrace cameraserver:binder call;
-
-# Similarly, on debug builds, allow specific HALs to be notified that
-# trace-related system properties have changed.
-userdebug_or_eng(`
- # List HAL interfaces.
- allow atrace hwservicemanager:hwservice_manager list;
- # Notify the camera HAL.
- hal_client_domain(atrace, hal_camera)
- hal_client_domain(atrace, hal_vibrator)
-')
-
-# Remove logspam from notification attempts to non-allowlisted services.
-dontaudit atrace hwservice_manager_type:hwservice_manager find;
-dontaudit atrace service_manager_type:service_manager find;
-dontaudit atrace domain:binder call;
-
-# atrace can call atrace HAL
-hal_client_domain(atrace, hal_atrace)
-
-get_prop(atrace, hwservicemanager_prop)
-
-userdebug_or_eng(`
- # atrace is generally invoked as a standalone binary from shell or perf
- # daemons like Perfetto traced_probes. However, in userdebug builds, there is
- # a further option to run atrace as an init daemon for boot tracing.
- init_daemon_domain(atrace)
-
- allow atrace debugfs_tracing_debug:dir r_dir_perms;
- allow atrace debugfs_tracing_debug:file rw_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/attributes b/prebuilts/api/31.0/private/attributes
deleted file mode 100644
index 991bac1..0000000
--- a/prebuilts/api/31.0/private/attributes
+++ /dev/null
@@ -1,12 +0,0 @@
-hal_attribute(lazy_test);
-
-# This is applied to apps on vendor images with SDK <=30 only,
-# to exempt them from recent mls changes. It must not be applied
-# to any domain on newer system or vendor image.
-attribute mlsvendorcompat;
-
-# Attributes for property types having both system_property_type
-# and vendor_property_type. Such types are ill-formed because
-# property owner attributes must be exclusive.
-attribute system_and_vendor_property_type;
-expandattribute system_and_vendor_property_type false;
diff --git a/prebuilts/api/31.0/private/audioserver.te b/prebuilts/api/31.0/private/audioserver.te
deleted file mode 100644
index 2d0b46d..0000000
--- a/prebuilts/api/31.0/private/audioserver.te
+++ /dev/null
@@ -1,104 +0,0 @@
-# audioserver - audio services daemon
-
-typeattribute audioserver coredomain;
-
-type audioserver_exec, exec_type, file_type, system_file_type;
-init_daemon_domain(audioserver)
-tmpfs_domain(audioserver)
-
-r_dir_file(audioserver, sdcard_type)
-
-binder_use(audioserver)
-binder_call(audioserver, binderservicedomain)
-binder_call(audioserver, appdomain)
-binder_service(audioserver)
-
-hal_client_domain(audioserver, hal_allocator)
-# /system/lib64/hw for always-passthrough Allocator HAL ashmem / mapper .so
-r_dir_file(audioserver, system_file)
-
-hal_client_domain(audioserver, hal_audio)
-
-userdebug_or_eng(`
- # used for TEE sink - pcm capture for debug.
- allow audioserver media_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:dir create_dir_perms;
- allow audioserver audioserver_data_file:file create_file_perms;
-
- # ptrace to processes in the same domain for memory leak detection
- allow audioserver self:process ptrace;
-')
-
-add_service(audioserver, audioserver_service)
-allow audioserver activity_service:service_manager find;
-allow audioserver appops_service:service_manager find;
-allow audioserver batterystats_service:service_manager find;
-allow audioserver external_vibrator_service:service_manager find;
-allow audioserver package_native_service:service_manager find;
-allow audioserver permission_service:service_manager find;
-allow audioserver permission_checker_service:service_manager find;
-allow audioserver power_service:service_manager find;
-allow audioserver scheduling_policy_service:service_manager find;
-allow audioserver mediametrics_service:service_manager find;
-allow audioserver sensor_privacy_service:service_manager find;
-allow audioserver soundtrigger_middleware_service:service_manager find;
-
-# Allow read/write access to bluetooth-specific properties
-set_prop(audioserver, bluetooth_a2dp_offload_prop)
-set_prop(audioserver, bluetooth_audio_hal_prop)
-set_prop(audioserver, bluetooth_prop)
-set_prop(audioserver, exported_bluetooth_prop)
-
-# Grant access to audio files to audioserver
-allow audioserver audio_data_file:dir ra_dir_perms;
-allow audioserver audio_data_file:file create_file_perms;
-
-# allow access to ALSA MMAP FDs for AAudio API
-allow audioserver audio_device:chr_file { read write };
-
-not_full_treble(`allow audioserver audio_device:dir r_dir_perms;')
-not_full_treble(`allow audioserver audio_device:chr_file rw_file_perms;')
-
-# For A2DP bridge which is loaded directly into audioserver
-unix_socket_connect(audioserver, bluetooth, bluetooth)
-
-# Allow shell commands from ADB and shell for CTS testing/dumping
-allow audioserver adbd:fd use;
-allow audioserver adbd:unix_stream_socket { read write };
-allow audioserver shell:fifo_file { read write };
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
- allow audioserver su:fd use;
- allow audioserver su:fifo_file { read write };
- allow audioserver su:unix_stream_socket { read write };
-')
-
-# Allow write access to log tag property
-set_prop(audioserver, log_tag_prop);
-
-###
-### neverallow rules
-###
-
-# audioserver should never execute any executable without a
-# domain transition
-neverallow audioserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow audioserver domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Allow using wake locks
-wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
diff --git a/prebuilts/api/31.0/private/auditctl.te b/prebuilts/api/31.0/private/auditctl.te
deleted file mode 100644
index f634d3d..0000000
--- a/prebuilts/api/31.0/private/auditctl.te
+++ /dev/null
@@ -1,18 +0,0 @@
-#
-# /system/bin/auditctl executed for logd
-#
-# Performs maintenance of the kernel auditing system, including
-# setting rate limits on SELinux denials.
-#
-
-type auditctl, domain, coredomain;
-type auditctl_exec, file_type, system_file_type, exec_type;
-
-# Uncomment the line below to put this domain into permissive
-# mode. This helps speed SELinux policy development.
-# userdebug_or_eng(`permissive auditctl;')
-
-init_daemon_domain(auditctl)
-
-allow auditctl self:global_capability_class_set audit_control;
-allow auditctl self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
diff --git a/prebuilts/api/31.0/private/automotive_display_service.te b/prebuilts/api/31.0/private/automotive_display_service.te
deleted file mode 100644
index da933a9..0000000
--- a/prebuilts/api/31.0/private/automotive_display_service.te
+++ /dev/null
@@ -1,34 +0,0 @@
-# Display proxy service for Automotive
-type automotive_display_service, domain, coredomain;
-type automotive_display_service_exec, system_file_type, exec_type, file_type;
-
-typeattribute automotive_display_service automotive_display_service_server;
-
-# Allow to add a display service to the manager
-add_hwservice(automotive_display_service, fwk_automotive_display_hwservice);
-
-# Allow init to launch automotive display service
-init_daemon_domain(automotive_display_service)
-
-# Allow to use Binder IPC for SurfaceFlinger.
-binder_use(automotive_display_service)
-
-# Allow to use HwBinder IPC for HAL implementations.
-hwbinder_use(automotive_display_service)
-hal_client_domain(automotive_display_service, hal_graphics_composer)
-hal_client_domain(automotive_display_service, hal_graphics_allocator)
-
-# Allow to read the target property.
-get_prop(automotive_display_service, hwservicemanager_prop)
-
-# Allow to find SurfaceFlinger.
-allow automotive_display_service surfaceflinger_service:service_manager find;
-
-# Allow client domain to do binder IPC to serverdomain.
-binder_call(automotive_display_service, surfaceflinger)
-
-# Allow to use a graphics mapper
-allow automotive_display_service hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# Allow to use hidl token service
-allow automotive_display_service hidl_token_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/31.0/private/binderservicedomain.te b/prebuilts/api/31.0/private/binderservicedomain.te
deleted file mode 100644
index 7275954..0000000
--- a/prebuilts/api/31.0/private/binderservicedomain.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# Rules common to all binder service domains
-
-# Allow dumpstate and incidentd to collect information from binder services
-allow binderservicedomain { dumpstate incidentd }:fd use;
-allow binderservicedomain { dumpstate incidentd }:unix_stream_socket { read write getopt getattr };
-allow binderservicedomain { dumpstate incidentd }:fifo_file { getattr write };
-allow binderservicedomain shell_data_file:file { getattr write };
-
-# Allow dumpsys to work from adb shell or the serial console
-allow binderservicedomain devpts:chr_file rw_file_perms;
-allow binderservicedomain console_device:chr_file rw_file_perms;
-
-# Receive and write to a pipe received over Binder from an app.
-allow binderservicedomain appdomain:fd use;
-allow binderservicedomain appdomain:fifo_file write;
-
-# allow all services to run permission checks
-allow binderservicedomain permission_service:service_manager find;
-
-allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
-
-use_keystore(binderservicedomain)
diff --git a/prebuilts/api/31.0/private/blank_screen.te b/prebuilts/api/31.0/private/blank_screen.te
deleted file mode 100644
index 20d50cc..0000000
--- a/prebuilts/api/31.0/private/blank_screen.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type blank_screen, domain, coredomain;
-type blank_screen_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(blank_screen)
-
-# hal_light_client has access to hal_light_server
-hal_client_domain(blank_screen, hal_light)
diff --git a/prebuilts/api/31.0/private/blkid.te b/prebuilts/api/31.0/private/blkid.te
deleted file mode 100644
index 4e972ab..0000000
--- a/prebuilts/api/31.0/private/blkid.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# blkid called from vold
-
-typeattribute blkid coredomain;
-
-type blkid_exec, system_file_type, exec_type, file_type;
-
-# Allowed read-only access to encrypted devices to extract UUID/label
-allow blkid block_device:dir search;
-allow blkid userdata_block_device:blk_file r_file_perms;
-allow blkid dm_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid vold:fd use;
-allow blkid vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid blkid_exec:file rx_file_perms;
-
-# Only allow entry from vold
-neverallow { domain -vold } blkid:process transition;
-neverallow * blkid:process dyntransition;
-neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/31.0/private/blkid_untrusted.te b/prebuilts/api/31.0/private/blkid_untrusted.te
deleted file mode 100644
index 1256771..0000000
--- a/prebuilts/api/31.0/private/blkid_untrusted.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# blkid for untrusted block devices
-
-typeattribute blkid_untrusted coredomain;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
diff --git a/prebuilts/api/31.0/private/bluetooth.te b/prebuilts/api/31.0/private/bluetooth.te
deleted file mode 100644
index 8fc6d20..0000000
--- a/prebuilts/api/31.0/private/bluetooth.te
+++ /dev/null
@@ -1,87 +0,0 @@
-# bluetooth app
-
-typeattribute bluetooth coredomain, mlstrustedsubject;
-
-app_domain(bluetooth)
-net_domain(bluetooth)
-
-# Socket creation under /data/misc/bluedroid.
-type_transition bluetooth bluetooth_data_file:sock_file bluetooth_socket;
-
-# Allow access to net_admin ioctls
-allowxperm bluetooth self:udp_socket ioctl priv_sock_ioctls;
-
-wakelock_use(bluetooth);
-
-# Data file accesses.
-allow bluetooth bluetooth_data_file:dir create_dir_perms;
-allow bluetooth bluetooth_data_file:notdevfile_class_set create_file_perms;
-allow bluetooth bluetooth_logs_data_file:dir rw_dir_perms;
-allow bluetooth bluetooth_logs_data_file:file create_file_perms;
-
-# Socket creation under /data/misc/bluedroid.
-allow bluetooth bluetooth_socket:sock_file create_file_perms;
-
-allow bluetooth self:global_capability_class_set net_admin;
-allow bluetooth self:global_capability2_class_set wake_alarm;
-
-# tethering
-allow bluetooth self:packet_socket create_socket_perms_no_ioctl;
-allow bluetooth self:global_capability_class_set { net_admin net_raw net_bind_service };
-allow bluetooth self:tun_socket create_socket_perms_no_ioctl;
-allow bluetooth tun_device:chr_file rw_file_perms;
-allowxperm bluetooth tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow bluetooth efs_file:dir search;
-
-# allow Bluetooth to access uhid device for HID profile
-allow bluetooth uhid_device:chr_file rw_file_perms;
-
-# proc access.
-allow bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# Allow write access to bluetooth specific properties
-set_prop(bluetooth, binder_cache_bluetooth_server_prop);
-neverallow { domain -bluetooth -init }
- binder_cache_bluetooth_server_prop:property_service set;
-set_prop(bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(bluetooth, bluetooth_audio_hal_prop)
-set_prop(bluetooth, bluetooth_prop)
-set_prop(bluetooth, exported_bluetooth_prop)
-set_prop(bluetooth, pan_result_prop)
-
-allow bluetooth audioserver_service:service_manager find;
-allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth drmserver_service:service_manager find;
-allow bluetooth mediaserver_service:service_manager find;
-allow bluetooth radio_service:service_manager find;
-allow bluetooth app_api_service:service_manager find;
-allow bluetooth system_api_service:service_manager find;
-allow bluetooth network_stack_service:service_manager find;
-allow bluetooth system_suspend_control_service:service_manager find;
-
-# already open bugreport file descriptors may be shared with
-# the bluetooth process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow bluetooth shell_data_file:file read;
-
-# Bluetooth audio needs RT scheduling to meet deadlines, allow sys_nice
-allow bluetooth self:global_capability_class_set sys_nice;
-
-hal_client_domain(bluetooth, hal_bluetooth)
-hal_client_domain(bluetooth, hal_telephony)
-
-# Bluetooth A2DP offload requires binding with audio HAL
-hal_client_domain(bluetooth, hal_audio)
-
-read_runtime_log_tags(bluetooth)
-
-###
-### Neverallow rules
-###
-### These are things that the bluetooth app should NEVER be able to do
-###
-
-# Superuser capabilities.
-# Bluetooth requires net_{admin,raw,bind_service} and wake_alarm and block_suspend and sys_nice.
-neverallow bluetooth self:global_capability_class_set ~{ net_admin net_raw net_bind_service sys_nice};
-neverallow bluetooth self:global_capability2_class_set ~{ wake_alarm block_suspend };
diff --git a/prebuilts/api/31.0/private/bluetoothdomain.te b/prebuilts/api/31.0/private/bluetoothdomain.te
deleted file mode 100644
index fe4f0e6..0000000
--- a/prebuilts/api/31.0/private/bluetoothdomain.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow clients to use a socket provided by the bluetooth app.
-allow bluetoothdomain bluetooth:unix_stream_socket { getopt setopt getattr read write ioctl shutdown };
diff --git a/prebuilts/api/31.0/private/bootanim.te b/prebuilts/api/31.0/private/bootanim.te
deleted file mode 100644
index 855bc3d..0000000
--- a/prebuilts/api/31.0/private/bootanim.te
+++ /dev/null
@@ -1,17 +0,0 @@
-typeattribute bootanim coredomain;
-
-init_daemon_domain(bootanim)
-
-# b/68864350
-dontaudit bootanim unlabeled:dir search;
-
-# Bootanim should not be reading default vendor-defined properties.
-dontaudit bootanim vendor_default_prop:file read;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
-get_prop(bootanim, bootanim_config_prop)
-
-# Allow updating boot animation status.
-set_prop(bootanim, bootanim_system_prop)
diff --git a/prebuilts/api/31.0/private/bootstat.te b/prebuilts/api/31.0/private/bootstat.te
deleted file mode 100644
index 016292e..0000000
--- a/prebuilts/api/31.0/private/bootstat.te
+++ /dev/null
@@ -1,34 +0,0 @@
-typeattribute bootstat coredomain;
-
-init_daemon_domain(bootstat)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- userdebug_or_eng(`-incidentd')
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/boringssl_self_test.te b/prebuilts/api/31.0/private/boringssl_self_test.te
deleted file mode 100644
index 50fc1fc..0000000
--- a/prebuilts/api/31.0/private/boringssl_self_test.te
+++ /dev/null
@@ -1,74 +0,0 @@
-# System and vendor domains for BoringSSL self test binaries.
-#
-# For FIPS compliance, all processes linked against libcrypto perform a startup
-# self test which computes a hash of the BoringSSL Crypto Module (BCM) and, at least once
-# per device boot, also run a series of Known Answer Tests (KAT) to verify functionality.
-#
-# The KATs are expensive, and to ensure they are run as few times as possible, they
-# are skipped if a marker file exists in /dev/boringssl/selftest whose name is
-# the hash of the BCM that was computed earlier. The files are zero length and their contents
-# should never be read or written. To avoid giving arbitrary processes access to /dev/boringssl
-# to create these marker files, there are dedicated self test binaries which this policy
-# gives access to and which are run during early-init.
-#
-# Due to build skew, the version of libcrypto in /vendor may have a different hash than
-# the system one. To cater for this there are vendor variants of the self test binaries
-# which also have permission to write to the same files in /dev/boringssl. In the case where
-# vendor and system libcrypto have the same hash, there will be a race to create the file,
-# but this is harmless.
-#
-# If the self tests fail, then the device should reboot into firmware and for this reason
-# the system boringssl_self_test domain needs to be in coredomain. As vendor domains
-# are not allowed in coredomain, this means that the vendor self tests cannot trigger a
-# reboot. However every binary linked against the vendor libcrypto will abort on startup,
-# so in practice the device will crash anyway in this unlikely scenario.
-
-# System boringssl_self_test domain
-type boringssl_self_test, domain, coredomain;
-type boringssl_self_test_exec, system_file_type, exec_type, file_type;
-
-# Vendor boringssl_self_test domain
-type vendor_boringssl_self_test, domain;
-type vendor_boringssl_self_test_exec, vendor_file_type, exec_type, file_type;
-
-# Switch to boringssl_self_test security domain when running boringssl_self_test_exec
-init_daemon_domain(boringssl_self_test)
-
-# Switch to vendor_boringssl_self_test security domain when running vendor_boringssl_self_test_exec
-init_daemon_domain(vendor_boringssl_self_test)
-
-# Marker files, common to both domains, indicating KAT have been performed on a particular libcrypto
-#
-# The files are zero length so there is no issue if both vendor and system code
-# try to create the same file simultaneously. One will succeed and the other will fail
-# silently, i.e. still indicate success. Similar harmless naming collisions will happen in the
-# system domain e.g. when system and APEX copies of libcrypto are identical.
-type boringssl_self_test_marker, file_type;
-
-# Allow self test binaries to create/check for the existence of boringssl_self_test_marker files
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:file create_file_perms;
-allow { boringssl_self_test vendor_boringssl_self_test }
- boringssl_self_test_marker:dir ra_dir_perms;
-
-# Allow self test binaries to write their stdout/stderr messages to kmsg_debug
-allow { boringssl_self_test vendor_boringssl_self_test }
- kmsg_debug_device:chr_file { w_file_perms getattr ioctl };
-
-# No other process should be able to create marker files because their existence causes the
-# boringssl KAT to be skipped.
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:file no_rw_file_perms;
-
-neverallow {
- domain
- -vendor_boringssl_self_test
- -boringssl_self_test
- -init
- -vendor_init
-} boringssl_self_test_marker:dir write;
diff --git a/prebuilts/api/31.0/private/bpfloader.te b/prebuilts/api/31.0/private/bpfloader.te
deleted file mode 100644
index 343ec7a..0000000
--- a/prebuilts/api/31.0/private/bpfloader.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bpf program loader
-type bpfloader, domain;
-type bpfloader_exec, system_file_type, exec_type, file_type;
-typeattribute bpfloader coredomain;
-
-# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
-
-# Allow bpfloader to create bpf maps and programs.
-allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-
-allow bpfloader self:capability { chown sys_admin net_admin };
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
-
-###
-### Neverallow rules
-###
-
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
-
-# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
-
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
-
-neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-
-neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
-
-# No domain should be allowed to ptrace bpfloader
-neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
diff --git a/prebuilts/api/31.0/private/bufferhubd.te b/prebuilts/api/31.0/private/bufferhubd.te
deleted file mode 100644
index 012eb20..0000000
--- a/prebuilts/api/31.0/private/bufferhubd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute bufferhubd coredomain;
-
-init_daemon_domain(bufferhubd)
diff --git a/prebuilts/api/31.0/private/bug_map b/prebuilts/api/31.0/private/bug_map
deleted file mode 100644
index 5b042ae..0000000
--- a/prebuilts/api/31.0/private/bug_map
+++ /dev/null
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/prebuilts/api/31.0/private/cameraserver.te b/prebuilts/api/31.0/private/cameraserver.te
deleted file mode 100644
index 2be3c9e..0000000
--- a/prebuilts/api/31.0/private/cameraserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute cameraserver coredomain;
-
-typeattribute cameraserver camera_service_server;
-
-init_daemon_domain(cameraserver)
-tmpfs_domain(cameraserver)
diff --git a/prebuilts/api/31.0/private/canhalconfigurator.te b/prebuilts/api/31.0/private/canhalconfigurator.te
deleted file mode 100644
index 9ba60ac..0000000
--- a/prebuilts/api/31.0/private/canhalconfigurator.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type canhalconfigurator, domain, coredomain;
-type canhalconfigurator_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(canhalconfigurator)
-
-# This allows the configurator to look up the CAN HAL controller via
-# hwservice_manager and communicate with it.
-hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/prebuilts/api/31.0/private/charger.te b/prebuilts/api/31.0/private/charger.te
deleted file mode 100644
index 8be113f..0000000
--- a/prebuilts/api/31.0/private/charger.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute charger coredomain;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
-
-get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
-
-compatible_property_only(`
- neverallow {
- domain
- -init
- -dumpstate
- -charger
- } charger_prop:file no_rw_file_perms;
-')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/prebuilts/api/31.0/private/clatd.te b/prebuilts/api/31.0/private/clatd.te
deleted file mode 100644
index 0fa774a..0000000
--- a/prebuilts/api/31.0/private/clatd.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# 464xlat daemon
-type clatd, domain, coredomain;
-type clatd_exec, system_file_type, exec_type, file_type;
-
-net_domain(clatd)
-
-r_dir_file(clatd, proc_net_type)
-userdebug_or_eng(`
- auditallow clatd proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Access objects inherited from netd.
-allow clatd netd:fd use;
-allow clatd netd:fifo_file { read write };
-# TODO: Check whether some or all of these sockets should be close-on-exec.
-allow clatd netd:netlink_kobject_uevent_socket { read write };
-allow clatd netd:netlink_nflog_socket { read write };
-allow clatd netd:netlink_route_socket { read write };
-allow clatd netd:udp_socket { read write };
-allow clatd netd:unix_stream_socket { read write };
-allow clatd netd:unix_dgram_socket { read write };
-
-allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
-
-# clatd calls mmap(MAP_LOCKED) with a 1M buffer. MAP_LOCKED first checks
-# capable(CAP_IPC_LOCK), and then checks to see the requested amount is
-# under RLIMIT_MEMLOCK. If the latter check succeeds clatd won't have
-# needed CAP_IPC_LOCK. But this is not guaranteed to succeed on all devices
-# so we permit any requests we see from clatd asking for this capability.
-# See https://android-review.googlesource.com/127940 and
-# https://b.corp.google.com/issues/21736319
-allow clatd self:global_capability_class_set ipc_lock;
-
-allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
-allow clatd tun_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.cil b/prebuilts/api/31.0/private/compat/26.0/26.0.cil
deleted file mode 100644
index 498bca5..0000000
--- a/prebuilts/api/31.0/private/compat/26.0/26.0.cil
+++ /dev/null
@@ -1,786 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_keystore)
-(typeattribute hal_wifi_keystore_client)
-(typeattribute hal_wifi_keystore_server)
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type untrusted_v2_app)
-(type asan_reboot_prop)
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type log_device)
-(type mediacasserver_service)
-(type mediacodec)
-(type mediacodec_exec)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type tracing_shell_writable)
-(type tracing_shell_writable_debug)
-(type vold_socket)
-(type webview_zygote_socket)
-(type rild)
-(type netd_socket)
-
-(typeattributeset accessibility_service_26_0 (accessibility_service))
-(typeattributeset account_service_26_0 (account_service))
-(typeattributeset activity_service_26_0 (activity_service))
-(typeattributeset adbd_26_0 (adbd))
-(typeattributeset adb_data_file_26_0 (adb_data_file))
-(typeattributeset adbd_socket_26_0 (adbd_socket))
-(typeattributeset adb_keys_file_26_0 (adb_keys_file))
-(typeattributeset alarm_device_26_0 (alarm_device))
-(typeattributeset alarm_service_26_0 (alarm_service))
-(typeattributeset anr_data_file_26_0 (anr_data_file))
-(typeattributeset apk_data_file_26_0 (apk_data_file))
-(typeattributeset apk_private_data_file_26_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_26_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_26_0 (apk_tmp_file))
-(typeattributeset app_data_file_26_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_26_0 (app_fuse_file))
-(typeattributeset app_fusefs_26_0 (app_fusefs))
-(typeattributeset appops_service_26_0 (appops_service))
-(typeattributeset appwidget_service_26_0 (appwidget_service))
-(typeattributeset asan_reboot_prop_26_0 (asan_reboot_prop))
-(typeattributeset asec_apk_file_26_0 (asec_apk_file))
-(typeattributeset asec_image_file_26_0 (asec_image_file))
-(typeattributeset asec_public_file_26_0 (asec_public_file))
-(typeattributeset ashmem_device_26_0 (ashmem_device))
-(typeattributeset assetatlas_service_26_0 (assetatlas_service))
-(typeattributeset audio_data_file_26_0 (audio_data_file))
-(typeattributeset audio_device_26_0 (audio_device))
-(typeattributeset audiohal_data_file_26_0 (audiohal_data_file))
-(typeattributeset audio_prop_26_0 (audio_prop))
-(typeattributeset audio_seq_device_26_0 (audio_seq_device))
-(typeattributeset audioserver_26_0 (audioserver))
-(typeattributeset audioserver_data_file_26_0 (audioserver_data_file))
-(typeattributeset audioserver_service_26_0 (audioserver_service))
-(typeattributeset audio_service_26_0 (audio_service))
-(typeattributeset audio_timer_device_26_0 (audio_timer_device))
-(typeattributeset autofill_service_26_0 (autofill_service))
-(typeattributeset backup_data_file_26_0 (backup_data_file))
-(typeattributeset backup_service_26_0 (backup_service))
-(typeattributeset batteryproperties_service_26_0 (batteryproperties_service))
-(typeattributeset battery_service_26_0 (battery_service))
-(typeattributeset batterystats_service_26_0 (batterystats_service))
-(typeattributeset binder_device_26_0 (binder_device))
-(typeattributeset binfmt_miscfs_26_0 (binfmt_miscfs))
-(typeattributeset blkid_26_0 (blkid))
-(typeattributeset blkid_untrusted_26_0 (blkid_untrusted))
-(typeattributeset block_device_26_0 (block_device))
-(typeattributeset bluetooth_26_0 (bluetooth))
-(typeattributeset bluetooth_data_file_26_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_26_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_26_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_26_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_26_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_26_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_26_0 (bluetooth_socket))
-(typeattributeset bootanim_26_0 (bootanim))
-(typeattributeset bootanim_exec_26_0 (bootanim_exec))
-(typeattributeset boot_block_device_26_0 (boot_block_device))
-(typeattributeset bootchart_data_file_26_0 (bootchart_data_file))
-(typeattributeset bootstat_26_0 (bootstat))
-(typeattributeset bootstat_data_file_26_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_26_0 (bootstat_exec))
-(typeattributeset boottime_prop_26_0 (boottime_prop))
-(typeattributeset boottrace_data_file_26_0 (boottrace_data_file))
-(typeattributeset bufferhubd_26_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_26_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_26_0 (cache_backup_file))
-(typeattributeset cache_block_device_26_0 (cache_block_device))
-(typeattributeset cache_file_26_0 (cache_file))
-(typeattributeset cache_private_backup_file_26_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_26_0 (cache_recovery_file))
-(typeattributeset camera_data_file_26_0 (camera_data_file))
-(typeattributeset camera_device_26_0 (camera_device))
-(typeattributeset cameraproxy_service_26_0 (cameraproxy_service))
-(typeattributeset cameraserver_26_0 (cameraserver))
-(typeattributeset cameraserver_exec_26_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_26_0 (cameraserver_service))
-(typeattributeset cgroup_26_0 (cgroup))
-(typeattributeset charger_26_0 (charger))
-(typeattributeset clatd_26_0 (clatd))
-(typeattributeset clatd_exec_26_0 (clatd_exec))
-(typeattributeset clipboard_service_26_0 (clipboard_service))
-(typeattributeset commontime_management_service_26_0 (commontime_management_service))
-(typeattributeset companion_device_service_26_0 (companion_device_service))
-(typeattributeset configfs_26_0 (configfs))
-(typeattributeset config_prop_26_0 (config_prop))
-(typeattributeset connectivity_service_26_0 (connectivity_service))
-(typeattributeset connmetrics_service_26_0 (connmetrics_service))
-(typeattributeset console_device_26_0 (console_device))
-(typeattributeset consumer_ir_service_26_0 (consumer_ir_service))
-(typeattributeset content_service_26_0 (content_service))
-(typeattributeset contexthub_service_26_0 (contexthub_service))
-(typeattributeset coredump_file_26_0 (coredump_file))
-(typeattributeset country_detector_service_26_0 (country_detector_service))
-(typeattributeset coverage_service_26_0 (coverage_service))
-(typeattributeset cppreopt_prop_26_0 (cppreopt_prop))
-(typeattributeset cppreopts_26_0 (cppreopts))
-(typeattributeset cppreopts_exec_26_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_26_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_26_0 (cpuinfo_service))
-(typeattributeset crash_dump_26_0 (crash_dump))
-(typeattributeset crash_dump_exec_26_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_26_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_26_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_26_0 (dalvik_prop))
-(typeattributeset dbinfo_service_26_0 (dbinfo_service))
-(typeattributeset debugfs_26_0
- ( debugfs
- debugfs_wakeup_sources
- ))
-(typeattributeset debugfs_mmc_26_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_26_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_26_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_instances_26_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_26_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_26_0 (debuggerd_prop))
-(typeattributeset debug_prop_26_0 (debug_prop))
-(typeattributeset default_android_hwservice_26_0 (default_android_hwservice))
-(typeattributeset default_android_service_26_0 (default_android_service))
-(typeattributeset default_android_vndservice_26_0 (default_android_vndservice))
-(typeattributeset default_prop_26_0
- ( default_prop pm_prop))
-(typeattributeset device_26_0 (device))
-(typeattributeset device_identifiers_service_26_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_26_0 (deviceidle_service))
-(typeattributeset device_logging_prop_26_0 (device_logging_prop))
-(typeattributeset device_policy_service_26_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_26_0 (devicestoragemonitor_service))
-(typeattributeset devpts_26_0 (devpts))
-(typeattributeset dex2oat_26_0 (dex2oat))
-(typeattributeset dex2oat_exec_26_0 (dex2oat_exec))
-(typeattributeset dhcp_26_0 (dhcp))
-(typeattributeset dhcp_data_file_26_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_26_0 (dhcp_exec))
-(typeattributeset dhcp_prop_26_0 (dhcp_prop))
-(typeattributeset diskstats_service_26_0 (diskstats_service))
-(typeattributeset display_service_26_0 (display_service))
-(typeattributeset dm_device_26_0 (dm_device))
-(typeattributeset dnsmasq_26_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_26_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_26_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_26_0 (DockObserver_service))
-(typeattributeset dreams_service_26_0 (dreams_service))
-(typeattributeset drm_data_file_26_0 (drm_data_file))
-(typeattributeset drmserver_26_0 (drmserver))
-(typeattributeset drmserver_exec_26_0 (drmserver_exec))
-(typeattributeset drmserver_service_26_0 (drmserver_service))
-(typeattributeset drmserver_socket_26_0 (drmserver_socket))
-(typeattributeset dropbox_service_26_0 (dropbox_service))
-(typeattributeset dumpstate_26_0 (dumpstate))
-(typeattributeset dumpstate_exec_26_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_26_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_26_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_26_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_26_0 (dumpstate_socket))
-(typeattributeset efs_file_26_0 (efs_file))
-(typeattributeset ephemeral_app_26_0 (ephemeral_app))
-(typeattributeset ethernet_service_26_0 (ethernet_service))
-(typeattributeset ffs_prop_26_0 (ffs_prop))
-(typeattributeset file_contexts_file_26_0 (file_contexts_file))
-(typeattributeset fingerprintd_26_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_26_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_26_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_26_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_26_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_26_0 (fingerprint_service))
-(typeattributeset firstboot_prop_26_0 (firstboot_prop))
-(typeattributeset font_service_26_0 (font_service))
-(typeattributeset frp_block_device_26_0 (frp_block_device))
-(typeattributeset fsck_26_0 (fsck))
-(typeattributeset fsck_exec_26_0 (fsck_exec))
-(typeattributeset fscklogs_26_0 (fscklogs))
-(typeattributeset fsck_untrusted_26_0 (fsck_untrusted))
-(typeattributeset full_device_26_0 (full_device))
-(typeattributeset functionfs_26_0 (functionfs))
-(typeattributeset fuse_26_0 (fuse))
-(typeattributeset fuse_device_26_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_26_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_26_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_26_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_26_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_26_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_26_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_26_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_26_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_26_0 (gfxinfo_service))
-(typeattributeset gps_control_26_0 (gps_control))
-(typeattributeset gpu_device_26_0 (gpu_device))
-(typeattributeset gpu_service_26_0 (gpu_service))
-(typeattributeset graphics_device_26_0 (graphics_device))
-(typeattributeset graphicsstats_service_26_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_26_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_26_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_26_0 (hal_bootctl_hwservice))
-(typeattributeset hal_camera_hwservice_26_0 (hal_camera_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_26_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_26_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_26_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_26_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_26_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_26_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_26_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_26_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_26_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_26_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_26_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_26_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_26_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_26_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_26_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_26_0 (hal_memtrack_hwservice))
-(typeattributeset hal_nfc_hwservice_26_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_26_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_26_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_26_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_26_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_26_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_26_0 (hal_telephony_hwservice))
-(typeattributeset hal_thermal_hwservice_26_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_26_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_26_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_26_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_26_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_26_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_26_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_26_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_26_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_26_0 (hardware_properties_service))
-(typeattributeset hardware_service_26_0 (hardware_service))
-(typeattributeset hci_attach_dev_26_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_26_0 (hdmi_control_service))
-(typeattributeset healthd_26_0 (healthd))
-(typeattributeset healthd_exec_26_0 (healthd_exec))
-(typeattributeset heapdump_data_file_26_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_26_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_26_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_26_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_26_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_26_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_26_0 (hwbinder_device))
-(typeattributeset hw_random_device_26_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_26_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_26_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_26_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_26_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_26_0 (i2c_device))
-(typeattributeset icon_file_26_0 (icon_file))
-(typeattributeset idmap_26_0 (idmap))
-(typeattributeset idmap_exec_26_0 (idmap_exec))
-(typeattributeset iio_device_26_0 (iio_device))
-(typeattributeset imms_service_26_0 (imms_service))
-(typeattributeset incident_26_0 (incident))
-(typeattributeset incidentd_26_0 (incidentd))
-(typeattributeset incident_data_file_26_0 (incident_data_file))
-(typeattributeset incident_service_26_0 (incident_service))
-(typeattributeset init_26_0 (init))
-(typeattributeset init_exec_26_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_26_0 (inotify))
-(typeattributeset input_device_26_0 (input_device))
-(typeattributeset inputflinger_26_0 (inputflinger))
-(typeattributeset inputflinger_exec_26_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_26_0 (inputflinger_service))
-(typeattributeset input_method_service_26_0 (input_method_service))
-(typeattributeset input_service_26_0 (input_service))
-(typeattributeset installd_26_0 (installd))
-(typeattributeset install_data_file_26_0 (install_data_file))
-(typeattributeset installd_exec_26_0 (installd_exec))
-(typeattributeset installd_service_26_0 (installd_service))
-(typeattributeset install_recovery_26_0 (install_recovery))
-(typeattributeset install_recovery_exec_26_0 (install_recovery_exec))
-(typeattributeset ion_device_26_0 (ion_device))
-(typeattributeset IProxyService_service_26_0 (IProxyService_service))
-(typeattributeset ipsec_service_26_0 (ipsec_service))
-(typeattributeset isolated_app_26_0 (isolated_app))
-(typeattributeset jobscheduler_service_26_0 (jobscheduler_service))
-(typeattributeset kernel_26_0 (kernel))
-(typeattributeset keychain_data_file_26_0 (keychain_data_file))
-(typeattributeset keychord_device_26_0 (keychord_device))
-(typeattributeset keystore_26_0 (keystore))
-(typeattributeset keystore_data_file_26_0 (keystore_data_file))
-(typeattributeset keystore_exec_26_0 (keystore_exec))
-(typeattributeset keystore_service_26_0 (keystore_service))
-(typeattributeset kmem_device_26_0 (kmem_device))
-(typeattributeset kmsg_device_26_0 (kmsg_device))
-(typeattributeset labeledfs_26_0 (labeledfs))
-(typeattributeset launcherapps_service_26_0 (launcherapps_service))
-(typeattributeset lmkd_26_0 (lmkd))
-(typeattributeset lmkd_exec_26_0 (lmkd_exec))
-(typeattributeset lmkd_socket_26_0 (lmkd_socket))
-(typeattributeset location_service_26_0 (location_service))
-(typeattributeset lock_settings_service_26_0 (lock_settings_service))
-(typeattributeset logcat_exec_26_0 (logcat_exec))
-(typeattributeset logd_26_0 (logd))
-(typeattributeset log_device_26_0 (log_device))
-(typeattributeset logd_exec_26_0 (logd_exec))
-(typeattributeset logd_prop_26_0 (logd_prop))
-(typeattributeset logdr_socket_26_0 (logdr_socket))
-(typeattributeset logd_socket_26_0 (logd_socket))
-(typeattributeset logdw_socket_26_0 (logdw_socket))
-(typeattributeset logpersist_26_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_26_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_26_0 (log_prop))
-(typeattributeset log_tag_prop_26_0 (log_tag_prop))
-(typeattributeset loop_control_device_26_0 (loop_control_device))
-(typeattributeset loop_device_26_0 (loop_device))
-(typeattributeset mac_perms_file_26_0 (mac_perms_file))
-(typeattributeset mdnsd_26_0 (mdnsd))
-(typeattributeset mdnsd_socket_26_0 (mdnsd_socket))
-(typeattributeset mdns_socket_26_0 (mdns_socket))
-(typeattributeset mediacasserver_service_26_0 (mediacasserver_service))
-(typeattributeset hal_omx_server (mediacodec_26_0))
-(typeattributeset mediacodec_26_0 (mediacodec))
-(typeattributeset mediacodec_exec_26_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_26_0 (mediacodec_service))
-(typeattributeset media_data_file_26_0 (media_data_file))
-(typeattributeset mediadrmserver_26_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_26_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_26_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_26_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_26_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_26_0 (mediaextractor_service))
-(typeattributeset mediametrics_26_0 (mediametrics))
-(typeattributeset mediametrics_exec_26_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_26_0 (mediametrics_service))
-(typeattributeset media_projection_service_26_0 (media_projection_service))
-(typeattributeset media_router_service_26_0 (media_router_service))
-(typeattributeset media_rw_data_file_26_0 (media_rw_data_file))
-(typeattributeset mediaserver_26_0 (mediaserver))
-(typeattributeset mediaserver_exec_26_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_26_0 (mediaserver_service))
-(typeattributeset media_session_service_26_0 (media_session_service))
-(typeattributeset meminfo_service_26_0 (meminfo_service))
-(typeattributeset metadata_block_device_26_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_26_0 (method_trace_data_file))
-(typeattributeset midi_service_26_0 (midi_service))
-(typeattributeset misc_block_device_26_0 (misc_block_device))
-(typeattributeset misc_logd_file_26_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_26_0 (misc_user_data_file))
-(typeattributeset mmc_prop_26_0 (mmc_prop))
-(typeattributeset mnt_expand_file_26_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_26_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_26_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_26_0 (mnt_user_file))
-(typeattributeset modprobe_26_0 (modprobe))
-(typeattributeset mount_service_26_0 (mount_service))
-(typeattributeset mqueue_26_0 (mqueue))
-(typeattributeset mtd_device_26_0 (mtd_device))
-(typeattributeset mtp_26_0 (mtp))
-(typeattributeset mtp_device_26_0 (mtp_device))
-(typeattributeset mtpd_socket_26_0 (mtpd_socket))
-(typeattributeset mtp_exec_26_0 (mtp_exec))
-(typeattributeset nativetest_data_file_26_0 (nativetest_data_file))
-(typeattributeset netd_26_0 (netd))
-(typeattributeset net_data_file_26_0 (net_data_file))
-(typeattributeset netd_exec_26_0 (netd_exec))
-(typeattributeset netd_listener_service_26_0 (netd_listener_service))
-(typeattributeset net_dns_prop_26_0 (net_dns_prop))
-(typeattributeset netd_service_26_0 (netd_service))
-(typeattributeset netd_socket_26_0 (netd_socket))
-(typeattributeset netif_26_0 (netif))
-(typeattributeset netpolicy_service_26_0 (netpolicy_service))
-(typeattributeset net_radio_prop_26_0 (net_radio_prop))
-(typeattributeset netstats_service_26_0 (netstats_service))
-(typeattributeset netutils_wrapper_26_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_26_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_26_0 (network_management_service))
-(typeattributeset network_score_service_26_0 (network_score_service))
-(typeattributeset network_time_update_service_26_0 (network_time_update_service))
-(typeattributeset nfc_26_0 (nfc))
-(typeattributeset nfc_data_file_26_0 (nfc_data_file))
-(typeattributeset nfc_device_26_0 (nfc_device))
-(typeattributeset nfc_prop_26_0 (nfc_prop))
-(typeattributeset nfc_service_26_0 (nfc_service))
-(typeattributeset node_26_0 (node))
-(typeattributeset notification_service_26_0 (notification_service))
-(typeattributeset null_device_26_0 (null_device))
-(typeattributeset oemfs_26_0 (oemfs))
-(typeattributeset oem_lock_service_26_0 (oem_lock_service))
-(typeattributeset ota_data_file_26_0 (ota_data_file))
-(typeattributeset otadexopt_service_26_0 (otadexopt_service))
-(typeattributeset ota_package_file_26_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_26_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_26_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_26_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_26_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_26_0 (overlay_prop))
-(typeattributeset overlay_service_26_0 (overlay_service))
-(typeattributeset owntty_device_26_0 (owntty_device))
-(typeattributeset package_service_26_0 (package_service))
-(typeattributeset pan_result_prop_26_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_26_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_26_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_26_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_26_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_26_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_26_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_26_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_26_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_26_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_26_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_26_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_26_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_26_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_26_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_26_0 (pdx_performance_dir))
-(typeattributeset performanced_26_0 (performanced))
-(typeattributeset performanced_exec_26_0 (performanced_exec))
-(typeattributeset permission_service_26_0 (permission_service))
-(typeattributeset persist_debug_prop_26_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_26_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_26_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_26_0 (pinner_service))
-(typeattributeset pipefs_26_0 (pipefs))
-(typeattributeset platform_app_26_0 (platform_app))
-(typeattributeset pmsg_device_26_0 (pmsg_device))
-(typeattributeset port_26_0 (port))
-(typeattributeset port_device_26_0 (port_device))
-(typeattributeset postinstall_26_0 (postinstall))
-(typeattributeset postinstall_dexopt_26_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_26_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_26_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_26_0 (powerctl_prop))
-(typeattributeset power_service_26_0 (power_service))
-(typeattributeset ppp_26_0 (ppp))
-(typeattributeset ppp_device_26_0 (ppp_device))
-(typeattributeset ppp_exec_26_0 (ppp_exec))
-(typeattributeset preloads_data_file_26_0 (preloads_data_file))
-(typeattributeset preloads_media_file_26_0 (preloads_media_file))
-(typeattributeset preopt2cachename_26_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_26_0 (preopt2cachename_exec))
-(typeattributeset print_service_26_0 (print_service))
-(typeattributeset priv_app_26_0 (mediaprovider priv_app))
-(typeattributeset proc_26_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_26_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_26_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_26_0 (proc_drop_caches))
-(typeattributeset processinfo_service_26_0 (processinfo_service))
-(typeattributeset proc_interrupts_26_0 (proc_interrupts))
-(typeattributeset proc_iomem_26_0 (proc_iomem))
-(typeattributeset proc_meminfo_26_0 (proc_meminfo))
-(typeattributeset proc_misc_26_0 (proc_misc))
-(typeattributeset proc_modules_26_0 (proc_modules))
-(typeattributeset proc_net_26_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_26_0 (proc_perf))
-(typeattributeset proc_security_26_0 (proc_security))
-(typeattributeset proc_stat_26_0 (proc_stat))
-(typeattributeset procstats_service_26_0 (procstats_service))
-(typeattributeset proc_sysrq_26_0 (proc_sysrq))
-(typeattributeset proc_timer_26_0 (proc_timer))
-(typeattributeset proc_tty_drivers_26_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_26_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_26_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_26_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_26_0 (proc_uid_procstat_set))
-(typeattributeset proc_zoneinfo_26_0 (proc_zoneinfo))
-(typeattributeset profman_26_0 (profman))
-(typeattributeset profman_dump_data_file_26_0 (profman_dump_data_file))
-(typeattributeset profman_exec_26_0 (profman_exec))
-(typeattributeset properties_device_26_0 (properties_device))
-(typeattributeset properties_serial_26_0 (properties_serial))
-(typeattributeset property_contexts_file_26_0 (property_contexts_file))
-(typeattributeset property_data_file_26_0 (property_data_file))
-(typeattributeset property_socket_26_0 (property_socket))
-(typeattributeset pstorefs_26_0 (pstorefs))
-(typeattributeset ptmx_device_26_0 (ptmx_device))
-(typeattributeset qtaguid_device_26_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_26_0
- ( qtaguid_proc
- proc_qtaguid_ctrl))
-(typeattributeset racoon_26_0 (racoon))
-(typeattributeset racoon_exec_26_0 (racoon_exec))
-(typeattributeset racoon_socket_26_0 (racoon_socket))
-(typeattributeset radio_26_0 (radio))
-(typeattributeset radio_data_file_26_0 (radio_data_file))
-(typeattributeset radio_device_26_0 (radio_device))
-(typeattributeset radio_prop_26_0 (radio_prop))
-(typeattributeset radio_service_26_0 (radio_service))
-(typeattributeset ram_device_26_0 (ram_device))
-(typeattributeset random_device_26_0 (random_device))
-(typeattributeset reboot_data_file_26_0 (reboot_data_file))
-(typeattributeset recovery_26_0 (recovery))
-(typeattributeset recovery_block_device_26_0 (recovery_block_device))
-(typeattributeset recovery_data_file_26_0 (recovery_data_file))
-(typeattributeset recovery_persist_26_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_26_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_26_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_26_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_26_0 (recovery_service))
-(typeattributeset registry_service_26_0 (registry_service))
-(typeattributeset resourcecache_data_file_26_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_26_0 (restorecon_prop))
-(typeattributeset restrictions_service_26_0 (restrictions_service))
-(typeattributeset rild_26_0 (rild))
-(typeattributeset rild_debug_socket_26_0 (rild_debug_socket))
-(typeattributeset rild_socket_26_0 (rild_socket))
-(typeattributeset ringtone_file_26_0 (ringtone_file))
-(typeattributeset root_block_device_26_0 (root_block_device))
-(typeattributeset rootfs_26_0 (rootfs))
-(typeattributeset rpmsg_device_26_0 (rpmsg_device))
-(typeattributeset rtc_device_26_0 (rtc_device))
-(typeattributeset rttmanager_service_26_0 (rttmanager_service))
-(typeattributeset runas_26_0 (runas))
-(typeattributeset runas_exec_26_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_26_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_26_0 (safemode_prop))
-(typeattributeset same_process_hal_file_26_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_26_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_26_0 (scheduling_policy_service))
-(typeattributeset sdcardd_26_0 (sdcardd))
-(typeattributeset sdcardd_exec_26_0 (sdcardd_exec))
-(typeattributeset sdcardfs_26_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_26_0 (seapp_contexts_file))
-(typeattributeset search_service_26_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_26_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_26_0 (selinuxfs))
-(typeattributeset sensors_device_26_0 (sensors_device))
-(typeattributeset sensorservice_service_26_0 (sensorservice_service))
-(typeattributeset sepolicy_file_26_0 (sepolicy_file))
-(typeattributeset serial_device_26_0 (serial_device))
-(typeattributeset serialno_prop_26_0 (serialno_prop))
-(typeattributeset serial_service_26_0 (serial_service))
-(typeattributeset service_contexts_file_26_0 (service_contexts_file nonplat_service_contexts_file))
-(typeattributeset servicediscovery_service_26_0 (servicediscovery_service))
-(typeattributeset servicemanager_26_0 (servicemanager))
-(typeattributeset servicemanager_exec_26_0 (servicemanager_exec))
-(typeattributeset settings_service_26_0 (settings_service))
-(typeattributeset sgdisk_26_0 (sgdisk))
-(typeattributeset sgdisk_exec_26_0 (sgdisk_exec))
-(typeattributeset shared_relro_26_0 (shared_relro))
-(typeattributeset shared_relro_file_26_0 (shared_relro_file))
-(typeattributeset shell_26_0 (shell))
-(typeattributeset shell_data_file_26_0 (shell_data_file))
-(typeattributeset shell_exec_26_0 (shell_exec))
-(typeattributeset shell_prop_26_0 (shell_prop))
-(typeattributeset shm_26_0 (shm))
-(typeattributeset shortcut_manager_icons_26_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_26_0 (shortcut_service))
-(typeattributeset slideshow_26_0 (slideshow))
-(typeattributeset socket_device_26_0 (socket_device))
-(typeattributeset sockfs_26_0 (sockfs))
-(typeattributeset statusbar_service_26_0 (statusbar_service))
-(typeattributeset storaged_service_26_0 (storaged_service))
-(typeattributeset storage_file_26_0 (storage_file))
-(typeattributeset storagestats_service_26_0 (storagestats_service))
-(typeattributeset storage_stub_file_26_0 (storage_stub_file))
-(typeattributeset su_26_0 (su))
-(typeattributeset su_exec_26_0 (su_exec))
-(typeattributeset surfaceflinger_26_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_26_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_26_0 (swap_block_device))
-(typeattributeset sysfs_26_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_26_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_26_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_26_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_hwrandom_26_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_26_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_26_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_26_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_26_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_26_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_26_0 (sysfs_uio))
-(typeattributeset sysfs_usb_26_0 (sysfs_usb))
-(typeattributeset sysfs_vibrator_26_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_26_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_26_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_26_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_26_0 (sysfs_zram_uevent))
-(typeattributeset system_app_26_0 (system_app))
-(typeattributeset system_app_data_file_26_0 (system_app_data_file))
-(typeattributeset system_app_service_26_0 (system_app_service))
-(typeattributeset system_block_device_26_0 (system_block_device))
-(typeattributeset system_data_file_26_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_26_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_26_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_26_0 (system_ndebug_socket))
-(typeattributeset system_prop_26_0 (system_prop))
-(typeattributeset system_radio_prop_26_0 (system_radio_prop))
-(typeattributeset system_server_26_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_26_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_26_0 (system_wpa_socket))
-(typeattributeset task_service_26_0 (task_service))
-(typeattributeset tee_26_0 (tee))
-(typeattributeset tee_data_file_26_0 (tee_data_file))
-(typeattributeset tee_device_26_0 (tee_device))
-(typeattributeset telecom_service_26_0 (telecom_service))
-(typeattributeset textclassification_service_26_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_26_0 (textclassifier_data_file))
-(typeattributeset textservices_service_26_0 (textservices_service))
-(typeattributeset tmpfs_26_0 (tmpfs))
-(typeattributeset tombstoned_26_0 (tombstoned))
-(typeattributeset tombstone_data_file_26_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_26_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_26_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_26_0 (tombstoned_intercept_socket))
-(typeattributeset toolbox_26_0 (toolbox))
-(typeattributeset toolbox_exec_26_0 (toolbox_exec))
-(typeattributeset tracing_shell_writable_26_0 (debugfs_tracing tracing_shell_writable))
-(typeattributeset tracing_shell_writable_debug_26_0 (debugfs_tracing_debug tracing_shell_writable_debug))
-(typeattributeset trust_service_26_0 (trust_service))
-(typeattributeset tty_device_26_0 (tty_device))
-(typeattributeset tun_device_26_0 (tun_device))
-(typeattributeset tv_input_service_26_0 (tv_input_service))
-(typeattributeset tzdatacheck_26_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_26_0 (tzdatacheck_exec))
-(typeattributeset ueventd_26_0 (ueventd))
-(typeattributeset uhid_device_26_0 (uhid_device))
-(typeattributeset uimode_service_26_0 (uimode_service))
-(typeattributeset uio_device_26_0 (uio_device))
-(typeattributeset uncrypt_26_0 (uncrypt))
-(typeattributeset uncrypt_exec_26_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_26_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_26_0 (unencrypted_data_file))
-(typeattributeset unlabeled_26_0 (unlabeled))
-(typeattributeset untrusted_app_25_26_0 (untrusted_app_25))
-(typeattributeset untrusted_app_26_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_26_0 (untrusted_v2_app))
-(typeattributeset update_engine_26_0 (update_engine))
-(typeattributeset update_engine_data_file_26_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_26_0 (update_engine_exec))
-(typeattributeset update_engine_service_26_0 (update_engine_service))
-(typeattributeset updatelock_service_26_0 (updatelock_service))
-(typeattributeset update_verifier_26_0 (update_verifier))
-(typeattributeset update_verifier_exec_26_0 (update_verifier_exec))
-(typeattributeset usagestats_service_26_0 (usagestats_service))
-(typeattributeset usbaccessory_device_26_0 (usbaccessory_device))
-(typeattributeset usb_device_26_0 (usb_device))
-(typeattributeset usbfs_26_0 (usbfs))
-(typeattributeset usb_service_26_0 (usb_service))
-(typeattributeset userdata_block_device_26_0 (userdata_block_device))
-(typeattributeset usermodehelper_26_0 (sysfs_usermodehelper usermodehelper))
-(typeattributeset user_profile_data_file_26_0 (user_profile_data_file))
-(typeattributeset user_service_26_0 (user_service))
-(typeattributeset vcs_device_26_0 (vcs_device))
-(typeattributeset vdc_26_0 (vdc))
-(typeattributeset vdc_exec_26_0 (vdc_exec))
-(typeattributeset vendor_app_file_26_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_26_0 (vendor_configs_file))
-(typeattributeset vendor_file_26_0 (vendor_file))
-(typeattributeset vendor_framework_file_26_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_26_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_26_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_26_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_26_0 (vendor_toolbox_exec))
-(typeattributeset vfat_26_0 (vfat))
-(typeattributeset vibrator_service_26_0 (vibrator_service))
-(typeattributeset video_device_26_0 (video_device))
-(typeattributeset virtual_touchpad_26_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_26_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_26_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_26_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_26_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_26_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_26_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_26_0 (voiceinteraction_service))
-(typeattributeset vold_26_0 (vold))
-(typeattributeset vold_data_file_26_0 (vold_data_file))
-(typeattributeset vold_device_26_0 (vold_device))
-(typeattributeset vold_exec_26_0 (vold_exec))
-(typeattributeset vold_prop_26_0 (vold_prop))
-(typeattributeset vold_socket_26_0 (vold_socket))
-(typeattributeset vpn_data_file_26_0 (vpn_data_file))
-(typeattributeset vr_hwc_26_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_26_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_26_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_26_0 (vr_manager_service))
-(typeattributeset wallpaper_file_26_0 (wallpaper_file))
-(typeattributeset wallpaper_service_26_0 (wallpaper_service))
-(typeattributeset watchdogd_26_0 (watchdogd))
-(typeattributeset watchdog_device_26_0 (watchdog_device))
-(typeattributeset webviewupdate_service_26_0 (webviewupdate_service))
-(typeattributeset webview_zygote_26_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_26_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_26_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_26_0 (wifiaware_service))
-(typeattributeset wificond_26_0 (wificond))
-(typeattributeset wificond_exec_26_0 (wificond_exec))
-(typeattributeset wificond_service_26_0 (wificond_service))
-(typeattributeset wifi_data_file_26_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_26_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_26_0 (wifip2p_service))
-(typeattributeset wifi_prop_26_0 (wifi_prop))
-(typeattributeset wifiscanner_service_26_0 (wifiscanner_service))
-(typeattributeset wifi_service_26_0 (wifi_service))
-(typeattributeset window_service_26_0 (window_service))
-(typeattributeset wpa_socket_26_0 (wpa_socket))
-(typeattributeset zero_device_26_0 (zero_device))
-(typeattributeset zoneinfo_data_file_26_0 (zoneinfo_data_file))
-(typeattributeset zygote_26_0 (zygote))
-(typeattributeset zygote_exec_26_0 (zygote_exec))
-(typeattributeset zygote_socket_26_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.compat.cil b/prebuilts/api/31.0/private/compat/26.0/26.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/31.0/private/compat/26.0/26.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil b/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil
deleted file mode 100644
index 98d5840..0000000
--- a/prebuilts/api/31.0/private/compat/26.0/26.0.ignore.cil
+++ /dev/null
@@ -1,238 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- adbd_exec
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- audio_config_prop
- atrace
- binder_calls_stats_service
- biometric_service
- boot_status_prop
- bootloader_boot_reason_prop
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- broadcastradio_service
- cgroup_bpf
- charger_exec
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- e2fs
- e2fs_exec
- exfat
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_radio_prop
- exported3_system_prop
- fastbootd
- fingerprint_vendor_data_file
- flags_health_check
- flags_health_check_exec
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_broadcastradio_hwservice
- hal_cas_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_lowpan_hwservice
- hal_neuralnetworks_hwservice
- hal_secure_element_hwservice
- hal_tetheroffload_hwservice
- hal_wifi_hostapd_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_offload_hwservice
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- kmsg_debug_device
- last_boot_reason_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- mediaextractor_update_service
- mediaprovider_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- netd_stable_secret_prop
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- overlayfs_file
- package_native_service
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- recovery_socket
- role_service
- runas_app
- art_apex_dir
- runtime_service
- secure_element
- secure_element_device
- secure_element_tmpfs
- secure_element_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- staging_data_file
- stats
- stats_data_file
- stats_exec
- stats_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- statscompanion_service
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- sysfs_fs_ext4_features
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_net_netd_hwservice
- system_update_service
- systemsound_config_prop
- test_boot_reason_prop
- thermal_service
- thermalcallback_hwservice
- thermalserviced
- thermalserviced_exec
- thermalserviced_tmpfs
- time_prop
- timedetector_service
- timezone_service
- tombstoned_java_trace_socket
- tombstone_wifi_data_file
- trace_data_file
- traceur_app
- traceur_app_tmpfs
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- vendor_default_prop
- vendor_security_patch_level_prop
- uri_grants_service
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_init
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- wm_trace_data_file))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- adbd_tmpfs
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.cil
deleted file mode 100644
index 0d883c0..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.cil
+++ /dev/null
@@ -1,1507 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type commontime_management_service)
-(type hal_wifi_offload_hwservice)
-(type mediacodec)
-(type mediacodec_exec)
-(type netd_socket)
-(type qtaguid_proc)
-(type reboot_data_file)
-(type rild)
-(type untrusted_v2_app)
-(type webview_zygote_socket)
-(type vold_socket)
-
-(expandtypeattribute (accessibility_service_27_0) true)
-(expandtypeattribute (account_service_27_0) true)
-(expandtypeattribute (activity_service_27_0) true)
-(expandtypeattribute (adbd_27_0) true)
-(expandtypeattribute (adb_data_file_27_0) true)
-(expandtypeattribute (adbd_exec_27_0) true)
-(expandtypeattribute (adbd_socket_27_0) true)
-(expandtypeattribute (adb_keys_file_27_0) true)
-(expandtypeattribute (alarm_device_27_0) true)
-(expandtypeattribute (alarm_service_27_0) true)
-(expandtypeattribute (anr_data_file_27_0) true)
-(expandtypeattribute (apk_data_file_27_0) true)
-(expandtypeattribute (apk_private_data_file_27_0) true)
-(expandtypeattribute (apk_private_tmp_file_27_0) true)
-(expandtypeattribute (apk_tmp_file_27_0) true)
-(expandtypeattribute (app_data_file_27_0) true)
-(expandtypeattribute (app_fuse_file_27_0) true)
-(expandtypeattribute (app_fusefs_27_0) true)
-(expandtypeattribute (appops_service_27_0) true)
-(expandtypeattribute (appwidget_service_27_0) true)
-(expandtypeattribute (asec_apk_file_27_0) true)
-(expandtypeattribute (asec_image_file_27_0) true)
-(expandtypeattribute (asec_public_file_27_0) true)
-(expandtypeattribute (ashmem_device_27_0) true)
-(expandtypeattribute (assetatlas_service_27_0) true)
-(expandtypeattribute (audio_data_file_27_0) true)
-(expandtypeattribute (audio_device_27_0) true)
-(expandtypeattribute (audiohal_data_file_27_0) true)
-(expandtypeattribute (audio_prop_27_0) true)
-(expandtypeattribute (audio_seq_device_27_0) true)
-(expandtypeattribute (audioserver_27_0) true)
-(expandtypeattribute (audioserver_data_file_27_0) true)
-(expandtypeattribute (audioserver_service_27_0) true)
-(expandtypeattribute (audio_service_27_0) true)
-(expandtypeattribute (audio_timer_device_27_0) true)
-(expandtypeattribute (autofill_service_27_0) true)
-(expandtypeattribute (backup_data_file_27_0) true)
-(expandtypeattribute (backup_service_27_0) true)
-(expandtypeattribute (batteryproperties_service_27_0) true)
-(expandtypeattribute (battery_service_27_0) true)
-(expandtypeattribute (batterystats_service_27_0) true)
-(expandtypeattribute (binder_device_27_0) true)
-(expandtypeattribute (binfmt_miscfs_27_0) true)
-(expandtypeattribute (blkid_27_0) true)
-(expandtypeattribute (blkid_untrusted_27_0) true)
-(expandtypeattribute (block_device_27_0) true)
-(expandtypeattribute (bluetooth_27_0) true)
-(expandtypeattribute (bluetooth_data_file_27_0) true)
-(expandtypeattribute (bluetooth_efs_file_27_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_27_0) true)
-(expandtypeattribute (bluetooth_manager_service_27_0) true)
-(expandtypeattribute (bluetooth_prop_27_0) true)
-(expandtypeattribute (bluetooth_service_27_0) true)
-(expandtypeattribute (bluetooth_socket_27_0) true)
-(expandtypeattribute (bootanim_27_0) true)
-(expandtypeattribute (bootanim_exec_27_0) true)
-(expandtypeattribute (boot_block_device_27_0) true)
-(expandtypeattribute (bootchart_data_file_27_0) true)
-(expandtypeattribute (bootstat_27_0) true)
-(expandtypeattribute (bootstat_data_file_27_0) true)
-(expandtypeattribute (bootstat_exec_27_0) true)
-(expandtypeattribute (boottime_prop_27_0) true)
-(expandtypeattribute (boottrace_data_file_27_0) true)
-(expandtypeattribute (broadcastradio_service_27_0) true)
-(expandtypeattribute (bufferhubd_27_0) true)
-(expandtypeattribute (bufferhubd_exec_27_0) true)
-(expandtypeattribute (cache_backup_file_27_0) true)
-(expandtypeattribute (cache_block_device_27_0) true)
-(expandtypeattribute (cache_file_27_0) true)
-(expandtypeattribute (cache_private_backup_file_27_0) true)
-(expandtypeattribute (cache_recovery_file_27_0) true)
-(expandtypeattribute (camera_data_file_27_0) true)
-(expandtypeattribute (camera_device_27_0) true)
-(expandtypeattribute (cameraproxy_service_27_0) true)
-(expandtypeattribute (cameraserver_27_0) true)
-(expandtypeattribute (cameraserver_exec_27_0) true)
-(expandtypeattribute (cameraserver_service_27_0) true)
-(expandtypeattribute (cgroup_27_0) true)
-(expandtypeattribute (charger_27_0) true)
-(expandtypeattribute (clatd_27_0) true)
-(expandtypeattribute (clatd_exec_27_0) true)
-(expandtypeattribute (clipboard_service_27_0) true)
-(expandtypeattribute (commontime_management_service_27_0) true)
-(expandtypeattribute (companion_device_service_27_0) true)
-(expandtypeattribute (configfs_27_0) true)
-(expandtypeattribute (config_prop_27_0) true)
-(expandtypeattribute (connectivity_service_27_0) true)
-(expandtypeattribute (connmetrics_service_27_0) true)
-(expandtypeattribute (console_device_27_0) true)
-(expandtypeattribute (consumer_ir_service_27_0) true)
-(expandtypeattribute (content_service_27_0) true)
-(expandtypeattribute (contexthub_service_27_0) true)
-(expandtypeattribute (coredump_file_27_0) true)
-(expandtypeattribute (country_detector_service_27_0) true)
-(expandtypeattribute (coverage_service_27_0) true)
-(expandtypeattribute (cppreopt_prop_27_0) true)
-(expandtypeattribute (cppreopts_27_0) true)
-(expandtypeattribute (cppreopts_exec_27_0) true)
-(expandtypeattribute (cpuctl_device_27_0) true)
-(expandtypeattribute (cpuinfo_service_27_0) true)
-(expandtypeattribute (crash_dump_27_0) true)
-(expandtypeattribute (crash_dump_exec_27_0) true)
-(expandtypeattribute (ctl_bootanim_prop_27_0) true)
-(expandtypeattribute (ctl_bugreport_prop_27_0) true)
-(expandtypeattribute (ctl_console_prop_27_0) true)
-(expandtypeattribute (ctl_default_prop_27_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_27_0) true)
-(expandtypeattribute (ctl_fuse_prop_27_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_27_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_27_0) true)
-(expandtypeattribute (dalvikcache_data_file_27_0) true)
-(expandtypeattribute (dalvik_prop_27_0) true)
-(expandtypeattribute (dbinfo_service_27_0) true)
-(expandtypeattribute (debugfs_27_0) true)
-(expandtypeattribute (debugfs_mmc_27_0) true)
-(expandtypeattribute (debugfs_trace_marker_27_0) true)
-(expandtypeattribute (debugfs_tracing_27_0) true)
-(expandtypeattribute (debugfs_tracing_debug_27_0) true)
-(expandtypeattribute (debugfs_tracing_instances_27_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_27_0) true)
-(expandtypeattribute (debuggerd_prop_27_0) true)
-(expandtypeattribute (debug_prop_27_0) true)
-(expandtypeattribute (default_android_hwservice_27_0) true)
-(expandtypeattribute (default_android_service_27_0) true)
-(expandtypeattribute (default_android_vndservice_27_0) true)
-(expandtypeattribute (default_prop_27_0) true)
-(expandtypeattribute (device_27_0) true)
-(expandtypeattribute (device_identifiers_service_27_0) true)
-(expandtypeattribute (deviceidle_service_27_0) true)
-(expandtypeattribute (device_logging_prop_27_0) true)
-(expandtypeattribute (device_policy_service_27_0) true)
-(expandtypeattribute (devicestoragemonitor_service_27_0) true)
-(expandtypeattribute (devpts_27_0) true)
-(expandtypeattribute (dex2oat_27_0) true)
-(expandtypeattribute (dex2oat_exec_27_0) true)
-(expandtypeattribute (dhcp_27_0) true)
-(expandtypeattribute (dhcp_data_file_27_0) true)
-(expandtypeattribute (dhcp_exec_27_0) true)
-(expandtypeattribute (dhcp_prop_27_0) true)
-(expandtypeattribute (diskstats_service_27_0) true)
-(expandtypeattribute (display_service_27_0) true)
-(expandtypeattribute (dm_device_27_0) true)
-(expandtypeattribute (dnsmasq_27_0) true)
-(expandtypeattribute (dnsmasq_exec_27_0) true)
-(expandtypeattribute (dnsproxyd_socket_27_0) true)
-(expandtypeattribute (DockObserver_service_27_0) true)
-(expandtypeattribute (dreams_service_27_0) true)
-(expandtypeattribute (drm_data_file_27_0) true)
-(expandtypeattribute (drmserver_27_0) true)
-(expandtypeattribute (drmserver_exec_27_0) true)
-(expandtypeattribute (drmserver_service_27_0) true)
-(expandtypeattribute (drmserver_socket_27_0) true)
-(expandtypeattribute (dropbox_service_27_0) true)
-(expandtypeattribute (dumpstate_27_0) true)
-(expandtypeattribute (dumpstate_exec_27_0) true)
-(expandtypeattribute (dumpstate_options_prop_27_0) true)
-(expandtypeattribute (dumpstate_prop_27_0) true)
-(expandtypeattribute (dumpstate_service_27_0) true)
-(expandtypeattribute (dumpstate_socket_27_0) true)
-(expandtypeattribute (e2fs_27_0) true)
-(expandtypeattribute (e2fs_exec_27_0) true)
-(expandtypeattribute (efs_file_27_0) true)
-(expandtypeattribute (ephemeral_app_27_0) true)
-(expandtypeattribute (ethernet_service_27_0) true)
-(expandtypeattribute (ffs_prop_27_0) true)
-(expandtypeattribute (file_contexts_file_27_0) true)
-(expandtypeattribute (fingerprintd_27_0) true)
-(expandtypeattribute (fingerprintd_data_file_27_0) true)
-(expandtypeattribute (fingerprintd_exec_27_0) true)
-(expandtypeattribute (fingerprintd_service_27_0) true)
-(expandtypeattribute (fingerprint_prop_27_0) true)
-(expandtypeattribute (fingerprint_service_27_0) true)
-(expandtypeattribute (firstboot_prop_27_0) true)
-(expandtypeattribute (font_service_27_0) true)
-(expandtypeattribute (frp_block_device_27_0) true)
-(expandtypeattribute (fsck_27_0) true)
-(expandtypeattribute (fsck_exec_27_0) true)
-(expandtypeattribute (fscklogs_27_0) true)
-(expandtypeattribute (fsck_untrusted_27_0) true)
-(expandtypeattribute (full_device_27_0) true)
-(expandtypeattribute (functionfs_27_0) true)
-(expandtypeattribute (fuse_27_0) true)
-(expandtypeattribute (fuse_device_27_0) true)
-(expandtypeattribute (fwk_display_hwservice_27_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_27_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_27_0) true)
-(expandtypeattribute (fwmarkd_socket_27_0) true)
-(expandtypeattribute (gatekeeperd_27_0) true)
-(expandtypeattribute (gatekeeper_data_file_27_0) true)
-(expandtypeattribute (gatekeeperd_exec_27_0) true)
-(expandtypeattribute (gatekeeper_service_27_0) true)
-(expandtypeattribute (gfxinfo_service_27_0) true)
-(expandtypeattribute (gps_control_27_0) true)
-(expandtypeattribute (gpu_device_27_0) true)
-(expandtypeattribute (gpu_service_27_0) true)
-(expandtypeattribute (graphics_device_27_0) true)
-(expandtypeattribute (graphicsstats_service_27_0) true)
-(expandtypeattribute (hal_audio_hwservice_27_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_27_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_27_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_27_0) true)
-(expandtypeattribute (hal_camera_hwservice_27_0) true)
-(expandtypeattribute (hal_cas_hwservice_27_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_27_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_27_0) true)
-(expandtypeattribute (hal_drm_hwservice_27_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_27_0) true)
-(expandtypeattribute (hal_fingerprint_service_27_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_27_0) true)
-(expandtypeattribute (hal_gnss_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_27_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_27_0) true)
-(expandtypeattribute (hal_health_hwservice_27_0) true)
-(expandtypeattribute (hal_ir_hwservice_27_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_27_0) true)
-(expandtypeattribute (hal_light_hwservice_27_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_27_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_27_0) true)
-(expandtypeattribute (hal_nfc_hwservice_27_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_27_0) true)
-(expandtypeattribute (hal_omx_hwservice_27_0) true)
-(expandtypeattribute (hal_power_hwservice_27_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_27_0) true)
-(expandtypeattribute (hal_sensors_hwservice_27_0) true)
-(expandtypeattribute (hal_telephony_hwservice_27_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_27_0) true)
-(expandtypeattribute (hal_thermal_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_27_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_27_0) true)
-(expandtypeattribute (hal_usb_hwservice_27_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_27_0) true)
-(expandtypeattribute (hal_vr_hwservice_27_0) true)
-(expandtypeattribute (hal_weaver_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_27_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_27_0) true)
-(expandtypeattribute (hardware_properties_service_27_0) true)
-(expandtypeattribute (hardware_service_27_0) true)
-(expandtypeattribute (hci_attach_dev_27_0) true)
-(expandtypeattribute (hdmi_control_service_27_0) true)
-(expandtypeattribute (healthd_27_0) true)
-(expandtypeattribute (healthd_exec_27_0) true)
-(expandtypeattribute (heapdump_data_file_27_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_27_0) true)
-(expandtypeattribute (hidl_base_hwservice_27_0) true)
-(expandtypeattribute (hidl_manager_hwservice_27_0) true)
-(expandtypeattribute (hidl_memory_hwservice_27_0) true)
-(expandtypeattribute (hidl_token_hwservice_27_0) true)
-(expandtypeattribute (hwbinder_device_27_0) true)
-(expandtypeattribute (hw_random_device_27_0) true)
-(expandtypeattribute (hwservice_contexts_file_27_0) true)
-(expandtypeattribute (hwservicemanager_27_0) true)
-(expandtypeattribute (hwservicemanager_exec_27_0) true)
-(expandtypeattribute (hwservicemanager_prop_27_0) true)
-(expandtypeattribute (i2c_device_27_0) true)
-(expandtypeattribute (icon_file_27_0) true)
-(expandtypeattribute (idmap_27_0) true)
-(expandtypeattribute (idmap_exec_27_0) true)
-(expandtypeattribute (iio_device_27_0) true)
-(expandtypeattribute (imms_service_27_0) true)
-(expandtypeattribute (incident_27_0) true)
-(expandtypeattribute (incidentd_27_0) true)
-(expandtypeattribute (incident_data_file_27_0) true)
-(expandtypeattribute (incident_service_27_0) true)
-(expandtypeattribute (init_27_0) true)
-(expandtypeattribute (init_exec_27_0) true)
-(expandtypeattribute (inotify_27_0) true)
-(expandtypeattribute (input_device_27_0) true)
-(expandtypeattribute (inputflinger_27_0) true)
-(expandtypeattribute (inputflinger_exec_27_0) true)
-(expandtypeattribute (inputflinger_service_27_0) true)
-(expandtypeattribute (input_method_service_27_0) true)
-(expandtypeattribute (input_service_27_0) true)
-(expandtypeattribute (installd_27_0) true)
-(expandtypeattribute (install_data_file_27_0) true)
-(expandtypeattribute (installd_exec_27_0) true)
-(expandtypeattribute (installd_service_27_0) true)
-(expandtypeattribute (install_recovery_27_0) true)
-(expandtypeattribute (install_recovery_exec_27_0) true)
-(expandtypeattribute (ion_device_27_0) true)
-(expandtypeattribute (IProxyService_service_27_0) true)
-(expandtypeattribute (ipsec_service_27_0) true)
-(expandtypeattribute (isolated_app_27_0) true)
-(expandtypeattribute (jobscheduler_service_27_0) true)
-(expandtypeattribute (kernel_27_0) true)
-(expandtypeattribute (keychain_data_file_27_0) true)
-(expandtypeattribute (keychord_device_27_0) true)
-(expandtypeattribute (keystore_27_0) true)
-(expandtypeattribute (keystore_data_file_27_0) true)
-(expandtypeattribute (keystore_exec_27_0) true)
-(expandtypeattribute (keystore_service_27_0) true)
-(expandtypeattribute (kmem_device_27_0) true)
-(expandtypeattribute (kmsg_debug_device_27_0) true)
-(expandtypeattribute (kmsg_device_27_0) true)
-(expandtypeattribute (labeledfs_27_0) true)
-(expandtypeattribute (launcherapps_service_27_0) true)
-(expandtypeattribute (lmkd_27_0) true)
-(expandtypeattribute (lmkd_exec_27_0) true)
-(expandtypeattribute (lmkd_socket_27_0) true)
-(expandtypeattribute (location_service_27_0) true)
-(expandtypeattribute (lock_settings_service_27_0) true)
-(expandtypeattribute (logcat_exec_27_0) true)
-(expandtypeattribute (logd_27_0) true)
-(expandtypeattribute (logd_exec_27_0) true)
-(expandtypeattribute (logd_prop_27_0) true)
-(expandtypeattribute (logdr_socket_27_0) true)
-(expandtypeattribute (logd_socket_27_0) true)
-(expandtypeattribute (logdw_socket_27_0) true)
-(expandtypeattribute (logpersist_27_0) true)
-(expandtypeattribute (logpersistd_logging_prop_27_0) true)
-(expandtypeattribute (log_prop_27_0) true)
-(expandtypeattribute (log_tag_prop_27_0) true)
-(expandtypeattribute (loop_control_device_27_0) true)
-(expandtypeattribute (loop_device_27_0) true)
-(expandtypeattribute (mac_perms_file_27_0) true)
-(expandtypeattribute (mdnsd_27_0) true)
-(expandtypeattribute (mdnsd_socket_27_0) true)
-(expandtypeattribute (mdns_socket_27_0) true)
-(expandtypeattribute (mediacodec_27_0) true)
-(expandtypeattribute (mediacodec_exec_27_0) true)
-(expandtypeattribute (mediacodec_service_27_0) true)
-(expandtypeattribute (media_data_file_27_0) true)
-(expandtypeattribute (mediadrmserver_27_0) true)
-(expandtypeattribute (mediadrmserver_exec_27_0) true)
-(expandtypeattribute (mediadrmserver_service_27_0) true)
-(expandtypeattribute (mediaextractor_27_0) true)
-(expandtypeattribute (mediaextractor_exec_27_0) true)
-(expandtypeattribute (mediaextractor_service_27_0) true)
-(expandtypeattribute (mediametrics_27_0) true)
-(expandtypeattribute (mediametrics_exec_27_0) true)
-(expandtypeattribute (mediametrics_service_27_0) true)
-(expandtypeattribute (media_projection_service_27_0) true)
-(expandtypeattribute (mediaprovider_27_0) true)
-(expandtypeattribute (media_router_service_27_0) true)
-(expandtypeattribute (media_rw_data_file_27_0) true)
-(expandtypeattribute (mediaserver_27_0) true)
-(expandtypeattribute (mediaserver_exec_27_0) true)
-(expandtypeattribute (mediaserver_service_27_0) true)
-(expandtypeattribute (media_session_service_27_0) true)
-(expandtypeattribute (meminfo_service_27_0) true)
-(expandtypeattribute (metadata_block_device_27_0) true)
-(expandtypeattribute (method_trace_data_file_27_0) true)
-(expandtypeattribute (midi_service_27_0) true)
-(expandtypeattribute (misc_block_device_27_0) true)
-(expandtypeattribute (misc_logd_file_27_0) true)
-(expandtypeattribute (misc_user_data_file_27_0) true)
-(expandtypeattribute (mmc_prop_27_0) true)
-(expandtypeattribute (mnt_expand_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_file_27_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_27_0) true)
-(expandtypeattribute (mnt_user_file_27_0) true)
-(expandtypeattribute (modprobe_27_0) true)
-(expandtypeattribute (mount_service_27_0) true)
-(expandtypeattribute (mqueue_27_0) true)
-(expandtypeattribute (mtd_device_27_0) true)
-(expandtypeattribute (mtp_27_0) true)
-(expandtypeattribute (mtp_device_27_0) true)
-(expandtypeattribute (mtpd_socket_27_0) true)
-(expandtypeattribute (mtp_exec_27_0) true)
-(expandtypeattribute (nativetest_data_file_27_0) true)
-(expandtypeattribute (netd_27_0) true)
-(expandtypeattribute (net_data_file_27_0) true)
-(expandtypeattribute (netd_exec_27_0) true)
-(expandtypeattribute (netd_listener_service_27_0) true)
-(expandtypeattribute (net_dns_prop_27_0) true)
-(expandtypeattribute (netd_service_27_0) true)
-(expandtypeattribute (netd_socket_27_0) true)
-(expandtypeattribute (netd_stable_secret_prop_27_0) true)
-(expandtypeattribute (netif_27_0) true)
-(expandtypeattribute (netpolicy_service_27_0) true)
-(expandtypeattribute (net_radio_prop_27_0) true)
-(expandtypeattribute (netstats_service_27_0) true)
-(expandtypeattribute (netutils_wrapper_27_0) true)
-(expandtypeattribute (netutils_wrapper_exec_27_0) true)
-(expandtypeattribute (network_management_service_27_0) true)
-(expandtypeattribute (network_score_service_27_0) true)
-(expandtypeattribute (network_time_update_service_27_0) true)
-(expandtypeattribute (nfc_27_0) true)
-(expandtypeattribute (nfc_data_file_27_0) true)
-(expandtypeattribute (nfc_device_27_0) true)
-(expandtypeattribute (nfc_prop_27_0) true)
-(expandtypeattribute (nfc_service_27_0) true)
-(expandtypeattribute (node_27_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_27_0) true)
-(expandtypeattribute (notification_service_27_0) true)
-(expandtypeattribute (null_device_27_0) true)
-(expandtypeattribute (oemfs_27_0) true)
-(expandtypeattribute (oem_lock_service_27_0) true)
-(expandtypeattribute (ota_data_file_27_0) true)
-(expandtypeattribute (otadexopt_service_27_0) true)
-(expandtypeattribute (ota_package_file_27_0) true)
-(expandtypeattribute (otapreopt_chroot_27_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_27_0) true)
-(expandtypeattribute (otapreopt_slot_27_0) true)
-(expandtypeattribute (otapreopt_slot_exec_27_0) true)
-(expandtypeattribute (overlay_prop_27_0) true)
-(expandtypeattribute (overlay_service_27_0) true)
-(expandtypeattribute (owntty_device_27_0) true)
-(expandtypeattribute (package_native_service_27_0) true)
-(expandtypeattribute (package_service_27_0) true)
-(expandtypeattribute (pan_result_prop_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_27_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_dir_27_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_27_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_27_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_27_0) true)
-(expandtypeattribute (pdx_performance_dir_27_0) true)
-(expandtypeattribute (performanced_27_0) true)
-(expandtypeattribute (performanced_exec_27_0) true)
-(expandtypeattribute (permission_service_27_0) true)
-(expandtypeattribute (persist_debug_prop_27_0) true)
-(expandtypeattribute (persistent_data_block_service_27_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_27_0) true)
-(expandtypeattribute (pinner_service_27_0) true)
-(expandtypeattribute (pipefs_27_0) true)
-(expandtypeattribute (platform_app_27_0) true)
-(expandtypeattribute (pmsg_device_27_0) true)
-(expandtypeattribute (port_27_0) true)
-(expandtypeattribute (port_device_27_0) true)
-(expandtypeattribute (postinstall_27_0) true)
-(expandtypeattribute (postinstall_dexopt_27_0) true)
-(expandtypeattribute (postinstall_file_27_0) true)
-(expandtypeattribute (postinstall_mnt_dir_27_0) true)
-(expandtypeattribute (powerctl_prop_27_0) true)
-(expandtypeattribute (power_service_27_0) true)
-(expandtypeattribute (ppp_27_0) true)
-(expandtypeattribute (ppp_device_27_0) true)
-(expandtypeattribute (ppp_exec_27_0) true)
-(expandtypeattribute (preloads_data_file_27_0) true)
-(expandtypeattribute (preloads_media_file_27_0) true)
-(expandtypeattribute (preopt2cachename_27_0) true)
-(expandtypeattribute (preopt2cachename_exec_27_0) true)
-(expandtypeattribute (print_service_27_0) true)
-(expandtypeattribute (priv_app_27_0) true)
-(expandtypeattribute (proc_27_0) true)
-(expandtypeattribute (proc_bluetooth_writable_27_0) true)
-(expandtypeattribute (proc_cpuinfo_27_0) true)
-(expandtypeattribute (proc_drop_caches_27_0) true)
-(expandtypeattribute (processinfo_service_27_0) true)
-(expandtypeattribute (proc_interrupts_27_0) true)
-(expandtypeattribute (proc_iomem_27_0) true)
-(expandtypeattribute (proc_meminfo_27_0) true)
-(expandtypeattribute (proc_misc_27_0) true)
-(expandtypeattribute (proc_modules_27_0) true)
-(expandtypeattribute (proc_net_27_0) true)
-(expandtypeattribute (proc_overcommit_memory_27_0) true)
-(expandtypeattribute (proc_perf_27_0) true)
-(expandtypeattribute (proc_security_27_0) true)
-(expandtypeattribute (proc_stat_27_0) true)
-(expandtypeattribute (procstats_service_27_0) true)
-(expandtypeattribute (proc_sysrq_27_0) true)
-(expandtypeattribute (proc_timer_27_0) true)
-(expandtypeattribute (proc_tty_drivers_27_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_27_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_27_0) true)
-(expandtypeattribute (proc_uid_io_stats_27_0) true)
-(expandtypeattribute (proc_uid_procstat_set_27_0) true)
-(expandtypeattribute (proc_uid_time_in_state_27_0) true)
-(expandtypeattribute (proc_zoneinfo_27_0) true)
-(expandtypeattribute (profman_27_0) true)
-(expandtypeattribute (profman_dump_data_file_27_0) true)
-(expandtypeattribute (profman_exec_27_0) true)
-(expandtypeattribute (properties_device_27_0) true)
-(expandtypeattribute (properties_serial_27_0) true)
-(expandtypeattribute (property_contexts_file_27_0) true)
-(expandtypeattribute (property_data_file_27_0) true)
-(expandtypeattribute (property_socket_27_0) true)
-(expandtypeattribute (pstorefs_27_0) true)
-(expandtypeattribute (ptmx_device_27_0) true)
-(expandtypeattribute (qtaguid_device_27_0) true)
-(expandtypeattribute (qtaguid_proc_27_0) true)
-(expandtypeattribute (racoon_27_0) true)
-(expandtypeattribute (racoon_exec_27_0) true)
-(expandtypeattribute (racoon_socket_27_0) true)
-(expandtypeattribute (radio_27_0) true)
-(expandtypeattribute (radio_data_file_27_0) true)
-(expandtypeattribute (radio_device_27_0) true)
-(expandtypeattribute (radio_prop_27_0) true)
-(expandtypeattribute (radio_service_27_0) true)
-(expandtypeattribute (ram_device_27_0) true)
-(expandtypeattribute (random_device_27_0) true)
-(expandtypeattribute (reboot_data_file_27_0) true)
-(expandtypeattribute (recovery_27_0) true)
-(expandtypeattribute (recovery_block_device_27_0) true)
-(expandtypeattribute (recovery_data_file_27_0) true)
-(expandtypeattribute (recovery_persist_27_0) true)
-(expandtypeattribute (recovery_persist_exec_27_0) true)
-(expandtypeattribute (recovery_refresh_27_0) true)
-(expandtypeattribute (recovery_refresh_exec_27_0) true)
-(expandtypeattribute (recovery_service_27_0) true)
-(expandtypeattribute (registry_service_27_0) true)
-(expandtypeattribute (resourcecache_data_file_27_0) true)
-(expandtypeattribute (restorecon_prop_27_0) true)
-(expandtypeattribute (restrictions_service_27_0) true)
-(expandtypeattribute (rild_27_0) true)
-(expandtypeattribute (rild_debug_socket_27_0) true)
-(expandtypeattribute (rild_socket_27_0) true)
-(expandtypeattribute (ringtone_file_27_0) true)
-(expandtypeattribute (root_block_device_27_0) true)
-(expandtypeattribute (rootfs_27_0) true)
-(expandtypeattribute (rpmsg_device_27_0) true)
-(expandtypeattribute (rtc_device_27_0) true)
-(expandtypeattribute (rttmanager_service_27_0) true)
-(expandtypeattribute (runas_27_0) true)
-(expandtypeattribute (runas_exec_27_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_27_0) true)
-(expandtypeattribute (safemode_prop_27_0) true)
-(expandtypeattribute (same_process_hal_file_27_0) true)
-(expandtypeattribute (samplingprofiler_service_27_0) true)
-(expandtypeattribute (scheduling_policy_service_27_0) true)
-(expandtypeattribute (sdcardd_27_0) true)
-(expandtypeattribute (sdcardd_exec_27_0) true)
-(expandtypeattribute (sdcardfs_27_0) true)
-(expandtypeattribute (seapp_contexts_file_27_0) true)
-(expandtypeattribute (search_service_27_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_27_0) true)
-(expandtypeattribute (selinuxfs_27_0) true)
-(expandtypeattribute (sensors_device_27_0) true)
-(expandtypeattribute (sensorservice_service_27_0) true)
-(expandtypeattribute (sepolicy_file_27_0) true)
-(expandtypeattribute (serial_device_27_0) true)
-(expandtypeattribute (serialno_prop_27_0) true)
-(expandtypeattribute (serial_service_27_0) true)
-(expandtypeattribute (service_contexts_file_27_0) true)
-(expandtypeattribute (servicediscovery_service_27_0) true)
-(expandtypeattribute (servicemanager_27_0) true)
-(expandtypeattribute (servicemanager_exec_27_0) true)
-(expandtypeattribute (settings_service_27_0) true)
-(expandtypeattribute (sgdisk_27_0) true)
-(expandtypeattribute (sgdisk_exec_27_0) true)
-(expandtypeattribute (shared_relro_27_0) true)
-(expandtypeattribute (shared_relro_file_27_0) true)
-(expandtypeattribute (shell_27_0) true)
-(expandtypeattribute (shell_data_file_27_0) true)
-(expandtypeattribute (shell_exec_27_0) true)
-(expandtypeattribute (shell_prop_27_0) true)
-(expandtypeattribute (shm_27_0) true)
-(expandtypeattribute (shortcut_manager_icons_27_0) true)
-(expandtypeattribute (shortcut_service_27_0) true)
-(expandtypeattribute (slideshow_27_0) true)
-(expandtypeattribute (socket_device_27_0) true)
-(expandtypeattribute (sockfs_27_0) true)
-(expandtypeattribute (statusbar_service_27_0) true)
-(expandtypeattribute (storaged_service_27_0) true)
-(expandtypeattribute (storage_file_27_0) true)
-(expandtypeattribute (storagestats_service_27_0) true)
-(expandtypeattribute (storage_stub_file_27_0) true)
-(expandtypeattribute (su_27_0) true)
-(expandtypeattribute (su_exec_27_0) true)
-(expandtypeattribute (surfaceflinger_27_0) true)
-(expandtypeattribute (surfaceflinger_service_27_0) true)
-(expandtypeattribute (swap_block_device_27_0) true)
-(expandtypeattribute (sysfs_27_0) true)
-(expandtypeattribute (sysfs_batteryinfo_27_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_27_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_27_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_27_0) true)
-(expandtypeattribute (sysfs_hwrandom_27_0) true)
-(expandtypeattribute (sysfs_leds_27_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_27_0) true)
-(expandtypeattribute (sysfs_mac_address_27_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_27_0) true)
-(expandtypeattribute (sysfs_thermal_27_0) true)
-(expandtypeattribute (sysfs_uio_27_0) true)
-(expandtypeattribute (sysfs_usb_27_0) true)
-(expandtypeattribute (sysfs_usermodehelper_27_0) true)
-(expandtypeattribute (sysfs_vibrator_27_0) true)
-(expandtypeattribute (sysfs_wake_lock_27_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_27_0) true)
-(expandtypeattribute (sysfs_zram_27_0) true)
-(expandtypeattribute (sysfs_zram_uevent_27_0) true)
-(expandtypeattribute (system_app_27_0) true)
-(expandtypeattribute (system_app_data_file_27_0) true)
-(expandtypeattribute (system_app_service_27_0) true)
-(expandtypeattribute (system_block_device_27_0) true)
-(expandtypeattribute (system_data_file_27_0) true)
-(expandtypeattribute (system_file_27_0) true)
-(expandtypeattribute (systemkeys_data_file_27_0) true)
-(expandtypeattribute (system_ndebug_socket_27_0) true)
-(expandtypeattribute (system_net_netd_hwservice_27_0) true)
-(expandtypeattribute (system_prop_27_0) true)
-(expandtypeattribute (system_radio_prop_27_0) true)
-(expandtypeattribute (system_server_27_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_27_0) true)
-(expandtypeattribute (system_wpa_socket_27_0) true)
-(expandtypeattribute (task_service_27_0) true)
-(expandtypeattribute (tee_27_0) true)
-(expandtypeattribute (tee_data_file_27_0) true)
-(expandtypeattribute (tee_device_27_0) true)
-(expandtypeattribute (telecom_service_27_0) true)
-(expandtypeattribute (textclassification_service_27_0) true)
-(expandtypeattribute (textclassifier_data_file_27_0) true)
-(expandtypeattribute (textservices_service_27_0) true)
-(expandtypeattribute (thermalcallback_hwservice_27_0) true)
-(expandtypeattribute (thermal_service_27_0) true)
-(expandtypeattribute (thermalserviced_27_0) true)
-(expandtypeattribute (thermalserviced_exec_27_0) true)
-(expandtypeattribute (timezone_service_27_0) true)
-(expandtypeattribute (tmpfs_27_0) true)
-(expandtypeattribute (tombstoned_27_0) true)
-(expandtypeattribute (tombstone_data_file_27_0) true)
-(expandtypeattribute (tombstoned_crash_socket_27_0) true)
-(expandtypeattribute (tombstoned_exec_27_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_27_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_27_0) true)
-(expandtypeattribute (toolbox_27_0) true)
-(expandtypeattribute (toolbox_exec_27_0) true)
-(expandtypeattribute (trust_service_27_0) true)
-(expandtypeattribute (tty_device_27_0) true)
-(expandtypeattribute (tun_device_27_0) true)
-(expandtypeattribute (tv_input_service_27_0) true)
-(expandtypeattribute (tzdatacheck_27_0) true)
-(expandtypeattribute (tzdatacheck_exec_27_0) true)
-(expandtypeattribute (ueventd_27_0) true)
-(expandtypeattribute (uhid_device_27_0) true)
-(expandtypeattribute (uimode_service_27_0) true)
-(expandtypeattribute (uio_device_27_0) true)
-(expandtypeattribute (uncrypt_27_0) true)
-(expandtypeattribute (uncrypt_exec_27_0) true)
-(expandtypeattribute (uncrypt_socket_27_0) true)
-(expandtypeattribute (unencrypted_data_file_27_0) true)
-(expandtypeattribute (unlabeled_27_0) true)
-(expandtypeattribute (untrusted_app_25_27_0) true)
-(expandtypeattribute (untrusted_app_27_0) true)
-(expandtypeattribute (untrusted_v2_app_27_0) true)
-(expandtypeattribute (update_engine_27_0) true)
-(expandtypeattribute (update_engine_data_file_27_0) true)
-(expandtypeattribute (update_engine_exec_27_0) true)
-(expandtypeattribute (update_engine_service_27_0) true)
-(expandtypeattribute (updatelock_service_27_0) true)
-(expandtypeattribute (update_verifier_27_0) true)
-(expandtypeattribute (update_verifier_exec_27_0) true)
-(expandtypeattribute (usagestats_service_27_0) true)
-(expandtypeattribute (usbaccessory_device_27_0) true)
-(expandtypeattribute (usb_device_27_0) true)
-(expandtypeattribute (usbfs_27_0) true)
-(expandtypeattribute (usb_service_27_0) true)
-(expandtypeattribute (userdata_block_device_27_0) true)
-(expandtypeattribute (usermodehelper_27_0) true)
-(expandtypeattribute (user_profile_data_file_27_0) true)
-(expandtypeattribute (user_service_27_0) true)
-(expandtypeattribute (vcs_device_27_0) true)
-(expandtypeattribute (vdc_27_0) true)
-(expandtypeattribute (vdc_exec_27_0) true)
-(expandtypeattribute (vendor_app_file_27_0) true)
-(expandtypeattribute (vendor_configs_file_27_0) true)
-(expandtypeattribute (vendor_file_27_0) true)
-(expandtypeattribute (vendor_framework_file_27_0) true)
-(expandtypeattribute (vendor_hal_file_27_0) true)
-(expandtypeattribute (vendor_overlay_file_27_0) true)
-(expandtypeattribute (vendor_shell_exec_27_0) true)
-(expandtypeattribute (vendor_toolbox_exec_27_0) true)
-(expandtypeattribute (vfat_27_0) true)
-(expandtypeattribute (vibrator_service_27_0) true)
-(expandtypeattribute (video_device_27_0) true)
-(expandtypeattribute (virtual_touchpad_27_0) true)
-(expandtypeattribute (virtual_touchpad_exec_27_0) true)
-(expandtypeattribute (virtual_touchpad_service_27_0) true)
-(expandtypeattribute (vndbinder_device_27_0) true)
-(expandtypeattribute (vndk_sp_file_27_0) true)
-(expandtypeattribute (vndservice_contexts_file_27_0) true)
-(expandtypeattribute (vndservicemanager_27_0) true)
-(expandtypeattribute (voiceinteraction_service_27_0) true)
-(expandtypeattribute (vold_27_0) true)
-(expandtypeattribute (vold_data_file_27_0) true)
-(expandtypeattribute (vold_device_27_0) true)
-(expandtypeattribute (vold_exec_27_0) true)
-(expandtypeattribute (vold_prop_27_0) true)
-(expandtypeattribute (vold_socket_27_0) true)
-(expandtypeattribute (vpn_data_file_27_0) true)
-(expandtypeattribute (vr_hwc_27_0) true)
-(expandtypeattribute (vr_hwc_exec_27_0) true)
-(expandtypeattribute (vr_hwc_service_27_0) true)
-(expandtypeattribute (vr_manager_service_27_0) true)
-(expandtypeattribute (wallpaper_file_27_0) true)
-(expandtypeattribute (wallpaper_service_27_0) true)
-(expandtypeattribute (watchdogd_27_0) true)
-(expandtypeattribute (watchdog_device_27_0) true)
-(expandtypeattribute (webviewupdate_service_27_0) true)
-(expandtypeattribute (webview_zygote_27_0) true)
-(expandtypeattribute (webview_zygote_exec_27_0) true)
-(expandtypeattribute (webview_zygote_socket_27_0) true)
-(expandtypeattribute (wifiaware_service_27_0) true)
-(expandtypeattribute (wificond_27_0) true)
-(expandtypeattribute (wificond_exec_27_0) true)
-(expandtypeattribute (wificond_service_27_0) true)
-(expandtypeattribute (wifi_data_file_27_0) true)
-(expandtypeattribute (wifi_log_prop_27_0) true)
-(expandtypeattribute (wifip2p_service_27_0) true)
-(expandtypeattribute (wifi_prop_27_0) true)
-(expandtypeattribute (wifiscanner_service_27_0) true)
-(expandtypeattribute (wifi_service_27_0) true)
-(expandtypeattribute (window_service_27_0) true)
-(expandtypeattribute (wpa_socket_27_0) true)
-(expandtypeattribute (zero_device_27_0) true)
-(expandtypeattribute (zoneinfo_data_file_27_0) true)
-(expandtypeattribute (zygote_27_0) true)
-(expandtypeattribute (zygote_exec_27_0) true)
-(expandtypeattribute (zygote_socket_27_0) true)
-(typeattributeset accessibility_service_27_0 (accessibility_service))
-(typeattributeset account_service_27_0 (account_service))
-(typeattributeset activity_service_27_0 (activity_service))
-(typeattributeset adbd_27_0 (adbd))
-(typeattributeset adb_data_file_27_0 (adb_data_file))
-(typeattributeset adbd_exec_27_0 (adbd_exec))
-(typeattributeset adbd_socket_27_0 (adbd_socket))
-(typeattributeset adb_keys_file_27_0 (adb_keys_file))
-(typeattributeset alarm_device_27_0 (alarm_device))
-(typeattributeset alarm_service_27_0 (alarm_service))
-(typeattributeset anr_data_file_27_0 (anr_data_file))
-(typeattributeset apk_data_file_27_0 (apk_data_file))
-(typeattributeset apk_private_data_file_27_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_27_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_27_0 (apk_tmp_file))
-(typeattributeset app_data_file_27_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_27_0 (app_fuse_file))
-(typeattributeset app_fusefs_27_0 (app_fusefs))
-(typeattributeset appops_service_27_0 (appops_service))
-(typeattributeset appwidget_service_27_0 (appwidget_service))
-(typeattributeset asec_apk_file_27_0 (asec_apk_file))
-(typeattributeset asec_image_file_27_0 (asec_image_file))
-(typeattributeset asec_public_file_27_0 (asec_public_file))
-(typeattributeset ashmem_device_27_0 (ashmem_device))
-(typeattributeset assetatlas_service_27_0 (assetatlas_service))
-(typeattributeset audio_data_file_27_0 (audio_data_file))
-(typeattributeset audio_device_27_0 (audio_device))
-(typeattributeset audiohal_data_file_27_0 (audiohal_data_file))
-(typeattributeset audio_prop_27_0 (audio_prop))
-(typeattributeset audio_seq_device_27_0 (audio_seq_device))
-(typeattributeset audioserver_27_0 (audioserver))
-(typeattributeset audioserver_data_file_27_0 (audioserver_data_file))
-(typeattributeset audioserver_service_27_0 (audioserver_service))
-(typeattributeset audio_service_27_0 (audio_service))
-(typeattributeset audio_timer_device_27_0 (audio_timer_device))
-(typeattributeset autofill_service_27_0 (autofill_service))
-(typeattributeset backup_data_file_27_0 (backup_data_file))
-(typeattributeset backup_service_27_0 (backup_service))
-(typeattributeset batteryproperties_service_27_0 (batteryproperties_service))
-(typeattributeset battery_service_27_0 (battery_service))
-(typeattributeset batterystats_service_27_0 (batterystats_service))
-(typeattributeset binder_device_27_0 (binder_device))
-(typeattributeset binfmt_miscfs_27_0 (binfmt_miscfs))
-(typeattributeset blkid_27_0 (blkid))
-(typeattributeset blkid_untrusted_27_0 (blkid_untrusted))
-(typeattributeset block_device_27_0 (block_device))
-(typeattributeset bluetooth_27_0 (bluetooth))
-(typeattributeset bluetooth_data_file_27_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_27_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_27_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_27_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_27_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_27_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_27_0 (bluetooth_socket))
-(typeattributeset bootanim_27_0 (bootanim))
-(typeattributeset bootanim_exec_27_0 (bootanim_exec))
-(typeattributeset boot_block_device_27_0 (boot_block_device))
-(typeattributeset bootchart_data_file_27_0 (bootchart_data_file))
-(typeattributeset bootstat_27_0 (bootstat))
-(typeattributeset bootstat_data_file_27_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_27_0 (bootstat_exec))
-(typeattributeset boottime_prop_27_0 (boottime_prop))
-(typeattributeset boottrace_data_file_27_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_27_0 (broadcastradio_service))
-(typeattributeset bufferhubd_27_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_27_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_27_0 (cache_backup_file))
-(typeattributeset cache_block_device_27_0 (cache_block_device))
-(typeattributeset cache_file_27_0 (cache_file))
-(typeattributeset cache_private_backup_file_27_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_27_0 (cache_recovery_file))
-(typeattributeset camera_data_file_27_0 (camera_data_file))
-(typeattributeset camera_device_27_0 (camera_device))
-(typeattributeset cameraproxy_service_27_0 (cameraproxy_service))
-(typeattributeset cameraserver_27_0 (cameraserver))
-(typeattributeset cameraserver_exec_27_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_27_0 (cameraserver_service))
-(typeattributeset cgroup_27_0 (cgroup))
-(typeattributeset charger_27_0 (charger))
-(typeattributeset clatd_27_0 (clatd))
-(typeattributeset clatd_exec_27_0 (clatd_exec))
-(typeattributeset clipboard_service_27_0 (clipboard_service))
-(typeattributeset commontime_management_service_27_0 (commontime_management_service))
-(typeattributeset companion_device_service_27_0 (companion_device_service))
-(typeattributeset configfs_27_0 (configfs))
-(typeattributeset config_prop_27_0 (config_prop))
-(typeattributeset connectivity_service_27_0 (connectivity_service))
-(typeattributeset connmetrics_service_27_0 (connmetrics_service))
-(typeattributeset console_device_27_0 (console_device))
-(typeattributeset consumer_ir_service_27_0 (consumer_ir_service))
-(typeattributeset content_service_27_0 (content_service))
-(typeattributeset contexthub_service_27_0 (contexthub_service))
-(typeattributeset coredump_file_27_0 (coredump_file))
-(typeattributeset country_detector_service_27_0 (country_detector_service))
-(typeattributeset coverage_service_27_0 (coverage_service))
-(typeattributeset cppreopt_prop_27_0 (cppreopt_prop))
-(typeattributeset cppreopts_27_0 (cppreopts))
-(typeattributeset cppreopts_exec_27_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_27_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_27_0 (cpuinfo_service))
-(typeattributeset crash_dump_27_0 (crash_dump))
-(typeattributeset crash_dump_exec_27_0 (crash_dump_exec))
-(typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
-(typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
-(typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_rildaemon_prop_27_0 (ctl_rildaemon_prop))
-(typeattributeset dalvikcache_data_file_27_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_27_0 (dalvik_prop))
-(typeattributeset dbinfo_service_27_0 (dbinfo_service))
-(typeattributeset debugfs_27_0
- ( debugfs
- debugfs_wakeup_sources))
-(typeattributeset debugfs_mmc_27_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_27_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_27_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_27_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_27_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wifi_tracing_27_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_27_0 (debuggerd_prop))
-(typeattributeset debug_prop_27_0 (debug_prop))
-(typeattributeset default_android_hwservice_27_0 (default_android_hwservice))
-(typeattributeset default_android_service_27_0 (default_android_service))
-(typeattributeset default_android_vndservice_27_0 (default_android_vndservice))
-(typeattributeset default_prop_27_0
- ( default_prop
- pm_prop))
-(typeattributeset device_27_0 (device))
-(typeattributeset device_identifiers_service_27_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_27_0 (deviceidle_service))
-(typeattributeset device_logging_prop_27_0 (device_logging_prop))
-(typeattributeset device_policy_service_27_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_27_0 (devicestoragemonitor_service))
-(typeattributeset devpts_27_0 (devpts))
-(typeattributeset dex2oat_27_0 (dex2oat))
-(typeattributeset dex2oat_exec_27_0 (dex2oat_exec))
-(typeattributeset dhcp_27_0 (dhcp))
-(typeattributeset dhcp_data_file_27_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_27_0 (dhcp_exec))
-(typeattributeset dhcp_prop_27_0 (dhcp_prop))
-(typeattributeset diskstats_service_27_0 (diskstats_service))
-(typeattributeset display_service_27_0 (display_service))
-(typeattributeset dm_device_27_0 (dm_device))
-(typeattributeset dnsmasq_27_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_27_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_27_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_27_0 (DockObserver_service))
-(typeattributeset dreams_service_27_0 (dreams_service))
-(typeattributeset drm_data_file_27_0 (drm_data_file))
-(typeattributeset drmserver_27_0 (drmserver))
-(typeattributeset drmserver_exec_27_0 (drmserver_exec))
-(typeattributeset drmserver_service_27_0 (drmserver_service))
-(typeattributeset drmserver_socket_27_0 (drmserver_socket))
-(typeattributeset dropbox_service_27_0 (dropbox_service))
-(typeattributeset dumpstate_27_0 (dumpstate))
-(typeattributeset dumpstate_exec_27_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_27_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_27_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_27_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_27_0 (dumpstate_socket))
-(typeattributeset e2fs_27_0 (e2fs))
-(typeattributeset e2fs_exec_27_0 (e2fs_exec))
-(typeattributeset efs_file_27_0 (efs_file))
-(typeattributeset ephemeral_app_27_0 (ephemeral_app))
-(typeattributeset ethernet_service_27_0 (ethernet_service))
-(typeattributeset ffs_prop_27_0 (ffs_prop))
-(typeattributeset file_contexts_file_27_0 (file_contexts_file))
-(typeattributeset fingerprintd_27_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_27_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_27_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_27_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_27_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_27_0 (fingerprint_service))
-(typeattributeset firstboot_prop_27_0 (firstboot_prop))
-(typeattributeset font_service_27_0 (font_service))
-(typeattributeset frp_block_device_27_0 (frp_block_device))
-(typeattributeset fsck_27_0 (fsck))
-(typeattributeset fsck_exec_27_0 (fsck_exec))
-(typeattributeset fscklogs_27_0 (fscklogs))
-(typeattributeset fsck_untrusted_27_0 (fsck_untrusted))
-(typeattributeset full_device_27_0 (full_device))
-(typeattributeset functionfs_27_0 (functionfs))
-(typeattributeset fuse_27_0 (fuse))
-(typeattributeset fuse_device_27_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_27_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_27_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_27_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_27_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_27_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_27_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_27_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_27_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_27_0 (gfxinfo_service))
-(typeattributeset gps_control_27_0 (gps_control))
-(typeattributeset gpu_device_27_0 (gpu_device))
-(typeattributeset gpu_service_27_0 (gpu_service))
-(typeattributeset graphics_device_27_0 (graphics_device))
-(typeattributeset graphicsstats_service_27_0 (graphicsstats_service))
-(typeattributeset hal_audio_hwservice_27_0 (hal_audio_hwservice))
-(typeattributeset hal_bluetooth_hwservice_27_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_27_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_27_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_27_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_27_0 (hal_cas_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_27_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_contexthub_hwservice_27_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_27_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_27_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_fingerprint_hwservice_27_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_27_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_27_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_27_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_27_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_27_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_27_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_27_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_27_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_27_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_27_0 (hal_light_hwservice))
-(typeattributeset hal_memtrack_hwservice_27_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_27_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_27_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_27_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_27_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_27_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_27_0 (hal_renderscript_hwservice))
-(typeattributeset hal_sensors_hwservice_27_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_27_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_27_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_27_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_27_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_27_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_hwservice_27_0 (hal_usb_hwservice))
-(typeattributeset hal_vibrator_hwservice_27_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_27_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_27_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hwservice_27_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_27_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_27_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_27_0 (hardware_properties_service))
-(typeattributeset hardware_service_27_0 (hardware_service))
-(typeattributeset hci_attach_dev_27_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_27_0 (hdmi_control_service))
-(typeattributeset healthd_27_0 (healthd))
-(typeattributeset healthd_exec_27_0 (healthd_exec))
-(typeattributeset heapdump_data_file_27_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_27_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_27_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_27_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_27_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_27_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_27_0 (hwbinder_device))
-(typeattributeset hw_random_device_27_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_27_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_27_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_27_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_27_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_27_0 (i2c_device))
-(typeattributeset icon_file_27_0 (icon_file))
-(typeattributeset idmap_27_0 (idmap))
-(typeattributeset idmap_exec_27_0 (idmap_exec))
-(typeattributeset iio_device_27_0 (iio_device))
-(typeattributeset imms_service_27_0 (imms_service))
-(typeattributeset incident_27_0 (incident))
-(typeattributeset incidentd_27_0 (incidentd))
-(typeattributeset incident_data_file_27_0 (incident_data_file))
-(typeattributeset incident_service_27_0 (incident_service))
-(typeattributeset init_27_0 (init))
-(typeattributeset init_exec_27_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_27_0 (inotify))
-(typeattributeset input_device_27_0 (input_device))
-(typeattributeset inputflinger_27_0 (inputflinger))
-(typeattributeset inputflinger_exec_27_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_27_0 (inputflinger_service))
-(typeattributeset input_method_service_27_0 (input_method_service))
-(typeattributeset input_service_27_0 (input_service))
-(typeattributeset installd_27_0 (installd))
-(typeattributeset install_data_file_27_0 (install_data_file))
-(typeattributeset installd_exec_27_0 (installd_exec))
-(typeattributeset installd_service_27_0 (installd_service))
-(typeattributeset install_recovery_27_0 (install_recovery))
-(typeattributeset install_recovery_exec_27_0 (install_recovery_exec))
-(typeattributeset ion_device_27_0 (ion_device))
-(typeattributeset IProxyService_service_27_0 (IProxyService_service))
-(typeattributeset ipsec_service_27_0 (ipsec_service))
-(typeattributeset isolated_app_27_0 (isolated_app))
-(typeattributeset jobscheduler_service_27_0 (jobscheduler_service))
-(typeattributeset kernel_27_0 (kernel))
-(typeattributeset keychain_data_file_27_0 (keychain_data_file))
-(typeattributeset keychord_device_27_0 (keychord_device))
-(typeattributeset keystore_27_0 (keystore))
-(typeattributeset keystore_data_file_27_0 (keystore_data_file))
-(typeattributeset keystore_exec_27_0 (keystore_exec))
-(typeattributeset keystore_service_27_0 (keystore_service))
-(typeattributeset kmem_device_27_0 (kmem_device))
-(typeattributeset kmsg_debug_device_27_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_27_0 (kmsg_device))
-(typeattributeset labeledfs_27_0 (labeledfs))
-(typeattributeset launcherapps_service_27_0 (launcherapps_service))
-(typeattributeset lmkd_27_0 (lmkd))
-(typeattributeset lmkd_exec_27_0 (lmkd_exec))
-(typeattributeset lmkd_socket_27_0 (lmkd_socket))
-(typeattributeset location_service_27_0 (location_service))
-(typeattributeset lock_settings_service_27_0 (lock_settings_service))
-(typeattributeset logcat_exec_27_0 (logcat_exec))
-(typeattributeset logd_27_0 (logd))
-(typeattributeset logd_exec_27_0 (logd_exec))
-(typeattributeset logd_prop_27_0 (logd_prop))
-(typeattributeset logdr_socket_27_0 (logdr_socket))
-(typeattributeset logd_socket_27_0 (logd_socket))
-(typeattributeset logdw_socket_27_0 (logdw_socket))
-(typeattributeset logpersist_27_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_27_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_27_0 (log_prop))
-(typeattributeset log_tag_prop_27_0 (log_tag_prop))
-(typeattributeset loop_control_device_27_0 (loop_control_device))
-(typeattributeset loop_device_27_0 (loop_device))
-(typeattributeset mac_perms_file_27_0 (mac_perms_file))
-(typeattributeset mdnsd_27_0 (mdnsd))
-(typeattributeset mdnsd_socket_27_0 (mdnsd_socket))
-(typeattributeset mdns_socket_27_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_27_0))
-(typeattributeset mediacodec_27_0 (mediacodec))
-(typeattributeset mediacodec_exec_27_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_27_0 (mediacodec_service))
-(typeattributeset media_data_file_27_0 (media_data_file))
-(typeattributeset mediadrmserver_27_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_27_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_27_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_27_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_27_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_27_0 (mediaextractor_service))
-(typeattributeset mediametrics_27_0 (mediametrics))
-(typeattributeset mediametrics_exec_27_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_27_0 (mediametrics_service))
-(typeattributeset media_projection_service_27_0 (media_projection_service))
-(typeattributeset mediaprovider_27_0 (mediaprovider))
-(typeattributeset media_router_service_27_0 (media_router_service))
-(typeattributeset media_rw_data_file_27_0 (media_rw_data_file))
-(typeattributeset mediaserver_27_0 (mediaserver))
-(typeattributeset mediaserver_exec_27_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_27_0 (mediaserver_service))
-(typeattributeset media_session_service_27_0 (media_session_service))
-(typeattributeset meminfo_service_27_0 (meminfo_service))
-(typeattributeset metadata_block_device_27_0 (metadata_block_device))
-(typeattributeset method_trace_data_file_27_0 (method_trace_data_file))
-(typeattributeset midi_service_27_0 (midi_service))
-(typeattributeset misc_block_device_27_0 (misc_block_device))
-(typeattributeset misc_logd_file_27_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_27_0 (misc_user_data_file))
-(typeattributeset mmc_prop_27_0 (mmc_prop))
-(typeattributeset mnt_expand_file_27_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_27_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_27_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_27_0 (mnt_user_file))
-(typeattributeset modprobe_27_0 (modprobe))
-(typeattributeset mount_service_27_0 (mount_service))
-(typeattributeset mqueue_27_0 (mqueue))
-(typeattributeset mtd_device_27_0 (mtd_device))
-(typeattributeset mtp_27_0 (mtp))
-(typeattributeset mtp_device_27_0 (mtp_device))
-(typeattributeset mtpd_socket_27_0 (mtpd_socket))
-(typeattributeset mtp_exec_27_0 (mtp_exec))
-(typeattributeset nativetest_data_file_27_0 (nativetest_data_file))
-(typeattributeset netd_27_0 (netd))
-(typeattributeset net_data_file_27_0 (net_data_file))
-(typeattributeset netd_exec_27_0 (netd_exec))
-(typeattributeset netd_listener_service_27_0 (netd_listener_service))
-(typeattributeset net_dns_prop_27_0 (net_dns_prop))
-(typeattributeset netd_service_27_0 (netd_service))
-(typeattributeset netd_socket_27_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_27_0 (netd_stable_secret_prop))
-(typeattributeset netif_27_0 (netif))
-(typeattributeset netpolicy_service_27_0 (netpolicy_service))
-(typeattributeset net_radio_prop_27_0 (net_radio_prop))
-(typeattributeset netstats_service_27_0 (netstats_service))
-(typeattributeset netutils_wrapper_27_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_27_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_27_0 (network_management_service))
-(typeattributeset network_score_service_27_0 (network_score_service))
-(typeattributeset network_time_update_service_27_0 (network_time_update_service))
-(typeattributeset nfc_27_0 (nfc))
-(typeattributeset nfc_data_file_27_0 (nfc_data_file))
-(typeattributeset nfc_device_27_0 (nfc_device))
-(typeattributeset nfc_prop_27_0 (nfc_prop))
-(typeattributeset nfc_service_27_0 (nfc_service))
-(typeattributeset node_27_0 (node))
-(typeattributeset nonplat_service_contexts_file_27_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_27_0 (notification_service))
-(typeattributeset null_device_27_0 (null_device))
-(typeattributeset oemfs_27_0 (oemfs))
-(typeattributeset oem_lock_service_27_0 (oem_lock_service))
-(typeattributeset ota_data_file_27_0 (ota_data_file))
-(typeattributeset otadexopt_service_27_0 (otadexopt_service))
-(typeattributeset ota_package_file_27_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_27_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_27_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_27_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_27_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_27_0 (overlay_prop))
-(typeattributeset overlay_service_27_0 (overlay_service))
-(typeattributeset owntty_device_27_0 (owntty_device))
-(typeattributeset package_native_service_27_0 (package_native_service))
-(typeattributeset package_service_27_0 (package_service))
-(typeattributeset pan_result_prop_27_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_27_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_27_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_27_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_27_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_27_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_27_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_27_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_27_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_27_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_27_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_27_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_27_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_27_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_27_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_27_0 (pdx_performance_dir))
-(typeattributeset performanced_27_0 (performanced))
-(typeattributeset performanced_exec_27_0 (performanced_exec))
-(typeattributeset permission_service_27_0 (permission_service))
-(typeattributeset persist_debug_prop_27_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_27_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_27_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_27_0 (pinner_service))
-(typeattributeset pipefs_27_0 (pipefs))
-(typeattributeset platform_app_27_0 (platform_app))
-(typeattributeset pmsg_device_27_0 (pmsg_device))
-(typeattributeset port_27_0 (port))
-(typeattributeset port_device_27_0 (port_device))
-(typeattributeset postinstall_27_0 (postinstall))
-(typeattributeset postinstall_dexopt_27_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_27_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_27_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_27_0 (powerctl_prop))
-(typeattributeset power_service_27_0 (power_service))
-(typeattributeset ppp_27_0 (ppp))
-(typeattributeset ppp_device_27_0 (ppp_device))
-(typeattributeset ppp_exec_27_0 (ppp_exec))
-(typeattributeset preloads_data_file_27_0 (preloads_data_file))
-(typeattributeset preloads_media_file_27_0 (preloads_media_file))
-(typeattributeset preopt2cachename_27_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_27_0 (preopt2cachename_exec))
-(typeattributeset print_service_27_0 (print_service))
-(typeattributeset priv_app_27_0 (priv_app))
-(typeattributeset proc_27_0
- ( proc
- proc_abi
- proc_asound
- proc_buddyinfo
- proc_cmdline
- proc_dirty
- proc_diskstats
- proc_extra_free_kbytes
- proc_filesystems
- proc_hostname
- proc_hung_task
- proc_kmsg
- proc_loadavg
- proc_max_map_count
- proc_min_free_order_shift
- proc_mounts
- proc_page_cluster
- proc_pagetypeinfo
- proc_panic
- proc_pid_max
- proc_pipe_conf
- proc_random
- proc_sched
- proc_slabinfo
- proc_swaps
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_uid_cpupower
- proc_uptime
- proc_version
- proc_vmallocinfo
- proc_vmstat))
-(typeattributeset proc_bluetooth_writable_27_0 (proc_bluetooth_writable))
-(typeattributeset proc_cpuinfo_27_0 (proc_cpuinfo))
-(typeattributeset proc_drop_caches_27_0 (proc_drop_caches))
-(typeattributeset processinfo_service_27_0 (processinfo_service))
-(typeattributeset proc_interrupts_27_0 (proc_interrupts))
-(typeattributeset proc_iomem_27_0 (proc_iomem))
-(typeattributeset proc_meminfo_27_0 (proc_meminfo))
-(typeattributeset proc_misc_27_0 (proc_misc))
-(typeattributeset proc_modules_27_0 (proc_modules))
-(typeattributeset proc_net_27_0
- ( proc_net
- proc_net_tcp_udp
- proc_qtaguid_stat))
-(typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
-(typeattributeset proc_perf_27_0 (proc_perf))
-(typeattributeset proc_security_27_0 (proc_security))
-(typeattributeset proc_stat_27_0 (proc_stat))
-(typeattributeset procstats_service_27_0 (procstats_service))
-(typeattributeset proc_sysrq_27_0 (proc_sysrq))
-(typeattributeset proc_timer_27_0 (proc_timer))
-(typeattributeset proc_tty_drivers_27_0 (proc_tty_drivers))
-(typeattributeset proc_uid_cputime_removeuid_27_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_27_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_27_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_27_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_27_0 (proc_uid_time_in_state))
-(typeattributeset proc_zoneinfo_27_0 (proc_zoneinfo))
-(typeattributeset profman_27_0 (profman))
-(typeattributeset profman_dump_data_file_27_0 (profman_dump_data_file))
-(typeattributeset profman_exec_27_0 (profman_exec))
-(typeattributeset properties_device_27_0 (properties_device))
-(typeattributeset properties_serial_27_0 (properties_serial))
-(typeattributeset property_contexts_file_27_0 (property_contexts_file))
-(typeattributeset property_data_file_27_0 (property_data_file))
-(typeattributeset property_socket_27_0 (property_socket))
-(typeattributeset pstorefs_27_0 (pstorefs))
-(typeattributeset ptmx_device_27_0 (ptmx_device))
-(typeattributeset qtaguid_device_27_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_27_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_27_0 (racoon))
-(typeattributeset racoon_exec_27_0 (racoon_exec))
-(typeattributeset racoon_socket_27_0 (racoon_socket))
-(typeattributeset radio_27_0 (radio))
-(typeattributeset radio_data_file_27_0 (radio_data_file))
-(typeattributeset radio_device_27_0 (radio_device))
-(typeattributeset radio_prop_27_0 (radio_prop))
-(typeattributeset radio_service_27_0 (radio_service))
-(typeattributeset ram_device_27_0 (ram_device))
-(typeattributeset random_device_27_0 (random_device))
-(typeattributeset reboot_data_file_27_0 (reboot_data_file))
-(typeattributeset recovery_27_0 (recovery))
-(typeattributeset recovery_block_device_27_0 (recovery_block_device))
-(typeattributeset recovery_data_file_27_0 (recovery_data_file))
-(typeattributeset recovery_persist_27_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_27_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_27_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_27_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_27_0 (recovery_service))
-(typeattributeset registry_service_27_0 (registry_service))
-(typeattributeset resourcecache_data_file_27_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_27_0 (restorecon_prop))
-(typeattributeset restrictions_service_27_0 (restrictions_service))
-(typeattributeset rild_27_0 (rild))
-(typeattributeset rild_debug_socket_27_0 (rild_debug_socket))
-(typeattributeset rild_socket_27_0 (rild_socket))
-(typeattributeset ringtone_file_27_0 (ringtone_file))
-(typeattributeset root_block_device_27_0 (root_block_device))
-(typeattributeset rootfs_27_0 (rootfs))
-(typeattributeset rpmsg_device_27_0 (rpmsg_device))
-(typeattributeset rtc_device_27_0 (rtc_device))
-(typeattributeset rttmanager_service_27_0 (rttmanager_service))
-(typeattributeset runas_27_0 (runas))
-(typeattributeset runas_exec_27_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_27_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_27_0 (safemode_prop))
-(typeattributeset same_process_hal_file_27_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_27_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_27_0 (scheduling_policy_service))
-(typeattributeset sdcardd_27_0 (sdcardd))
-(typeattributeset sdcardd_exec_27_0 (sdcardd_exec))
-(typeattributeset sdcardfs_27_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_27_0 (seapp_contexts_file))
-(typeattributeset search_service_27_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_27_0 (sec_key_att_app_id_provider_service))
-(typeattributeset selinuxfs_27_0 (selinuxfs))
-(typeattributeset sensors_device_27_0 (sensors_device))
-(typeattributeset sensorservice_service_27_0 (sensorservice_service))
-(typeattributeset sepolicy_file_27_0 (sepolicy_file))
-(typeattributeset serial_device_27_0 (serial_device))
-(typeattributeset serialno_prop_27_0 (serialno_prop))
-(typeattributeset serial_service_27_0 (serial_service))
-(typeattributeset service_contexts_file_27_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_27_0 (servicediscovery_service))
-(typeattributeset servicemanager_27_0 (servicemanager))
-(typeattributeset servicemanager_exec_27_0 (servicemanager_exec))
-(typeattributeset settings_service_27_0 (settings_service))
-(typeattributeset sgdisk_27_0 (sgdisk))
-(typeattributeset sgdisk_exec_27_0 (sgdisk_exec))
-(typeattributeset shared_relro_27_0 (shared_relro))
-(typeattributeset shared_relro_file_27_0 (shared_relro_file))
-(typeattributeset shell_27_0 (shell))
-(typeattributeset shell_data_file_27_0 (shell_data_file))
-(typeattributeset shell_exec_27_0 (shell_exec))
-(typeattributeset shell_prop_27_0 (shell_prop))
-(typeattributeset shm_27_0 (shm))
-(typeattributeset shortcut_manager_icons_27_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_27_0 (shortcut_service))
-(typeattributeset slideshow_27_0 (slideshow))
-(typeattributeset socket_device_27_0 (socket_device))
-(typeattributeset sockfs_27_0 (sockfs))
-(typeattributeset statusbar_service_27_0 (statusbar_service))
-(typeattributeset storaged_service_27_0 (storaged_service))
-(typeattributeset storage_file_27_0 (storage_file))
-(typeattributeset storagestats_service_27_0 (storagestats_service))
-(typeattributeset storage_stub_file_27_0 (storage_stub_file))
-(typeattributeset su_27_0 (su))
-(typeattributeset su_exec_27_0 (su_exec))
-(typeattributeset surfaceflinger_27_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_27_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_27_0 (swap_block_device))
-(typeattributeset sysfs_27_0
- ( sysfs
- sysfs_android_usb
- sysfs_dm
- sysfs_dt_firmware_android
- sysfs_ipv4
- sysfs_kernel_notes
- sysfs_loop
- sysfs_net
- sysfs_power
- sysfs_rtc
- sysfs_switch
- sysfs_wakeup_reasons))
-(typeattributeset sysfs_batteryinfo_27_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_27_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_27_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_fs_ext4_features_27_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_27_0 (sysfs_hwrandom))
-(typeattributeset sysfs_leds_27_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_27_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_27_0 (sysfs_mac_address))
-(typeattributeset sysfs_nfc_power_writable_27_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_thermal_27_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_27_0 (sysfs_uio))
-(typeattributeset sysfs_usb_27_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_27_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_27_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_27_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wlan_fwpath_27_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_27_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_27_0 (sysfs_zram_uevent))
-(typeattributeset system_app_27_0 (system_app))
-(typeattributeset system_app_data_file_27_0 (system_app_data_file))
-(typeattributeset system_app_service_27_0 (system_app_service))
-(typeattributeset system_block_device_27_0 (system_block_device))
-(typeattributeset system_data_file_27_0
- ( system_data_file
- dropbox_data_file
- vendor_data_file))
-(typeattributeset system_file_27_0
- ( system_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_27_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_27_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_27_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_27_0 (system_prop))
-(typeattributeset system_radio_prop_27_0 (system_radio_prop))
-(typeattributeset system_server_27_0 (system_server))
-(typeattributeset system_wifi_keystore_hwservice_27_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_27_0 (system_wpa_socket))
-(typeattributeset task_service_27_0 (task_service))
-(typeattributeset tee_27_0 (tee))
-(typeattributeset tee_data_file_27_0 (tee_data_file))
-(typeattributeset tee_device_27_0 (tee_device))
-(typeattributeset telecom_service_27_0 (telecom_service))
-(typeattributeset textclassification_service_27_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_27_0 (textclassifier_data_file))
-(typeattributeset textservices_service_27_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_27_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_27_0 (thermal_service))
-(typeattributeset thermalserviced_27_0 (thermalserviced))
-(typeattributeset thermalserviced_exec_27_0 (thermalserviced_exec))
-(typeattributeset timezone_service_27_0 (timezone_service))
-(typeattributeset tmpfs_27_0 (tmpfs))
-(typeattributeset tombstoned_27_0 (tombstoned))
-(typeattributeset tombstone_data_file_27_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_27_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_27_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_27_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_27_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_27_0 (toolbox))
-(typeattributeset toolbox_exec_27_0 (toolbox_exec))
-(typeattributeset trust_service_27_0 (trust_service))
-(typeattributeset tty_device_27_0 (tty_device))
-(typeattributeset tun_device_27_0 (tun_device))
-(typeattributeset tv_input_service_27_0 (tv_input_service))
-(typeattributeset tzdatacheck_27_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_27_0 (tzdatacheck_exec))
-(typeattributeset ueventd_27_0 (ueventd))
-(typeattributeset uhid_device_27_0 (uhid_device))
-(typeattributeset uimode_service_27_0 (uimode_service))
-(typeattributeset uio_device_27_0 (uio_device))
-(typeattributeset uncrypt_27_0 (uncrypt))
-(typeattributeset uncrypt_exec_27_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_27_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_27_0 (unencrypted_data_file))
-(typeattributeset unlabeled_27_0 (unlabeled))
-(typeattributeset untrusted_app_25_27_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_0
- ( untrusted_app
- untrusted_app_27))
-(typeattributeset untrusted_v2_app_27_0 (untrusted_v2_app))
-(typeattributeset update_engine_27_0 (update_engine))
-(typeattributeset update_engine_data_file_27_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_27_0 (update_engine_exec))
-(typeattributeset update_engine_service_27_0 (update_engine_service))
-(typeattributeset updatelock_service_27_0 (updatelock_service))
-(typeattributeset update_verifier_27_0 (update_verifier))
-(typeattributeset update_verifier_exec_27_0 (update_verifier_exec))
-(typeattributeset usagestats_service_27_0 (usagestats_service))
-(typeattributeset usbaccessory_device_27_0 (usbaccessory_device))
-(typeattributeset usb_device_27_0 (usb_device))
-(typeattributeset usbfs_27_0 (usbfs))
-(typeattributeset usb_service_27_0 (usb_service))
-(typeattributeset userdata_block_device_27_0 (userdata_block_device))
-(typeattributeset usermodehelper_27_0 (usermodehelper))
-(typeattributeset user_profile_data_file_27_0 (user_profile_data_file))
-(typeattributeset user_service_27_0 (user_service))
-(typeattributeset vcs_device_27_0 (vcs_device))
-(typeattributeset vdc_27_0 (vdc))
-(typeattributeset vdc_exec_27_0 (vdc_exec))
-(typeattributeset vendor_app_file_27_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_27_0 (vendor_configs_file))
-(typeattributeset vendor_file_27_0 (vendor_file))
-(typeattributeset vendor_framework_file_27_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_27_0 (vendor_hal_file))
-(typeattributeset vendor_overlay_file_27_0 (vendor_overlay_file))
-(typeattributeset vendor_shell_exec_27_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_27_0 (vendor_toolbox_exec))
-(typeattributeset vfat_27_0 (vfat))
-(typeattributeset vibrator_service_27_0 (vibrator_service))
-(typeattributeset video_device_27_0 (video_device))
-(typeattributeset virtual_touchpad_27_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_27_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_27_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_27_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_27_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_27_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_27_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_27_0 (voiceinteraction_service))
-(typeattributeset vold_27_0 (vold))
-(typeattributeset vold_data_file_27_0 (vold_data_file))
-(typeattributeset vold_device_27_0 (vold_device))
-(typeattributeset vold_exec_27_0 (vold_exec))
-(typeattributeset vold_prop_27_0 (vold_prop))
-(typeattributeset vold_socket_27_0 (vold_socket))
-(typeattributeset vpn_data_file_27_0 (vpn_data_file))
-(typeattributeset vr_hwc_27_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_27_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_27_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_27_0 (vr_manager_service))
-(typeattributeset wallpaper_file_27_0 (wallpaper_file))
-(typeattributeset wallpaper_service_27_0 (wallpaper_service))
-(typeattributeset watchdogd_27_0 (watchdogd))
-(typeattributeset watchdog_device_27_0 (watchdog_device))
-(typeattributeset webviewupdate_service_27_0 (webviewupdate_service))
-(typeattributeset webview_zygote_27_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_27_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_socket_27_0 (webview_zygote_socket))
-(typeattributeset wifiaware_service_27_0 (wifiaware_service))
-(typeattributeset wificond_27_0 (wificond))
-(typeattributeset wificond_exec_27_0 (wificond_exec))
-(typeattributeset wificond_service_27_0 (wificond_service))
-(typeattributeset wifi_data_file_27_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_27_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_27_0 (wifip2p_service))
-(typeattributeset wifi_prop_27_0 (wifi_prop))
-(typeattributeset wifiscanner_service_27_0 (wifiscanner_service))
-(typeattributeset wifi_service_27_0 (wifi_service))
-(typeattributeset window_service_27_0 (window_service))
-(typeattributeset wpa_socket_27_0 (wpa_socket))
-(typeattributeset zero_device_27_0 (zero_device))
-(typeattributeset zoneinfo_data_file_27_0 (zoneinfo_data_file))
-(typeattributeset zygote_27_0 (zygote))
-(typeattributeset zygote_exec_27_0 (zygote_exec))
-(typeattributeset zygote_socket_27_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil b/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil
deleted file mode 100644
index 427f4d4..0000000
--- a/prebuilts/api/31.0/private/compat/27.0/27.0.ignore.cil
+++ /dev/null
@@ -1,260 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- aac_drc_prop
- aaudio_config_prop
- activity_task_service
- adb_service
- app_binding_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- app_zygote
- art_apex_dir
- atrace
- audio_config_prop
- binder_calls_stats_service
- biometric_service
- blank_screen
- blank_screen_exec
- blank_screen_tmpfs
- boot_status_prop
- bootanim_system_prop
- bootloader_boot_reason_prop
- bootloader_prop
- bluetooth_a2dp_offload_prop
- bpfloader
- bpfloader_exec
- build_bootimage_prop
- build_odm_prop
- build_prop
- build_vendor_prop
- camera_calibration_prop
- camera_config_prop
- cgroup_bpf
- charger_config_prop
- charger_exec
- charger_status_prop
- color_display_service
- content_capture_service
- crossprofileapps_service
- ctl_apexd_prop
- ctl_interface_restart_prop
- ctl_interface_start_prop
- ctl_interface_stop_prop
- ctl_sigstop_prop
- dalvik_config_prop
- dalvik_runtime_prop
- device_config_boot_count_prop
- device_config_reset_performed_prop
- device_config_netd_native_prop
- dnsresolver_service
- drm_service_config_prop
- exfat
- exported2_config_prop
- exported2_default_prop
- exported2_radio_prop
- exported2_system_prop
- exported2_vold_prop
- exported3_default_prop
- exported3_radio_prop
- exported3_system_prop
- exported_audio_prop
- exported_bluetooth_prop
- exported_config_prop
- exported_dalvik_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_ffs_prop
- exported_fingerprint_prop
- exported_overlay_prop
- exported_pm_prop
- exported_radio_prop
- exported_secure_prop
- exported_system_prop
- exported_system_radio_prop
- exported_vold_prop
- exported_wifi_prop
- fastbootd
- ffs_config_prop
- ffs_control_prop
- flags_health_check
- flags_health_check_exec
- fingerprint_vendor_data_file
- fs_bpf
- fwk_stats_hwservice
- hal_atrace_hwservice
- hal_audiocontrol_hwservice
- hal_authsecret_hwservice
- hal_codec2_hwservice
- hal_confirmationui_hwservice
- hal_evs_hwservice
- hal_health_storage_hwservice
- hal_instrumentation_prop
- hal_lowpan_hwservice
- hal_secure_element_hwservice
- hal_usb_gadget_hwservice
- hal_vehicle_hwservice
- hal_wifi_hostapd_hwservice
- hdmi_config_prop
- heapprofd
- heapprofd_exec
- heapprofd_socket
- incident_helper
- incident_helper_exec
- init_service_status_private_prop
- init_service_status_prop
- iorapd
- iorapd_data_file
- iorapd_exec
- iorapd_service
- iorapd_tmpfs
- keyguard_config_prop
- last_boot_reason_prop
- libc_debug_prop
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- lmkd_config_prop
- looper_stats_service
- lowpan_device
- lowpan_prop
- lowpan_service
- media_config_prop
- mediadrm_config_prop
- mediaextractor_update_service
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- metadata_file
- mnt_product_file
- mnt_vendor_file
- network_stack
- network_stack_service
- network_watchlist_data_file
- network_watchlist_service
- oem_unlock_prop
- overlayfs_file
- packagemanager_config_prop
- perfetto
- perfetto_exec
- perfetto_tmpfs
- perfetto_traces_data_file
- property_info
- property_service_version_prop
- provisioned_prop
- radio_control_prop
- recovery_config_prop
- recovery_socket
- retaildemo_prop
- role_service
- runas_app
- runtime_service
- secure_element
- secure_element_device
- secure_element_service
- secure_element_tmpfs
- sendbug_config_prop
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- slice_service
- socket_hook_prop
- stats
- stats_data_file
- stats_exec
- stats_service
- statscompanion_service
- statsd
- statsd_exec
- statsd_tmpfs
- statsdw
- statsdw_socket
- storaged_data_file
- super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
- staging_data_file
- storagemanager_config_prop
- system_boot_reason_prop
- system_bootstrap_lib_file
- system_lmk_prop
- system_update_service
- systemsound_config_prop
- telephony_config_prop
- telephony_status_prop
- test_boot_reason_prop
- time_prop
- timedetector_service
- tombstone_config_prop
- tombstone_wifi_data_file
- trace_data_file
- traced
- traced_consumer_socket
- traced_enabled_prop
- traced_exec
- traced_probes
- traced_probes_exec
- traced_probes_tmpfs
- traced_producer_socket
- traced_tmpfs
- traceur_app
- traceur_app_tmpfs
- untrusted_app_all_devpts
- update_engine_log_data_file
- uri_grants_service
- usb_config_prop
- usb_control_prop
- usbd
- usbd_exec
- usbd_tmpfs
- vendor_apex_file
- vendor_default_prop
- vendor_init
- vendor_security_patch_level_prop
- vendor_shell
- vendor_socket_hook_prop
- vndk_prop
- vold_config_prop
- vold_metadata_file
- vold_post_fs_data_prop
- vold_prepare_subdirs
- vold_prepare_subdirs_exec
- vold_service
- vold_status_prop
- vrflinger_vsync_service
- vts_config_prop
- vts_status_prop
- wait_for_keymaster
- wait_for_keymaster_exec
- wait_for_keymaster_tmpfs
- watchdogd_tmpfs
- wifi_config_prop
- wifi_hal_prop
- wm_trace_data_file
- wpantund
- wpantund_exec
- wpantund_service
- wpantund_tmpfs
- zram_config_prop
- zram_control_prop))
-
-;; private_objects - a collection of types that were labeled differently in
-;; older policy, but that should not remain accessible to vendor policy.
-;; Thus, these types are also not mapped, but recorded for checkapi tests
-(type priv_objects)
-(typeattribute priv_objects)
-(typeattributeset priv_objects
- ( priv_objects
- untrusted_app_27_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/28.0/28.0.cil b/prebuilts/api/31.0/private/compat/28.0/28.0.cil
deleted file mode 100644
index 321e938..0000000
--- a/prebuilts/api/31.0/private/compat/28.0/28.0.cil
+++ /dev/null
@@ -1,1744 +0,0 @@
-;; attributes removed from current policy
-(typeattribute hal_wifi_offload)
-(typeattribute hal_wifi_offload_client)
-(typeattribute hal_wifi_offload_server)
-
-;; types removed from current policy
-(type alarm_device)
-(type audio_seq_device)
-(type audio_timer_device)
-(type commontime_management_service)
-(type cpuctl_device)
-(type full_device)
-(type hal_wifi_offload_hwservice)
-(type i2c_device)
-(type kmem_device)
-(type mediacodec)
-(type mediacodec_exec)
-(type mediaextractor_update_service)
-(type mtd_device)
-(type netd_socket)
-(type qtaguid_proc)
-(type thermalcallback_hwservice)
-(type thermalserviced)
-(type thermalserviced_exec)
-(type untrusted_v2_app)
-(type vcs_device)
-
-;; Public 28.0 SEPolicy is divergent on different devices w.r.t
-;; exported_audio_prop type. We need this typeattribute declaration so that the
-;; mapping file compiles with vendor policies without exported_audio_prop type.
-(typeattribute exported_audio_prop_28_0)
-
-(expandtypeattribute (accessibility_service_28_0) true)
-(expandtypeattribute (account_service_28_0) true)
-(expandtypeattribute (activity_service_28_0) true)
-(expandtypeattribute (adbd_28_0) true)
-(expandtypeattribute (adb_data_file_28_0) true)
-(expandtypeattribute (adbd_exec_28_0) true)
-(expandtypeattribute (adbd_socket_28_0) true)
-(expandtypeattribute (adb_keys_file_28_0) true)
-(expandtypeattribute (alarm_device_28_0) true)
-(expandtypeattribute (alarm_service_28_0) true)
-(expandtypeattribute (anr_data_file_28_0) true)
-(expandtypeattribute (apk_data_file_28_0) true)
-(expandtypeattribute (apk_private_data_file_28_0) true)
-(expandtypeattribute (apk_private_tmp_file_28_0) true)
-(expandtypeattribute (apk_tmp_file_28_0) true)
-(expandtypeattribute (app_data_file_28_0) true)
-(expandtypeattribute (app_fuse_file_28_0) true)
-(expandtypeattribute (app_fusefs_28_0) true)
-(expandtypeattribute (appops_service_28_0) true)
-(expandtypeattribute (appwidget_service_28_0) true)
-(expandtypeattribute (asec_apk_file_28_0) true)
-(expandtypeattribute (asec_image_file_28_0) true)
-(expandtypeattribute (asec_public_file_28_0) true)
-(expandtypeattribute (ashmem_device_28_0) true)
-(expandtypeattribute (assetatlas_service_28_0) true)
-(expandtypeattribute (audio_data_file_28_0) true)
-(expandtypeattribute (audio_device_28_0) true)
-(expandtypeattribute (audiohal_data_file_28_0) true)
-(expandtypeattribute (audio_prop_28_0) true)
-(expandtypeattribute (audio_seq_device_28_0) true)
-(expandtypeattribute (audioserver_28_0) true)
-(expandtypeattribute (audioserver_data_file_28_0) true)
-(expandtypeattribute (audioserver_service_28_0) true)
-(expandtypeattribute (audio_service_28_0) true)
-(expandtypeattribute (audio_timer_device_28_0) true)
-(expandtypeattribute (autofill_service_28_0) true)
-(expandtypeattribute (backup_data_file_28_0) true)
-(expandtypeattribute (backup_service_28_0) true)
-(expandtypeattribute (batteryproperties_service_28_0) true)
-(expandtypeattribute (battery_service_28_0) true)
-(expandtypeattribute (batterystats_service_28_0) true)
-(expandtypeattribute (binder_calls_stats_service_28_0) true)
-(expandtypeattribute (binder_device_28_0) true)
-(expandtypeattribute (binfmt_miscfs_28_0) true)
-(expandtypeattribute (blkid_28_0) true)
-(expandtypeattribute (blkid_untrusted_28_0) true)
-(expandtypeattribute (block_device_28_0) true)
-(expandtypeattribute (bluetooth_28_0) true)
-(expandtypeattribute (bluetooth_a2dp_offload_prop_28_0) true)
-(expandtypeattribute (bluetooth_data_file_28_0) true)
-(expandtypeattribute (bluetooth_efs_file_28_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_28_0) true)
-(expandtypeattribute (bluetooth_manager_service_28_0) true)
-(expandtypeattribute (bluetooth_prop_28_0) true)
-(expandtypeattribute (bluetooth_service_28_0) true)
-(expandtypeattribute (bluetooth_socket_28_0) true)
-(expandtypeattribute (bootanim_28_0) true)
-(expandtypeattribute (bootanim_exec_28_0) true)
-(expandtypeattribute (boot_block_device_28_0) true)
-(expandtypeattribute (bootchart_data_file_28_0) true)
-(expandtypeattribute (bootloader_boot_reason_prop_28_0) true)
-(expandtypeattribute (bootstat_28_0) true)
-(expandtypeattribute (bootstat_data_file_28_0) true)
-(expandtypeattribute (bootstat_exec_28_0) true)
-(expandtypeattribute (boottime_prop_28_0) true)
-(expandtypeattribute (boottrace_data_file_28_0) true)
-(expandtypeattribute (broadcastradio_service_28_0) true)
-(expandtypeattribute (bufferhubd_28_0) true)
-(expandtypeattribute (bufferhubd_exec_28_0) true)
-(expandtypeattribute (cache_backup_file_28_0) true)
-(expandtypeattribute (cache_block_device_28_0) true)
-(expandtypeattribute (cache_file_28_0) true)
-(expandtypeattribute (cache_private_backup_file_28_0) true)
-(expandtypeattribute (cache_recovery_file_28_0) true)
-(expandtypeattribute (camera_data_file_28_0) true)
-(expandtypeattribute (camera_device_28_0) true)
-(expandtypeattribute (cameraproxy_service_28_0) true)
-(expandtypeattribute (cameraserver_28_0) true)
-(expandtypeattribute (cameraserver_exec_28_0) true)
-(expandtypeattribute (cameraserver_service_28_0) true)
-(expandtypeattribute (cgroup_28_0) true)
-(expandtypeattribute (cgroup_bpf_28_0) true)
-(expandtypeattribute (charger_28_0) true)
-(expandtypeattribute (clatd_28_0) true)
-(expandtypeattribute (clatd_exec_28_0) true)
-(expandtypeattribute (clipboard_service_28_0) true)
-(expandtypeattribute (commontime_management_service_28_0) true)
-(expandtypeattribute (companion_device_service_28_0) true)
-(expandtypeattribute (configfs_28_0) true)
-(expandtypeattribute (config_prop_28_0) true)
-(expandtypeattribute (connectivity_service_28_0) true)
-(expandtypeattribute (connmetrics_service_28_0) true)
-(expandtypeattribute (console_device_28_0) true)
-(expandtypeattribute (consumer_ir_service_28_0) true)
-(expandtypeattribute (content_service_28_0) true)
-(expandtypeattribute (contexthub_service_28_0) true)
-(expandtypeattribute (coredump_file_28_0) true)
-(expandtypeattribute (country_detector_service_28_0) true)
-(expandtypeattribute (coverage_service_28_0) true)
-(expandtypeattribute (cppreopt_prop_28_0) true)
-(expandtypeattribute (cppreopts_28_0) true)
-(expandtypeattribute (cppreopts_exec_28_0) true)
-(expandtypeattribute (cpuctl_device_28_0) true)
-(expandtypeattribute (cpuinfo_service_28_0) true)
-(expandtypeattribute (crash_dump_28_0) true)
-(expandtypeattribute (crash_dump_exec_28_0) true)
-(expandtypeattribute (crossprofileapps_service_28_0) true)
-(expandtypeattribute (ctl_bootanim_prop_28_0) true)
-(expandtypeattribute (ctl_bugreport_prop_28_0) true)
-(expandtypeattribute (ctl_console_prop_28_0) true)
-(expandtypeattribute (ctl_default_prop_28_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_28_0) true)
-(expandtypeattribute (ctl_fuse_prop_28_0) true)
-(expandtypeattribute (ctl_interface_restart_prop_28_0) true)
-(expandtypeattribute (ctl_interface_start_prop_28_0) true)
-(expandtypeattribute (ctl_interface_stop_prop_28_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_28_0) true)
-(expandtypeattribute (ctl_restart_prop_28_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_28_0) true)
-(expandtypeattribute (ctl_sigstop_prop_28_0) true)
-(expandtypeattribute (ctl_start_prop_28_0) true)
-(expandtypeattribute (ctl_stop_prop_28_0) true)
-(expandtypeattribute (dalvikcache_data_file_28_0) true)
-(expandtypeattribute (dalvik_prop_28_0) true)
-(expandtypeattribute (dbinfo_service_28_0) true)
-(expandtypeattribute (debugfs_28_0) true)
-(expandtypeattribute (debugfs_mmc_28_0) true)
-(expandtypeattribute (debugfs_trace_marker_28_0) true)
-(expandtypeattribute (debugfs_tracing_28_0) true)
-(expandtypeattribute (debugfs_tracing_debug_28_0) true)
-(expandtypeattribute (debugfs_tracing_instances_28_0) true)
-(expandtypeattribute (debugfs_wakeup_sources_28_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_28_0) true)
-(expandtypeattribute (debuggerd_prop_28_0) true)
-(expandtypeattribute (debug_prop_28_0) true)
-(expandtypeattribute (default_android_hwservice_28_0) true)
-(expandtypeattribute (default_android_service_28_0) true)
-(expandtypeattribute (default_android_vndservice_28_0) true)
-(expandtypeattribute (default_prop_28_0) true)
-(expandtypeattribute (device_28_0) true)
-(expandtypeattribute (device_identifiers_service_28_0) true)
-(expandtypeattribute (deviceidle_service_28_0) true)
-(expandtypeattribute (device_logging_prop_28_0) true)
-(expandtypeattribute (device_policy_service_28_0) true)
-(expandtypeattribute (devicestoragemonitor_service_28_0) true)
-(expandtypeattribute (devpts_28_0) true)
-(expandtypeattribute (dex2oat_28_0) true)
-(expandtypeattribute (dex2oat_exec_28_0) true)
-(expandtypeattribute (dhcp_28_0) true)
-(expandtypeattribute (dhcp_data_file_28_0) true)
-(expandtypeattribute (dhcp_exec_28_0) true)
-(expandtypeattribute (dhcp_prop_28_0) true)
-(expandtypeattribute (diskstats_service_28_0) true)
-(expandtypeattribute (display_service_28_0) true)
-(expandtypeattribute (dm_device_28_0) true)
-(expandtypeattribute (dnsmasq_28_0) true)
-(expandtypeattribute (dnsmasq_exec_28_0) true)
-(expandtypeattribute (dnsproxyd_socket_28_0) true)
-(expandtypeattribute (DockObserver_service_28_0) true)
-(expandtypeattribute (dreams_service_28_0) true)
-(expandtypeattribute (drm_data_file_28_0) true)
-(expandtypeattribute (drmserver_28_0) true)
-(expandtypeattribute (drmserver_exec_28_0) true)
-(expandtypeattribute (drmserver_service_28_0) true)
-(expandtypeattribute (drmserver_socket_28_0) true)
-(expandtypeattribute (dropbox_service_28_0) true)
-(expandtypeattribute (dumpstate_28_0) true)
-(expandtypeattribute (dumpstate_exec_28_0) true)
-(expandtypeattribute (dumpstate_options_prop_28_0) true)
-(expandtypeattribute (dumpstate_prop_28_0) true)
-(expandtypeattribute (dumpstate_service_28_0) true)
-(expandtypeattribute (dumpstate_socket_28_0) true)
-(expandtypeattribute (e2fs_28_0) true)
-(expandtypeattribute (e2fs_exec_28_0) true)
-(expandtypeattribute (efs_file_28_0) true)
-(expandtypeattribute (ephemeral_app_28_0) true)
-(expandtypeattribute (ethernet_service_28_0) true)
-(expandtypeattribute (exfat_28_0) true)
-(expandtypeattribute (exported2_config_prop_28_0) true)
-(expandtypeattribute (exported2_default_prop_28_0) true)
-(expandtypeattribute (exported2_radio_prop_28_0) true)
-(expandtypeattribute (exported2_system_prop_28_0) true)
-(expandtypeattribute (exported2_vold_prop_28_0) true)
-(expandtypeattribute (exported3_default_prop_28_0) true)
-(expandtypeattribute (exported3_radio_prop_28_0) true)
-(expandtypeattribute (exported3_system_prop_28_0) true)
-(expandtypeattribute (exported_audio_prop_28_0) true)
-(expandtypeattribute (exported_bluetooth_prop_28_0) true)
-(expandtypeattribute (exported_config_prop_28_0) true)
-(expandtypeattribute (exported_dalvik_prop_28_0) true)
-(expandtypeattribute (exported_default_prop_28_0) true)
-(expandtypeattribute (exported_dumpstate_prop_28_0) true)
-(expandtypeattribute (exported_ffs_prop_28_0) true)
-(expandtypeattribute (exported_fingerprint_prop_28_0) true)
-(expandtypeattribute (exported_overlay_prop_28_0) true)
-(expandtypeattribute (exported_pm_prop_28_0) true)
-(expandtypeattribute (exported_radio_prop_28_0) true)
-(expandtypeattribute (exported_secure_prop_28_0) true)
-(expandtypeattribute (exported_system_prop_28_0) true)
-(expandtypeattribute (exported_system_radio_prop_28_0) true)
-(expandtypeattribute (exported_vold_prop_28_0) true)
-(expandtypeattribute (exported_wifi_prop_28_0) true)
-(expandtypeattribute (ffs_prop_28_0) true)
-(expandtypeattribute (file_contexts_file_28_0) true)
-(expandtypeattribute (fingerprintd_28_0) true)
-(expandtypeattribute (fingerprintd_data_file_28_0) true)
-(expandtypeattribute (fingerprintd_exec_28_0) true)
-(expandtypeattribute (fingerprintd_service_28_0) true)
-(expandtypeattribute (fingerprint_prop_28_0) true)
-(expandtypeattribute (fingerprint_service_28_0) true)
-(expandtypeattribute (fingerprint_vendor_data_file_28_0) true)
-(expandtypeattribute (firstboot_prop_28_0) true)
-(expandtypeattribute (font_service_28_0) true)
-(expandtypeattribute (frp_block_device_28_0) true)
-(expandtypeattribute (fs_bpf_28_0) true)
-(expandtypeattribute (fsck_28_0) true)
-(expandtypeattribute (fsck_exec_28_0) true)
-(expandtypeattribute (fscklogs_28_0) true)
-(expandtypeattribute (fsck_untrusted_28_0) true)
-(expandtypeattribute (full_device_28_0) true)
-(expandtypeattribute (functionfs_28_0) true)
-(expandtypeattribute (fuse_28_0) true)
-(expandtypeattribute (fuse_device_28_0) true)
-(expandtypeattribute (fwk_display_hwservice_28_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_28_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_28_0) true)
-(expandtypeattribute (fwmarkd_socket_28_0) true)
-(expandtypeattribute (gatekeeperd_28_0) true)
-(expandtypeattribute (gatekeeper_data_file_28_0) true)
-(expandtypeattribute (gatekeeperd_exec_28_0) true)
-(expandtypeattribute (gatekeeper_service_28_0) true)
-(expandtypeattribute (gfxinfo_service_28_0) true)
-(expandtypeattribute (gps_control_28_0) true)
-(expandtypeattribute (gpu_device_28_0) true)
-(expandtypeattribute (gpu_service_28_0) true)
-(expandtypeattribute (graphics_device_28_0) true)
-(expandtypeattribute (graphicsstats_service_28_0) true)
-(expandtypeattribute (hal_audiocontrol_hwservice_28_0) true)
-(expandtypeattribute (hal_audio_hwservice_28_0) true)
-(expandtypeattribute (hal_authsecret_hwservice_28_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_28_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_28_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_28_0) true)
-(expandtypeattribute (hal_camera_hwservice_28_0) true)
-(expandtypeattribute (hal_cas_hwservice_28_0) true)
-(expandtypeattribute (hal_codec2_hwservice_28_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_28_0) true)
-(expandtypeattribute (hal_confirmationui_hwservice_28_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_28_0) true)
-(expandtypeattribute (hal_drm_hwservice_28_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_28_0) true)
-(expandtypeattribute (hal_evs_hwservice_28_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_28_0) true)
-(expandtypeattribute (hal_fingerprint_service_28_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_28_0) true)
-(expandtypeattribute (hal_gnss_hwservice_28_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_28_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_28_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_28_0) true)
-(expandtypeattribute (hal_health_hwservice_28_0) true)
-(expandtypeattribute (hal_ir_hwservice_28_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_28_0) true)
-(expandtypeattribute (hal_light_hwservice_28_0) true)
-(expandtypeattribute (hal_lowpan_hwservice_28_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_28_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_28_0) true)
-(expandtypeattribute (hal_nfc_hwservice_28_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_28_0) true)
-(expandtypeattribute (hal_omx_hwservice_28_0) true)
-(expandtypeattribute (hal_power_hwservice_28_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_28_0) true)
-(expandtypeattribute (hal_secure_element_hwservice_28_0) true)
-(expandtypeattribute (hal_sensors_hwservice_28_0) true)
-(expandtypeattribute (hal_telephony_hwservice_28_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_28_0) true)
-(expandtypeattribute (hal_thermal_hwservice_28_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_28_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_28_0) true)
-(expandtypeattribute (hal_usb_gadget_hwservice_28_0) true)
-(expandtypeattribute (hal_usb_hwservice_28_0) true)
-(expandtypeattribute (hal_vehicle_hwservice_28_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_28_0) true)
-(expandtypeattribute (hal_vr_hwservice_28_0) true)
-(expandtypeattribute (hal_weaver_hwservice_28_0) true)
-(expandtypeattribute (hal_wifi_hostapd_hwservice_28_0) true)
-(expandtypeattribute (hal_wifi_hwservice_28_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_28_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_28_0) true)
-(expandtypeattribute (hardware_properties_service_28_0) true)
-(expandtypeattribute (hardware_service_28_0) true)
-(expandtypeattribute (hci_attach_dev_28_0) true)
-(expandtypeattribute (hdmi_control_service_28_0) true)
-(expandtypeattribute (healthd_28_0) true)
-(expandtypeattribute (healthd_exec_28_0) true)
-(expandtypeattribute (heapdump_data_file_28_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_28_0) true)
-(expandtypeattribute (hidl_base_hwservice_28_0) true)
-(expandtypeattribute (hidl_manager_hwservice_28_0) true)
-(expandtypeattribute (hidl_memory_hwservice_28_0) true)
-(expandtypeattribute (hidl_token_hwservice_28_0) true)
-(expandtypeattribute (hwbinder_device_28_0) true)
-(expandtypeattribute (hw_random_device_28_0) true)
-(expandtypeattribute (hwservice_contexts_file_28_0) true)
-(expandtypeattribute (hwservicemanager_28_0) true)
-(expandtypeattribute (hwservicemanager_exec_28_0) true)
-(expandtypeattribute (hwservicemanager_prop_28_0) true)
-(expandtypeattribute (i2c_device_28_0) true)
-(expandtypeattribute (icon_file_28_0) true)
-(expandtypeattribute (idmap_28_0) true)
-(expandtypeattribute (idmap_exec_28_0) true)
-(expandtypeattribute (iio_device_28_0) true)
-(expandtypeattribute (imms_service_28_0) true)
-(expandtypeattribute (incident_28_0) true)
-(expandtypeattribute (incidentd_28_0) true)
-(expandtypeattribute (incident_data_file_28_0) true)
-(expandtypeattribute (incident_helper_28_0) true)
-(expandtypeattribute (incident_service_28_0) true)
-(expandtypeattribute (init_28_0) true)
-(expandtypeattribute (init_exec_28_0) true)
-(expandtypeattribute (inotify_28_0) true)
-(expandtypeattribute (input_device_28_0) true)
-(expandtypeattribute (inputflinger_28_0) true)
-(expandtypeattribute (inputflinger_exec_28_0) true)
-(expandtypeattribute (inputflinger_service_28_0) true)
-(expandtypeattribute (input_method_service_28_0) true)
-(expandtypeattribute (input_service_28_0) true)
-(expandtypeattribute (installd_28_0) true)
-(expandtypeattribute (install_data_file_28_0) true)
-(expandtypeattribute (installd_exec_28_0) true)
-(expandtypeattribute (installd_service_28_0) true)
-(expandtypeattribute (install_recovery_28_0) true)
-(expandtypeattribute (install_recovery_exec_28_0) true)
-(expandtypeattribute (ion_device_28_0) true)
-(expandtypeattribute (IProxyService_service_28_0) true)
-(expandtypeattribute (ipsec_service_28_0) true)
-(expandtypeattribute (isolated_app_28_0) true)
-(expandtypeattribute (jobscheduler_service_28_0) true)
-(expandtypeattribute (kernel_28_0) true)
-(expandtypeattribute (keychain_data_file_28_0) true)
-(expandtypeattribute (keychord_device_28_0) true)
-(expandtypeattribute (keystore_28_0) true)
-(expandtypeattribute (keystore_data_file_28_0) true)
-(expandtypeattribute (keystore_exec_28_0) true)
-(expandtypeattribute (keystore_service_28_0) true)
-(expandtypeattribute (kmem_device_28_0) true)
-(expandtypeattribute (kmsg_debug_device_28_0) true)
-(expandtypeattribute (kmsg_device_28_0) true)
-(expandtypeattribute (labeledfs_28_0) true)
-(expandtypeattribute (last_boot_reason_prop_28_0) true)
-(expandtypeattribute (launcherapps_service_28_0) true)
-(expandtypeattribute (lmkd_28_0) true)
-(expandtypeattribute (lmkd_exec_28_0) true)
-(expandtypeattribute (lmkd_socket_28_0) true)
-(expandtypeattribute (location_service_28_0) true)
-(expandtypeattribute (lock_settings_service_28_0) true)
-(expandtypeattribute (logcat_exec_28_0) true)
-(expandtypeattribute (logd_28_0) true)
-(expandtypeattribute (logd_exec_28_0) true)
-(expandtypeattribute (logd_prop_28_0) true)
-(expandtypeattribute (logdr_socket_28_0) true)
-(expandtypeattribute (logd_socket_28_0) true)
-(expandtypeattribute (logdw_socket_28_0) true)
-(expandtypeattribute (logpersist_28_0) true)
-(expandtypeattribute (logpersistd_logging_prop_28_0) true)
-(expandtypeattribute (log_prop_28_0) true)
-(expandtypeattribute (log_tag_prop_28_0) true)
-(expandtypeattribute (loop_control_device_28_0) true)
-(expandtypeattribute (loop_device_28_0) true)
-(expandtypeattribute (lowpan_device_28_0) true)
-(expandtypeattribute (lowpan_prop_28_0) true)
-(expandtypeattribute (lowpan_service_28_0) true)
-(expandtypeattribute (mac_perms_file_28_0) true)
-(expandtypeattribute (mdnsd_28_0) true)
-(expandtypeattribute (mdnsd_socket_28_0) true)
-(expandtypeattribute (mdns_socket_28_0) true)
-(expandtypeattribute (mediacodec_28_0) true)
-(expandtypeattribute (mediacodec_exec_28_0) true)
-(expandtypeattribute (mediacodec_service_28_0) true)
-(expandtypeattribute (media_data_file_28_0) true)
-(expandtypeattribute (mediadrmserver_28_0) true)
-(expandtypeattribute (mediadrmserver_exec_28_0) true)
-(expandtypeattribute (mediadrmserver_service_28_0) true)
-(expandtypeattribute (mediaextractor_28_0) true)
-(expandtypeattribute (mediaextractor_exec_28_0) true)
-(expandtypeattribute (mediaextractor_service_28_0) true)
-(expandtypeattribute (mediaextractor_update_service_28_0) true)
-(expandtypeattribute (mediametrics_28_0) true)
-(expandtypeattribute (mediametrics_exec_28_0) true)
-(expandtypeattribute (mediametrics_service_28_0) true)
-(expandtypeattribute (media_projection_service_28_0) true)
-(expandtypeattribute (mediaprovider_28_0) true)
-(expandtypeattribute (media_router_service_28_0) true)
-(expandtypeattribute (media_rw_data_file_28_0) true)
-(expandtypeattribute (mediaserver_28_0) true)
-(expandtypeattribute (mediaserver_exec_28_0) true)
-(expandtypeattribute (mediaserver_service_28_0) true)
-(expandtypeattribute (media_session_service_28_0) true)
-(expandtypeattribute (meminfo_service_28_0) true)
-(expandtypeattribute (metadata_block_device_28_0) true)
-(expandtypeattribute (metadata_file_28_0) true)
-(expandtypeattribute (method_trace_data_file_28_0) true)
-(expandtypeattribute (midi_service_28_0) true)
-(expandtypeattribute (misc_block_device_28_0) true)
-(expandtypeattribute (misc_logd_file_28_0) true)
-(expandtypeattribute (misc_user_data_file_28_0) true)
-(expandtypeattribute (mmc_prop_28_0) true)
-(expandtypeattribute (mnt_expand_file_28_0) true)
-(expandtypeattribute (mnt_media_rw_file_28_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_28_0) true)
-(expandtypeattribute (mnt_user_file_28_0) true)
-(expandtypeattribute (mnt_vendor_file_28_0) true)
-(expandtypeattribute (modprobe_28_0) true)
-(expandtypeattribute (mount_service_28_0) true)
-(expandtypeattribute (mqueue_28_0) true)
-(expandtypeattribute (mtd_device_28_0) true)
-(expandtypeattribute (mtp_28_0) true)
-(expandtypeattribute (mtp_device_28_0) true)
-(expandtypeattribute (mtpd_socket_28_0) true)
-(expandtypeattribute (mtp_exec_28_0) true)
-(expandtypeattribute (nativetest_data_file_28_0) true)
-(expandtypeattribute (netd_28_0) true)
-(expandtypeattribute (net_data_file_28_0) true)
-(expandtypeattribute (netd_exec_28_0) true)
-(expandtypeattribute (netd_listener_service_28_0) true)
-(expandtypeattribute (net_dns_prop_28_0) true)
-(expandtypeattribute (netd_service_28_0) true)
-(expandtypeattribute (netd_socket_28_0) true)
-(expandtypeattribute (netd_stable_secret_prop_28_0) true)
-(expandtypeattribute (netif_28_0) true)
-(expandtypeattribute (netpolicy_service_28_0) true)
-(expandtypeattribute (net_radio_prop_28_0) true)
-(expandtypeattribute (netstats_service_28_0) true)
-(expandtypeattribute (netutils_wrapper_28_0) true)
-(expandtypeattribute (netutils_wrapper_exec_28_0) true)
-(expandtypeattribute (network_management_service_28_0) true)
-(expandtypeattribute (network_score_service_28_0) true)
-(expandtypeattribute (network_time_update_service_28_0) true)
-(expandtypeattribute (network_watchlist_data_file_28_0) true)
-(expandtypeattribute (network_watchlist_service_28_0) true)
-(expandtypeattribute (nfc_28_0) true)
-(expandtypeattribute (nfc_data_file_28_0) true)
-(expandtypeattribute (nfc_device_28_0) true)
-(expandtypeattribute (nfc_prop_28_0) true)
-(expandtypeattribute (nfc_service_28_0) true)
-(expandtypeattribute (node_28_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_28_0) true)
-(expandtypeattribute (notification_service_28_0) true)
-(expandtypeattribute (null_device_28_0) true)
-(expandtypeattribute (oemfs_28_0) true)
-(expandtypeattribute (oem_lock_service_28_0) true)
-(expandtypeattribute (ota_data_file_28_0) true)
-(expandtypeattribute (otadexopt_service_28_0) true)
-(expandtypeattribute (ota_package_file_28_0) true)
-(expandtypeattribute (otapreopt_chroot_28_0) true)
-(expandtypeattribute (otapreopt_chroot_exec_28_0) true)
-(expandtypeattribute (otapreopt_slot_28_0) true)
-(expandtypeattribute (otapreopt_slot_exec_28_0) true)
-(expandtypeattribute (overlay_prop_28_0) true)
-(expandtypeattribute (overlay_service_28_0) true)
-(expandtypeattribute (owntty_device_28_0) true)
-(expandtypeattribute (package_native_service_28_0) true)
-(expandtypeattribute (package_service_28_0) true)
-(expandtypeattribute (pan_result_prop_28_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_28_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_28_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_28_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_display_dir_28_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_28_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_28_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_28_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_28_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_28_0) true)
-(expandtypeattribute (pdx_performance_dir_28_0) true)
-(expandtypeattribute (performanced_28_0) true)
-(expandtypeattribute (performanced_exec_28_0) true)
-(expandtypeattribute (permission_service_28_0) true)
-(expandtypeattribute (persist_debug_prop_28_0) true)
-(expandtypeattribute (persistent_data_block_service_28_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_28_0) true)
-(expandtypeattribute (pinner_service_28_0) true)
-(expandtypeattribute (pipefs_28_0) true)
-(expandtypeattribute (platform_app_28_0) true)
-(expandtypeattribute (pm_prop_28_0) true)
-(expandtypeattribute (pmsg_device_28_0) true)
-(expandtypeattribute (port_28_0) true)
-(expandtypeattribute (port_device_28_0) true)
-(expandtypeattribute (postinstall_28_0) true)
-(expandtypeattribute (postinstall_dexopt_28_0) true)
-(expandtypeattribute (postinstall_file_28_0) true)
-(expandtypeattribute (postinstall_mnt_dir_28_0) true)
-(expandtypeattribute (powerctl_prop_28_0) true)
-(expandtypeattribute (power_service_28_0) true)
-(expandtypeattribute (ppp_28_0) true)
-(expandtypeattribute (ppp_device_28_0) true)
-(expandtypeattribute (ppp_exec_28_0) true)
-(expandtypeattribute (preloads_data_file_28_0) true)
-(expandtypeattribute (preloads_media_file_28_0) true)
-(expandtypeattribute (preopt2cachename_28_0) true)
-(expandtypeattribute (preopt2cachename_exec_28_0) true)
-(expandtypeattribute (print_service_28_0) true)
-(expandtypeattribute (priv_app_28_0) true)
-(expandtypeattribute (proc_28_0) true)
-(expandtypeattribute (proc_abi_28_0) true)
-(expandtypeattribute (proc_asound_28_0) true)
-(expandtypeattribute (proc_bluetooth_writable_28_0) true)
-(expandtypeattribute (proc_buddyinfo_28_0) true)
-(expandtypeattribute (proc_cmdline_28_0) true)
-(expandtypeattribute (proc_cpuinfo_28_0) true)
-(expandtypeattribute (proc_dirty_28_0) true)
-(expandtypeattribute (proc_diskstats_28_0) true)
-(expandtypeattribute (proc_drop_caches_28_0) true)
-(expandtypeattribute (processinfo_service_28_0) true)
-(expandtypeattribute (proc_extra_free_kbytes_28_0) true)
-(expandtypeattribute (proc_filesystems_28_0) true)
-(expandtypeattribute (proc_hostname_28_0) true)
-(expandtypeattribute (proc_hung_task_28_0) true)
-(expandtypeattribute (proc_interrupts_28_0) true)
-(expandtypeattribute (proc_iomem_28_0) true)
-(expandtypeattribute (proc_kmsg_28_0) true)
-(expandtypeattribute (proc_loadavg_28_0) true)
-(expandtypeattribute (proc_max_map_count_28_0) true)
-(expandtypeattribute (proc_meminfo_28_0) true)
-(expandtypeattribute (proc_min_free_order_shift_28_0) true)
-(expandtypeattribute (proc_misc_28_0) true)
-(expandtypeattribute (proc_modules_28_0) true)
-(expandtypeattribute (proc_mounts_28_0) true)
-(expandtypeattribute (proc_net_28_0) true)
-(expandtypeattribute (proc_overcommit_memory_28_0) true)
-(expandtypeattribute (proc_page_cluster_28_0) true)
-(expandtypeattribute (proc_pagetypeinfo_28_0) true)
-(expandtypeattribute (proc_panic_28_0) true)
-(expandtypeattribute (proc_perf_28_0) true)
-(expandtypeattribute (proc_pid_max_28_0) true)
-(expandtypeattribute (proc_pipe_conf_28_0) true)
-(expandtypeattribute (proc_qtaguid_stat_28_0) true)
-(expandtypeattribute (proc_random_28_0) true)
-(expandtypeattribute (proc_sched_28_0) true)
-(expandtypeattribute (proc_security_28_0) true)
-(expandtypeattribute (proc_stat_28_0) true)
-(expandtypeattribute (procstats_service_28_0) true)
-(expandtypeattribute (proc_swaps_28_0) true)
-(expandtypeattribute (proc_sysrq_28_0) true)
-(expandtypeattribute (proc_timer_28_0) true)
-(expandtypeattribute (proc_tty_drivers_28_0) true)
-(expandtypeattribute (proc_uid_concurrent_active_time_28_0) true)
-(expandtypeattribute (proc_uid_concurrent_policy_time_28_0) true)
-(expandtypeattribute (proc_uid_cpupower_28_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_28_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_28_0) true)
-(expandtypeattribute (proc_uid_io_stats_28_0) true)
-(expandtypeattribute (proc_uid_procstat_set_28_0) true)
-(expandtypeattribute (proc_uid_time_in_state_28_0) true)
-(expandtypeattribute (proc_uptime_28_0) true)
-(expandtypeattribute (proc_version_28_0) true)
-(expandtypeattribute (proc_vmallocinfo_28_0) true)
-(expandtypeattribute (proc_vmstat_28_0) true)
-(expandtypeattribute (proc_zoneinfo_28_0) true)
-(expandtypeattribute (profman_28_0) true)
-(expandtypeattribute (profman_dump_data_file_28_0) true)
-(expandtypeattribute (profman_exec_28_0) true)
-(expandtypeattribute (properties_device_28_0) true)
-(expandtypeattribute (properties_serial_28_0) true)
-(expandtypeattribute (property_contexts_file_28_0) true)
-(expandtypeattribute (property_data_file_28_0) true)
-(expandtypeattribute (property_info_28_0) true)
-(expandtypeattribute (property_socket_28_0) true)
-(expandtypeattribute (pstorefs_28_0) true)
-(expandtypeattribute (ptmx_device_28_0) true)
-(expandtypeattribute (qtaguid_device_28_0) true)
-(expandtypeattribute (qtaguid_proc_28_0) true)
-(expandtypeattribute (racoon_28_0) true)
-(expandtypeattribute (racoon_exec_28_0) true)
-(expandtypeattribute (racoon_socket_28_0) true)
-(expandtypeattribute (radio_28_0) true)
-(expandtypeattribute (radio_data_file_28_0) true)
-(expandtypeattribute (radio_device_28_0) true)
-(expandtypeattribute (radio_prop_28_0) true)
-(expandtypeattribute (radio_service_28_0) true)
-(expandtypeattribute (ram_device_28_0) true)
-(expandtypeattribute (random_device_28_0) true)
-(expandtypeattribute (recovery_28_0) true)
-(expandtypeattribute (recovery_block_device_28_0) true)
-(expandtypeattribute (recovery_data_file_28_0) true)
-(expandtypeattribute (recovery_persist_28_0) true)
-(expandtypeattribute (recovery_persist_exec_28_0) true)
-(expandtypeattribute (recovery_refresh_28_0) true)
-(expandtypeattribute (recovery_refresh_exec_28_0) true)
-(expandtypeattribute (recovery_service_28_0) true)
-(expandtypeattribute (registry_service_28_0) true)
-(expandtypeattribute (resourcecache_data_file_28_0) true)
-(expandtypeattribute (restorecon_prop_28_0) true)
-(expandtypeattribute (restrictions_service_28_0) true)
-(expandtypeattribute (rild_debug_socket_28_0) true)
-(expandtypeattribute (rild_socket_28_0) true)
-(expandtypeattribute (ringtone_file_28_0) true)
-(expandtypeattribute (root_block_device_28_0) true)
-(expandtypeattribute (rootfs_28_0) true)
-(expandtypeattribute (rpmsg_device_28_0) true)
-(expandtypeattribute (rtc_device_28_0) true)
-(expandtypeattribute (rttmanager_service_28_0) true)
-(expandtypeattribute (runas_28_0) true)
-(expandtypeattribute (runas_exec_28_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_28_0) true)
-(expandtypeattribute (safemode_prop_28_0) true)
-(expandtypeattribute (same_process_hal_file_28_0) true)
-(expandtypeattribute (samplingprofiler_service_28_0) true)
-(expandtypeattribute (scheduling_policy_service_28_0) true)
-(expandtypeattribute (sdcardd_28_0) true)
-(expandtypeattribute (sdcardd_exec_28_0) true)
-(expandtypeattribute (sdcardfs_28_0) true)
-(expandtypeattribute (seapp_contexts_file_28_0) true)
-(expandtypeattribute (search_service_28_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_28_0) true)
-(expandtypeattribute (secure_element_28_0) true)
-(expandtypeattribute (secure_element_device_28_0) true)
-(expandtypeattribute (secure_element_service_28_0) true)
-(expandtypeattribute (selinuxfs_28_0) true)
-(expandtypeattribute (sensors_device_28_0) true)
-(expandtypeattribute (sensorservice_service_28_0) true)
-(expandtypeattribute (sepolicy_file_28_0) true)
-(expandtypeattribute (serial_device_28_0) true)
-(expandtypeattribute (serialno_prop_28_0) true)
-(expandtypeattribute (serial_service_28_0) true)
-(expandtypeattribute (service_contexts_file_28_0) true)
-(expandtypeattribute (servicediscovery_service_28_0) true)
-(expandtypeattribute (servicemanager_28_0) true)
-(expandtypeattribute (servicemanager_exec_28_0) true)
-(expandtypeattribute (settings_service_28_0) true)
-(expandtypeattribute (sgdisk_28_0) true)
-(expandtypeattribute (sgdisk_exec_28_0) true)
-(expandtypeattribute (shared_relro_28_0) true)
-(expandtypeattribute (shared_relro_file_28_0) true)
-(expandtypeattribute (shell_28_0) true)
-(expandtypeattribute (shell_data_file_28_0) true)
-(expandtypeattribute (shell_exec_28_0) true)
-(expandtypeattribute (shell_prop_28_0) true)
-(expandtypeattribute (shm_28_0) true)
-(expandtypeattribute (shortcut_manager_icons_28_0) true)
-(expandtypeattribute (shortcut_service_28_0) true)
-(expandtypeattribute (slice_service_28_0) true)
-(expandtypeattribute (slideshow_28_0) true)
-(expandtypeattribute (socket_device_28_0) true)
-(expandtypeattribute (sockfs_28_0) true)
-(expandtypeattribute (statusbar_service_28_0) true)
-(expandtypeattribute (storaged_service_28_0) true)
-(expandtypeattribute (storage_file_28_0) true)
-(expandtypeattribute (storagestats_service_28_0) true)
-(expandtypeattribute (storage_stub_file_28_0) true)
-(expandtypeattribute (su_28_0) true)
-(expandtypeattribute (su_exec_28_0) true)
-(expandtypeattribute (surfaceflinger_28_0) true)
-(expandtypeattribute (surfaceflinger_service_28_0) true)
-(expandtypeattribute (swap_block_device_28_0) true)
-(expandtypeattribute (sysfs_28_0) true)
-(expandtypeattribute (sysfs_android_usb_28_0) true)
-(expandtypeattribute (sysfs_batteryinfo_28_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_28_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_28_0) true)
-(expandtypeattribute (sysfs_dm_28_0) true)
-(expandtypeattribute (sysfs_dt_firmware_android_28_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_28_0) true)
-(expandtypeattribute (sysfs_hwrandom_28_0) true)
-(expandtypeattribute (sysfs_ipv4_28_0) true)
-(expandtypeattribute (sysfs_kernel_notes_28_0) true)
-(expandtypeattribute (sysfs_leds_28_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_28_0) true)
-(expandtypeattribute (sysfs_mac_address_28_0) true)
-(expandtypeattribute (sysfs_net_28_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_28_0) true)
-(expandtypeattribute (sysfs_power_28_0) true)
-(expandtypeattribute (sysfs_rtc_28_0) true)
-(expandtypeattribute (sysfs_switch_28_0) true)
-(expandtypeattribute (sysfs_thermal_28_0) true)
-(expandtypeattribute (sysfs_uio_28_0) true)
-(expandtypeattribute (sysfs_usb_28_0) true)
-(expandtypeattribute (sysfs_usermodehelper_28_0) true)
-(expandtypeattribute (sysfs_vibrator_28_0) true)
-(expandtypeattribute (sysfs_wake_lock_28_0) true)
-(expandtypeattribute (sysfs_wakeup_reasons_28_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_28_0) true)
-(expandtypeattribute (sysfs_zram_28_0) true)
-(expandtypeattribute (sysfs_zram_uevent_28_0) true)
-(expandtypeattribute (system_app_28_0) true)
-(expandtypeattribute (system_app_data_file_28_0) true)
-(expandtypeattribute (system_app_service_28_0) true)
-(expandtypeattribute (system_block_device_28_0) true)
-(expandtypeattribute (system_boot_reason_prop_28_0) true)
-(expandtypeattribute (system_data_file_28_0) true)
-(expandtypeattribute (system_file_28_0) true)
-(expandtypeattribute (systemkeys_data_file_28_0) true)
-(expandtypeattribute (system_ndebug_socket_28_0) true)
-(expandtypeattribute (system_net_netd_hwservice_28_0) true)
-(expandtypeattribute (system_prop_28_0) true)
-(expandtypeattribute (system_radio_prop_28_0) true)
-(expandtypeattribute (system_server_28_0) true)
-(expandtypeattribute (system_update_service_28_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_28_0) true)
-(expandtypeattribute (system_wpa_socket_28_0) true)
-(expandtypeattribute (task_service_28_0) true)
-(expandtypeattribute (tee_28_0) true)
-(expandtypeattribute (tee_data_file_28_0) true)
-(expandtypeattribute (tee_device_28_0) true)
-(expandtypeattribute (telecom_service_28_0) true)
-(expandtypeattribute (test_boot_reason_prop_28_0) true)
-(expandtypeattribute (textclassification_service_28_0) true)
-(expandtypeattribute (textclassifier_data_file_28_0) true)
-(expandtypeattribute (textservices_service_28_0) true)
-(expandtypeattribute (thermalcallback_hwservice_28_0) true)
-(expandtypeattribute (thermal_service_28_0) true)
-(expandtypeattribute (timezone_service_28_0) true)
-(expandtypeattribute (tmpfs_28_0) true)
-(expandtypeattribute (tombstoned_28_0) true)
-(expandtypeattribute (tombstone_data_file_28_0) true)
-(expandtypeattribute (tombstoned_crash_socket_28_0) true)
-(expandtypeattribute (tombstoned_exec_28_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_28_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_28_0) true)
-(expandtypeattribute (tombstone_wifi_data_file_28_0) true)
-(expandtypeattribute (toolbox_28_0) true)
-(expandtypeattribute (toolbox_exec_28_0) true)
-(expandtypeattribute (trace_data_file_28_0) true)
-(expandtypeattribute (traced_consumer_socket_28_0) true)
-(expandtypeattribute (traced_enabled_prop_28_0) true)
-(expandtypeattribute (traced_probes_28_0) true)
-(expandtypeattribute (traced_producer_socket_28_0) true)
-(expandtypeattribute (traceur_app_28_0) true)
-(expandtypeattribute (trust_service_28_0) true)
-(expandtypeattribute (tty_device_28_0) true)
-(expandtypeattribute (tun_device_28_0) true)
-(expandtypeattribute (tv_input_service_28_0) true)
-(expandtypeattribute (tzdatacheck_28_0) true)
-(expandtypeattribute (tzdatacheck_exec_28_0) true)
-(expandtypeattribute (ueventd_28_0) true)
-(expandtypeattribute (uhid_device_28_0) true)
-(expandtypeattribute (uimode_service_28_0) true)
-(expandtypeattribute (uio_device_28_0) true)
-(expandtypeattribute (uncrypt_28_0) true)
-(expandtypeattribute (uncrypt_exec_28_0) true)
-(expandtypeattribute (uncrypt_socket_28_0) true)
-(expandtypeattribute (unencrypted_data_file_28_0) true)
-(expandtypeattribute (unlabeled_28_0) true)
-(expandtypeattribute (untrusted_app_25_28_0) true)
-(expandtypeattribute (untrusted_app_27_28_0) true)
-(expandtypeattribute (untrusted_app_28_0) true)
-(expandtypeattribute (untrusted_v2_app_28_0) true)
-(expandtypeattribute (update_engine_28_0) true)
-(expandtypeattribute (update_engine_data_file_28_0) true)
-(expandtypeattribute (update_engine_exec_28_0) true)
-(expandtypeattribute (update_engine_log_data_file_28_0) true)
-(expandtypeattribute (update_engine_service_28_0) true)
-(expandtypeattribute (updatelock_service_28_0) true)
-(expandtypeattribute (update_verifier_28_0) true)
-(expandtypeattribute (update_verifier_exec_28_0) true)
-(expandtypeattribute (usagestats_service_28_0) true)
-(expandtypeattribute (usbaccessory_device_28_0) true)
-(expandtypeattribute (usbd_28_0) true)
-(expandtypeattribute (usb_device_28_0) true)
-(expandtypeattribute (usbd_exec_28_0) true)
-(expandtypeattribute (usbfs_28_0) true)
-(expandtypeattribute (usb_service_28_0) true)
-(expandtypeattribute (userdata_block_device_28_0) true)
-(expandtypeattribute (usermodehelper_28_0) true)
-(expandtypeattribute (user_profile_data_file_28_0) true)
-(expandtypeattribute (user_service_28_0) true)
-(expandtypeattribute (vcs_device_28_0) true)
-(expandtypeattribute (vdc_28_0) true)
-(expandtypeattribute (vdc_exec_28_0) true)
-(expandtypeattribute (vendor_app_file_28_0) true)
-(expandtypeattribute (vendor_configs_file_28_0) true)
-(expandtypeattribute (vendor_data_file_28_0) true)
-(expandtypeattribute (vendor_default_prop_28_0) true)
-(expandtypeattribute (vendor_file_28_0) true)
-(expandtypeattribute (vendor_framework_file_28_0) true)
-(expandtypeattribute (vendor_hal_file_28_0) true)
-(expandtypeattribute (vendor_init_28_0) true)
-(expandtypeattribute (vendor_overlay_file_28_0) true)
-(expandtypeattribute (vendor_security_patch_level_prop_28_0) true)
-(expandtypeattribute (vendor_shell_28_0) true)
-(expandtypeattribute (vendor_shell_exec_28_0) true)
-(expandtypeattribute (vendor_toolbox_exec_28_0) true)
-(expandtypeattribute (vfat_28_0) true)
-(expandtypeattribute (vibrator_service_28_0) true)
-(expandtypeattribute (video_device_28_0) true)
-(expandtypeattribute (virtual_touchpad_28_0) true)
-(expandtypeattribute (virtual_touchpad_exec_28_0) true)
-(expandtypeattribute (virtual_touchpad_service_28_0) true)
-(expandtypeattribute (vndbinder_device_28_0) true)
-(expandtypeattribute (vndk_sp_file_28_0) true)
-(expandtypeattribute (vndservice_contexts_file_28_0) true)
-(expandtypeattribute (vndservicemanager_28_0) true)
-(expandtypeattribute (voiceinteraction_service_28_0) true)
-(expandtypeattribute (vold_28_0) true)
-(expandtypeattribute (vold_data_file_28_0) true)
-(expandtypeattribute (vold_device_28_0) true)
-(expandtypeattribute (vold_exec_28_0) true)
-(expandtypeattribute (vold_metadata_file_28_0) true)
-(expandtypeattribute (vold_prepare_subdirs_28_0) true)
-(expandtypeattribute (vold_prepare_subdirs_exec_28_0) true)
-(expandtypeattribute (vold_prop_28_0) true)
-(expandtypeattribute (vold_service_28_0) true)
-(expandtypeattribute (vpn_data_file_28_0) true)
-(expandtypeattribute (vr_hwc_28_0) true)
-(expandtypeattribute (vr_hwc_exec_28_0) true)
-(expandtypeattribute (vr_hwc_service_28_0) true)
-(expandtypeattribute (vr_manager_service_28_0) true)
-(expandtypeattribute (wallpaper_file_28_0) true)
-(expandtypeattribute (wallpaper_service_28_0) true)
-(expandtypeattribute (watchdogd_28_0) true)
-(expandtypeattribute (watchdog_device_28_0) true)
-(expandtypeattribute (webviewupdate_service_28_0) true)
-(expandtypeattribute (webview_zygote_28_0) true)
-(expandtypeattribute (webview_zygote_exec_28_0) true)
-(expandtypeattribute (wifiaware_service_28_0) true)
-(expandtypeattribute (wificond_28_0) true)
-(expandtypeattribute (wificond_exec_28_0) true)
-(expandtypeattribute (wificond_service_28_0) true)
-(expandtypeattribute (wifi_data_file_28_0) true)
-(expandtypeattribute (wifi_log_prop_28_0) true)
-(expandtypeattribute (wifip2p_service_28_0) true)
-(expandtypeattribute (wifi_prop_28_0) true)
-(expandtypeattribute (wifiscanner_service_28_0) true)
-(expandtypeattribute (wifi_service_28_0) true)
-(expandtypeattribute (window_service_28_0) true)
-(expandtypeattribute (wpantund_28_0) true)
-(expandtypeattribute (wpantund_exec_28_0) true)
-(expandtypeattribute (wpantund_service_28_0) true)
-(expandtypeattribute (wpa_socket_28_0) true)
-(expandtypeattribute (zero_device_28_0) true)
-(expandtypeattribute (zoneinfo_data_file_28_0) true)
-(expandtypeattribute (zygote_28_0) true)
-(expandtypeattribute (zygote_exec_28_0) true)
-(expandtypeattribute (zygote_socket_28_0) true)
-(typeattributeset accessibility_service_28_0 (accessibility_service))
-(typeattributeset account_service_28_0 (account_service))
-(typeattributeset activity_service_28_0 (activity_service))
-(typeattributeset adbd_28_0 (adbd))
-(typeattributeset adb_data_file_28_0 (adb_data_file))
-(typeattributeset adbd_exec_28_0 (adbd_exec))
-(typeattributeset adbd_socket_28_0 (adbd_socket))
-(typeattributeset adb_keys_file_28_0 (adb_keys_file))
-(typeattributeset alarm_device_28_0 (alarm_device))
-(typeattributeset alarm_service_28_0 (alarm_service))
-(typeattributeset anr_data_file_28_0 (anr_data_file))
-(typeattributeset apk_data_file_28_0 (apk_data_file))
-(typeattributeset apk_private_data_file_28_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_28_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_28_0 (apk_tmp_file))
-(typeattributeset app_data_file_28_0 (app_data_file privapp_data_file))
-(typeattributeset app_fuse_file_28_0 (app_fuse_file))
-(typeattributeset app_fusefs_28_0 (app_fusefs))
-(typeattributeset appops_service_28_0 (appops_service))
-(typeattributeset appwidget_service_28_0 (appwidget_service))
-(typeattributeset asec_apk_file_28_0 (asec_apk_file))
-(typeattributeset asec_image_file_28_0 (asec_image_file))
-(typeattributeset asec_public_file_28_0 (asec_public_file))
-(typeattributeset ashmem_device_28_0 (ashmem_device))
-(typeattributeset assetatlas_service_28_0 (assetatlas_service))
-(typeattributeset audio_data_file_28_0 (audio_data_file))
-(typeattributeset audio_device_28_0 (audio_device))
-(typeattributeset audiohal_data_file_28_0 (audiohal_data_file))
-(typeattributeset audio_prop_28_0 (audio_prop))
-(typeattributeset audio_seq_device_28_0 (audio_seq_device))
-(typeattributeset audioserver_28_0 (audioserver))
-(typeattributeset audioserver_data_file_28_0 (audioserver_data_file))
-(typeattributeset audioserver_service_28_0 (audioserver_service))
-(typeattributeset audio_service_28_0 (audio_service))
-(typeattributeset audio_timer_device_28_0 (audio_timer_device))
-(typeattributeset autofill_service_28_0 (autofill_service))
-(typeattributeset backup_data_file_28_0 (backup_data_file))
-(typeattributeset backup_service_28_0 (backup_service))
-(typeattributeset batteryproperties_service_28_0 (batteryproperties_service))
-(typeattributeset battery_service_28_0 (battery_service))
-(typeattributeset batterystats_service_28_0 (batterystats_service))
-(typeattributeset binder_calls_stats_service_28_0 (binder_calls_stats_service))
-(typeattributeset binder_device_28_0 (binder_device))
-(typeattributeset binfmt_miscfs_28_0 (binfmt_miscfs))
-(typeattributeset blkid_28_0 (blkid))
-(typeattributeset blkid_untrusted_28_0 (blkid_untrusted))
-(typeattributeset block_device_28_0 (block_device))
-(typeattributeset bluetooth_28_0 (bluetooth))
-(typeattributeset bluetooth_a2dp_offload_prop_28_0 (bluetooth_a2dp_offload_prop))
-(typeattributeset bluetooth_data_file_28_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_28_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_28_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_28_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_28_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_28_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_28_0 (bluetooth_socket))
-(typeattributeset bootanim_28_0 (bootanim))
-(typeattributeset bootanim_exec_28_0 (bootanim_exec))
-(typeattributeset boot_block_device_28_0 (boot_block_device))
-(typeattributeset bootchart_data_file_28_0 (bootchart_data_file))
-(typeattributeset bootloader_boot_reason_prop_28_0 (bootloader_boot_reason_prop))
-(typeattributeset bootstat_28_0 (bootstat))
-(typeattributeset bootstat_data_file_28_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_28_0 (bootstat_exec))
-(typeattributeset boottime_prop_28_0 (boottime_prop))
-(typeattributeset boottrace_data_file_28_0 (boottrace_data_file))
-(typeattributeset broadcastradio_service_28_0 (broadcastradio_service))
-(typeattributeset bufferhubd_28_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_28_0 (bufferhubd_exec))
-(typeattributeset cache_backup_file_28_0 (cache_backup_file))
-(typeattributeset cache_block_device_28_0 (cache_block_device))
-(typeattributeset cache_file_28_0 (cache_file))
-(typeattributeset cache_private_backup_file_28_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_28_0 (cache_recovery_file))
-(typeattributeset camera_data_file_28_0 (camera_data_file))
-(typeattributeset camera_device_28_0 (camera_device))
-(typeattributeset cameraproxy_service_28_0 (cameraproxy_service))
-(typeattributeset cameraserver_28_0 (cameraserver))
-(typeattributeset cameraserver_exec_28_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_28_0 (cameraserver_service))
-(typeattributeset cgroup_28_0 (cgroup))
-(typeattributeset cgroup_bpf_28_0 (cgroup_bpf))
-(typeattributeset charger_28_0 (charger))
-(typeattributeset clatd_28_0 (clatd))
-(typeattributeset clatd_exec_28_0 (clatd_exec))
-(typeattributeset clipboard_service_28_0 (clipboard_service))
-(typeattributeset commontime_management_service_28_0 (commontime_management_service))
-(typeattributeset companion_device_service_28_0 (companion_device_service))
-(typeattributeset configfs_28_0 (configfs))
-(typeattributeset config_prop_28_0 (config_prop))
-(typeattributeset connectivity_service_28_0 (connectivity_service))
-(typeattributeset connmetrics_service_28_0 (connmetrics_service))
-(typeattributeset console_device_28_0 (console_device))
-(typeattributeset consumer_ir_service_28_0 (consumer_ir_service))
-(typeattributeset content_service_28_0 (content_service))
-(typeattributeset contexthub_service_28_0 (contexthub_service))
-(typeattributeset coredump_file_28_0 (coredump_file))
-(typeattributeset country_detector_service_28_0 (country_detector_service))
-(typeattributeset coverage_service_28_0 (coverage_service))
-(typeattributeset cppreopt_prop_28_0 (cppreopt_prop))
-(typeattributeset cppreopts_28_0 (cppreopts))
-(typeattributeset cppreopts_exec_28_0 (cppreopts_exec))
-(typeattributeset cpuctl_device_28_0 (cpuctl_device))
-(typeattributeset cpuinfo_service_28_0 (cpuinfo_service))
-(typeattributeset crash_dump_28_0 (crash_dump))
-(typeattributeset crash_dump_exec_28_0 (crash_dump_exec))
-(typeattributeset crossprofileapps_service_28_0 (crossprofileapps_service))
-(typeattributeset ctl_bootanim_prop_28_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_28_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_28_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_28_0
- ( ctl_adbd_prop
- ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_28_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_28_0 (ctl_fuse_prop))
-(typeattributeset ctl_interface_restart_prop_28_0 (ctl_interface_restart_prop))
-(typeattributeset ctl_interface_start_prop_28_0 (ctl_interface_start_prop))
-(typeattributeset ctl_interface_stop_prop_28_0 (ctl_interface_stop_prop))
-(typeattributeset ctl_mdnsd_prop_28_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_restart_prop_28_0 (ctl_restart_prop))
-(typeattributeset ctl_rildaemon_prop_28_0 (ctl_rildaemon_prop))
-(typeattributeset ctl_sigstop_prop_28_0 (ctl_sigstop_prop))
-(typeattributeset ctl_start_prop_28_0 (ctl_start_prop))
-(typeattributeset ctl_stop_prop_28_0 (ctl_stop_prop))
-(typeattributeset dalvikcache_data_file_28_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_28_0 (dalvik_prop))
-(typeattributeset dbinfo_service_28_0 (dbinfo_service))
-(typeattributeset debugfs_28_0 (debugfs))
-(typeattributeset debugfs_mmc_28_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_28_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_28_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_28_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_28_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wakeup_sources_28_0 (debugfs_wakeup_sources))
-(typeattributeset debugfs_wifi_tracing_28_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_28_0 (debuggerd_prop))
-(typeattributeset debug_prop_28_0 (debug_prop))
-(typeattributeset default_android_hwservice_28_0 (default_android_hwservice))
-(typeattributeset default_android_service_28_0 (default_android_service))
-(typeattributeset default_android_vndservice_28_0 (default_android_vndservice))
-(typeattributeset default_prop_28_0 (default_prop))
-(typeattributeset device_28_0 (device))
-(typeattributeset device_identifiers_service_28_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_28_0 (deviceidle_service))
-(typeattributeset device_logging_prop_28_0 (device_logging_prop))
-(typeattributeset device_policy_service_28_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_28_0 (devicestoragemonitor_service))
-(typeattributeset devpts_28_0 (devpts))
-(typeattributeset dex2oat_28_0 (dex2oat))
-(typeattributeset dex2oat_exec_28_0 (dex2oat_exec))
-(typeattributeset dhcp_28_0 (dhcp))
-(typeattributeset dhcp_data_file_28_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_28_0 (dhcp_exec))
-(typeattributeset dhcp_prop_28_0 (dhcp_prop))
-(typeattributeset diskstats_service_28_0 (diskstats_service))
-(typeattributeset display_service_28_0 (display_service))
-(typeattributeset dm_device_28_0 (dm_device))
-(typeattributeset dnsmasq_28_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_28_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_28_0 (dnsproxyd_socket))
-(typeattributeset DockObserver_service_28_0 (DockObserver_service))
-(typeattributeset dreams_service_28_0 (dreams_service))
-(typeattributeset drm_data_file_28_0 (drm_data_file))
-(typeattributeset drmserver_28_0 (drmserver))
-(typeattributeset drmserver_exec_28_0 (drmserver_exec))
-(typeattributeset drmserver_service_28_0 (drmserver_service))
-(typeattributeset drmserver_socket_28_0 (drmserver_socket))
-(typeattributeset dropbox_service_28_0 (dropbox_service))
-(typeattributeset dumpstate_28_0 (dumpstate))
-(typeattributeset dumpstate_exec_28_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_28_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_28_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_28_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_28_0 (dumpstate_socket))
-(typeattributeset e2fs_28_0 (e2fs))
-(typeattributeset e2fs_exec_28_0 (e2fs_exec))
-(typeattributeset efs_file_28_0 (efs_file))
-(typeattributeset ephemeral_app_28_0 (ephemeral_app))
-(typeattributeset ethernet_service_28_0 (ethernet_service))
-(typeattributeset exfat_28_0 (exfat))
-(typeattributeset exported2_config_prop_28_0 (exported2_config_prop))
-(typeattributeset exported2_default_prop_28_0 (exported2_default_prop))
-(typeattributeset exported2_radio_prop_28_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_28_0 (exported2_system_prop))
-(typeattributeset exported2_vold_prop_28_0 (exported2_vold_prop))
-(typeattributeset exported3_default_prop_28_0 (exported3_default_prop))
-(typeattributeset exported3_radio_prop_28_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_28_0 (exported3_system_prop))
-(typeattributeset exported_audio_prop_28_0 (exported_audio_prop))
-(typeattributeset exported_bluetooth_prop_28_0 (exported_bluetooth_prop))
-(typeattributeset exported_config_prop_28_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_28_0 (exported_dalvik_prop))
-(typeattributeset exported_default_prop_28_0 (exported_default_prop))
-(typeattributeset exported_dumpstate_prop_28_0 (exported_dumpstate_prop))
-(typeattributeset exported_ffs_prop_28_0 (exported_ffs_prop))
-(typeattributeset exported_fingerprint_prop_28_0 (exported_fingerprint_prop))
-(typeattributeset exported_overlay_prop_28_0 (exported_overlay_prop))
-(typeattributeset exported_pm_prop_28_0 (exported_pm_prop))
-(typeattributeset exported_radio_prop_28_0 (exported_radio_prop))
-(typeattributeset exported_secure_prop_28_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_28_0 (exported_system_prop))
-(typeattributeset exported_system_radio_prop_28_0 (exported_system_radio_prop))
-(typeattributeset exported_vold_prop_28_0 (exported_vold_prop))
-(typeattributeset exported_wifi_prop_28_0 (exported_wifi_prop))
-(typeattributeset ffs_prop_28_0 (ffs_prop))
-(typeattributeset file_contexts_file_28_0 (file_contexts_file))
-(typeattributeset fingerprintd_28_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_28_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_28_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_28_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_28_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_28_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_28_0 (fingerprint_vendor_data_file))
-(typeattributeset firstboot_prop_28_0 (firstboot_prop))
-(typeattributeset font_service_28_0 (font_service))
-(typeattributeset frp_block_device_28_0 (frp_block_device))
-(typeattributeset fs_bpf_28_0 (fs_bpf))
-(typeattributeset fsck_28_0 (fsck))
-(typeattributeset fsck_exec_28_0 (fsck_exec))
-(typeattributeset fscklogs_28_0 (fscklogs))
-(typeattributeset fsck_untrusted_28_0 (fsck_untrusted))
-(typeattributeset full_device_28_0 (full_device))
-(typeattributeset functionfs_28_0 (functionfs))
-(typeattributeset fuse_28_0 (fuse))
-(typeattributeset fuse_device_28_0 (fuse_device))
-(typeattributeset fwk_display_hwservice_28_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_28_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_28_0 (fwk_sensor_hwservice))
-(typeattributeset fwmarkd_socket_28_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_28_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_28_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_28_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_28_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_28_0 (gfxinfo_service))
-(typeattributeset gps_control_28_0 (gps_control))
-(typeattributeset gpu_device_28_0 (gpu_device))
-(typeattributeset gpu_service_28_0 (gpu_service))
-(typeattributeset graphics_device_28_0 (graphics_device))
-(typeattributeset graphicsstats_service_28_0 (graphicsstats_service))
-(typeattributeset hal_audiocontrol_hwservice_28_0 (hal_audiocontrol_hwservice))
-(typeattributeset hal_audio_hwservice_28_0 (hal_audio_hwservice))
-(typeattributeset hal_authsecret_hwservice_28_0 (hal_authsecret_hwservice))
-(typeattributeset hal_bluetooth_hwservice_28_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_28_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_28_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_28_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_28_0 (hal_cas_hwservice))
-(typeattributeset hal_codec2_hwservice_28_0 (hal_codec2_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_28_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_confirmationui_hwservice_28_0 (hal_confirmationui_hwservice))
-(typeattributeset hal_contexthub_hwservice_28_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_28_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_28_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_evs_hwservice_28_0 (hal_evs_hwservice))
-(typeattributeset hal_fingerprint_hwservice_28_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_28_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_28_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_28_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_28_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_28_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_mapper_hwservice_28_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_28_0 (hal_health_hwservice))
-(typeattributeset hal_ir_hwservice_28_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_28_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_28_0 (hal_light_hwservice))
-(typeattributeset hal_lowpan_hwservice_28_0 (hal_lowpan_hwservice))
-(typeattributeset hal_memtrack_hwservice_28_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_28_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_28_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_28_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_28_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_28_0 (hal_power_hwservice))
-(typeattributeset hal_renderscript_hwservice_28_0 (hal_renderscript_hwservice))
-(typeattributeset hal_secure_element_hwservice_28_0 (hal_secure_element_hwservice))
-(typeattributeset hal_sensors_hwservice_28_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_28_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_28_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_28_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_28_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_28_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_gadget_hwservice_28_0 (hal_usb_gadget_hwservice))
-(typeattributeset hal_usb_hwservice_28_0 (hal_usb_hwservice))
-(typeattributeset hal_vehicle_hwservice_28_0 (hal_vehicle_hwservice))
-(typeattributeset hal_vibrator_hwservice_28_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_28_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_28_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hostapd_hwservice_28_0 (hal_wifi_hostapd_hwservice))
-(typeattributeset hal_wifi_hwservice_28_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_28_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_28_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_28_0 (hardware_properties_service))
-(typeattributeset hardware_service_28_0 (hardware_service))
-(typeattributeset hci_attach_dev_28_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_28_0 (hdmi_control_service))
-(typeattributeset healthd_28_0 (healthd))
-(typeattributeset healthd_exec_28_0 (healthd_exec))
-(typeattributeset heapdump_data_file_28_0 (heapdump_data_file))
-(typeattributeset hidl_allocator_hwservice_28_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_28_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_28_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_28_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_28_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_28_0 (hwbinder_device))
-(typeattributeset hw_random_device_28_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_28_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_28_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_28_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_28_0 (hwservicemanager_prop))
-(typeattributeset i2c_device_28_0 (i2c_device))
-(typeattributeset icon_file_28_0 (icon_file))
-(typeattributeset idmap_28_0 (idmap))
-(typeattributeset idmap_exec_28_0 (idmap_exec))
-(typeattributeset iio_device_28_0 (iio_device))
-(typeattributeset imms_service_28_0 (imms_service))
-(typeattributeset incident_28_0 (incident))
-(typeattributeset incidentd_28_0 (incidentd))
-(typeattributeset incident_data_file_28_0 (incident_data_file))
-(typeattributeset incident_helper_28_0 (incident_helper))
-(typeattributeset incident_service_28_0 (incident_service))
-(typeattributeset init_28_0 (init))
-(typeattributeset init_exec_28_0 (init_exec watchdogd_exec))
-(typeattributeset inotify_28_0 (inotify))
-(typeattributeset input_device_28_0 (input_device))
-(typeattributeset inputflinger_28_0 (inputflinger))
-(typeattributeset inputflinger_exec_28_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_28_0 (inputflinger_service))
-(typeattributeset input_method_service_28_0 (input_method_service))
-(typeattributeset input_service_28_0 (input_service))
-(typeattributeset installd_28_0 (installd))
-(typeattributeset install_data_file_28_0 (install_data_file))
-(typeattributeset installd_exec_28_0 (installd_exec))
-(typeattributeset installd_service_28_0 (installd_service))
-(typeattributeset install_recovery_28_0 (install_recovery))
-(typeattributeset install_recovery_exec_28_0 (install_recovery_exec))
-(typeattributeset ion_device_28_0 (ion_device))
-(typeattributeset IProxyService_service_28_0 (IProxyService_service))
-(typeattributeset ipsec_service_28_0 (ipsec_service))
-(typeattributeset isolated_app_28_0 (isolated_app))
-(typeattributeset jobscheduler_service_28_0 (jobscheduler_service))
-(typeattributeset kernel_28_0 (kernel))
-(typeattributeset keychain_data_file_28_0 (keychain_data_file))
-(typeattributeset keychord_device_28_0 (keychord_device))
-(typeattributeset keystore_28_0 (keystore))
-(typeattributeset keystore_data_file_28_0 (keystore_data_file))
-(typeattributeset keystore_exec_28_0 (keystore_exec))
-(typeattributeset keystore_service_28_0 (keystore_service))
-(typeattributeset kmem_device_28_0 (kmem_device))
-(typeattributeset kmsg_debug_device_28_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_28_0 (kmsg_device))
-(typeattributeset labeledfs_28_0 (labeledfs))
-(typeattributeset last_boot_reason_prop_28_0 (last_boot_reason_prop))
-(typeattributeset launcherapps_service_28_0 (launcherapps_service))
-(typeattributeset lmkd_28_0 (lmkd))
-(typeattributeset lmkd_exec_28_0 (lmkd_exec))
-(typeattributeset lmkd_socket_28_0 (lmkd_socket))
-(typeattributeset location_service_28_0 (location_service))
-(typeattributeset lock_settings_service_28_0 (lock_settings_service))
-(typeattributeset logcat_exec_28_0 (logcat_exec))
-(typeattributeset logd_28_0 (logd))
-(typeattributeset logd_exec_28_0 (logd_exec))
-(typeattributeset logd_prop_28_0 (logd_prop))
-(typeattributeset logdr_socket_28_0 (logdr_socket))
-(typeattributeset logd_socket_28_0 (logd_socket))
-(typeattributeset logdw_socket_28_0 (logdw_socket))
-(typeattributeset logpersist_28_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_28_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_28_0 (log_prop))
-(typeattributeset log_tag_prop_28_0 (log_tag_prop))
-(typeattributeset loop_control_device_28_0 (loop_control_device))
-(typeattributeset loop_device_28_0 (loop_device))
-(typeattributeset lowpan_device_28_0 (lowpan_device))
-(typeattributeset lowpan_prop_28_0 (lowpan_prop))
-(typeattributeset lowpan_service_28_0 (lowpan_service))
-(typeattributeset mac_perms_file_28_0 (mac_perms_file))
-(typeattributeset mdnsd_28_0 (mdnsd))
-(typeattributeset mdnsd_socket_28_0 (mdnsd_socket))
-(typeattributeset mdns_socket_28_0 (mdns_socket))
-(typeattributeset hal_omx_server (mediacodec_28_0))
-(typeattributeset mediacodec_28_0 (mediacodec))
-(typeattributeset mediacodec_exec_28_0 (mediacodec_exec))
-(typeattributeset mediacodec_service_28_0 (mediacodec_service))
-(typeattributeset media_data_file_28_0 (media_data_file))
-(typeattributeset mediadrmserver_28_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_28_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_28_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_28_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_28_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_28_0 (mediaextractor_service))
-(typeattributeset mediaextractor_update_service_28_0 (mediaextractor_update_service))
-(typeattributeset mediametrics_28_0 (mediametrics))
-(typeattributeset mediametrics_exec_28_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_28_0 (mediametrics_service))
-(typeattributeset media_projection_service_28_0 (media_projection_service))
-(typeattributeset mediaprovider_28_0 (mediaprovider))
-(typeattributeset media_router_service_28_0 (media_router_service))
-(typeattributeset media_rw_data_file_28_0 (media_rw_data_file))
-(typeattributeset mediaserver_28_0 (mediaserver))
-(typeattributeset mediaserver_exec_28_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_28_0 (mediaserver_service))
-(typeattributeset media_session_service_28_0 (media_session_service))
-(typeattributeset meminfo_service_28_0 (meminfo_service))
-(typeattributeset metadata_block_device_28_0 (metadata_block_device))
-(typeattributeset metadata_file_28_0 (metadata_file))
-(typeattributeset method_trace_data_file_28_0 (method_trace_data_file))
-(typeattributeset midi_service_28_0 (midi_service))
-(typeattributeset misc_block_device_28_0 (misc_block_device))
-(typeattributeset misc_logd_file_28_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_28_0 (misc_user_data_file))
-(typeattributeset mmc_prop_28_0 (mmc_prop))
-(typeattributeset mnt_expand_file_28_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_28_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_28_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_user_file_28_0 (mnt_user_file))
-(typeattributeset mnt_vendor_file_28_0 (mnt_vendor_file))
-(typeattributeset modprobe_28_0 (modprobe))
-(typeattributeset mount_service_28_0 (mount_service))
-(typeattributeset mqueue_28_0 (mqueue))
-(typeattributeset mtd_device_28_0 (mtd_device))
-(typeattributeset mtp_28_0 (mtp))
-(typeattributeset mtp_device_28_0 (mtp_device))
-(typeattributeset mtpd_socket_28_0 (mtpd_socket))
-(typeattributeset mtp_exec_28_0 (mtp_exec))
-(typeattributeset nativetest_data_file_28_0 (nativetest_data_file))
-(typeattributeset netd_28_0 (netd))
-(typeattributeset net_data_file_28_0 (net_data_file))
-(typeattributeset netd_exec_28_0 (netd_exec))
-(typeattributeset netd_listener_service_28_0 (netd_listener_service))
-(typeattributeset net_dns_prop_28_0 (net_dns_prop))
-(typeattributeset netd_service_28_0 (netd_service))
-(typeattributeset netd_socket_28_0 (netd_socket))
-(typeattributeset netd_stable_secret_prop_28_0 (netd_stable_secret_prop))
-(typeattributeset netif_28_0 (netif))
-(typeattributeset netpolicy_service_28_0 (netpolicy_service))
-(typeattributeset net_radio_prop_28_0 (net_radio_prop))
-(typeattributeset netstats_service_28_0 (netstats_service))
-(typeattributeset netutils_wrapper_28_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_28_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_28_0 (network_management_service))
-(typeattributeset network_score_service_28_0 (network_score_service))
-(typeattributeset network_time_update_service_28_0 (network_time_update_service))
-(typeattributeset network_watchlist_data_file_28_0 (network_watchlist_data_file))
-(typeattributeset network_watchlist_service_28_0 (network_watchlist_service))
-(typeattributeset nfc_28_0 (nfc))
-(typeattributeset nfc_data_file_28_0 (nfc_data_file))
-(typeattributeset nfc_device_28_0 (nfc_device))
-(typeattributeset nfc_prop_28_0 (nfc_prop))
-(typeattributeset nfc_service_28_0 (nfc_service))
-(typeattributeset node_28_0 (node))
-(typeattributeset nonplat_service_contexts_file_28_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_28_0 (notification_service))
-(typeattributeset null_device_28_0 (null_device))
-(typeattributeset oemfs_28_0 (oemfs))
-(typeattributeset oem_lock_service_28_0 (oem_lock_service))
-(typeattributeset ota_data_file_28_0 (ota_data_file))
-(typeattributeset otadexopt_service_28_0 (otadexopt_service))
-(typeattributeset ota_package_file_28_0 (ota_package_file))
-(typeattributeset otapreopt_chroot_28_0 (otapreopt_chroot))
-(typeattributeset otapreopt_chroot_exec_28_0 (otapreopt_chroot_exec))
-(typeattributeset otapreopt_slot_28_0 (otapreopt_slot))
-(typeattributeset otapreopt_slot_exec_28_0 (otapreopt_slot_exec))
-(typeattributeset overlay_prop_28_0 (overlay_prop))
-(typeattributeset overlay_service_28_0 (overlay_service))
-(typeattributeset owntty_device_28_0 (owntty_device))
-(typeattributeset package_native_service_28_0 (package_native_service))
-(typeattributeset package_service_28_0 (package_service))
-(typeattributeset pan_result_prop_28_0 (pan_result_prop))
-(typeattributeset pdx_bufferhub_client_channel_socket_28_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_28_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_28_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_28_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_28_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_28_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_28_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_28_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_28_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_28_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_28_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_28_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_28_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_28_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_28_0 (pdx_performance_dir))
-(typeattributeset performanced_28_0 (performanced))
-(typeattributeset performanced_exec_28_0 (performanced_exec))
-(typeattributeset permission_service_28_0 (permission_service))
-(typeattributeset persist_debug_prop_28_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_28_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_28_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_28_0 (pinner_service))
-(typeattributeset pipefs_28_0 (pipefs))
-(typeattributeset platform_app_28_0 (platform_app))
-(typeattributeset pm_prop_28_0 (pm_prop))
-(typeattributeset pmsg_device_28_0 (pmsg_device))
-(typeattributeset port_28_0 (port))
-(typeattributeset port_device_28_0 (port_device))
-(typeattributeset postinstall_28_0 (postinstall))
-(typeattributeset postinstall_dexopt_28_0 (postinstall_dexopt))
-(typeattributeset postinstall_file_28_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_28_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_28_0 (powerctl_prop))
-(typeattributeset power_service_28_0 (power_service))
-(typeattributeset ppp_28_0 (ppp))
-(typeattributeset ppp_device_28_0 (ppp_device))
-(typeattributeset ppp_exec_28_0 (ppp_exec))
-(typeattributeset preloads_data_file_28_0 (preloads_data_file))
-(typeattributeset preloads_media_file_28_0 (preloads_media_file))
-(typeattributeset preopt2cachename_28_0 (preopt2cachename))
-(typeattributeset preopt2cachename_exec_28_0 (preopt2cachename_exec))
-(typeattributeset print_service_28_0 (print_service))
-(typeattributeset priv_app_28_0 (priv_app))
-(typeattributeset proc_28_0
- ( proc
- proc_fs_verity
- proc_keys
- proc_kpageflags
- proc_lowmemorykiller
- proc_pressure_cpu
- proc_pressure_io
- proc_pressure_mem
- proc_slabinfo))
-(typeattributeset proc_abi_28_0 (proc_abi))
-(typeattributeset proc_asound_28_0 (proc_asound))
-(typeattributeset proc_bluetooth_writable_28_0 (proc_bluetooth_writable))
-(typeattributeset proc_buddyinfo_28_0 (proc_buddyinfo))
-(typeattributeset proc_cmdline_28_0 (proc_cmdline))
-(typeattributeset proc_cpuinfo_28_0 (proc_cpuinfo))
-(typeattributeset proc_dirty_28_0 (proc_dirty))
-(typeattributeset proc_diskstats_28_0 (proc_diskstats))
-(typeattributeset proc_drop_caches_28_0 (proc_drop_caches))
-(typeattributeset processinfo_service_28_0 (processinfo_service))
-(typeattributeset proc_extra_free_kbytes_28_0 (proc_extra_free_kbytes))
-(typeattributeset proc_filesystems_28_0 (proc_filesystems))
-(typeattributeset proc_hostname_28_0 (proc_hostname))
-(typeattributeset proc_hung_task_28_0 (proc_hung_task))
-(typeattributeset proc_interrupts_28_0 (proc_interrupts))
-(typeattributeset proc_iomem_28_0 (proc_iomem))
-(typeattributeset proc_kmsg_28_0 (proc_kmsg))
-(typeattributeset proc_loadavg_28_0 (proc_loadavg))
-(typeattributeset proc_max_map_count_28_0 (proc_max_map_count))
-(typeattributeset proc_meminfo_28_0 (proc_meminfo))
-(typeattributeset proc_min_free_order_shift_28_0 (proc_min_free_order_shift))
-(typeattributeset proc_misc_28_0 (proc_misc))
-(typeattributeset proc_modules_28_0 (proc_modules))
-(typeattributeset proc_mounts_28_0 (proc_mounts))
-(typeattributeset proc_net_28_0
- ( proc_net
- proc_net_tcp_udp))
-(typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
-(typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
-(typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))
-(typeattributeset proc_panic_28_0 (proc_panic))
-(typeattributeset proc_perf_28_0 (proc_perf))
-(typeattributeset proc_pid_max_28_0 (proc_pid_max))
-(typeattributeset proc_pipe_conf_28_0 (proc_pipe_conf))
-(typeattributeset proc_qtaguid_stat_28_0 (proc_qtaguid_stat))
-(typeattributeset proc_random_28_0 (proc_random))
-(typeattributeset proc_sched_28_0 (proc_sched))
-(typeattributeset proc_security_28_0 (proc_security))
-(typeattributeset proc_stat_28_0 (proc_stat))
-(typeattributeset procstats_service_28_0 (procstats_service))
-(typeattributeset proc_swaps_28_0 (proc_swaps))
-(typeattributeset proc_sysrq_28_0 (proc_sysrq))
-(typeattributeset proc_timer_28_0 (proc_timer))
-(typeattributeset proc_tty_drivers_28_0 (proc_tty_drivers))
-(typeattributeset proc_uid_concurrent_active_time_28_0 (proc_uid_concurrent_active_time))
-(typeattributeset proc_uid_concurrent_policy_time_28_0 (proc_uid_concurrent_policy_time))
-(typeattributeset proc_uid_cpupower_28_0 (proc_uid_cpupower))
-(typeattributeset proc_uid_cputime_removeuid_28_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_28_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_28_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_28_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_28_0 (proc_uid_time_in_state))
-(typeattributeset proc_uptime_28_0 (proc_uptime))
-(typeattributeset proc_version_28_0 (proc_version))
-(typeattributeset proc_vmallocinfo_28_0 (proc_vmallocinfo))
-(typeattributeset proc_vmstat_28_0 (proc_vmstat))
-(typeattributeset proc_zoneinfo_28_0 (proc_zoneinfo))
-(typeattributeset profman_28_0 (profman))
-(typeattributeset profman_dump_data_file_28_0 (profman_dump_data_file))
-(typeattributeset profman_exec_28_0 (profman_exec))
-(typeattributeset properties_device_28_0 (properties_device))
-(typeattributeset properties_serial_28_0 (properties_serial))
-(typeattributeset property_contexts_file_28_0 (property_contexts_file))
-(typeattributeset property_data_file_28_0 (property_data_file))
-(typeattributeset property_info_28_0 (property_info))
-(typeattributeset property_socket_28_0 (property_socket))
-(typeattributeset pstorefs_28_0 (pstorefs))
-(typeattributeset ptmx_device_28_0 (ptmx_device))
-(typeattributeset qtaguid_device_28_0 (qtaguid_device))
-(typeattributeset qtaguid_proc_28_0
- ( proc_qtaguid_ctrl
- qtaguid_proc))
-(typeattributeset racoon_28_0 (racoon))
-(typeattributeset racoon_exec_28_0 (racoon_exec))
-(typeattributeset racoon_socket_28_0 (racoon_socket))
-(typeattributeset radio_28_0 (radio))
-(typeattributeset radio_data_file_28_0 (radio_data_file))
-(typeattributeset radio_device_28_0 (radio_device))
-(typeattributeset radio_prop_28_0 (radio_prop))
-(typeattributeset radio_service_28_0 (radio_service))
-(typeattributeset ram_device_28_0 (ram_device))
-(typeattributeset random_device_28_0 (random_device))
-(typeattributeset recovery_28_0 (recovery))
-(typeattributeset recovery_block_device_28_0 (recovery_block_device))
-(typeattributeset recovery_data_file_28_0 (recovery_data_file))
-(typeattributeset recovery_persist_28_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_28_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_28_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_28_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_28_0 (recovery_service))
-(typeattributeset registry_service_28_0 (registry_service))
-(typeattributeset resourcecache_data_file_28_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_28_0 (restorecon_prop))
-(typeattributeset restrictions_service_28_0 (restrictions_service))
-(typeattributeset rild_debug_socket_28_0 (rild_debug_socket))
-(typeattributeset rild_socket_28_0 (rild_socket))
-(typeattributeset ringtone_file_28_0 (ringtone_file))
-(typeattributeset root_block_device_28_0 (root_block_device))
-(typeattributeset rootfs_28_0 (rootfs))
-(typeattributeset rpmsg_device_28_0 (rpmsg_device))
-(typeattributeset rtc_device_28_0 (rtc_device))
-(typeattributeset rttmanager_service_28_0 (rttmanager_service))
-(typeattributeset runas_28_0 (runas))
-(typeattributeset runas_exec_28_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_28_0 (runtime_event_log_tags_file))
-(typeattributeset safemode_prop_28_0 (safemode_prop))
-(typeattributeset same_process_hal_file_28_0
- ( same_process_hal_file
- vendor_public_lib_file))
-(typeattributeset samplingprofiler_service_28_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_28_0 (scheduling_policy_service))
-(typeattributeset sdcardd_28_0 (sdcardd))
-(typeattributeset sdcardd_exec_28_0 (sdcardd_exec))
-(typeattributeset sdcardfs_28_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_28_0 (seapp_contexts_file))
-(typeattributeset search_service_28_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_28_0 (sec_key_att_app_id_provider_service))
-(typeattributeset secure_element_28_0 (secure_element))
-(typeattributeset secure_element_device_28_0 (secure_element_device))
-(typeattributeset secure_element_service_28_0 (secure_element_service))
-(typeattributeset selinuxfs_28_0 (selinuxfs))
-(typeattributeset sensors_device_28_0 (sensors_device))
-(typeattributeset sensorservice_service_28_0 (sensorservice_service))
-(typeattributeset sepolicy_file_28_0 (sepolicy_file))
-(typeattributeset serial_device_28_0 (serial_device))
-(typeattributeset serialno_prop_28_0 (serialno_prop))
-(typeattributeset serial_service_28_0 (serial_service))
-(typeattributeset service_contexts_file_28_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_28_0 (servicediscovery_service))
-(typeattributeset servicemanager_28_0 (servicemanager))
-(typeattributeset servicemanager_exec_28_0 (servicemanager_exec))
-(typeattributeset settings_service_28_0 (settings_service))
-(typeattributeset sgdisk_28_0 (sgdisk))
-(typeattributeset sgdisk_exec_28_0 (sgdisk_exec))
-(typeattributeset shared_relro_28_0 (shared_relro))
-(typeattributeset shared_relro_file_28_0 (shared_relro_file))
-(typeattributeset shell_28_0 (shell))
-(typeattributeset shell_data_file_28_0 (shell_data_file))
-(typeattributeset shell_exec_28_0 (shell_exec))
-(typeattributeset shell_prop_28_0 (shell_prop))
-(typeattributeset shm_28_0 (shm))
-(typeattributeset shortcut_manager_icons_28_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_28_0 (shortcut_service))
-(typeattributeset slice_service_28_0 (slice_service))
-(typeattributeset slideshow_28_0 (slideshow))
-(typeattributeset socket_device_28_0 (socket_device))
-(typeattributeset sockfs_28_0 (sockfs))
-(typeattributeset statusbar_service_28_0 (statusbar_service))
-(typeattributeset storaged_service_28_0 (storaged_service))
-(typeattributeset storage_file_28_0 (storage_file))
-(typeattributeset storagestats_service_28_0 (storagestats_service))
-(typeattributeset storage_stub_file_28_0 (storage_stub_file))
-(typeattributeset su_28_0 (su))
-(typeattributeset su_exec_28_0 (su_exec))
-(typeattributeset surfaceflinger_28_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_28_0 (surfaceflinger_service))
-(typeattributeset swap_block_device_28_0 (swap_block_device))
-(typeattributeset sysfs_28_0
- ( sysfs
- sysfs_devices_block
- sysfs_extcon
- sysfs_loop
- sysfs_transparent_hugepage))
-(typeattributeset sysfs_android_usb_28_0 (sysfs_android_usb))
-(typeattributeset sysfs_batteryinfo_28_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_28_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_system_cpu_28_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_dm_28_0 (sysfs_dm))
-(typeattributeset sysfs_dt_firmware_android_28_0 (sysfs_dt_firmware_android))
-(typeattributeset sysfs_fs_ext4_features_28_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_hwrandom_28_0 (sysfs_hwrandom))
-(typeattributeset sysfs_ipv4_28_0 (sysfs_ipv4))
-(typeattributeset sysfs_kernel_notes_28_0 (sysfs_kernel_notes))
-(typeattributeset sysfs_leds_28_0 (sysfs_leds))
-(typeattributeset sysfs_lowmemorykiller_28_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_28_0 (sysfs_mac_address))
-(typeattributeset sysfs_net_28_0 (sysfs_net))
-(typeattributeset sysfs_nfc_power_writable_28_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_power_28_0 (sysfs_power))
-(typeattributeset sysfs_rtc_28_0 (sysfs_rtc))
-(typeattributeset sysfs_switch_28_0 (sysfs_switch))
-(typeattributeset sysfs_thermal_28_0 (sysfs_thermal))
-(typeattributeset sysfs_uio_28_0 (sysfs_uio))
-(typeattributeset sysfs_usb_28_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_28_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_28_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_28_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wakeup_reasons_28_0 (sysfs_wakeup_reasons))
-(typeattributeset sysfs_wlan_fwpath_28_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_28_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_28_0 (sysfs_zram_uevent))
-(typeattributeset system_app_28_0 (system_app))
-(typeattributeset system_app_data_file_28_0 (system_app_data_file))
-(typeattributeset system_app_service_28_0 (system_app_service))
-(typeattributeset system_block_device_28_0 (system_block_device))
-(typeattributeset system_boot_reason_prop_28_0 (system_boot_reason_prop))
-(typeattributeset system_data_file_28_0
- ( dropbox_data_file
- system_data_file
- packages_list_file))
-(typeattributeset system_file_28_0
- ( system_file
- system_asan_options_file
- system_lib_file
- system_linker_config_file
- system_linker_exec
- system_seccomp_policy_file
- system_security_cacerts_file
- tcpdump_exec
- system_zoneinfo_file
-))
-(typeattributeset systemkeys_data_file_28_0 (systemkeys_data_file))
-(typeattributeset system_ndebug_socket_28_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_28_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_28_0 (system_prop))
-(typeattributeset system_radio_prop_28_0 (system_radio_prop))
-(typeattributeset system_server_28_0 (system_server))
-(typeattributeset system_update_service_28_0 (system_update_service))
-(typeattributeset system_wifi_keystore_hwservice_28_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_28_0 (system_wpa_socket))
-(typeattributeset task_service_28_0 (task_service))
-(typeattributeset tee_28_0 (tee))
-(typeattributeset tee_data_file_28_0 (tee_data_file))
-(typeattributeset tee_device_28_0 (tee_device))
-(typeattributeset telecom_service_28_0 (telecom_service))
-(typeattributeset test_boot_reason_prop_28_0 (test_boot_reason_prop))
-(typeattributeset textclassification_service_28_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_28_0 (textclassifier_data_file))
-(typeattributeset textservices_service_28_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_28_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_28_0 (thermal_service))
-(typeattributeset timezone_service_28_0 (timezone_service))
-(typeattributeset tmpfs_28_0
- ( mnt_sdcard_file
- tmpfs))
-(typeattributeset tombstoned_28_0 (tombstoned))
-(typeattributeset tombstone_data_file_28_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_28_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_28_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_28_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_28_0 (tombstoned_java_trace_socket))
-(typeattributeset tombstone_wifi_data_file_28_0 (tombstone_wifi_data_file))
-(typeattributeset toolbox_28_0 (toolbox))
-(typeattributeset toolbox_exec_28_0 (toolbox_exec))
-(typeattributeset trace_data_file_28_0 (trace_data_file))
-(typeattributeset traced_consumer_socket_28_0 (traced_consumer_socket))
-(typeattributeset traced_enabled_prop_28_0 (traced_enabled_prop))
-(typeattributeset traced_probes_28_0 (traced_probes))
-(typeattributeset traced_producer_socket_28_0 (traced_producer_socket))
-(typeattributeset traceur_app_28_0 (traceur_app))
-(typeattributeset trust_service_28_0 (trust_service))
-(typeattributeset tty_device_28_0 (tty_device))
-(typeattributeset tun_device_28_0 (tun_device))
-(typeattributeset tv_input_service_28_0 (tv_input_service))
-(typeattributeset tzdatacheck_28_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_28_0 (tzdatacheck_exec))
-(typeattributeset ueventd_28_0 (ueventd))
-(typeattributeset uhid_device_28_0 (uhid_device))
-(typeattributeset uimode_service_28_0 (uimode_service))
-(typeattributeset uio_device_28_0 (uio_device))
-(typeattributeset uncrypt_28_0 (uncrypt))
-(typeattributeset uncrypt_exec_28_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_28_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_28_0 (unencrypted_data_file))
-(typeattributeset unlabeled_28_0 (unlabeled))
-(typeattributeset untrusted_app_25_28_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_28_0 (untrusted_app_27))
-(typeattributeset untrusted_app_28_0 (untrusted_app))
-(typeattributeset untrusted_v2_app_28_0 (untrusted_v2_app))
-(typeattributeset update_engine_28_0 (update_engine))
-(typeattributeset update_engine_data_file_28_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_28_0 (update_engine_exec))
-(typeattributeset update_engine_log_data_file_28_0 (update_engine_log_data_file))
-(typeattributeset update_engine_service_28_0 (update_engine_service))
-(typeattributeset updatelock_service_28_0 (updatelock_service))
-(typeattributeset update_verifier_28_0 (update_verifier))
-(typeattributeset update_verifier_exec_28_0 (update_verifier_exec))
-(typeattributeset usagestats_service_28_0 (usagestats_service))
-(typeattributeset usbaccessory_device_28_0 (usbaccessory_device))
-(typeattributeset usbd_28_0 (usbd))
-(typeattributeset usb_device_28_0 (usb_device))
-(typeattributeset usbd_exec_28_0 (usbd_exec))
-(typeattributeset usbfs_28_0 (usbfs))
-(typeattributeset usb_service_28_0 (usb_service))
-(typeattributeset userdata_block_device_28_0 (userdata_block_device))
-(typeattributeset usermodehelper_28_0 (usermodehelper))
-(typeattributeset user_profile_data_file_28_0 (user_profile_data_file))
-(typeattributeset user_service_28_0 (user_service))
-(typeattributeset vcs_device_28_0 (vcs_device))
-(typeattributeset vdc_28_0 (vdc))
-(typeattributeset vdc_exec_28_0 (vdc_exec))
-(typeattributeset vendor_app_file_28_0 (vendor_app_file))
-(typeattributeset vendor_configs_file_28_0 (vendor_configs_file))
-(typeattributeset vendor_data_file_28_0 (vendor_data_file))
-(typeattributeset vendor_default_prop_28_0 (vendor_default_prop))
-(typeattributeset vendor_file_28_0 (vendor_file))
-(typeattributeset vendor_framework_file_28_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_28_0 (vendor_hal_file))
-(typeattributeset vendor_init_28_0 (vendor_init))
-(typeattributeset vendor_overlay_file_28_0 (vendor_overlay_file))
-(typeattributeset vendor_security_patch_level_prop_28_0 (vendor_security_patch_level_prop))
-(typeattributeset vendor_shell_28_0 (vendor_shell))
-(typeattributeset vendor_shell_exec_28_0 (vendor_shell_exec))
-(typeattributeset vendor_toolbox_exec_28_0 (vendor_toolbox_exec))
-(typeattributeset vfat_28_0 (vfat))
-(typeattributeset vibrator_service_28_0 (vibrator_service))
-(typeattributeset video_device_28_0 (video_device))
-(typeattributeset virtual_touchpad_28_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_28_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_28_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_28_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_28_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_28_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_28_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_28_0 (voiceinteraction_service))
-(typeattributeset vold_28_0 (vold))
-(typeattributeset vold_data_file_28_0 (vold_data_file))
-(typeattributeset vold_device_28_0 (vold_device))
-(typeattributeset vold_exec_28_0 (vold_exec))
-(typeattributeset vold_metadata_file_28_0 (vold_metadata_file))
-(typeattributeset vold_prepare_subdirs_28_0 (vold_prepare_subdirs))
-(typeattributeset vold_prepare_subdirs_exec_28_0 (vold_prepare_subdirs_exec))
-(typeattributeset vold_prop_28_0 (vold_prop))
-(typeattributeset vold_service_28_0 (vold_service))
-(typeattributeset vpn_data_file_28_0 (vpn_data_file))
-(typeattributeset vr_hwc_28_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_28_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_28_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_28_0 (vr_manager_service))
-(typeattributeset wallpaper_file_28_0 (wallpaper_file))
-(typeattributeset wallpaper_service_28_0 (wallpaper_service))
-(typeattributeset watchdogd_28_0 (watchdogd))
-(typeattributeset watchdog_device_28_0 (watchdog_device))
-(typeattributeset webviewupdate_service_28_0 (webviewupdate_service))
-(typeattributeset webview_zygote_28_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_28_0 (webview_zygote_exec))
-(typeattributeset wifiaware_service_28_0 (wifiaware_service))
-(typeattributeset wificond_28_0 (wificond))
-(typeattributeset wificond_exec_28_0 (wificond_exec))
-(typeattributeset wificond_service_28_0 (wificond_service))
-(typeattributeset wifi_data_file_28_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_28_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_28_0 (wifip2p_service))
-(typeattributeset wifi_prop_28_0 (wifi_prop))
-(typeattributeset wifiscanner_service_28_0 (wifiscanner_service))
-(typeattributeset wifi_service_28_0 (wifi_service))
-(typeattributeset window_service_28_0 (window_service))
-(typeattributeset wpantund_28_0 (wpantund))
-(typeattributeset wpantund_exec_28_0 (wpantund_exec))
-(typeattributeset wpantund_service_28_0 (wpantund_service))
-(typeattributeset wpa_socket_28_0 (wpa_socket))
-(typeattributeset zero_device_28_0 (zero_device))
-(typeattributeset zoneinfo_data_file_28_0 (zoneinfo_data_file))
-(typeattributeset zygote_28_0 (zygote))
-(typeattributeset zygote_exec_28_0 (zygote_exec))
-(typeattributeset zygote_socket_28_0 (zygote_socket))
diff --git a/prebuilts/api/31.0/private/compat/28.0/28.0.compat.cil b/prebuilts/api/31.0/private/compat/28.0/28.0.compat.cil
deleted file mode 100644
index 2e85b23..0000000
--- a/prebuilts/api/31.0/private/compat/28.0/28.0.compat.cil
+++ /dev/null
@@ -1,11 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
-(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/28.0/28.0.ignore.cil b/prebuilts/api/31.0/private/compat/28.0/28.0.ignore.cil
deleted file mode 100644
index e7ddf48..0000000
--- a/prebuilts/api/31.0/private/compat/28.0/28.0.ignore.cil
+++ /dev/null
@@ -1,160 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- activity_task_service
- adb_service
- apex_data_file
- apex_metadata_file
- apex_mnt_dir
- apex_service
- apexd
- apexd_exec
- apexd_prop
- apexd_tmpfs
- appdomain_tmpfs
- app_binding_service
- app_prediction_service
- app_zygote
- app_zygote_tmpfs
- ashmemd
- ashmem_device_service
- attention_service
- biometric_service
- bluetooth_audio_hal_prop
- bpf_progs_loaded_prop
- bugreport_service
- cgroup_desc_file
- cgroup_rc_file
- charger_exec
- content_capture_service
- content_suggestions_service
- cpu_variant_prop
- ctl_apexd_prop
- ctl_gsid_prop
- dev_cpu_variant
- device_config_activity_manager_native_boot_prop
- device_config_boot_count_prop
- device_config_input_native_boot_prop
- device_config_netd_native_prop
- device_config_reset_performed_prop
- device_config_runtime_native_boot_prop
- device_config_runtime_native_prop
- device_config_media_native_prop
- device_config_service
- device_config_sys_traced_prop
- dnsresolver_service
- dynamic_system_service
- dynamic_system_prop
- face_service
- face_vendor_data_file
- sota_prop
- fastbootd
- flags_health_check
- flags_health_check_exec
- fwk_bufferhub_hwservice
- fwk_camera_hwservice
- fwk_stats_hwservice
- gpuservice
- gsi_data_file
- gsi_metadata_file
- gsi_public_metadata_file
- gsi_service
- gsid
- gsid_exec
- gsid_prop
- color_display_service
- external_vibrator_service
- hal_atrace_hwservice
- hal_face_hwservice
- hal_graphics_composer_server_tmpfs
- hal_health_storage_hwservice
- hal_input_classifier_hwservice
- hal_power_stats_hwservice
- heapprofd
- heapprofd_enabled_prop
- heapprofd_exec
- heapprofd_prop
- heapprofd_socket
- idmap_service
- iris_service
- iris_vendor_data_file
- llkd
- llkd_exec
- llkd_prop
- llkd_tmpfs
- looper_stats_service
- lpdumpd
- lpdumpd_exec
- lpdumpd_prop
- lpdump_service
- iorapd
- iorapd_exec
- iorapd_data_file
- iorapd_service
- iorapd_tmpfs
- mediaswcodec
- mediaswcodec_exec
- mediaswcodec_tmpfs
- metadata_bootstat_file
- mnt_product_file
- network_stack
- network_stack_service
- network_stack_tmpfs
- nnapi_ext_deny_product_prop
- overlayfs_file
- password_slot_metadata_file
- permissionmgr_service
- postinstall_apex_mnt_dir
- recovery_socket
- role_service
- rollback_service
- rs
- rs_exec
- rss_hwm_reset
- rss_hwm_reset_exec
- runas_app
- runas_app_tmpfs
- art_apex_dir
- runtime_service
- sdcard_block_device
- sensor_privacy_service
- server_configurable_flags_data_file
- simpleperf_app_runner
- simpleperf_app_runner_exec
- socket_hook_prop
- su_tmpfs
- super_block_device
- sysfs_fs_f2fs
- system_bootstrap_lib_file
- system_event_log_tags_file
- system_lmk_prop
- system_suspend_hwservice
- system_suspend_control_service
- system_trace_prop
- staging_data_file
- task_profiles_file
- testharness_service
- test_harness_prop
- theme_prop
- time_prop
- timedetector_service
- timezonedetector_service
- traced_lazy_prop
- uri_grants_service
- use_memfd_prop
- vendor_apex_file
- vendor_cgroup_desc_file
- vendor_idc_file
- vendor_keychars_file
- vendor_keylayout_file
- vendor_misc_writer
- vendor_misc_writer_exec
- vendor_socket_hook_prop
- vendor_task_profiles_file
- vndk_prop
- vrflinger_vsync_service
- watchdogd_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/29.0/29.0.cil b/prebuilts/api/31.0/private/compat/29.0/29.0.cil
deleted file mode 100644
index 0fb0a1c..0000000
--- a/prebuilts/api/31.0/private/compat/29.0/29.0.cil
+++ /dev/null
@@ -1,1983 +0,0 @@
-;; types removed from current policy
-(type ashmemd)
-(type exported_audio_prop)
-(type exported_dalvik_prop)
-(type exported_vold_prop)
-(type exported2_config_prop)
-(type exported2_vold_prop)
-(type hal_wifi_offload_hwservice)
-(type install_recovery)
-(type install_recovery_exec)
-(type mediacodec_service)
-(type perfprofd_data_file)
-(type perfprofd_service)
-(type sysfs_mac_address)
-(type wificond_service)
-
-(expandtypeattribute (accessibility_service_29_0) true)
-(expandtypeattribute (account_service_29_0) true)
-(expandtypeattribute (activity_service_29_0) true)
-(expandtypeattribute (activity_task_service_29_0) true)
-(expandtypeattribute (adbd_29_0) true)
-(expandtypeattribute (adb_data_file_29_0) true)
-(expandtypeattribute (adbd_exec_29_0) true)
-(expandtypeattribute (adbd_socket_29_0) true)
-(expandtypeattribute (adb_keys_file_29_0) true)
-(expandtypeattribute (adb_service_29_0) true)
-(expandtypeattribute (alarm_service_29_0) true)
-(expandtypeattribute (anr_data_file_29_0) true)
-(expandtypeattribute (apexd_29_0) true)
-(expandtypeattribute (apex_data_file_29_0) true)
-(expandtypeattribute (apexd_exec_29_0) true)
-(expandtypeattribute (apexd_prop_29_0) true)
-(expandtypeattribute (apex_metadata_file_29_0) true)
-(expandtypeattribute (apex_mnt_dir_29_0) true)
-(expandtypeattribute (apex_service_29_0) true)
-(expandtypeattribute (apk_data_file_29_0) true)
-(expandtypeattribute (apk_private_data_file_29_0) true)
-(expandtypeattribute (apk_private_tmp_file_29_0) true)
-(expandtypeattribute (apk_tmp_file_29_0) true)
-(expandtypeattribute (app_binding_service_29_0) true)
-(expandtypeattribute (app_data_file_29_0) true)
-(expandtypeattribute (appdomain_tmpfs_29_0) true)
-(expandtypeattribute (app_fuse_file_29_0) true)
-(expandtypeattribute (app_fusefs_29_0) true)
-(expandtypeattribute (appops_service_29_0) true)
-(expandtypeattribute (app_prediction_service_29_0) true)
-(expandtypeattribute (appwidget_service_29_0) true)
-(expandtypeattribute (app_zygote_29_0) true)
-(expandtypeattribute (app_zygote_tmpfs_29_0) true)
-(expandtypeattribute (asec_apk_file_29_0) true)
-(expandtypeattribute (asec_image_file_29_0) true)
-(expandtypeattribute (asec_public_file_29_0) true)
-(expandtypeattribute (ashmemd_29_0) true)
-(expandtypeattribute (ashmem_device_29_0) true)
-(expandtypeattribute (assetatlas_service_29_0) true)
-(expandtypeattribute (audio_data_file_29_0) true)
-(expandtypeattribute (audio_device_29_0) true)
-(expandtypeattribute (audiohal_data_file_29_0) true)
-(expandtypeattribute (audio_prop_29_0) true)
-(expandtypeattribute (audioserver_29_0) true)
-(expandtypeattribute (audioserver_data_file_29_0) true)
-(expandtypeattribute (audioserver_service_29_0) true)
-(expandtypeattribute (audioserver_tmpfs_29_0) true)
-(expandtypeattribute (audio_service_29_0) true)
-(expandtypeattribute (autofill_service_29_0) true)
-(expandtypeattribute (backup_data_file_29_0) true)
-(expandtypeattribute (backup_service_29_0) true)
-(expandtypeattribute (batteryproperties_service_29_0) true)
-(expandtypeattribute (battery_service_29_0) true)
-(expandtypeattribute (batterystats_service_29_0) true)
-(expandtypeattribute (binder_calls_stats_service_29_0) true)
-(expandtypeattribute (binder_device_29_0) true)
-(expandtypeattribute (binfmt_miscfs_29_0) true)
-(expandtypeattribute (biometric_service_29_0) true)
-(expandtypeattribute (blkid_29_0) true)
-(expandtypeattribute (blkid_untrusted_29_0) true)
-(expandtypeattribute (block_device_29_0) true)
-(expandtypeattribute (bluetooth_29_0) true)
-(expandtypeattribute (bluetooth_a2dp_offload_prop_29_0) true)
-(expandtypeattribute (bluetooth_audio_hal_prop_29_0) true)
-(expandtypeattribute (bluetooth_data_file_29_0) true)
-(expandtypeattribute (bluetooth_efs_file_29_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_29_0) true)
-(expandtypeattribute (bluetooth_manager_service_29_0) true)
-(expandtypeattribute (bluetooth_prop_29_0) true)
-(expandtypeattribute (bluetooth_service_29_0) true)
-(expandtypeattribute (bluetooth_socket_29_0) true)
-(expandtypeattribute (bootanim_29_0) true)
-(expandtypeattribute (bootanim_exec_29_0) true)
-(expandtypeattribute (boot_block_device_29_0) true)
-(expandtypeattribute (bootchart_data_file_29_0) true)
-(expandtypeattribute (bootloader_boot_reason_prop_29_0) true)
-(expandtypeattribute (bootstat_29_0) true)
-(expandtypeattribute (bootstat_data_file_29_0) true)
-(expandtypeattribute (bootstat_exec_29_0) true)
-(expandtypeattribute (boottime_prop_29_0) true)
-(expandtypeattribute (boottrace_data_file_29_0) true)
-(expandtypeattribute (bpf_progs_loaded_prop_29_0) true)
-(expandtypeattribute (broadcastradio_service_29_0) true)
-(expandtypeattribute (bufferhubd_29_0) true)
-(expandtypeattribute (bufferhubd_exec_29_0) true)
-(expandtypeattribute (bugreport_service_29_0) true)
-(expandtypeattribute (cache_backup_file_29_0) true)
-(expandtypeattribute (cache_block_device_29_0) true)
-(expandtypeattribute (cache_file_29_0) true)
-(expandtypeattribute (cache_private_backup_file_29_0) true)
-(expandtypeattribute (cache_recovery_file_29_0) true)
-(expandtypeattribute (camera_data_file_29_0) true)
-(expandtypeattribute (camera_device_29_0) true)
-(expandtypeattribute (cameraproxy_service_29_0) true)
-(expandtypeattribute (cameraserver_29_0) true)
-(expandtypeattribute (cameraserver_exec_29_0) true)
-(expandtypeattribute (cameraserver_service_29_0) true)
-(expandtypeattribute (cameraserver_tmpfs_29_0) true)
-(expandtypeattribute (cgroup_29_0) true)
-(expandtypeattribute (cgroup_bpf_29_0) true)
-(expandtypeattribute (cgroup_desc_file_29_0) true)
-(expandtypeattribute (cgroup_rc_file_29_0) true)
-(expandtypeattribute (charger_29_0) true)
-(expandtypeattribute (charger_exec_29_0) true)
-(expandtypeattribute (clatd_29_0) true)
-(expandtypeattribute (clatd_exec_29_0) true)
-(expandtypeattribute (clipboard_service_29_0) true)
-(expandtypeattribute (color_display_service_29_0) true)
-(expandtypeattribute (companion_device_service_29_0) true)
-(expandtypeattribute (configfs_29_0) true)
-(expandtypeattribute (config_prop_29_0) true)
-(expandtypeattribute (connectivity_service_29_0) true)
-(expandtypeattribute (connmetrics_service_29_0) true)
-(expandtypeattribute (console_device_29_0) true)
-(expandtypeattribute (consumer_ir_service_29_0) true)
-(expandtypeattribute (content_capture_service_29_0) true)
-(expandtypeattribute (content_service_29_0) true)
-(expandtypeattribute (content_suggestions_service_29_0) true)
-(expandtypeattribute (contexthub_service_29_0) true)
-(expandtypeattribute (coredump_file_29_0) true)
-(expandtypeattribute (country_detector_service_29_0) true)
-(expandtypeattribute (coverage_service_29_0) true)
-(expandtypeattribute (cppreopt_prop_29_0) true)
-(expandtypeattribute (cpuinfo_service_29_0) true)
-(expandtypeattribute (cpu_variant_prop_29_0) true)
-(expandtypeattribute (crash_dump_29_0) true)
-(expandtypeattribute (crash_dump_exec_29_0) true)
-(expandtypeattribute (crossprofileapps_service_29_0) true)
-(expandtypeattribute (ctl_adbd_prop_29_0) true)
-(expandtypeattribute (ctl_bootanim_prop_29_0) true)
-(expandtypeattribute (ctl_bugreport_prop_29_0) true)
-(expandtypeattribute (ctl_console_prop_29_0) true)
-(expandtypeattribute (ctl_default_prop_29_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_29_0) true)
-(expandtypeattribute (ctl_fuse_prop_29_0) true)
-(expandtypeattribute (ctl_gsid_prop_29_0) true)
-(expandtypeattribute (ctl_interface_restart_prop_29_0) true)
-(expandtypeattribute (ctl_interface_start_prop_29_0) true)
-(expandtypeattribute (ctl_interface_stop_prop_29_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_29_0) true)
-(expandtypeattribute (ctl_restart_prop_29_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_29_0) true)
-(expandtypeattribute (ctl_sigstop_prop_29_0) true)
-(expandtypeattribute (ctl_start_prop_29_0) true)
-(expandtypeattribute (ctl_stop_prop_29_0) true)
-(expandtypeattribute (dalvikcache_data_file_29_0) true)
-(expandtypeattribute (dalvik_prop_29_0) true)
-(expandtypeattribute (dbinfo_service_29_0) true)
-(expandtypeattribute (debugfs_29_0) true)
-(expandtypeattribute (debugfs_mmc_29_0) true)
-(expandtypeattribute (debugfs_trace_marker_29_0) true)
-(expandtypeattribute (debugfs_tracing_29_0) true)
-(expandtypeattribute (debugfs_tracing_debug_29_0) true)
-(expandtypeattribute (debugfs_tracing_instances_29_0) true)
-(expandtypeattribute (debugfs_wakeup_sources_29_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_29_0) true)
-(expandtypeattribute (debuggerd_prop_29_0) true)
-(expandtypeattribute (debug_prop_29_0) true)
-(expandtypeattribute (default_android_hwservice_29_0) true)
-(expandtypeattribute (default_android_service_29_0) true)
-(expandtypeattribute (default_android_vndservice_29_0) true)
-(expandtypeattribute (default_prop_29_0) true)
-(expandtypeattribute (dev_cpu_variant_29_0) true)
-(expandtypeattribute (device_29_0) true)
-(expandtypeattribute (device_config_activity_manager_native_boot_prop_29_0) true)
-(expandtypeattribute (device_config_boot_count_prop_29_0) true)
-(expandtypeattribute (device_config_input_native_boot_prop_29_0) true)
-(expandtypeattribute (device_config_media_native_prop_29_0) true)
-(expandtypeattribute (device_config_netd_native_prop_29_0) true)
-(expandtypeattribute (device_config_reset_performed_prop_29_0) true)
-(expandtypeattribute (device_config_runtime_native_boot_prop_29_0) true)
-(expandtypeattribute (device_config_runtime_native_prop_29_0) true)
-(expandtypeattribute (device_config_service_29_0) true)
-(expandtypeattribute (device_identifiers_service_29_0) true)
-(expandtypeattribute (deviceidle_service_29_0) true)
-(expandtypeattribute (device_logging_prop_29_0) true)
-(expandtypeattribute (device_policy_service_29_0) true)
-(expandtypeattribute (devicestoragemonitor_service_29_0) true)
-(expandtypeattribute (devpts_29_0) true)
-(expandtypeattribute (dhcp_29_0) true)
-(expandtypeattribute (dhcp_data_file_29_0) true)
-(expandtypeattribute (dhcp_exec_29_0) true)
-(expandtypeattribute (dhcp_prop_29_0) true)
-(expandtypeattribute (diskstats_service_29_0) true)
-(expandtypeattribute (display_service_29_0) true)
-(expandtypeattribute (dm_device_29_0) true)
-(expandtypeattribute (dnsmasq_29_0) true)
-(expandtypeattribute (dnsmasq_exec_29_0) true)
-(expandtypeattribute (dnsproxyd_socket_29_0) true)
-(expandtypeattribute (dnsresolver_service_29_0) true)
-(expandtypeattribute (DockObserver_service_29_0) true)
-(expandtypeattribute (dreams_service_29_0) true)
-(expandtypeattribute (drm_data_file_29_0) true)
-(expandtypeattribute (drmserver_29_0) true)
-(expandtypeattribute (drmserver_exec_29_0) true)
-(expandtypeattribute (drmserver_service_29_0) true)
-(expandtypeattribute (drmserver_socket_29_0) true)
-(expandtypeattribute (dropbox_data_file_29_0) true)
-(expandtypeattribute (dropbox_service_29_0) true)
-(expandtypeattribute (dumpstate_29_0) true)
-(expandtypeattribute (dumpstate_exec_29_0) true)
-(expandtypeattribute (dumpstate_options_prop_29_0) true)
-(expandtypeattribute (dumpstate_prop_29_0) true)
-(expandtypeattribute (dumpstate_service_29_0) true)
-(expandtypeattribute (dumpstate_socket_29_0) true)
-(expandtypeattribute (dynamic_system_prop_29_0) true)
-(expandtypeattribute (e2fs_29_0) true)
-(expandtypeattribute (e2fs_exec_29_0) true)
-(expandtypeattribute (efs_file_29_0) true)
-(expandtypeattribute (ephemeral_app_29_0) true)
-(expandtypeattribute (ethernet_service_29_0) true)
-(expandtypeattribute (exfat_29_0) true)
-(expandtypeattribute (exported2_config_prop_29_0) true)
-(expandtypeattribute (exported2_default_prop_29_0) true)
-(expandtypeattribute (exported2_radio_prop_29_0) true)
-(expandtypeattribute (exported2_system_prop_29_0) true)
-(expandtypeattribute (exported2_vold_prop_29_0) true)
-(expandtypeattribute (exported3_default_prop_29_0) true)
-(expandtypeattribute (exported3_radio_prop_29_0) true)
-(expandtypeattribute (exported3_system_prop_29_0) true)
-(expandtypeattribute (exported_audio_prop_29_0) true)
-(expandtypeattribute (exported_bluetooth_prop_29_0) true)
-(expandtypeattribute (exported_config_prop_29_0) true)
-(expandtypeattribute (exported_dalvik_prop_29_0) true)
-(expandtypeattribute (exported_default_prop_29_0) true)
-(expandtypeattribute (exported_dumpstate_prop_29_0) true)
-(expandtypeattribute (exported_ffs_prop_29_0) true)
-(expandtypeattribute (exported_fingerprint_prop_29_0) true)
-(expandtypeattribute (exported_overlay_prop_29_0) true)
-(expandtypeattribute (exported_pm_prop_29_0) true)
-(expandtypeattribute (exported_radio_prop_29_0) true)
-(expandtypeattribute (exported_secure_prop_29_0) true)
-(expandtypeattribute (exported_system_prop_29_0) true)
-(expandtypeattribute (exported_system_radio_prop_29_0) true)
-(expandtypeattribute (exported_vold_prop_29_0) true)
-(expandtypeattribute (exported_wifi_prop_29_0) true)
-(expandtypeattribute (external_vibrator_service_29_0) true)
-(expandtypeattribute (face_service_29_0) true)
-(expandtypeattribute (face_vendor_data_file_29_0) true)
-(expandtypeattribute (fastbootd_29_0) true)
-(expandtypeattribute (ffs_prop_29_0) true)
-(expandtypeattribute (file_contexts_file_29_0) true)
-(expandtypeattribute (fingerprintd_29_0) true)
-(expandtypeattribute (fingerprintd_data_file_29_0) true)
-(expandtypeattribute (fingerprintd_exec_29_0) true)
-(expandtypeattribute (fingerprintd_service_29_0) true)
-(expandtypeattribute (fingerprint_prop_29_0) true)
-(expandtypeattribute (fingerprint_service_29_0) true)
-(expandtypeattribute (fingerprint_vendor_data_file_29_0) true)
-(expandtypeattribute (firstboot_prop_29_0) true)
-(expandtypeattribute (flags_health_check_29_0) true)
-(expandtypeattribute (flags_health_check_exec_29_0) true)
-(expandtypeattribute (font_service_29_0) true)
-(expandtypeattribute (frp_block_device_29_0) true)
-(expandtypeattribute (fs_bpf_29_0) true)
-(expandtypeattribute (fsck_29_0) true)
-(expandtypeattribute (fsck_exec_29_0) true)
-(expandtypeattribute (fscklogs_29_0) true)
-(expandtypeattribute (fsck_untrusted_29_0) true)
-(expandtypeattribute (functionfs_29_0) true)
-(expandtypeattribute (fuse_29_0) true)
-(expandtypeattribute (fuse_device_29_0) true)
-(expandtypeattribute (fwk_bufferhub_hwservice_29_0) true)
-(expandtypeattribute (fwk_camera_hwservice_29_0) true)
-(expandtypeattribute (fwk_display_hwservice_29_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_29_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_29_0) true)
-(expandtypeattribute (fwk_stats_hwservice_29_0) true)
-(expandtypeattribute (fwmarkd_socket_29_0) true)
-(expandtypeattribute (gatekeeperd_29_0) true)
-(expandtypeattribute (gatekeeper_data_file_29_0) true)
-(expandtypeattribute (gatekeeperd_exec_29_0) true)
-(expandtypeattribute (gatekeeper_service_29_0) true)
-(expandtypeattribute (gfxinfo_service_29_0) true)
-(expandtypeattribute (gps_control_29_0) true)
-(expandtypeattribute (gpu_device_29_0) true)
-(expandtypeattribute (gpu_service_29_0) true)
-(expandtypeattribute (gpuservice_29_0) true)
-(expandtypeattribute (graphics_device_29_0) true)
-(expandtypeattribute (graphicsstats_service_29_0) true)
-(expandtypeattribute (gsi_data_file_29_0) true)
-(expandtypeattribute (gsid_prop_29_0) true)
-(expandtypeattribute (gsi_metadata_file_29_0) true)
-(expandtypeattribute (hal_atrace_hwservice_29_0) true)
-(expandtypeattribute (hal_audiocontrol_hwservice_29_0) true)
-(expandtypeattribute (hal_audio_hwservice_29_0) true)
-(expandtypeattribute (hal_authsecret_hwservice_29_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_29_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_29_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_29_0) true)
-(expandtypeattribute (hal_camera_hwservice_29_0) true)
-(expandtypeattribute (hal_cas_hwservice_29_0) true)
-(expandtypeattribute (hal_codec2_hwservice_29_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_29_0) true)
-(expandtypeattribute (hal_confirmationui_hwservice_29_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_29_0) true)
-(expandtypeattribute (hal_drm_hwservice_29_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_29_0) true)
-(expandtypeattribute (hal_evs_hwservice_29_0) true)
-(expandtypeattribute (hal_face_hwservice_29_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_29_0) true)
-(expandtypeattribute (hal_fingerprint_service_29_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_29_0) true)
-(expandtypeattribute (hal_gnss_hwservice_29_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_29_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_29_0) true)
-(expandtypeattribute (hal_graphics_composer_server_tmpfs_29_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_29_0) true)
-(expandtypeattribute (hal_health_hwservice_29_0) true)
-(expandtypeattribute (hal_health_storage_hwservice_29_0) true)
-(expandtypeattribute (hal_input_classifier_hwservice_29_0) true)
-(expandtypeattribute (hal_ir_hwservice_29_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_29_0) true)
-(expandtypeattribute (hal_light_hwservice_29_0) true)
-(expandtypeattribute (hal_lowpan_hwservice_29_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_29_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_29_0) true)
-(expandtypeattribute (hal_nfc_hwservice_29_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_29_0) true)
-(expandtypeattribute (hal_omx_hwservice_29_0) true)
-(expandtypeattribute (hal_power_hwservice_29_0) true)
-(expandtypeattribute (hal_power_stats_hwservice_29_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_29_0) true)
-(expandtypeattribute (hal_secure_element_hwservice_29_0) true)
-(expandtypeattribute (hal_sensors_hwservice_29_0) true)
-(expandtypeattribute (hal_telephony_hwservice_29_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_29_0) true)
-(expandtypeattribute (hal_thermal_hwservice_29_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_29_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_29_0) true)
-(expandtypeattribute (hal_usb_gadget_hwservice_29_0) true)
-(expandtypeattribute (hal_usb_hwservice_29_0) true)
-(expandtypeattribute (hal_vehicle_hwservice_29_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_29_0) true)
-(expandtypeattribute (hal_vr_hwservice_29_0) true)
-(expandtypeattribute (hal_weaver_hwservice_29_0) true)
-(expandtypeattribute (hal_wifi_hostapd_hwservice_29_0) true)
-(expandtypeattribute (hal_wifi_hwservice_29_0) true)
-(expandtypeattribute (hal_wifi_offload_hwservice_29_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_29_0) true)
-(expandtypeattribute (hardware_properties_service_29_0) true)
-(expandtypeattribute (hardware_service_29_0) true)
-(expandtypeattribute (hci_attach_dev_29_0) true)
-(expandtypeattribute (hdmi_control_service_29_0) true)
-(expandtypeattribute (healthd_29_0) true)
-(expandtypeattribute (healthd_exec_29_0) true)
-(expandtypeattribute (heapdump_data_file_29_0) true)
-(expandtypeattribute (heapprofd_29_0) true)
-(expandtypeattribute (heapprofd_enabled_prop_29_0) true)
-(expandtypeattribute (heapprofd_prop_29_0) true)
-(expandtypeattribute (heapprofd_socket_29_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_29_0) true)
-(expandtypeattribute (hidl_base_hwservice_29_0) true)
-(expandtypeattribute (hidl_manager_hwservice_29_0) true)
-(expandtypeattribute (hidl_memory_hwservice_29_0) true)
-(expandtypeattribute (hidl_token_hwservice_29_0) true)
-(expandtypeattribute (hwbinder_device_29_0) true)
-(expandtypeattribute (hw_random_device_29_0) true)
-(expandtypeattribute (hwservice_contexts_file_29_0) true)
-(expandtypeattribute (hwservicemanager_29_0) true)
-(expandtypeattribute (hwservicemanager_exec_29_0) true)
-(expandtypeattribute (hwservicemanager_prop_29_0) true)
-(expandtypeattribute (icon_file_29_0) true)
-(expandtypeattribute (idmap_29_0) true)
-(expandtypeattribute (idmap_exec_29_0) true)
-(expandtypeattribute (idmap_service_29_0) true)
-(expandtypeattribute (iio_device_29_0) true)
-(expandtypeattribute (imms_service_29_0) true)
-(expandtypeattribute (incident_29_0) true)
-(expandtypeattribute (incidentd_29_0) true)
-(expandtypeattribute (incident_data_file_29_0) true)
-(expandtypeattribute (incident_helper_29_0) true)
-(expandtypeattribute (incident_service_29_0) true)
-(expandtypeattribute (init_29_0) true)
-(expandtypeattribute (init_exec_29_0) true)
-(expandtypeattribute (init_tmpfs_29_0) true)
-(expandtypeattribute (inotify_29_0) true)
-(expandtypeattribute (input_device_29_0) true)
-(expandtypeattribute (inputflinger_29_0) true)
-(expandtypeattribute (inputflinger_exec_29_0) true)
-(expandtypeattribute (inputflinger_service_29_0) true)
-(expandtypeattribute (input_method_service_29_0) true)
-(expandtypeattribute (input_service_29_0) true)
-(expandtypeattribute (installd_29_0) true)
-(expandtypeattribute (install_data_file_29_0) true)
-(expandtypeattribute (installd_exec_29_0) true)
-(expandtypeattribute (installd_service_29_0) true)
-(expandtypeattribute (install_recovery_29_0) true)
-(expandtypeattribute (install_recovery_exec_29_0) true)
-(expandtypeattribute (ion_device_29_0) true)
-(expandtypeattribute (iorapd_29_0) true)
-(expandtypeattribute (iorapd_data_file_29_0) true)
-(expandtypeattribute (iorapd_exec_29_0) true)
-(expandtypeattribute (iorapd_service_29_0) true)
-(expandtypeattribute (iorapd_tmpfs_29_0) true)
-(expandtypeattribute (IProxyService_service_29_0) true)
-(expandtypeattribute (ipsec_service_29_0) true)
-(expandtypeattribute (iris_service_29_0) true)
-(expandtypeattribute (iris_vendor_data_file_29_0) true)
-(expandtypeattribute (isolated_app_29_0) true)
-(expandtypeattribute (jobscheduler_service_29_0) true)
-(expandtypeattribute (kernel_29_0) true)
-(expandtypeattribute (keychain_data_file_29_0) true)
-(expandtypeattribute (keychord_device_29_0) true)
-(expandtypeattribute (keystore_29_0) true)
-(expandtypeattribute (keystore_data_file_29_0) true)
-(expandtypeattribute (keystore_exec_29_0) true)
-(expandtypeattribute (keystore_service_29_0) true)
-(expandtypeattribute (kmsg_debug_device_29_0) true)
-(expandtypeattribute (kmsg_device_29_0) true)
-(expandtypeattribute (labeledfs_29_0) true)
-(expandtypeattribute (last_boot_reason_prop_29_0) true)
-(expandtypeattribute (launcherapps_service_29_0) true)
-(expandtypeattribute (llkd_29_0) true)
-(expandtypeattribute (llkd_exec_29_0) true)
-(expandtypeattribute (llkd_prop_29_0) true)
-(expandtypeattribute (lmkd_29_0) true)
-(expandtypeattribute (lmkd_exec_29_0) true)
-(expandtypeattribute (lmkd_socket_29_0) true)
-(expandtypeattribute (location_service_29_0) true)
-(expandtypeattribute (lock_settings_service_29_0) true)
-(expandtypeattribute (logcat_exec_29_0) true)
-(expandtypeattribute (logd_29_0) true)
-(expandtypeattribute (logd_exec_29_0) true)
-(expandtypeattribute (logd_prop_29_0) true)
-(expandtypeattribute (logdr_socket_29_0) true)
-(expandtypeattribute (logd_socket_29_0) true)
-(expandtypeattribute (logdw_socket_29_0) true)
-(expandtypeattribute (logpersist_29_0) true)
-(expandtypeattribute (logpersistd_logging_prop_29_0) true)
-(expandtypeattribute (log_prop_29_0) true)
-(expandtypeattribute (log_tag_prop_29_0) true)
-(expandtypeattribute (loop_control_device_29_0) true)
-(expandtypeattribute (loop_device_29_0) true)
-(expandtypeattribute (looper_stats_service_29_0) true)
-(expandtypeattribute (lowpan_device_29_0) true)
-(expandtypeattribute (lowpan_prop_29_0) true)
-(expandtypeattribute (lowpan_service_29_0) true)
-(expandtypeattribute (lpdumpd_prop_29_0) true)
-(expandtypeattribute (lpdump_service_29_0) true)
-(expandtypeattribute (mac_perms_file_29_0) true)
-(expandtypeattribute (mdnsd_29_0) true)
-(expandtypeattribute (mdnsd_socket_29_0) true)
-(expandtypeattribute (mdns_socket_29_0) true)
-(expandtypeattribute (mediacodec_service_29_0) true)
-(expandtypeattribute (media_data_file_29_0) true)
-(expandtypeattribute (mediadrmserver_29_0) true)
-(expandtypeattribute (mediadrmserver_exec_29_0) true)
-(expandtypeattribute (mediadrmserver_service_29_0) true)
-(expandtypeattribute (mediaextractor_29_0) true)
-(expandtypeattribute (mediaextractor_exec_29_0) true)
-(expandtypeattribute (mediaextractor_service_29_0) true)
-(expandtypeattribute (mediaextractor_tmpfs_29_0) true)
-(expandtypeattribute (mediametrics_29_0) true)
-(expandtypeattribute (mediametrics_exec_29_0) true)
-(expandtypeattribute (mediametrics_service_29_0) true)
-(expandtypeattribute (media_projection_service_29_0) true)
-(expandtypeattribute (mediaprovider_29_0) true)
-(expandtypeattribute (media_router_service_29_0) true)
-(expandtypeattribute (media_rw_data_file_29_0) true)
-(expandtypeattribute (mediaserver_29_0) true)
-(expandtypeattribute (mediaserver_exec_29_0) true)
-(expandtypeattribute (mediaserver_service_29_0) true)
-(expandtypeattribute (mediaserver_tmpfs_29_0) true)
-(expandtypeattribute (media_session_service_29_0) true)
-(expandtypeattribute (mediaswcodec_29_0) true)
-(expandtypeattribute (mediaswcodec_exec_29_0) true)
-(expandtypeattribute (meminfo_service_29_0) true)
-(expandtypeattribute (metadata_block_device_29_0) true)
-(expandtypeattribute (metadata_file_29_0) true)
-(expandtypeattribute (method_trace_data_file_29_0) true)
-(expandtypeattribute (midi_service_29_0) true)
-(expandtypeattribute (misc_block_device_29_0) true)
-(expandtypeattribute (misc_logd_file_29_0) true)
-(expandtypeattribute (misc_user_data_file_29_0) true)
-(expandtypeattribute (mmc_prop_29_0) true)
-(expandtypeattribute (mnt_expand_file_29_0) true)
-(expandtypeattribute (mnt_media_rw_file_29_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_29_0) true)
-(expandtypeattribute (mnt_product_file_29_0) true)
-(expandtypeattribute (mnt_user_file_29_0) true)
-(expandtypeattribute (mnt_vendor_file_29_0) true)
-(expandtypeattribute (modprobe_29_0) true)
-(expandtypeattribute (mount_service_29_0) true)
-(expandtypeattribute (mqueue_29_0) true)
-(expandtypeattribute (mtp_29_0) true)
-(expandtypeattribute (mtp_device_29_0) true)
-(expandtypeattribute (mtpd_socket_29_0) true)
-(expandtypeattribute (mtp_exec_29_0) true)
-(expandtypeattribute (nativetest_data_file_29_0) true)
-(expandtypeattribute (netd_29_0) true)
-(expandtypeattribute (net_data_file_29_0) true)
-(expandtypeattribute (netd_exec_29_0) true)
-(expandtypeattribute (netd_listener_service_29_0) true)
-(expandtypeattribute (net_dns_prop_29_0) true)
-(expandtypeattribute (netd_service_29_0) true)
-(expandtypeattribute (netd_stable_secret_prop_29_0) true)
-(expandtypeattribute (netif_29_0) true)
-(expandtypeattribute (netpolicy_service_29_0) true)
-(expandtypeattribute (net_radio_prop_29_0) true)
-(expandtypeattribute (netstats_service_29_0) true)
-(expandtypeattribute (netutils_wrapper_29_0) true)
-(expandtypeattribute (netutils_wrapper_exec_29_0) true)
-(expandtypeattribute (network_management_service_29_0) true)
-(expandtypeattribute (network_score_service_29_0) true)
-(expandtypeattribute (network_stack_29_0) true)
-(expandtypeattribute (network_stack_service_29_0) true)
-(expandtypeattribute (network_time_update_service_29_0) true)
-(expandtypeattribute (network_watchlist_data_file_29_0) true)
-(expandtypeattribute (network_watchlist_service_29_0) true)
-(expandtypeattribute (nfc_29_0) true)
-(expandtypeattribute (nfc_data_file_29_0) true)
-(expandtypeattribute (nfc_device_29_0) true)
-(expandtypeattribute (nfc_prop_29_0) true)
-(expandtypeattribute (nfc_service_29_0) true)
-(expandtypeattribute (nnapi_ext_deny_product_prop_29_0) true)
-(expandtypeattribute (node_29_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_29_0) true)
-(expandtypeattribute (notification_service_29_0) true)
-(expandtypeattribute (null_device_29_0) true)
-(expandtypeattribute (oemfs_29_0) true)
-(expandtypeattribute (oem_lock_service_29_0) true)
-(expandtypeattribute (ota_data_file_29_0) true)
-(expandtypeattribute (otadexopt_service_29_0) true)
-(expandtypeattribute (ota_package_file_29_0) true)
-(expandtypeattribute (overlayfs_file_29_0) true)
-(expandtypeattribute (overlay_prop_29_0) true)
-(expandtypeattribute (overlay_service_29_0) true)
-(expandtypeattribute (owntty_device_29_0) true)
-(expandtypeattribute (package_native_service_29_0) true)
-(expandtypeattribute (package_service_29_0) true)
-(expandtypeattribute (packages_list_file_29_0) true)
-(expandtypeattribute (pan_result_prop_29_0) true)
-(expandtypeattribute (password_slot_metadata_file_29_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_29_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_29_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_29_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_display_dir_29_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_29_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_29_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_29_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_29_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_29_0) true)
-(expandtypeattribute (pdx_performance_dir_29_0) true)
-(expandtypeattribute (perfetto_29_0) true)
-(expandtypeattribute (performanced_29_0) true)
-(expandtypeattribute (performanced_exec_29_0) true)
-(expandtypeattribute (permissionmgr_service_29_0) true)
-(expandtypeattribute (permission_service_29_0) true)
-(expandtypeattribute (persist_debug_prop_29_0) true)
-(expandtypeattribute (persistent_data_block_service_29_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_29_0) true)
-(expandtypeattribute (pinner_service_29_0) true)
-(expandtypeattribute (pipefs_29_0) true)
-(expandtypeattribute (platform_app_29_0) true)
-(expandtypeattribute (pm_prop_29_0) true)
-(expandtypeattribute (pmsg_device_29_0) true)
-(expandtypeattribute (port_29_0) true)
-(expandtypeattribute (port_device_29_0) true)
-(expandtypeattribute (postinstall_29_0) true)
-(expandtypeattribute (postinstall_apex_mnt_dir_29_0) true)
-(expandtypeattribute (postinstall_file_29_0) true)
-(expandtypeattribute (postinstall_mnt_dir_29_0) true)
-(expandtypeattribute (powerctl_prop_29_0) true)
-(expandtypeattribute (power_service_29_0) true)
-(expandtypeattribute (ppp_29_0) true)
-(expandtypeattribute (ppp_device_29_0) true)
-(expandtypeattribute (ppp_exec_29_0) true)
-(expandtypeattribute (preloads_data_file_29_0) true)
-(expandtypeattribute (preloads_media_file_29_0) true)
-(expandtypeattribute (print_service_29_0) true)
-(expandtypeattribute (priv_app_29_0) true)
-(expandtypeattribute (privapp_data_file_29_0) true)
-(expandtypeattribute (proc_29_0) true)
-(expandtypeattribute (proc_abi_29_0) true)
-(expandtypeattribute (proc_asound_29_0) true)
-(expandtypeattribute (proc_bluetooth_writable_29_0) true)
-(expandtypeattribute (proc_buddyinfo_29_0) true)
-(expandtypeattribute (proc_cmdline_29_0) true)
-(expandtypeattribute (proc_cpuinfo_29_0) true)
-(expandtypeattribute (proc_dirty_29_0) true)
-(expandtypeattribute (proc_diskstats_29_0) true)
-(expandtypeattribute (proc_drop_caches_29_0) true)
-(expandtypeattribute (processinfo_service_29_0) true)
-(expandtypeattribute (proc_extra_free_kbytes_29_0) true)
-(expandtypeattribute (proc_filesystems_29_0) true)
-(expandtypeattribute (proc_fs_verity_29_0) true)
-(expandtypeattribute (proc_hostname_29_0) true)
-(expandtypeattribute (proc_hung_task_29_0) true)
-(expandtypeattribute (proc_interrupts_29_0) true)
-(expandtypeattribute (proc_iomem_29_0) true)
-(expandtypeattribute (proc_keys_29_0) true)
-(expandtypeattribute (proc_kmsg_29_0) true)
-(expandtypeattribute (proc_loadavg_29_0) true)
-(expandtypeattribute (proc_max_map_count_29_0) true)
-(expandtypeattribute (proc_meminfo_29_0) true)
-(expandtypeattribute (proc_min_free_order_shift_29_0) true)
-(expandtypeattribute (proc_misc_29_0) true)
-(expandtypeattribute (proc_modules_29_0) true)
-(expandtypeattribute (proc_mounts_29_0) true)
-(expandtypeattribute (proc_net_29_0) true)
-(expandtypeattribute (proc_net_tcp_udp_29_0) true)
-(expandtypeattribute (proc_overcommit_memory_29_0) true)
-(expandtypeattribute (proc_page_cluster_29_0) true)
-(expandtypeattribute (proc_pagetypeinfo_29_0) true)
-(expandtypeattribute (proc_panic_29_0) true)
-(expandtypeattribute (proc_perf_29_0) true)
-(expandtypeattribute (proc_pid_max_29_0) true)
-(expandtypeattribute (proc_pipe_conf_29_0) true)
-(expandtypeattribute (proc_pressure_cpu_29_0) true)
-(expandtypeattribute (proc_pressure_io_29_0) true)
-(expandtypeattribute (proc_pressure_mem_29_0) true)
-(expandtypeattribute (proc_qtaguid_ctrl_29_0) true)
-(expandtypeattribute (proc_qtaguid_stat_29_0) true)
-(expandtypeattribute (proc_random_29_0) true)
-(expandtypeattribute (proc_sched_29_0) true)
-(expandtypeattribute (proc_security_29_0) true)
-(expandtypeattribute (proc_slabinfo_29_0) true)
-(expandtypeattribute (proc_stat_29_0) true)
-(expandtypeattribute (procstats_service_29_0) true)
-(expandtypeattribute (proc_swaps_29_0) true)
-(expandtypeattribute (proc_sysrq_29_0) true)
-(expandtypeattribute (proc_timer_29_0) true)
-(expandtypeattribute (proc_tty_drivers_29_0) true)
-(expandtypeattribute (proc_uid_concurrent_active_time_29_0) true)
-(expandtypeattribute (proc_uid_concurrent_policy_time_29_0) true)
-(expandtypeattribute (proc_uid_cpupower_29_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_29_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_29_0) true)
-(expandtypeattribute (proc_uid_io_stats_29_0) true)
-(expandtypeattribute (proc_uid_procstat_set_29_0) true)
-(expandtypeattribute (proc_uid_time_in_state_29_0) true)
-(expandtypeattribute (proc_uptime_29_0) true)
-(expandtypeattribute (proc_version_29_0) true)
-(expandtypeattribute (proc_vmallocinfo_29_0) true)
-(expandtypeattribute (proc_vmstat_29_0) true)
-(expandtypeattribute (proc_zoneinfo_29_0) true)
-(expandtypeattribute (profman_29_0) true)
-(expandtypeattribute (profman_dump_data_file_29_0) true)
-(expandtypeattribute (profman_exec_29_0) true)
-(expandtypeattribute (properties_device_29_0) true)
-(expandtypeattribute (properties_serial_29_0) true)
-(expandtypeattribute (property_contexts_file_29_0) true)
-(expandtypeattribute (property_data_file_29_0) true)
-(expandtypeattribute (property_info_29_0) true)
-(expandtypeattribute (property_socket_29_0) true)
-(expandtypeattribute (pstorefs_29_0) true)
-(expandtypeattribute (ptmx_device_29_0) true)
-(expandtypeattribute (qtaguid_device_29_0) true)
-(expandtypeattribute (racoon_29_0) true)
-(expandtypeattribute (racoon_exec_29_0) true)
-(expandtypeattribute (racoon_socket_29_0) true)
-(expandtypeattribute (radio_29_0) true)
-(expandtypeattribute (radio_data_file_29_0) true)
-(expandtypeattribute (radio_device_29_0) true)
-(expandtypeattribute (radio_prop_29_0) true)
-(expandtypeattribute (radio_service_29_0) true)
-(expandtypeattribute (ram_device_29_0) true)
-(expandtypeattribute (random_device_29_0) true)
-(expandtypeattribute (recovery_29_0) true)
-(expandtypeattribute (recovery_block_device_29_0) true)
-(expandtypeattribute (recovery_data_file_29_0) true)
-(expandtypeattribute (recovery_persist_29_0) true)
-(expandtypeattribute (recovery_persist_exec_29_0) true)
-(expandtypeattribute (recovery_refresh_29_0) true)
-(expandtypeattribute (recovery_refresh_exec_29_0) true)
-(expandtypeattribute (recovery_service_29_0) true)
-(expandtypeattribute (recovery_socket_29_0) true)
-(expandtypeattribute (registry_service_29_0) true)
-(expandtypeattribute (resourcecache_data_file_29_0) true)
-(expandtypeattribute (restorecon_prop_29_0) true)
-(expandtypeattribute (restrictions_service_29_0) true)
-(expandtypeattribute (rild_debug_socket_29_0) true)
-(expandtypeattribute (rild_socket_29_0) true)
-(expandtypeattribute (ringtone_file_29_0) true)
-(expandtypeattribute (role_service_29_0) true)
-(expandtypeattribute (rollback_service_29_0) true)
-(expandtypeattribute (root_block_device_29_0) true)
-(expandtypeattribute (rootfs_29_0) true)
-(expandtypeattribute (rpmsg_device_29_0) true)
-(expandtypeattribute (rs_29_0) true)
-(expandtypeattribute (rs_exec_29_0) true)
-(expandtypeattribute (rss_hwm_reset_29_0) true)
-(expandtypeattribute (rtc_device_29_0) true)
-(expandtypeattribute (rttmanager_service_29_0) true)
-(expandtypeattribute (runas_29_0) true)
-(expandtypeattribute (runas_app_29_0) true)
-(expandtypeattribute (runas_exec_29_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_29_0) true)
-(expandtypeattribute (runtime_service_29_0) true)
-(expandtypeattribute (safemode_prop_29_0) true)
-(expandtypeattribute (same_process_hal_file_29_0) true)
-(expandtypeattribute (samplingprofiler_service_29_0) true)
-(expandtypeattribute (scheduling_policy_service_29_0) true)
-(expandtypeattribute (sdcard_block_device_29_0) true)
-(expandtypeattribute (sdcardd_29_0) true)
-(expandtypeattribute (sdcardd_exec_29_0) true)
-(expandtypeattribute (sdcardfs_29_0) true)
-(expandtypeattribute (seapp_contexts_file_29_0) true)
-(expandtypeattribute (search_service_29_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_29_0) true)
-(expandtypeattribute (secure_element_29_0) true)
-(expandtypeattribute (secure_element_device_29_0) true)
-(expandtypeattribute (secure_element_service_29_0) true)
-(expandtypeattribute (selinuxfs_29_0) true)
-(expandtypeattribute (sensor_privacy_service_29_0) true)
-(expandtypeattribute (sensors_device_29_0) true)
-(expandtypeattribute (sensorservice_service_29_0) true)
-(expandtypeattribute (sepolicy_file_29_0) true)
-(expandtypeattribute (serial_device_29_0) true)
-(expandtypeattribute (serialno_prop_29_0) true)
-(expandtypeattribute (serial_service_29_0) true)
-(expandtypeattribute (server_configurable_flags_data_file_29_0) true)
-(expandtypeattribute (service_contexts_file_29_0) true)
-(expandtypeattribute (servicediscovery_service_29_0) true)
-(expandtypeattribute (servicemanager_29_0) true)
-(expandtypeattribute (servicemanager_exec_29_0) true)
-(expandtypeattribute (settings_service_29_0) true)
-(expandtypeattribute (sgdisk_29_0) true)
-(expandtypeattribute (sgdisk_exec_29_0) true)
-(expandtypeattribute (shared_relro_29_0) true)
-(expandtypeattribute (shared_relro_file_29_0) true)
-(expandtypeattribute (shell_29_0) true)
-(expandtypeattribute (shell_data_file_29_0) true)
-(expandtypeattribute (shell_exec_29_0) true)
-(expandtypeattribute (shell_prop_29_0) true)
-(expandtypeattribute (shm_29_0) true)
-(expandtypeattribute (shortcut_manager_icons_29_0) true)
-(expandtypeattribute (shortcut_service_29_0) true)
-(expandtypeattribute (simpleperf_app_runner_29_0) true)
-(expandtypeattribute (simpleperf_app_runner_exec_29_0) true)
-(expandtypeattribute (slice_service_29_0) true)
-(expandtypeattribute (slideshow_29_0) true)
-(expandtypeattribute (socket_device_29_0) true)
-(expandtypeattribute (sockfs_29_0) true)
-(expandtypeattribute (staging_data_file_29_0) true)
-(expandtypeattribute (statsd_29_0) true)
-(expandtypeattribute (stats_data_file_29_0) true)
-(expandtypeattribute (statsd_exec_29_0) true)
-(expandtypeattribute (statsdw_socket_29_0) true)
-(expandtypeattribute (statusbar_service_29_0) true)
-(expandtypeattribute (storaged_service_29_0) true)
-(expandtypeattribute (storage_file_29_0) true)
-(expandtypeattribute (storagestats_service_29_0) true)
-(expandtypeattribute (storage_stub_file_29_0) true)
-(expandtypeattribute (su_29_0) true)
-(expandtypeattribute (su_exec_29_0) true)
-(expandtypeattribute (super_block_device_29_0) true)
-(expandtypeattribute (surfaceflinger_29_0) true)
-(expandtypeattribute (surfaceflinger_service_29_0) true)
-(expandtypeattribute (surfaceflinger_tmpfs_29_0) true)
-(expandtypeattribute (swap_block_device_29_0) true)
-(expandtypeattribute (sysfs_29_0) true)
-(expandtypeattribute (sysfs_android_usb_29_0) true)
-(expandtypeattribute (sysfs_batteryinfo_29_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_29_0) true)
-(expandtypeattribute (sysfs_devices_block_29_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_29_0) true)
-(expandtypeattribute (sysfs_dm_29_0) true)
-(expandtypeattribute (sysfs_dt_firmware_android_29_0) true)
-(expandtypeattribute (sysfs_extcon_29_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_29_0) true)
-(expandtypeattribute (sysfs_fs_f2fs_29_0) true)
-(expandtypeattribute (sysfs_hwrandom_29_0) true)
-(expandtypeattribute (sysfs_ipv4_29_0) true)
-(expandtypeattribute (sysfs_kernel_notes_29_0) true)
-(expandtypeattribute (sysfs_leds_29_0) true)
-(expandtypeattribute (sysfs_loop_29_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_29_0) true)
-(expandtypeattribute (sysfs_mac_address_29_0) true)
-(expandtypeattribute (sysfs_net_29_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_29_0) true)
-(expandtypeattribute (sysfs_power_29_0) true)
-(expandtypeattribute (sysfs_rtc_29_0) true)
-(expandtypeattribute (sysfs_switch_29_0) true)
-(expandtypeattribute (sysfs_thermal_29_0) true)
-(expandtypeattribute (sysfs_transparent_hugepage_29_0) true)
-(expandtypeattribute (sysfs_uio_29_0) true)
-(expandtypeattribute (sysfs_usb_29_0) true)
-(expandtypeattribute (sysfs_usermodehelper_29_0) true)
-(expandtypeattribute (sysfs_vibrator_29_0) true)
-(expandtypeattribute (sysfs_wake_lock_29_0) true)
-(expandtypeattribute (sysfs_wakeup_reasons_29_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_29_0) true)
-(expandtypeattribute (sysfs_zram_29_0) true)
-(expandtypeattribute (sysfs_zram_uevent_29_0) true)
-(expandtypeattribute (system_app_29_0) true)
-(expandtypeattribute (system_app_data_file_29_0) true)
-(expandtypeattribute (system_app_service_29_0) true)
-(expandtypeattribute (system_asan_options_file_29_0) true)
-(expandtypeattribute (system_block_device_29_0) true)
-(expandtypeattribute (system_boot_reason_prop_29_0) true)
-(expandtypeattribute (system_bootstrap_lib_file_29_0) true)
-(expandtypeattribute (system_data_file_29_0) true)
-(expandtypeattribute (system_event_log_tags_file_29_0) true)
-(expandtypeattribute (system_file_29_0) true)
-(expandtypeattribute (systemkeys_data_file_29_0) true)
-(expandtypeattribute (system_lib_file_29_0) true)
-(expandtypeattribute (system_linker_config_file_29_0) true)
-(expandtypeattribute (system_linker_exec_29_0) true)
-(expandtypeattribute (system_lmk_prop_29_0) true)
-(expandtypeattribute (system_ndebug_socket_29_0) true)
-(expandtypeattribute (system_net_netd_hwservice_29_0) true)
-(expandtypeattribute (system_prop_29_0) true)
-(expandtypeattribute (system_radio_prop_29_0) true)
-(expandtypeattribute (system_seccomp_policy_file_29_0) true)
-(expandtypeattribute (system_security_cacerts_file_29_0) true)
-(expandtypeattribute (system_server_29_0) true)
-(expandtypeattribute (system_server_tmpfs_29_0) true)
-(expandtypeattribute (system_suspend_control_service_29_0) true)
-(expandtypeattribute (system_suspend_hwservice_29_0) true)
-(expandtypeattribute (system_trace_prop_29_0) true)
-(expandtypeattribute (system_update_service_29_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_29_0) true)
-(expandtypeattribute (system_wpa_socket_29_0) true)
-(expandtypeattribute (system_zoneinfo_file_29_0) true)
-(expandtypeattribute (task_profiles_file_29_0) true)
-(expandtypeattribute (task_service_29_0) true)
-(expandtypeattribute (tcpdump_exec_29_0) true)
-(expandtypeattribute (tee_29_0) true)
-(expandtypeattribute (tee_data_file_29_0) true)
-(expandtypeattribute (tee_device_29_0) true)
-(expandtypeattribute (telecom_service_29_0) true)
-(expandtypeattribute (test_boot_reason_prop_29_0) true)
-(expandtypeattribute (test_harness_prop_29_0) true)
-(expandtypeattribute (testharness_service_29_0) true)
-(expandtypeattribute (textclassification_service_29_0) true)
-(expandtypeattribute (textclassifier_data_file_29_0) true)
-(expandtypeattribute (textservices_service_29_0) true)
-(expandtypeattribute (thermalcallback_hwservice_29_0) true)
-(expandtypeattribute (thermal_service_29_0) true)
-(expandtypeattribute (timedetector_service_29_0) true)
-(expandtypeattribute (time_prop_29_0) true)
-(expandtypeattribute (timezone_service_29_0) true)
-(expandtypeattribute (tmpfs_29_0) true)
-(expandtypeattribute (tombstoned_29_0) true)
-(expandtypeattribute (tombstone_data_file_29_0) true)
-(expandtypeattribute (tombstoned_crash_socket_29_0) true)
-(expandtypeattribute (tombstoned_exec_29_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_29_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_29_0) true)
-(expandtypeattribute (tombstone_wifi_data_file_29_0) true)
-(expandtypeattribute (toolbox_29_0) true)
-(expandtypeattribute (toolbox_exec_29_0) true)
-(expandtypeattribute (traced_29_0) true)
-(expandtypeattribute (trace_data_file_29_0) true)
-(expandtypeattribute (traced_consumer_socket_29_0) true)
-(expandtypeattribute (traced_enabled_prop_29_0) true)
-(expandtypeattribute (traced_lazy_prop_29_0) true)
-(expandtypeattribute (traced_probes_29_0) true)
-(expandtypeattribute (traced_producer_socket_29_0) true)
-(expandtypeattribute (traceur_app_29_0) true)
-(expandtypeattribute (trust_service_29_0) true)
-(expandtypeattribute (tty_device_29_0) true)
-(expandtypeattribute (tun_device_29_0) true)
-(expandtypeattribute (tv_input_service_29_0) true)
-(expandtypeattribute (tzdatacheck_29_0) true)
-(expandtypeattribute (tzdatacheck_exec_29_0) true)
-(expandtypeattribute (ueventd_29_0) true)
-(expandtypeattribute (ueventd_tmpfs_29_0) true)
-(expandtypeattribute (uhid_device_29_0) true)
-(expandtypeattribute (uimode_service_29_0) true)
-(expandtypeattribute (uio_device_29_0) true)
-(expandtypeattribute (uncrypt_29_0) true)
-(expandtypeattribute (uncrypt_exec_29_0) true)
-(expandtypeattribute (uncrypt_socket_29_0) true)
-(expandtypeattribute (unencrypted_data_file_29_0) true)
-(expandtypeattribute (unlabeled_29_0) true)
-(expandtypeattribute (untrusted_app_25_29_0) true)
-(expandtypeattribute (untrusted_app_27_29_0) true)
-(expandtypeattribute (untrusted_app_29_0) true)
-(expandtypeattribute (update_engine_29_0) true)
-(expandtypeattribute (update_engine_data_file_29_0) true)
-(expandtypeattribute (update_engine_exec_29_0) true)
-(expandtypeattribute (update_engine_log_data_file_29_0) true)
-(expandtypeattribute (update_engine_service_29_0) true)
-(expandtypeattribute (updatelock_service_29_0) true)
-(expandtypeattribute (update_verifier_29_0) true)
-(expandtypeattribute (update_verifier_exec_29_0) true)
-(expandtypeattribute (uri_grants_service_29_0) true)
-(expandtypeattribute (usagestats_service_29_0) true)
-(expandtypeattribute (usbaccessory_device_29_0) true)
-(expandtypeattribute (usbd_29_0) true)
-(expandtypeattribute (usb_device_29_0) true)
-(expandtypeattribute (usbd_exec_29_0) true)
-(expandtypeattribute (usbfs_29_0) true)
-(expandtypeattribute (usb_service_29_0) true)
-(expandtypeattribute (use_memfd_prop_29_0) true)
-(expandtypeattribute (userdata_block_device_29_0) true)
-(expandtypeattribute (usermodehelper_29_0) true)
-(expandtypeattribute (user_profile_data_file_29_0) true)
-(expandtypeattribute (user_service_29_0) true)
-(expandtypeattribute (vdc_29_0) true)
-(expandtypeattribute (vdc_exec_29_0) true)
-(expandtypeattribute (vendor_app_file_29_0) true)
-(expandtypeattribute (vendor_cgroup_desc_file_29_0) true)
-(expandtypeattribute (vendor_configs_file_29_0) true)
-(expandtypeattribute (vendor_data_file_29_0) true)
-(expandtypeattribute (vendor_default_prop_29_0) true)
-(expandtypeattribute (vendor_file_29_0) true)
-(expandtypeattribute (vendor_framework_file_29_0) true)
-(expandtypeattribute (vendor_hal_file_29_0) true)
-(expandtypeattribute (vendor_idc_file_29_0) true)
-(expandtypeattribute (vendor_init_29_0) true)
-(expandtypeattribute (vendor_keychars_file_29_0) true)
-(expandtypeattribute (vendor_keylayout_file_29_0) true)
-(expandtypeattribute (vendor_overlay_file_29_0) true)
-(expandtypeattribute (vendor_public_lib_file_29_0) true)
-(expandtypeattribute (vendor_security_patch_level_prop_29_0) true)
-(expandtypeattribute (vendor_shell_29_0) true)
-(expandtypeattribute (vendor_shell_exec_29_0) true)
-(expandtypeattribute (vendor_task_profiles_file_29_0) true)
-(expandtypeattribute (vendor_toolbox_exec_29_0) true)
-(expandtypeattribute (vfat_29_0) true)
-(expandtypeattribute (vibrator_service_29_0) true)
-(expandtypeattribute (video_device_29_0) true)
-(expandtypeattribute (virtual_touchpad_29_0) true)
-(expandtypeattribute (virtual_touchpad_exec_29_0) true)
-(expandtypeattribute (virtual_touchpad_service_29_0) true)
-(expandtypeattribute (vndbinder_device_29_0) true)
-(expandtypeattribute (vndk_sp_file_29_0) true)
-(expandtypeattribute (vndservice_contexts_file_29_0) true)
-(expandtypeattribute (vndservicemanager_29_0) true)
-(expandtypeattribute (voiceinteraction_service_29_0) true)
-(expandtypeattribute (vold_29_0) true)
-(expandtypeattribute (vold_data_file_29_0) true)
-(expandtypeattribute (vold_device_29_0) true)
-(expandtypeattribute (vold_exec_29_0) true)
-(expandtypeattribute (vold_metadata_file_29_0) true)
-(expandtypeattribute (vold_prepare_subdirs_29_0) true)
-(expandtypeattribute (vold_prepare_subdirs_exec_29_0) true)
-(expandtypeattribute (vold_prop_29_0) true)
-(expandtypeattribute (vold_service_29_0) true)
-(expandtypeattribute (vpn_data_file_29_0) true)
-(expandtypeattribute (vrflinger_vsync_service_29_0) true)
-(expandtypeattribute (vr_hwc_29_0) true)
-(expandtypeattribute (vr_hwc_exec_29_0) true)
-(expandtypeattribute (vr_hwc_service_29_0) true)
-(expandtypeattribute (vr_manager_service_29_0) true)
-(expandtypeattribute (wallpaper_file_29_0) true)
-(expandtypeattribute (wallpaper_service_29_0) true)
-(expandtypeattribute (watchdogd_29_0) true)
-(expandtypeattribute (watchdog_device_29_0) true)
-(expandtypeattribute (watchdogd_exec_29_0) true)
-(expandtypeattribute (webviewupdate_service_29_0) true)
-(expandtypeattribute (webview_zygote_29_0) true)
-(expandtypeattribute (webview_zygote_exec_29_0) true)
-(expandtypeattribute (webview_zygote_tmpfs_29_0) true)
-(expandtypeattribute (wifiaware_service_29_0) true)
-(expandtypeattribute (wificond_29_0) true)
-(expandtypeattribute (wificond_exec_29_0) true)
-(expandtypeattribute (wificond_service_29_0) true)
-(expandtypeattribute (wifi_data_file_29_0) true)
-(expandtypeattribute (wifi_log_prop_29_0) true)
-(expandtypeattribute (wifip2p_service_29_0) true)
-(expandtypeattribute (wifi_prop_29_0) true)
-(expandtypeattribute (wifiscanner_service_29_0) true)
-(expandtypeattribute (wifi_service_29_0) true)
-(expandtypeattribute (window_service_29_0) true)
-(expandtypeattribute (wpantund_29_0) true)
-(expandtypeattribute (wpantund_exec_29_0) true)
-(expandtypeattribute (wpantund_service_29_0) true)
-(expandtypeattribute (wpa_socket_29_0) true)
-(expandtypeattribute (zero_device_29_0) true)
-(expandtypeattribute (zoneinfo_data_file_29_0) true)
-(expandtypeattribute (zygote_29_0) true)
-(expandtypeattribute (zygote_exec_29_0) true)
-(expandtypeattribute (zygote_socket_29_0) true)
-(expandtypeattribute (zygote_tmpfs_29_0) true)
-(typeattributeset accessibility_service_29_0 (accessibility_service))
-(typeattributeset account_service_29_0 (account_service))
-(typeattributeset activity_service_29_0 (activity_service))
-(typeattributeset activity_task_service_29_0 (activity_task_service))
-(typeattributeset adbd_29_0 (adbd))
-(typeattributeset adb_data_file_29_0 (adb_data_file))
-(typeattributeset adbd_exec_29_0 (adbd_exec))
-(typeattributeset adbd_socket_29_0 (adbd_socket))
-(typeattributeset adb_keys_file_29_0 (adb_keys_file))
-(typeattributeset adb_service_29_0 (adb_service))
-(typeattributeset alarm_service_29_0 (alarm_service))
-(typeattributeset anr_data_file_29_0 (anr_data_file))
-(typeattributeset apexd_29_0 (apexd))
-(typeattributeset apex_data_file_29_0 (apex_data_file))
-(typeattributeset apexd_exec_29_0 (apexd_exec))
-(typeattributeset apexd_prop_29_0 (apexd_prop))
-(typeattributeset apex_metadata_file_29_0 (apex_metadata_file))
-(typeattributeset apex_mnt_dir_29_0 (apex_mnt_dir))
-(typeattributeset apex_service_29_0 (apex_service))
-(typeattributeset apk_data_file_29_0 (apk_data_file))
-(typeattributeset apk_private_data_file_29_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_29_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_29_0 (apk_tmp_file))
-(typeattributeset app_binding_service_29_0 (app_binding_service))
-(typeattributeset app_data_file_29_0 (app_data_file))
-(typeattributeset appdomain_tmpfs_29_0 (appdomain_tmpfs))
-(typeattributeset app_fuse_file_29_0 (app_fuse_file))
-(typeattributeset app_fusefs_29_0 (app_fusefs))
-(typeattributeset appops_service_29_0 (appops_service))
-(typeattributeset app_prediction_service_29_0 (app_prediction_service))
-(typeattributeset appwidget_service_29_0 (appwidget_service))
-(typeattributeset app_zygote_29_0 (app_zygote))
-(typeattributeset app_zygote_tmpfs_29_0 (app_zygote_tmpfs))
-(typeattributeset asec_apk_file_29_0 (asec_apk_file))
-(typeattributeset asec_image_file_29_0 (asec_image_file))
-(typeattributeset asec_public_file_29_0 (asec_public_file))
-(typeattributeset ashmemd_29_0 (ashmemd))
-(typeattributeset ashmem_device_29_0 (ashmem_device))
-(typeattributeset assetatlas_service_29_0 (assetatlas_service))
-(typeattributeset audio_data_file_29_0 (audio_data_file))
-(typeattributeset audio_device_29_0 (audio_device))
-(typeattributeset audiohal_data_file_29_0 (audiohal_data_file))
-(typeattributeset audio_prop_29_0 (audio_prop))
-(typeattributeset audioserver_29_0 (audioserver))
-(typeattributeset audioserver_data_file_29_0 (audioserver_data_file))
-(typeattributeset audioserver_service_29_0 (audioserver_service))
-(typeattributeset audioserver_tmpfs_29_0 (audioserver_tmpfs))
-(typeattributeset audio_service_29_0 (audio_service))
-(typeattributeset autofill_service_29_0 (autofill_service))
-(typeattributeset backup_data_file_29_0 (backup_data_file))
-(typeattributeset backup_service_29_0 (backup_service))
-(typeattributeset batteryproperties_service_29_0 (batteryproperties_service))
-(typeattributeset battery_service_29_0 (battery_service))
-(typeattributeset batterystats_service_29_0 (batterystats_service))
-(typeattributeset binder_calls_stats_service_29_0 (binder_calls_stats_service))
-(typeattributeset binder_device_29_0 (binder_device))
-(typeattributeset binfmt_miscfs_29_0 (binfmt_miscfs))
-(typeattributeset biometric_service_29_0 (biometric_service))
-(typeattributeset blkid_29_0 (blkid))
-(typeattributeset blkid_untrusted_29_0 (blkid_untrusted))
-(typeattributeset block_device_29_0 (block_device))
-(typeattributeset bluetooth_29_0 (bluetooth))
-(typeattributeset bluetooth_a2dp_offload_prop_29_0 (bluetooth_a2dp_offload_prop))
-(typeattributeset bluetooth_audio_hal_prop_29_0 (bluetooth_audio_hal_prop))
-(typeattributeset bluetooth_data_file_29_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_29_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_29_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_29_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_29_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_29_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_29_0 (bluetooth_socket))
-(typeattributeset bootanim_29_0 (bootanim))
-(typeattributeset bootanim_exec_29_0 (bootanim_exec))
-(typeattributeset boot_block_device_29_0 (boot_block_device))
-(typeattributeset bootchart_data_file_29_0 (bootchart_data_file))
-(typeattributeset bootloader_boot_reason_prop_29_0 (bootloader_boot_reason_prop))
-(typeattributeset bootstat_29_0 (bootstat))
-(typeattributeset bootstat_data_file_29_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_29_0 (bootstat_exec))
-(typeattributeset boottime_prop_29_0 (boottime_prop))
-(typeattributeset boottrace_data_file_29_0 (boottrace_data_file))
-(typeattributeset bpf_progs_loaded_prop_29_0 (bpf_progs_loaded_prop))
-(typeattributeset broadcastradio_service_29_0 (broadcastradio_service))
-(typeattributeset bufferhubd_29_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_29_0 (bufferhubd_exec))
-(typeattributeset bugreport_service_29_0 (bugreport_service))
-(typeattributeset cache_backup_file_29_0 (cache_backup_file))
-(typeattributeset cache_block_device_29_0 (cache_block_device))
-(typeattributeset cache_file_29_0 (cache_file))
-(typeattributeset cache_private_backup_file_29_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_29_0 (cache_recovery_file))
-(typeattributeset camera_data_file_29_0 (camera_data_file))
-(typeattributeset camera_device_29_0 (camera_device))
-(typeattributeset cameraproxy_service_29_0 (cameraproxy_service))
-(typeattributeset cameraserver_29_0 (cameraserver))
-(typeattributeset cameraserver_exec_29_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_29_0 (cameraserver_service))
-(typeattributeset cameraserver_tmpfs_29_0 (cameraserver_tmpfs))
-(typeattributeset cgroup_29_0 (cgroup))
-(typeattributeset cgroup_bpf_29_0 (cgroup_bpf))
-(typeattributeset cgroup_desc_file_29_0 (cgroup_desc_file))
-(typeattributeset cgroup_rc_file_29_0 (cgroup_rc_file))
-(typeattributeset charger_29_0 (charger))
-(typeattributeset charger_exec_29_0 (charger_exec))
-(typeattributeset clatd_29_0 (clatd))
-(typeattributeset clatd_exec_29_0 (clatd_exec))
-(typeattributeset clipboard_service_29_0 (clipboard_service))
-(typeattributeset color_display_service_29_0 (color_display_service))
-(typeattributeset companion_device_service_29_0 (companion_device_service))
-(typeattributeset configfs_29_0 (configfs))
-(typeattributeset config_prop_29_0 (config_prop))
-(typeattributeset connectivity_service_29_0 (connectivity_service))
-(typeattributeset connmetrics_service_29_0 (connmetrics_service))
-(typeattributeset console_device_29_0 (console_device))
-(typeattributeset consumer_ir_service_29_0 (consumer_ir_service))
-(typeattributeset content_capture_service_29_0 (content_capture_service))
-(typeattributeset content_service_29_0 (content_service))
-(typeattributeset content_suggestions_service_29_0 (content_suggestions_service))
-(typeattributeset contexthub_service_29_0 (contexthub_service))
-(typeattributeset coredump_file_29_0 (coredump_file))
-(typeattributeset country_detector_service_29_0 (country_detector_service))
-(typeattributeset coverage_service_29_0 (coverage_service))
-(typeattributeset cppreopt_prop_29_0 (cppreopt_prop))
-(typeattributeset cpuinfo_service_29_0 (cpuinfo_service))
-(typeattributeset cpu_variant_prop_29_0 (cpu_variant_prop))
-(typeattributeset crash_dump_29_0 (crash_dump))
-(typeattributeset crash_dump_exec_29_0 (crash_dump_exec))
-(typeattributeset crossprofileapps_service_29_0 (crossprofileapps_service))
-(typeattributeset ctl_adbd_prop_29_0 (ctl_adbd_prop))
-(typeattributeset ctl_bootanim_prop_29_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_29_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_29_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_29_0 (ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_29_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_29_0 (ctl_fuse_prop))
-(typeattributeset ctl_gsid_prop_29_0 (ctl_gsid_prop))
-(typeattributeset ctl_interface_restart_prop_29_0 (ctl_interface_restart_prop))
-(typeattributeset ctl_interface_start_prop_29_0 (ctl_interface_start_prop))
-(typeattributeset ctl_interface_stop_prop_29_0 (ctl_interface_stop_prop))
-(typeattributeset ctl_mdnsd_prop_29_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_restart_prop_29_0 (ctl_restart_prop))
-(typeattributeset ctl_rildaemon_prop_29_0 (ctl_rildaemon_prop))
-(typeattributeset ctl_sigstop_prop_29_0 (ctl_sigstop_prop))
-(typeattributeset ctl_start_prop_29_0 (ctl_start_prop))
-(typeattributeset ctl_stop_prop_29_0 (ctl_stop_prop))
-(typeattributeset dalvikcache_data_file_29_0 (dalvikcache_data_file))
-(typeattributeset dalvik_prop_29_0 (dalvik_prop))
-(typeattributeset dbinfo_service_29_0 (dbinfo_service))
-(typeattributeset debugfs_29_0 (debugfs))
-(typeattributeset debugfs_mmc_29_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_29_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_29_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_29_0 (debugfs_tracing_debug))
-(typeattributeset debugfs_tracing_instances_29_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wakeup_sources_29_0 (debugfs_wakeup_sources))
-(typeattributeset debugfs_wifi_tracing_29_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_29_0 (debuggerd_prop))
-(typeattributeset debug_prop_29_0 (debug_prop))
-(typeattributeset default_android_hwservice_29_0 (default_android_hwservice))
-(typeattributeset default_android_service_29_0 (default_android_service))
-(typeattributeset default_android_vndservice_29_0 (default_android_vndservice))
-(typeattributeset default_prop_29_0 (default_prop apk_verity_prop))
-(typeattributeset dev_cpu_variant_29_0 (dev_cpu_variant))
-(typeattributeset device_29_0 (device))
-(typeattributeset device_config_activity_manager_native_boot_prop_29_0 (device_config_activity_manager_native_boot_prop))
-(typeattributeset device_config_boot_count_prop_29_0 (device_config_boot_count_prop))
-(typeattributeset device_config_input_native_boot_prop_29_0 (device_config_input_native_boot_prop))
-(typeattributeset device_config_media_native_prop_29_0 (device_config_media_native_prop))
-(typeattributeset device_config_netd_native_prop_29_0 (device_config_netd_native_prop))
-(typeattributeset device_config_reset_performed_prop_29_0 (device_config_reset_performed_prop))
-(typeattributeset device_config_runtime_native_boot_prop_29_0 (device_config_runtime_native_boot_prop))
-(typeattributeset device_config_runtime_native_prop_29_0 (device_config_runtime_native_prop))
-(typeattributeset device_config_service_29_0 (device_config_service))
-(typeattributeset device_identifiers_service_29_0 (device_identifiers_service))
-(typeattributeset deviceidle_service_29_0 (deviceidle_service))
-(typeattributeset device_logging_prop_29_0 (device_logging_prop))
-(typeattributeset device_policy_service_29_0 (device_policy_service))
-(typeattributeset devicestoragemonitor_service_29_0 (devicestoragemonitor_service))
-(typeattributeset devpts_29_0 (devpts))
-(typeattributeset dhcp_29_0 (dhcp))
-(typeattributeset dhcp_data_file_29_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_29_0 (dhcp_exec))
-(typeattributeset dhcp_prop_29_0 (dhcp_prop))
-(typeattributeset diskstats_service_29_0 (diskstats_service))
-(typeattributeset display_service_29_0 (display_service))
-(typeattributeset dm_device_29_0 (dm_device))
-(typeattributeset dnsmasq_29_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_29_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_29_0 (dnsproxyd_socket))
-(typeattributeset dnsresolver_service_29_0 (dnsresolver_service))
-(typeattributeset DockObserver_service_29_0 (DockObserver_service))
-(typeattributeset dreams_service_29_0 (dreams_service))
-(typeattributeset drm_data_file_29_0 (drm_data_file))
-(typeattributeset drmserver_29_0 (drmserver))
-(typeattributeset drmserver_exec_29_0 (drmserver_exec))
-(typeattributeset drmserver_service_29_0 (drmserver_service))
-(typeattributeset drmserver_socket_29_0 (drmserver_socket))
-(typeattributeset dropbox_data_file_29_0 (dropbox_data_file))
-(typeattributeset dropbox_service_29_0 (dropbox_service))
-(typeattributeset dumpstate_29_0 (dumpstate))
-(typeattributeset dumpstate_exec_29_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_29_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_29_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_29_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_29_0 (dumpstate_socket))
-(typeattributeset dynamic_system_prop_29_0 (dynamic_system_prop))
-(typeattributeset e2fs_29_0 (e2fs))
-(typeattributeset e2fs_exec_29_0 (e2fs_exec))
-(typeattributeset efs_file_29_0 (efs_file))
-(typeattributeset ephemeral_app_29_0 (ephemeral_app))
-(typeattributeset ethernet_service_29_0 (ethernet_service))
-(typeattributeset exfat_29_0 (exfat))
-(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop))
-(typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
-(typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_29_0
- ( exported2_system_prop
- surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0
- ( exported2_vold_prop
- vold_config_prop
- vold_post_fs_data_prop))
-(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
-(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
-(typeattributeset exported_audio_prop_29_0 (exported_audio_prop audio_config_prop))
-(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
-(typeattributeset exported_config_prop_29_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop dalvik_config_prop))
-(typeattributeset exported_default_prop_29_0
- ( exported_default_prop
- surfaceflinger_prop
- vndk_prop))
-(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
-(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
-(typeattributeset exported_fingerprint_prop_29_0 (exported_fingerprint_prop))
-(typeattributeset exported_overlay_prop_29_0 (exported_overlay_prop))
-(typeattributeset exported_pm_prop_29_0 (exported_pm_prop))
-(typeattributeset exported_radio_prop_29_0 (exported_radio_prop))
-(typeattributeset exported_secure_prop_29_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_29_0 (exported_system_prop))
-(typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop))
-(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop))
-(typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop))
-(typeattributeset external_vibrator_service_29_0 (external_vibrator_service))
-(typeattributeset face_service_29_0 (face_service))
-(typeattributeset face_vendor_data_file_29_0 (face_vendor_data_file))
-(typeattributeset fastbootd_29_0 (fastbootd))
-(typeattributeset ffs_prop_29_0 (ffs_prop))
-(typeattributeset file_contexts_file_29_0 (file_contexts_file))
-(typeattributeset fingerprintd_29_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_29_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_29_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_29_0 (fingerprintd_service))
-(typeattributeset fingerprint_prop_29_0 (fingerprint_prop))
-(typeattributeset fingerprint_service_29_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_29_0 (fingerprint_vendor_data_file))
-(typeattributeset firstboot_prop_29_0 (firstboot_prop))
-(typeattributeset flags_health_check_29_0 (flags_health_check))
-(typeattributeset flags_health_check_exec_29_0 (flags_health_check_exec))
-(typeattributeset font_service_29_0 (font_service))
-(typeattributeset frp_block_device_29_0 (frp_block_device))
-(typeattributeset fs_bpf_29_0 (fs_bpf))
-(typeattributeset fsck_29_0 (fsck))
-(typeattributeset fsck_exec_29_0 (fsck_exec))
-(typeattributeset fscklogs_29_0 (fscklogs))
-(typeattributeset fsck_untrusted_29_0 (fsck_untrusted))
-(typeattributeset functionfs_29_0 (functionfs))
-(typeattributeset fuse_29_0 (fuse))
-(typeattributeset fuse_device_29_0 (fuse_device))
-(typeattributeset fwk_bufferhub_hwservice_29_0 (fwk_bufferhub_hwservice))
-(typeattributeset fwk_camera_hwservice_29_0 (fwk_camera_hwservice))
-(typeattributeset fwk_display_hwservice_29_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_29_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_29_0 (fwk_sensor_hwservice))
-(typeattributeset fwk_stats_hwservice_29_0 (fwk_stats_hwservice))
-(typeattributeset fwmarkd_socket_29_0 (fwmarkd_socket))
-(typeattributeset gatekeeperd_29_0 (gatekeeperd))
-(typeattributeset gatekeeper_data_file_29_0 (gatekeeper_data_file))
-(typeattributeset gatekeeperd_exec_29_0 (gatekeeperd_exec))
-(typeattributeset gatekeeper_service_29_0 (gatekeeper_service))
-(typeattributeset gfxinfo_service_29_0 (gfxinfo_service))
-(typeattributeset gps_control_29_0 (gps_control))
-(typeattributeset gpu_device_29_0 (gpu_device))
-(typeattributeset gpu_service_29_0 (gpu_service))
-(typeattributeset gpuservice_29_0 (gpuservice))
-(typeattributeset graphics_device_29_0 (graphics_device))
-(typeattributeset graphicsstats_service_29_0 (graphicsstats_service))
-(typeattributeset gsi_data_file_29_0 (gsi_data_file))
-(typeattributeset gsid_prop_29_0 (gsid_prop))
-(typeattributeset gsi_metadata_file_29_0 (gsi_metadata_file))
-(typeattributeset hal_atrace_hwservice_29_0 (hal_atrace_hwservice))
-(typeattributeset hal_audiocontrol_hwservice_29_0 (hal_audiocontrol_hwservice))
-(typeattributeset hal_audio_hwservice_29_0 (hal_audio_hwservice))
-(typeattributeset hal_authsecret_hwservice_29_0 (hal_authsecret_hwservice))
-(typeattributeset hal_bluetooth_hwservice_29_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_29_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_29_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_29_0 (hal_camera_hwservice))
-(typeattributeset hal_cas_hwservice_29_0 (hal_cas_hwservice))
-(typeattributeset hal_codec2_hwservice_29_0 (hal_codec2_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_29_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_confirmationui_hwservice_29_0 (hal_confirmationui_hwservice))
-(typeattributeset hal_contexthub_hwservice_29_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_29_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_29_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_evs_hwservice_29_0 (hal_evs_hwservice))
-(typeattributeset hal_face_hwservice_29_0 (hal_face_hwservice))
-(typeattributeset hal_fingerprint_hwservice_29_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_29_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_29_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_29_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_29_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_29_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_composer_server_tmpfs_29_0 (hal_graphics_composer_server_tmpfs))
-(typeattributeset hal_graphics_mapper_hwservice_29_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_29_0 (hal_health_hwservice))
-(typeattributeset hal_health_storage_hwservice_29_0 (hal_health_storage_hwservice))
-(typeattributeset hal_input_classifier_hwservice_29_0 (hal_input_classifier_hwservice))
-(typeattributeset hal_ir_hwservice_29_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_29_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_29_0 (hal_light_hwservice))
-(typeattributeset hal_lowpan_hwservice_29_0 (hal_lowpan_hwservice))
-(typeattributeset hal_memtrack_hwservice_29_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_29_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_29_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_29_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_29_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_29_0 (hal_power_hwservice))
-(typeattributeset hal_power_stats_hwservice_29_0 (hal_power_stats_hwservice))
-(typeattributeset hal_renderscript_hwservice_29_0 (hal_renderscript_hwservice))
-(typeattributeset hal_secure_element_hwservice_29_0 (hal_secure_element_hwservice))
-(typeattributeset hal_sensors_hwservice_29_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_29_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_29_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_29_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_29_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_29_0 (hal_tv_input_hwservice))
-(typeattributeset hal_usb_gadget_hwservice_29_0 (hal_usb_gadget_hwservice))
-(typeattributeset hal_usb_hwservice_29_0 (hal_usb_hwservice))
-(typeattributeset hal_vehicle_hwservice_29_0 (hal_vehicle_hwservice))
-(typeattributeset hal_vibrator_hwservice_29_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vr_hwservice_29_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_29_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hostapd_hwservice_29_0 (hal_wifi_hostapd_hwservice))
-(typeattributeset hal_wifi_hwservice_29_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_offload_hwservice_29_0 (hal_wifi_offload_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_29_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_29_0 (hardware_properties_service))
-(typeattributeset hardware_service_29_0 (hardware_service))
-(typeattributeset hci_attach_dev_29_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_29_0 (hdmi_control_service))
-(typeattributeset healthd_29_0 (healthd))
-(typeattributeset healthd_exec_29_0 (healthd_exec))
-(typeattributeset heapdump_data_file_29_0 (heapdump_data_file))
-(typeattributeset heapprofd_29_0 (heapprofd))
-(typeattributeset heapprofd_enabled_prop_29_0 (heapprofd_enabled_prop))
-(typeattributeset heapprofd_prop_29_0 (heapprofd_prop))
-(typeattributeset heapprofd_socket_29_0 (heapprofd_socket))
-(typeattributeset hidl_allocator_hwservice_29_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_29_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_29_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_29_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_29_0 (hidl_token_hwservice))
-(typeattributeset hwbinder_device_29_0 (hwbinder_device))
-(typeattributeset hw_random_device_29_0 (hw_random_device))
-(typeattributeset hwservice_contexts_file_29_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_29_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_29_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_29_0 (hwservicemanager_prop))
-(typeattributeset icon_file_29_0 (icon_file))
-(typeattributeset idmap_29_0 (idmap))
-(typeattributeset idmap_exec_29_0 (idmap_exec))
-(typeattributeset idmap_service_29_0 (idmap_service))
-(typeattributeset iio_device_29_0 (iio_device))
-(typeattributeset imms_service_29_0 (imms_service))
-(typeattributeset incident_29_0 (incident))
-(typeattributeset incidentd_29_0 (incidentd))
-(typeattributeset incident_data_file_29_0 (incident_data_file))
-(typeattributeset incident_helper_29_0 (incident_helper))
-(typeattributeset incident_service_29_0 (incident_service))
-(typeattributeset init_29_0 (init))
-(typeattributeset init_exec_29_0 (init_exec))
-(typeattributeset init_tmpfs_29_0 (init_tmpfs))
-(typeattributeset inotify_29_0 (inotify))
-(typeattributeset input_device_29_0 (input_device))
-(typeattributeset inputflinger_29_0 (inputflinger))
-(typeattributeset inputflinger_exec_29_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_29_0 (inputflinger_service))
-(typeattributeset input_method_service_29_0 (input_method_service))
-(typeattributeset input_service_29_0 (input_service))
-(typeattributeset installd_29_0 (installd))
-(typeattributeset install_data_file_29_0 (install_data_file))
-(typeattributeset installd_exec_29_0 (installd_exec))
-(typeattributeset installd_service_29_0 (installd_service))
-(typeattributeset install_recovery_29_0 (install_recovery))
-(typeattributeset install_recovery_exec_29_0 (install_recovery_exec))
-(typeattributeset ion_device_29_0 (ion_device))
-(typeattributeset iorapd_29_0 (iorapd))
-(typeattributeset iorapd_data_file_29_0 (iorapd_data_file))
-(typeattributeset iorapd_exec_29_0 (iorapd_exec))
-(typeattributeset iorapd_service_29_0 (iorapd_service))
-(typeattributeset iorapd_tmpfs_29_0 (iorapd_tmpfs))
-(typeattributeset IProxyService_service_29_0 (IProxyService_service))
-(typeattributeset ipsec_service_29_0 (ipsec_service))
-(typeattributeset iris_service_29_0 (iris_service))
-(typeattributeset iris_vendor_data_file_29_0 (iris_vendor_data_file))
-(typeattributeset isolated_app_29_0 (isolated_app))
-(typeattributeset jobscheduler_service_29_0 (jobscheduler_service))
-(typeattributeset kernel_29_0 (kernel))
-(typeattributeset keychain_data_file_29_0 (keychain_data_file))
-(typeattributeset keychord_device_29_0 (keychord_device))
-(typeattributeset keystore_29_0 (keystore))
-(typeattributeset keystore_data_file_29_0 (keystore_data_file))
-(typeattributeset keystore_exec_29_0 (keystore_exec))
-(typeattributeset keystore_service_29_0 (keystore_service))
-(typeattributeset kmsg_debug_device_29_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_29_0 (kmsg_device))
-(typeattributeset labeledfs_29_0 (labeledfs))
-(typeattributeset last_boot_reason_prop_29_0 (last_boot_reason_prop))
-(typeattributeset launcherapps_service_29_0 (launcherapps_service))
-(typeattributeset llkd_29_0 (llkd))
-(typeattributeset llkd_exec_29_0 (llkd_exec))
-(typeattributeset llkd_prop_29_0 (llkd_prop))
-(typeattributeset lmkd_29_0 (lmkd))
-(typeattributeset lmkd_exec_29_0 (lmkd_exec))
-(typeattributeset lmkd_socket_29_0 (lmkd_socket))
-(typeattributeset location_service_29_0 (location_service))
-(typeattributeset lock_settings_service_29_0 (lock_settings_service))
-(typeattributeset logcat_exec_29_0 (logcat_exec))
-(typeattributeset logd_29_0 (logd))
-(typeattributeset logd_exec_29_0 (logd_exec))
-(typeattributeset logd_prop_29_0 (logd_prop))
-(typeattributeset logdr_socket_29_0 (logdr_socket))
-(typeattributeset logd_socket_29_0 (logd_socket))
-(typeattributeset logdw_socket_29_0 (logdw_socket))
-(typeattributeset logpersist_29_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_29_0 (logpersistd_logging_prop))
-(typeattributeset log_prop_29_0 (log_prop))
-(typeattributeset log_tag_prop_29_0 (log_tag_prop))
-(typeattributeset loop_control_device_29_0 (loop_control_device))
-(typeattributeset loop_device_29_0 (loop_device))
-(typeattributeset looper_stats_service_29_0 (looper_stats_service))
-(typeattributeset lowpan_device_29_0 (lowpan_device))
-(typeattributeset lowpan_prop_29_0 (lowpan_prop))
-(typeattributeset lowpan_service_29_0 (lowpan_service))
-(typeattributeset lpdumpd_prop_29_0 (lpdumpd_prop))
-(typeattributeset lpdump_service_29_0 (lpdump_service))
-(typeattributeset mac_perms_file_29_0 (mac_perms_file))
-(typeattributeset mdnsd_29_0 (mdnsd))
-(typeattributeset mdnsd_socket_29_0 (mdnsd_socket))
-(typeattributeset mdns_socket_29_0 (mdns_socket))
-(typeattributeset mediacodec_service_29_0 (mediacodec_service))
-(typeattributeset media_data_file_29_0 (media_data_file))
-(typeattributeset mediadrmserver_29_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_29_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_29_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_29_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_29_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_29_0 (mediaextractor_service))
-(typeattributeset mediaextractor_tmpfs_29_0 (mediaextractor_tmpfs))
-(typeattributeset mediametrics_29_0 (mediametrics))
-(typeattributeset mediametrics_exec_29_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_29_0 (mediametrics_service))
-(typeattributeset media_projection_service_29_0 (media_projection_service))
-(typeattributeset mediaprovider_29_0 (mediaprovider))
-(typeattributeset media_router_service_29_0 (media_router_service))
-(typeattributeset media_rw_data_file_29_0 (media_rw_data_file))
-(typeattributeset mediaserver_29_0 (mediaserver))
-(typeattributeset mediaserver_exec_29_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_29_0 (mediaserver_service))
-(typeattributeset mediaserver_tmpfs_29_0 (mediaserver_tmpfs))
-(typeattributeset media_session_service_29_0 (media_session_service))
-(typeattributeset mediaswcodec_29_0 (mediaswcodec))
-(typeattributeset mediaswcodec_exec_29_0 (mediaswcodec_exec))
-(typeattributeset meminfo_service_29_0 (meminfo_service))
-(typeattributeset metadata_block_device_29_0 (metadata_block_device))
-(typeattributeset metadata_file_29_0 (metadata_file))
-(typeattributeset method_trace_data_file_29_0 (method_trace_data_file))
-(typeattributeset midi_service_29_0 (midi_service))
-(typeattributeset misc_block_device_29_0 (misc_block_device))
-(typeattributeset misc_logd_file_29_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_29_0 (misc_user_data_file))
-(typeattributeset mmc_prop_29_0 (mmc_prop))
-(typeattributeset mnt_expand_file_29_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_29_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_29_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_product_file_29_0 (mnt_product_file))
-(typeattributeset mnt_user_file_29_0 (mnt_user_file))
-(typeattributeset mnt_vendor_file_29_0 (mnt_vendor_file))
-(typeattributeset modprobe_29_0 (modprobe))
-(typeattributeset mount_service_29_0 (mount_service))
-(typeattributeset mqueue_29_0 (mqueue))
-(typeattributeset mtp_29_0 (mtp))
-(typeattributeset mtp_device_29_0 (mtp_device))
-(typeattributeset mtpd_socket_29_0 (mtpd_socket))
-(typeattributeset mtp_exec_29_0 (mtp_exec))
-(typeattributeset nativetest_data_file_29_0 (nativetest_data_file))
-(typeattributeset netd_29_0 (netd))
-(typeattributeset net_data_file_29_0 (net_data_file))
-(typeattributeset netd_exec_29_0 (netd_exec))
-(typeattributeset netd_listener_service_29_0 (netd_listener_service))
-(typeattributeset net_dns_prop_29_0 (net_dns_prop))
-(typeattributeset netd_service_29_0 (netd_service))
-(typeattributeset netd_stable_secret_prop_29_0 (netd_stable_secret_prop))
-(typeattributeset netif_29_0 (netif))
-(typeattributeset netpolicy_service_29_0 (netpolicy_service))
-(typeattributeset net_radio_prop_29_0 (net_radio_prop))
-(typeattributeset netstats_service_29_0 (netstats_service))
-(typeattributeset netutils_wrapper_29_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_29_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_29_0 (network_management_service))
-(typeattributeset network_score_service_29_0 (network_score_service))
-(typeattributeset network_stack_29_0 (network_stack))
-(typeattributeset network_stack_service_29_0 (network_stack_service))
-(typeattributeset network_time_update_service_29_0 (network_time_update_service))
-(typeattributeset network_watchlist_data_file_29_0 (network_watchlist_data_file))
-(typeattributeset network_watchlist_service_29_0 (network_watchlist_service))
-(typeattributeset nfc_29_0 (nfc))
-(typeattributeset nfc_data_file_29_0 (nfc_data_file))
-(typeattributeset nfc_device_29_0 (nfc_device))
-(typeattributeset nfc_prop_29_0 (nfc_prop))
-(typeattributeset nfc_service_29_0 (nfc_service))
-(typeattributeset nnapi_ext_deny_product_prop_29_0 (nnapi_ext_deny_product_prop))
-(typeattributeset node_29_0 (node))
-(typeattributeset nonplat_service_contexts_file_29_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_29_0 (notification_service))
-(typeattributeset null_device_29_0 (null_device))
-(typeattributeset oemfs_29_0 (oemfs))
-(typeattributeset oem_lock_service_29_0 (oem_lock_service))
-(typeattributeset ota_data_file_29_0 (ota_data_file))
-(typeattributeset otadexopt_service_29_0 (otadexopt_service))
-(typeattributeset ota_package_file_29_0 (ota_package_file))
-(typeattributeset overlayfs_file_29_0 (overlayfs_file))
-(typeattributeset overlay_prop_29_0 (overlay_prop))
-(typeattributeset overlay_service_29_0 (overlay_service))
-(typeattributeset owntty_device_29_0 (owntty_device))
-(typeattributeset package_native_service_29_0 (package_native_service))
-(typeattributeset package_service_29_0 (package_service))
-(typeattributeset packages_list_file_29_0 (packages_list_file))
-(typeattributeset pan_result_prop_29_0 (pan_result_prop))
-(typeattributeset password_slot_metadata_file_29_0 (password_slot_metadata_file))
-(typeattributeset pdx_bufferhub_client_channel_socket_29_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_29_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_29_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_29_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_29_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_29_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_29_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_29_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_29_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_29_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_29_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_29_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_29_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_29_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_29_0 (pdx_performance_dir))
-(typeattributeset perfetto_29_0 (perfetto))
-(typeattributeset performanced_29_0 (performanced))
-(typeattributeset performanced_exec_29_0 (performanced_exec))
-(typeattributeset permissionmgr_service_29_0 (permissionmgr_service))
-(typeattributeset permission_service_29_0 (permission_service))
-(typeattributeset persist_debug_prop_29_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_29_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_29_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_29_0 (pinner_service))
-(typeattributeset pipefs_29_0 (pipefs))
-(typeattributeset platform_app_29_0 (platform_app))
-(typeattributeset pm_prop_29_0 (pm_prop))
-(typeattributeset pmsg_device_29_0 (pmsg_device))
-(typeattributeset port_29_0 (port))
-(typeattributeset port_device_29_0 (port_device))
-(typeattributeset postinstall_29_0 (postinstall))
-(typeattributeset postinstall_apex_mnt_dir_29_0 (postinstall_apex_mnt_dir))
-(typeattributeset postinstall_file_29_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_29_0 (postinstall_mnt_dir))
-(typeattributeset powerctl_prop_29_0 (powerctl_prop))
-(typeattributeset power_service_29_0 (power_service))
-(typeattributeset ppp_29_0 (ppp))
-(typeattributeset ppp_device_29_0 (ppp_device))
-(typeattributeset ppp_exec_29_0 (ppp_exec))
-(typeattributeset preloads_data_file_29_0 (preloads_data_file))
-(typeattributeset preloads_media_file_29_0 (preloads_media_file))
-(typeattributeset print_service_29_0 (print_service))
-(typeattributeset priv_app_29_0 (priv_app))
-(typeattributeset privapp_data_file_29_0 (privapp_data_file))
-(typeattributeset proc_29_0
- ( proc
- proc_kpageflags
- proc_lowmemorykiller))
-(typeattributeset proc_abi_29_0 (proc_abi))
-(typeattributeset proc_asound_29_0 (proc_asound))
-(typeattributeset proc_bluetooth_writable_29_0 (proc_bluetooth_writable))
-(typeattributeset proc_buddyinfo_29_0 (proc_buddyinfo))
-(typeattributeset proc_cmdline_29_0 (proc_cmdline))
-(typeattributeset proc_cpuinfo_29_0 (proc_cpuinfo))
-(typeattributeset proc_dirty_29_0 (proc_dirty))
-(typeattributeset proc_diskstats_29_0 (proc_diskstats))
-(typeattributeset proc_drop_caches_29_0 (proc_drop_caches))
-(typeattributeset processinfo_service_29_0 (processinfo_service))
-(typeattributeset proc_extra_free_kbytes_29_0 (proc_extra_free_kbytes))
-(typeattributeset proc_filesystems_29_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_29_0 (proc_fs_verity))
-(typeattributeset proc_hostname_29_0 (proc_hostname))
-(typeattributeset proc_hung_task_29_0 (proc_hung_task))
-(typeattributeset proc_interrupts_29_0 (proc_interrupts))
-(typeattributeset proc_iomem_29_0 (proc_iomem))
-(typeattributeset proc_keys_29_0 (proc_keys))
-(typeattributeset proc_kmsg_29_0 (proc_kmsg))
-(typeattributeset proc_loadavg_29_0 (proc_loadavg))
-(typeattributeset proc_max_map_count_29_0 (proc_max_map_count))
-(typeattributeset proc_meminfo_29_0 (proc_meminfo))
-(typeattributeset proc_min_free_order_shift_29_0 (proc_min_free_order_shift))
-(typeattributeset proc_misc_29_0 (proc_misc))
-(typeattributeset proc_modules_29_0 (proc_modules))
-(typeattributeset proc_mounts_29_0 (proc_mounts))
-(typeattributeset proc_net_29_0 (proc_net))
-(typeattributeset proc_net_tcp_udp_29_0 (proc_net_tcp_udp))
-(typeattributeset proc_overcommit_memory_29_0 (proc_overcommit_memory))
-(typeattributeset proc_page_cluster_29_0 (proc_page_cluster))
-(typeattributeset proc_pagetypeinfo_29_0 (proc_pagetypeinfo))
-(typeattributeset proc_panic_29_0 (proc_panic))
-(typeattributeset proc_perf_29_0 (proc_perf))
-(typeattributeset proc_pid_max_29_0 (proc_pid_max))
-(typeattributeset proc_pipe_conf_29_0 (proc_pipe_conf))
-(typeattributeset proc_pressure_cpu_29_0 (proc_pressure_cpu))
-(typeattributeset proc_pressure_io_29_0 (proc_pressure_io))
-(typeattributeset proc_pressure_mem_29_0 (proc_pressure_mem))
-(typeattributeset proc_qtaguid_ctrl_29_0 (proc_qtaguid_ctrl))
-(typeattributeset proc_qtaguid_stat_29_0 (proc_qtaguid_stat))
-(typeattributeset proc_random_29_0 (proc_random))
-(typeattributeset proc_sched_29_0 (proc_sched))
-(typeattributeset proc_security_29_0 (proc_security))
-(typeattributeset proc_slabinfo_29_0 (proc_slabinfo))
-(typeattributeset proc_stat_29_0 (proc_stat))
-(typeattributeset procstats_service_29_0 (procstats_service))
-(typeattributeset proc_swaps_29_0 (proc_swaps))
-(typeattributeset proc_sysrq_29_0 (proc_sysrq))
-(typeattributeset proc_timer_29_0 (proc_timer))
-(typeattributeset proc_tty_drivers_29_0 (proc_tty_drivers))
-(typeattributeset proc_uid_concurrent_active_time_29_0 (proc_uid_concurrent_active_time))
-(typeattributeset proc_uid_concurrent_policy_time_29_0 (proc_uid_concurrent_policy_time))
-(typeattributeset proc_uid_cpupower_29_0 (proc_uid_cpupower))
-(typeattributeset proc_uid_cputime_removeuid_29_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_29_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_29_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_29_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_29_0 (proc_uid_time_in_state))
-(typeattributeset proc_uptime_29_0 (proc_uptime))
-(typeattributeset proc_version_29_0 (proc_version))
-(typeattributeset proc_vmallocinfo_29_0 (proc_vmallocinfo))
-(typeattributeset proc_vmstat_29_0 (proc_vmstat))
-(typeattributeset proc_zoneinfo_29_0 (proc_zoneinfo))
-(typeattributeset profman_29_0 (profman))
-(typeattributeset profman_dump_data_file_29_0 (profman_dump_data_file))
-(typeattributeset profman_exec_29_0 (profman_exec))
-(typeattributeset properties_device_29_0 (properties_device))
-(typeattributeset properties_serial_29_0 (properties_serial))
-(typeattributeset property_contexts_file_29_0 (property_contexts_file))
-(typeattributeset property_data_file_29_0 (property_data_file))
-(typeattributeset property_info_29_0 (property_info))
-(typeattributeset property_socket_29_0 (property_socket))
-(typeattributeset pstorefs_29_0 (pstorefs))
-(typeattributeset ptmx_device_29_0 (ptmx_device))
-(typeattributeset qtaguid_device_29_0 (qtaguid_device))
-(typeattributeset racoon_29_0 (racoon))
-(typeattributeset racoon_exec_29_0 (racoon_exec))
-(typeattributeset racoon_socket_29_0 (racoon_socket))
-(typeattributeset radio_29_0 (radio))
-(typeattributeset radio_data_file_29_0 (radio_data_file))
-(typeattributeset radio_device_29_0 (radio_device))
-(typeattributeset radio_prop_29_0 (radio_prop))
-(typeattributeset radio_service_29_0 (radio_service))
-(typeattributeset ram_device_29_0 (ram_device))
-(typeattributeset random_device_29_0 (random_device))
-(typeattributeset recovery_29_0 (recovery))
-(typeattributeset recovery_block_device_29_0 (recovery_block_device))
-(typeattributeset recovery_data_file_29_0 (recovery_data_file))
-(typeattributeset recovery_persist_29_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_29_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_29_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_29_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_29_0 (recovery_service))
-(typeattributeset recovery_socket_29_0 (recovery_socket))
-(typeattributeset registry_service_29_0 (registry_service))
-(typeattributeset resourcecache_data_file_29_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_29_0 (restorecon_prop))
-(typeattributeset restrictions_service_29_0 (restrictions_service))
-(typeattributeset rild_debug_socket_29_0 (rild_debug_socket))
-(typeattributeset rild_socket_29_0 (rild_socket))
-(typeattributeset ringtone_file_29_0 (ringtone_file))
-(typeattributeset role_service_29_0 (role_service))
-(typeattributeset rollback_service_29_0 (rollback_service))
-(typeattributeset root_block_device_29_0 (root_block_device))
-(typeattributeset rootfs_29_0 (rootfs))
-(typeattributeset rpmsg_device_29_0 (rpmsg_device))
-(typeattributeset rs_29_0 (rs))
-(typeattributeset rs_exec_29_0 (rs_exec))
-(typeattributeset rss_hwm_reset_29_0 (rss_hwm_reset))
-(typeattributeset rtc_device_29_0 (rtc_device))
-(typeattributeset rttmanager_service_29_0 (rttmanager_service))
-(typeattributeset runas_29_0 (runas))
-(typeattributeset runas_app_29_0 (runas_app))
-(typeattributeset runas_exec_29_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_29_0 (runtime_event_log_tags_file))
-(typeattributeset runtime_service_29_0 (runtime_service))
-(typeattributeset safemode_prop_29_0 (safemode_prop))
-(typeattributeset same_process_hal_file_29_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_29_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_29_0 (scheduling_policy_service))
-(typeattributeset sdcard_block_device_29_0 (sdcard_block_device))
-(typeattributeset sdcardd_29_0 (sdcardd))
-(typeattributeset sdcardd_exec_29_0 (sdcardd_exec))
-(typeattributeset sdcardfs_29_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_29_0 (seapp_contexts_file))
-(typeattributeset search_service_29_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_29_0 (sec_key_att_app_id_provider_service))
-(typeattributeset secure_element_29_0 (secure_element))
-(typeattributeset secure_element_device_29_0 (secure_element_device))
-(typeattributeset secure_element_service_29_0 (secure_element_service))
-(typeattributeset selinuxfs_29_0 (selinuxfs))
-(typeattributeset sensor_privacy_service_29_0 (sensor_privacy_service))
-(typeattributeset sensors_device_29_0 (sensors_device))
-(typeattributeset sensorservice_service_29_0 (sensorservice_service))
-(typeattributeset sepolicy_file_29_0 (sepolicy_file))
-(typeattributeset serial_device_29_0 (serial_device))
-(typeattributeset serialno_prop_29_0 (serialno_prop))
-(typeattributeset serial_service_29_0 (serial_service))
-(typeattributeset server_configurable_flags_data_file_29_0 (server_configurable_flags_data_file))
-(typeattributeset service_contexts_file_29_0 (service_contexts_file))
-(typeattributeset servicediscovery_service_29_0 (servicediscovery_service))
-(typeattributeset servicemanager_29_0 (servicemanager))
-(typeattributeset servicemanager_exec_29_0 (servicemanager_exec))
-(typeattributeset settings_service_29_0 (settings_service))
-(typeattributeset sgdisk_29_0 (sgdisk))
-(typeattributeset sgdisk_exec_29_0 (sgdisk_exec))
-(typeattributeset shared_relro_29_0 (shared_relro))
-(typeattributeset shared_relro_file_29_0 (shared_relro_file))
-(typeattributeset shell_29_0 (shell))
-(typeattributeset shell_data_file_29_0 (shell_data_file))
-(typeattributeset shell_exec_29_0 (shell_exec))
-(typeattributeset shell_prop_29_0 (shell_prop))
-(typeattributeset shm_29_0 (shm))
-(typeattributeset shortcut_manager_icons_29_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_29_0 (shortcut_service))
-(typeattributeset simpleperf_app_runner_29_0 (simpleperf_app_runner))
-(typeattributeset simpleperf_app_runner_exec_29_0 (simpleperf_app_runner_exec))
-(typeattributeset slice_service_29_0 (slice_service))
-(typeattributeset slideshow_29_0 (slideshow))
-(typeattributeset socket_device_29_0 (socket_device))
-(typeattributeset sockfs_29_0 (sockfs))
-(typeattributeset staging_data_file_29_0 (staging_data_file))
-(typeattributeset statsd_29_0 (statsd))
-(typeattributeset stats_data_file_29_0 (stats_data_file))
-(typeattributeset statsd_exec_29_0 (statsd_exec))
-(typeattributeset statsdw_socket_29_0 (statsdw_socket))
-(typeattributeset statusbar_service_29_0 (statusbar_service))
-(typeattributeset storaged_service_29_0 (storaged_service))
-(typeattributeset storage_file_29_0 (storage_file))
-(typeattributeset storagestats_service_29_0 (storagestats_service))
-(typeattributeset storage_stub_file_29_0 (storage_stub_file))
-(typeattributeset su_29_0 (su))
-(typeattributeset su_exec_29_0 (su_exec))
-(typeattributeset super_block_device_29_0 (super_block_device))
-(typeattributeset surfaceflinger_29_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_29_0 (surfaceflinger_service))
-(typeattributeset surfaceflinger_tmpfs_29_0 (surfaceflinger_tmpfs))
-(typeattributeset swap_block_device_29_0 (swap_block_device))
-(typeattributeset sysfs_29_0
- ( sysfs
- sysfs_ion
- sysfs_suspend_stats
- sysfs_wakeup))
-(typeattributeset sysfs_android_usb_29_0 (sysfs_android_usb))
-(typeattributeset sysfs_batteryinfo_29_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_29_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_block_29_0 (sysfs_devices_block))
-(typeattributeset sysfs_devices_system_cpu_29_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_dm_29_0 (sysfs_dm))
-(typeattributeset sysfs_dt_firmware_android_29_0 (sysfs_dt_firmware_android))
-(typeattributeset sysfs_extcon_29_0 (sysfs_extcon))
-(typeattributeset sysfs_fs_ext4_features_29_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_fs_f2fs_29_0 (sysfs_fs_f2fs))
-(typeattributeset sysfs_hwrandom_29_0 (sysfs_hwrandom))
-(typeattributeset sysfs_ipv4_29_0 (sysfs_ipv4))
-(typeattributeset sysfs_kernel_notes_29_0 (sysfs_kernel_notes))
-(typeattributeset sysfs_leds_29_0 (sysfs_leds))
-(typeattributeset sysfs_loop_29_0 (sysfs_loop))
-(typeattributeset sysfs_lowmemorykiller_29_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_mac_address_29_0 (sysfs_mac_address))
-(typeattributeset sysfs_net_29_0 (sysfs_net))
-(typeattributeset sysfs_nfc_power_writable_29_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_power_29_0 (sysfs_power))
-(typeattributeset sysfs_rtc_29_0 (sysfs_rtc))
-(typeattributeset sysfs_switch_29_0 (sysfs_switch))
-(typeattributeset sysfs_thermal_29_0 (sysfs_thermal))
-(typeattributeset sysfs_transparent_hugepage_29_0 (sysfs_transparent_hugepage))
-(typeattributeset sysfs_uio_29_0 (sysfs_uio))
-(typeattributeset sysfs_usb_29_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_29_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_29_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_29_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wakeup_reasons_29_0 (sysfs_wakeup_reasons))
-(typeattributeset sysfs_wlan_fwpath_29_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_29_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_29_0 (sysfs_zram_uevent))
-(typeattributeset system_app_29_0 (system_app))
-(typeattributeset system_app_data_file_29_0 (system_app_data_file))
-(typeattributeset system_app_service_29_0 (system_app_service))
-(typeattributeset system_asan_options_file_29_0 (system_asan_options_file))
-(typeattributeset system_block_device_29_0 (system_block_device))
-(typeattributeset system_boot_reason_prop_29_0 (system_boot_reason_prop))
-(typeattributeset system_bootstrap_lib_file_29_0 (system_bootstrap_lib_file))
-(typeattributeset system_data_file_29_0 (system_data_file system_data_root_file))
-(typeattributeset system_event_log_tags_file_29_0 (system_event_log_tags_file))
-(typeattributeset system_file_29_0 (system_file))
-(typeattributeset systemkeys_data_file_29_0 (systemkeys_data_file))
-(typeattributeset system_lib_file_29_0 (system_lib_file))
-(typeattributeset system_linker_config_file_29_0 (system_linker_config_file))
-(typeattributeset system_linker_exec_29_0 (system_linker_exec))
-(typeattributeset system_lmk_prop_29_0 (system_lmk_prop))
-(typeattributeset system_ndebug_socket_29_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_29_0 (system_net_netd_hwservice))
-(typeattributeset system_prop_29_0 (system_prop))
-(typeattributeset system_radio_prop_29_0 (system_radio_prop))
-(typeattributeset system_seccomp_policy_file_29_0 (system_seccomp_policy_file))
-(typeattributeset system_security_cacerts_file_29_0 (system_security_cacerts_file))
-(typeattributeset system_server_29_0 (system_server))
-(typeattributeset system_server_tmpfs_29_0 (system_server_tmpfs))
-(typeattributeset system_suspend_control_service_29_0 (system_suspend_control_service))
-(typeattributeset system_suspend_hwservice_29_0 (system_suspend_hwservice))
-(typeattributeset system_trace_prop_29_0 (system_trace_prop))
-(typeattributeset system_update_service_29_0 (system_update_service))
-(typeattributeset system_wifi_keystore_hwservice_29_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_29_0 (system_wpa_socket))
-(typeattributeset system_zoneinfo_file_29_0 (system_zoneinfo_file))
-(typeattributeset task_profiles_file_29_0 (task_profiles_file))
-(typeattributeset task_service_29_0 (task_service))
-(typeattributeset tcpdump_exec_29_0 (tcpdump_exec))
-(typeattributeset tee_29_0 (tee))
-(typeattributeset tee_data_file_29_0 (tee_data_file))
-(typeattributeset tee_device_29_0 (tee_device))
-(typeattributeset telecom_service_29_0 (telecom_service))
-(typeattributeset test_boot_reason_prop_29_0 (test_boot_reason_prop))
-(typeattributeset test_harness_prop_29_0 (test_harness_prop))
-(typeattributeset testharness_service_29_0 (testharness_service))
-(typeattributeset textclassification_service_29_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_29_0 (textclassifier_data_file))
-(typeattributeset textservices_service_29_0 (textservices_service))
-(typeattributeset thermalcallback_hwservice_29_0 (thermalcallback_hwservice))
-(typeattributeset thermal_service_29_0 (thermal_service))
-(typeattributeset timedetector_service_29_0 (timedetector_service))
-(typeattributeset time_prop_29_0 (time_prop))
-(typeattributeset timezone_service_29_0 (timezone_service))
-(typeattributeset tmpfs_29_0
- ( mnt_sdcard_file
- tmpfs))
-(typeattributeset tombstoned_29_0 (tombstoned))
-(typeattributeset tombstone_data_file_29_0 (tombstone_data_file))
-(typeattributeset tombstoned_crash_socket_29_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_29_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_29_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_29_0 (tombstoned_java_trace_socket))
-(typeattributeset tombstone_wifi_data_file_29_0 (tombstone_wifi_data_file))
-(typeattributeset toolbox_29_0 (toolbox))
-(typeattributeset toolbox_exec_29_0 (toolbox_exec))
-(typeattributeset traced_29_0 (traced))
-(typeattributeset trace_data_file_29_0 (trace_data_file))
-(typeattributeset traced_consumer_socket_29_0 (traced_consumer_socket))
-(typeattributeset traced_enabled_prop_29_0 (traced_enabled_prop))
-(typeattributeset traced_lazy_prop_29_0 (traced_lazy_prop))
-(typeattributeset traced_probes_29_0 (traced_probes))
-(typeattributeset traced_producer_socket_29_0 (traced_producer_socket))
-(typeattributeset traceur_app_29_0 (traceur_app))
-(typeattributeset trust_service_29_0 (trust_service))
-(typeattributeset tty_device_29_0 (tty_device))
-(typeattributeset tun_device_29_0 (tun_device))
-(typeattributeset tv_input_service_29_0 (tv_input_service))
-(typeattributeset tzdatacheck_29_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_29_0 (tzdatacheck_exec))
-(typeattributeset ueventd_29_0 (ueventd))
-(typeattributeset ueventd_tmpfs_29_0 (ueventd_tmpfs))
-(typeattributeset uhid_device_29_0 (uhid_device))
-(typeattributeset uimode_service_29_0 (uimode_service))
-(typeattributeset uio_device_29_0 (uio_device))
-(typeattributeset uncrypt_29_0 (uncrypt))
-(typeattributeset uncrypt_exec_29_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_29_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_29_0 (unencrypted_data_file))
-(typeattributeset unlabeled_29_0 (unlabeled))
-(typeattributeset untrusted_app_25_29_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_29_0 (untrusted_app_27))
-(typeattributeset untrusted_app_29_0 (untrusted_app))
-(typeattributeset update_engine_29_0 (update_engine))
-(typeattributeset update_engine_data_file_29_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_29_0 (update_engine_exec))
-(typeattributeset update_engine_log_data_file_29_0 (update_engine_log_data_file))
-(typeattributeset update_engine_service_29_0 (update_engine_service))
-(typeattributeset updatelock_service_29_0 (updatelock_service))
-(typeattributeset update_verifier_29_0 (update_verifier))
-(typeattributeset update_verifier_exec_29_0 (update_verifier_exec))
-(typeattributeset uri_grants_service_29_0 (uri_grants_service))
-(typeattributeset usagestats_service_29_0 (usagestats_service))
-(typeattributeset usbaccessory_device_29_0 (usbaccessory_device))
-(typeattributeset usbd_29_0 (usbd))
-(typeattributeset usb_device_29_0 (usb_device))
-(typeattributeset usbd_exec_29_0 (usbd_exec))
-(typeattributeset usbfs_29_0 (usbfs))
-(typeattributeset usb_service_29_0 (usb_service))
-(typeattributeset use_memfd_prop_29_0 (use_memfd_prop))
-(typeattributeset userdata_block_device_29_0 (userdata_block_device))
-(typeattributeset usermodehelper_29_0 (usermodehelper))
-(typeattributeset user_profile_data_file_29_0 (user_profile_data_file))
-(typeattributeset user_service_29_0 (user_service))
-(typeattributeset vdc_29_0 (vdc))
-(typeattributeset vdc_exec_29_0 (vdc_exec))
-(typeattributeset vendor_app_file_29_0 (vendor_app_file))
-(typeattributeset vendor_cgroup_desc_file_29_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_29_0 (vendor_configs_file))
-(typeattributeset vendor_data_file_29_0 (vendor_data_file))
-(typeattributeset vendor_default_prop_29_0 (vendor_default_prop))
-(typeattributeset vendor_file_29_0 (vendor_file))
-(typeattributeset vendor_framework_file_29_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_29_0 (vendor_hal_file))
-(typeattributeset vendor_idc_file_29_0 (vendor_idc_file))
-(typeattributeset vendor_init_29_0 (vendor_init))
-(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
-(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
-(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0
- ( vendor_public_framework_file
- vendor_public_lib_file))
-(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
-(typeattributeset vendor_shell_29_0 (vendor_shell))
-(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
-(typeattributeset vendor_task_profiles_file_29_0 (vendor_task_profiles_file))
-(typeattributeset vendor_toolbox_exec_29_0 (vendor_toolbox_exec))
-(typeattributeset vfat_29_0 (vfat))
-(typeattributeset vibrator_service_29_0 (vibrator_service))
-(typeattributeset video_device_29_0 (video_device))
-(typeattributeset virtual_touchpad_29_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_29_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_29_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_29_0 (vndbinder_device))
-(typeattributeset vndk_sp_file_29_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_29_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_29_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_29_0 (voiceinteraction_service))
-(typeattributeset vold_29_0 (vold))
-(typeattributeset vold_data_file_29_0 (vold_data_file))
-(typeattributeset vold_device_29_0 (vold_device))
-(typeattributeset vold_exec_29_0 (vold_exec))
-(typeattributeset vold_metadata_file_29_0 (vold_metadata_file))
-(typeattributeset vold_prepare_subdirs_29_0 (vold_prepare_subdirs))
-(typeattributeset vold_prepare_subdirs_exec_29_0 (vold_prepare_subdirs_exec))
-(typeattributeset vold_prop_29_0 (vold_prop))
-(typeattributeset vold_service_29_0 (vold_service))
-(typeattributeset vpn_data_file_29_0 (vpn_data_file))
-(typeattributeset vrflinger_vsync_service_29_0 (vrflinger_vsync_service))
-(typeattributeset vr_hwc_29_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_29_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_29_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_29_0 (vr_manager_service))
-(typeattributeset wallpaper_file_29_0 (wallpaper_file))
-(typeattributeset wallpaper_service_29_0 (wallpaper_service))
-(typeattributeset watchdogd_29_0 (watchdogd))
-(typeattributeset watchdog_device_29_0 (watchdog_device))
-(typeattributeset watchdogd_exec_29_0 (watchdogd_exec))
-(typeattributeset webviewupdate_service_29_0 (webviewupdate_service))
-(typeattributeset webview_zygote_29_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_29_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_tmpfs_29_0 (webview_zygote_tmpfs))
-(typeattributeset wifiaware_service_29_0 (wifiaware_service))
-(typeattributeset wificond_29_0 (wificond))
-(typeattributeset wificond_exec_29_0 (wificond_exec))
-(typeattributeset wificond_service_29_0 (wificond_service wifinl80211_service))
-(typeattributeset wifi_data_file_29_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_29_0 (wifi_log_prop))
-(typeattributeset wifip2p_service_29_0 (wifip2p_service))
-(typeattributeset wifi_prop_29_0 (wifi_prop))
-(typeattributeset wifiscanner_service_29_0 (wifiscanner_service))
-(typeattributeset wifi_service_29_0 (wifi_service))
-(typeattributeset window_service_29_0 (window_service))
-(typeattributeset wpantund_29_0 (wpantund))
-(typeattributeset wpantund_exec_29_0 (wpantund_exec))
-(typeattributeset wpantund_service_29_0 (wpantund_service))
-(typeattributeset wpa_socket_29_0 (wpa_socket))
-(typeattributeset zero_device_29_0 (zero_device))
-(typeattributeset zoneinfo_data_file_29_0 (zoneinfo_data_file))
-(typeattributeset zygote_29_0 (zygote))
-(typeattributeset zygote_exec_29_0 (zygote_exec))
-(typeattributeset zygote_socket_29_0 (zygote_socket))
-(typeattributeset zygote_tmpfs_29_0 (zygote_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/29.0/29.0.compat.cil b/prebuilts/api/31.0/private/compat/29.0/29.0.compat.cil
deleted file mode 100644
index ccd9d1a..0000000
--- a/prebuilts/api/31.0/private/compat/29.0/29.0.compat.cil
+++ /dev/null
@@ -1,9 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/31.0/private/compat/29.0/29.0.ignore.cil
deleted file mode 100644
index 1079046..0000000
--- a/prebuilts/api/31.0/private/compat/29.0/29.0.ignore.cil
+++ /dev/null
@@ -1,130 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- aidl_lazy_test_server
- aidl_lazy_test_server_exec
- aidl_lazy_test_service
- adbd_prop
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_wifi_data_file
- app_integrity_service
- app_search_service
- auth_service
- automotive_display_service
- automotive_display_service_exec
- ashmem_libcutils_device
- blob_store_service
- binder_cache_bluetooth_server_prop
- binder_cache_system_server_prop
- binder_cache_telephony_server_prop
- binderfs
- binderfs_logs
- binderfs_logs_proc
- boringssl_self_test
- bq_config_prop
- cacheinfo_service
- charger_prop
- cold_boot_done_prop
- credstore
- credstore_data_file
- credstore_exec
- credstore_service
- platform_compat_service
- ctl_apexd_prop
- dataloader_manager_service
- device_config_storage_native_boot_prop
- device_config_sys_traced_prop
- device_config_window_manager_native_boot_prop
- device_config_configuration_prop
- emergency_affordance_service
- exported_camera_prop
- fastbootd_protocol_prop
- file_integrity_service
- fwk_automotive_display_hwservice
- fusectlfs
- gmscore_app
- gnss_device
- graphics_config_prop
- hal_can_bus_hwservice
- hal_can_controller_hwservice
- hal_identity_service
- hal_light_service
- hal_power_service
- hal_rebootescrow_service
- hal_tv_tuner_hwservice
- hal_vibrator_service
- incremental_control_file
- incremental_prop
- incremental_service
- init_perf_lsm_hooks_prop
- init_svc_debug_prop
- iorap_inode2filename
- iorap_inode2filename_data_file
- iorap_inode2filename_exec
- iorap_inode2filename_tmpfs
- iorap_prefetcherd
- iorap_prefetcherd_data_file
- iorap_prefetcherd_exec
- iorap_prefetcherd_tmpfs
- mediatranscoding_service
- mediatranscoding
- mediatranscoding_exec
- mediatranscoding_tmpfs
- mirror_data_file
- light_service
- linkerconfig_file
- lmkd_prop
- media_variant_prop
- metadata_bootstat_file
- mnt_pass_through_file
- mock_ota_prop
- module_sdkextensions_prop
- ota_metadata_file
- ota_prop
- prereboot_data_file
- art_apex_dir
- rebootescrow_hal_prop
- securityfs
- service_manager_service
- service_manager_vndservice
- simpleperf
- snapshotctl_log_data_file
- socket_hook_prop
- soundtrigger_middleware_service
- staged_install_file
- storage_config_prop
- surfaceflinger_display_prop
- sysfs_dm_verity
- system_adbd_prop
- system_config_service
- system_group_file
- system_jvmti_agent_prop
- system_passwd_file
- system_unsolzygote_socket
- tethering_service
- traced_perf
- traced_perf_enabled_prop
- traced_perf_socket
- timezonedetector_service
- untrusted_app_29
- usb_serial_device
- userspace_reboot_config_prop
- userspace_reboot_exported_prop
- userspace_reboot_log_prop
- userspace_reboot_test_prop
- vehicle_hal_prop
- tv_tuner_resource_mgr_service
- vendor_apex_file
- vendor_boringssl_self_test
- vendor_install_recovery
- vendor_install_recovery_exec
- vendor_service_contexts_file
- vendor_socket_hook_prop
- vendor_socket_hook_prop
- virtual_ab_prop))
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.cil
deleted file mode 100644
index 9f40876..0000000
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.cil
+++ /dev/null
@@ -1,2266 +0,0 @@
-;; types removed from current policy
-(type cgroup_bpf)
-(type exported_audio_prop)
-(type exported_dalvik_prop)
-(type exported_ffs_prop)
-(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
-(type exported_radio_prop)
-(type exported_vold_prop)
-(type exported_wifi_prop)
-(type exported2_config_prop)
-(type exported2_default_prop)
-(type exported2_radio_prop)
-(type exported2_system_prop)
-(type exported2_vold_prop)
-(type exported3_default_prop)
-(type exported3_radio_prop)
-(type ffs_prop)
-(type system_radio_prop)
-(type thermalcallback_hwservice)
-
-(typeattribute binder_in_vendor_violators)
-
-(expandtypeattribute (DockObserver_service_30_0) true)
-(expandtypeattribute (IProxyService_service_30_0) true)
-(expandtypeattribute (accessibility_service_30_0) true)
-(expandtypeattribute (account_service_30_0) true)
-(expandtypeattribute (activity_service_30_0) true)
-(expandtypeattribute (activity_task_service_30_0) true)
-(expandtypeattribute (adb_data_file_30_0) true)
-(expandtypeattribute (adb_keys_file_30_0) true)
-(expandtypeattribute (adb_service_30_0) true)
-(expandtypeattribute (adbd_30_0) true)
-(expandtypeattribute (adbd_exec_30_0) true)
-(expandtypeattribute (adbd_prop_30_0) true)
-(expandtypeattribute (adbd_socket_30_0) true)
-(expandtypeattribute (aidl_lazy_test_server_30_0) true)
-(expandtypeattribute (aidl_lazy_test_server_exec_30_0) true)
-(expandtypeattribute (aidl_lazy_test_service_30_0) true)
-(expandtypeattribute (alarm_service_30_0) true)
-(expandtypeattribute (anr_data_file_30_0) true)
-(expandtypeattribute (apex_data_file_30_0) true)
-(expandtypeattribute (apex_metadata_file_30_0) true)
-(expandtypeattribute (apex_mnt_dir_30_0) true)
-(expandtypeattribute (apex_module_data_file_30_0) true)
-(expandtypeattribute (apex_permission_data_file_30_0) true)
-(expandtypeattribute (apex_rollback_data_file_30_0) true)
-(expandtypeattribute (apex_service_30_0) true)
-(expandtypeattribute (apex_wifi_data_file_30_0) true)
-(expandtypeattribute (apexd_30_0) true)
-(expandtypeattribute (apexd_exec_30_0) true)
-(expandtypeattribute (apexd_prop_30_0) true)
-(expandtypeattribute (apk_data_file_30_0) true)
-(expandtypeattribute (apk_private_data_file_30_0) true)
-(expandtypeattribute (apk_private_tmp_file_30_0) true)
-(expandtypeattribute (apk_tmp_file_30_0) true)
-(expandtypeattribute (apk_verity_prop_30_0) true)
-(expandtypeattribute (app_binding_service_30_0) true)
-(expandtypeattribute (app_data_file_30_0) true)
-(expandtypeattribute (app_fuse_file_30_0) true)
-(expandtypeattribute (app_fusefs_30_0) true)
-(expandtypeattribute (app_integrity_service_30_0) true)
-(expandtypeattribute (app_prediction_service_30_0) true)
-(expandtypeattribute (app_search_service_30_0) true)
-(expandtypeattribute (app_zygote_30_0) true)
-(expandtypeattribute (app_zygote_tmpfs_30_0) true)
-(expandtypeattribute (appdomain_tmpfs_30_0) true)
-(expandtypeattribute (appops_service_30_0) true)
-(expandtypeattribute (appwidget_service_30_0) true)
-(expandtypeattribute (art_apex_dir_30_0) true)
-(expandtypeattribute (asec_apk_file_30_0) true)
-(expandtypeattribute (asec_image_file_30_0) true)
-(expandtypeattribute (asec_public_file_30_0) true)
-(expandtypeattribute (ashmem_device_30_0) true)
-(expandtypeattribute (ashmem_libcutils_device_30_0) true)
-(expandtypeattribute (assetatlas_service_30_0) true)
-(expandtypeattribute (audio_data_file_30_0) true)
-(expandtypeattribute (audio_device_30_0) true)
-(expandtypeattribute (audio_prop_30_0) true)
-(expandtypeattribute (audio_service_30_0) true)
-(expandtypeattribute (audiohal_data_file_30_0) true)
-(expandtypeattribute (audioserver_30_0) true)
-(expandtypeattribute (audioserver_data_file_30_0) true)
-(expandtypeattribute (audioserver_service_30_0) true)
-(expandtypeattribute (audioserver_tmpfs_30_0) true)
-(expandtypeattribute (auth_service_30_0) true)
-(expandtypeattribute (autofill_service_30_0) true)
-(expandtypeattribute (backup_data_file_30_0) true)
-(expandtypeattribute (backup_service_30_0) true)
-(expandtypeattribute (battery_service_30_0) true)
-(expandtypeattribute (batteryproperties_service_30_0) true)
-(expandtypeattribute (batterystats_service_30_0) true)
-(expandtypeattribute (binder_cache_bluetooth_server_prop_30_0) true)
-(expandtypeattribute (binder_cache_system_server_prop_30_0) true)
-(expandtypeattribute (binder_cache_telephony_server_prop_30_0) true)
-(expandtypeattribute (binder_calls_stats_service_30_0) true)
-(expandtypeattribute (binder_device_30_0) true)
-(expandtypeattribute (binderfs_30_0) true)
-(expandtypeattribute (binderfs_logs_30_0) true)
-(expandtypeattribute (binderfs_logs_proc_30_0) true)
-(expandtypeattribute (binfmt_miscfs_30_0) true)
-(expandtypeattribute (biometric_service_30_0) true)
-(expandtypeattribute (blkid_30_0) true)
-(expandtypeattribute (blkid_untrusted_30_0) true)
-(expandtypeattribute (blob_store_service_30_0) true)
-(expandtypeattribute (block_device_30_0) true)
-(expandtypeattribute (bluetooth_30_0) true)
-(expandtypeattribute (bluetooth_a2dp_offload_prop_30_0) true)
-(expandtypeattribute (bluetooth_audio_hal_prop_30_0) true)
-(expandtypeattribute (bluetooth_data_file_30_0) true)
-(expandtypeattribute (bluetooth_efs_file_30_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_30_0) true)
-(expandtypeattribute (bluetooth_manager_service_30_0) true)
-(expandtypeattribute (bluetooth_prop_30_0) true)
-(expandtypeattribute (bluetooth_service_30_0) true)
-(expandtypeattribute (bluetooth_socket_30_0) true)
-(expandtypeattribute (boot_block_device_30_0) true)
-(expandtypeattribute (bootanim_30_0) true)
-(expandtypeattribute (bootanim_exec_30_0) true)
-(expandtypeattribute (bootchart_data_file_30_0) true)
-(expandtypeattribute (bootloader_boot_reason_prop_30_0) true)
-(expandtypeattribute (bootstat_30_0) true)
-(expandtypeattribute (bootstat_data_file_30_0) true)
-(expandtypeattribute (bootstat_exec_30_0) true)
-(expandtypeattribute (boottime_prop_30_0) true)
-(expandtypeattribute (boottime_public_prop_30_0) true)
-(expandtypeattribute (boottrace_data_file_30_0) true)
-(expandtypeattribute (bpf_progs_loaded_prop_30_0) true)
-(expandtypeattribute (bq_config_prop_30_0) true)
-(expandtypeattribute (broadcastradio_service_30_0) true)
-(expandtypeattribute (bufferhubd_30_0) true)
-(expandtypeattribute (bufferhubd_exec_30_0) true)
-(expandtypeattribute (bugreport_service_30_0) true)
-(expandtypeattribute (cache_backup_file_30_0) true)
-(expandtypeattribute (cache_block_device_30_0) true)
-(expandtypeattribute (cache_file_30_0) true)
-(expandtypeattribute (cache_private_backup_file_30_0) true)
-(expandtypeattribute (cache_recovery_file_30_0) true)
-(expandtypeattribute (camera_data_file_30_0) true)
-(expandtypeattribute (camera_device_30_0) true)
-(expandtypeattribute (cameraproxy_service_30_0) true)
-(expandtypeattribute (cameraserver_30_0) true)
-(expandtypeattribute (cameraserver_exec_30_0) true)
-(expandtypeattribute (cameraserver_service_30_0) true)
-(expandtypeattribute (cameraserver_tmpfs_30_0) true)
-(expandtypeattribute (cgroup_30_0) true)
-(expandtypeattribute (cgroup_bpf_30_0) true)
-(expandtypeattribute (cgroup_desc_file_30_0) true)
-(expandtypeattribute (cgroup_rc_file_30_0) true)
-(expandtypeattribute (charger_30_0) true)
-(expandtypeattribute (charger_exec_30_0) true)
-(expandtypeattribute (charger_prop_30_0) true)
-(expandtypeattribute (clipboard_service_30_0) true)
-(expandtypeattribute (cold_boot_done_prop_30_0) true)
-(expandtypeattribute (color_display_service_30_0) true)
-(expandtypeattribute (companion_device_service_30_0) true)
-(expandtypeattribute (config_prop_30_0) true)
-(expandtypeattribute (configfs_30_0) true)
-(expandtypeattribute (connectivity_service_30_0) true)
-(expandtypeattribute (connmetrics_service_30_0) true)
-(expandtypeattribute (console_device_30_0) true)
-(expandtypeattribute (consumer_ir_service_30_0) true)
-(expandtypeattribute (content_capture_service_30_0) true)
-(expandtypeattribute (content_service_30_0) true)
-(expandtypeattribute (content_suggestions_service_30_0) true)
-(expandtypeattribute (contexthub_service_30_0) true)
-(expandtypeattribute (coredump_file_30_0) true)
-(expandtypeattribute (country_detector_service_30_0) true)
-(expandtypeattribute (coverage_service_30_0) true)
-(expandtypeattribute (cppreopt_prop_30_0) true)
-(expandtypeattribute (cpu_variant_prop_30_0) true)
-(expandtypeattribute (cpuinfo_service_30_0) true)
-(expandtypeattribute (crash_dump_30_0) true)
-(expandtypeattribute (crash_dump_exec_30_0) true)
-(expandtypeattribute (credstore_30_0) true)
-(expandtypeattribute (credstore_data_file_30_0) true)
-(expandtypeattribute (credstore_exec_30_0) true)
-(expandtypeattribute (credstore_service_30_0) true)
-(expandtypeattribute (crossprofileapps_service_30_0) true)
-(expandtypeattribute (ctl_adbd_prop_30_0) true)
-(expandtypeattribute (ctl_apexd_prop_30_0) true)
-(expandtypeattribute (ctl_bootanim_prop_30_0) true)
-(expandtypeattribute (ctl_bugreport_prop_30_0) true)
-(expandtypeattribute (ctl_console_prop_30_0) true)
-(expandtypeattribute (ctl_default_prop_30_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_30_0) true)
-(expandtypeattribute (ctl_fuse_prop_30_0) true)
-(expandtypeattribute (ctl_gsid_prop_30_0) true)
-(expandtypeattribute (ctl_interface_restart_prop_30_0) true)
-(expandtypeattribute (ctl_interface_start_prop_30_0) true)
-(expandtypeattribute (ctl_interface_stop_prop_30_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_30_0) true)
-(expandtypeattribute (ctl_restart_prop_30_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_30_0) true)
-(expandtypeattribute (ctl_sigstop_prop_30_0) true)
-(expandtypeattribute (ctl_start_prop_30_0) true)
-(expandtypeattribute (ctl_stop_prop_30_0) true)
-(expandtypeattribute (dalvik_prop_30_0) true)
-(expandtypeattribute (dalvikcache_data_file_30_0) true)
-(expandtypeattribute (dataloader_manager_service_30_0) true)
-(expandtypeattribute (dbinfo_service_30_0) true)
-(expandtypeattribute (debug_prop_30_0) true)
-(expandtypeattribute (debugfs_30_0) true)
-(expandtypeattribute (debugfs_mmc_30_0) true)
-(expandtypeattribute (debugfs_trace_marker_30_0) true)
-(expandtypeattribute (debugfs_tracing_30_0) true)
-(expandtypeattribute (debugfs_tracing_debug_30_0) true)
-(expandtypeattribute (debugfs_tracing_instances_30_0) true)
-(expandtypeattribute (debugfs_wakeup_sources_30_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_30_0) true)
-(expandtypeattribute (debuggerd_prop_30_0) true)
-(expandtypeattribute (default_android_hwservice_30_0) true)
-(expandtypeattribute (default_android_service_30_0) true)
-(expandtypeattribute (default_android_vndservice_30_0) true)
-(expandtypeattribute (default_prop_30_0) true)
-(expandtypeattribute (dev_cpu_variant_30_0) true)
-(expandtypeattribute (device_30_0) true)
-(expandtypeattribute (device_config_activity_manager_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_boot_count_prop_30_0) true)
-(expandtypeattribute (device_config_configuration_prop_30_0) true)
-(expandtypeattribute (device_config_input_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_media_native_prop_30_0) true)
-(expandtypeattribute (device_config_netd_native_prop_30_0) true)
-(expandtypeattribute (device_config_reset_performed_prop_30_0) true)
-(expandtypeattribute (device_config_runtime_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_runtime_native_prop_30_0) true)
-(expandtypeattribute (device_config_service_30_0) true)
-(expandtypeattribute (device_config_storage_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_sys_traced_prop_30_0) true)
-(expandtypeattribute (device_config_window_manager_native_boot_prop_30_0) true)
-(expandtypeattribute (device_identifiers_service_30_0) true)
-(expandtypeattribute (device_logging_prop_30_0) true)
-(expandtypeattribute (device_policy_service_30_0) true)
-(expandtypeattribute (deviceidle_service_30_0) true)
-(expandtypeattribute (devicestoragemonitor_service_30_0) true)
-(expandtypeattribute (devpts_30_0) true)
-(expandtypeattribute (dhcp_30_0) true)
-(expandtypeattribute (dhcp_data_file_30_0) true)
-(expandtypeattribute (dhcp_exec_30_0) true)
-(expandtypeattribute (dhcp_prop_30_0) true)
-(expandtypeattribute (diskstats_service_30_0) true)
-(expandtypeattribute (display_service_30_0) true)
-(expandtypeattribute (dm_device_30_0) true)
-(expandtypeattribute (dnsmasq_30_0) true)
-(expandtypeattribute (dnsmasq_exec_30_0) true)
-(expandtypeattribute (dnsproxyd_socket_30_0) true)
-(expandtypeattribute (dnsresolver_service_30_0) true)
-(expandtypeattribute (dreams_service_30_0) true)
-(expandtypeattribute (drm_data_file_30_0) true)
-(expandtypeattribute (drmserver_30_0) true)
-(expandtypeattribute (drmserver_exec_30_0) true)
-(expandtypeattribute (drmserver_service_30_0) true)
-(expandtypeattribute (drmserver_socket_30_0) true)
-(expandtypeattribute (dropbox_data_file_30_0) true)
-(expandtypeattribute (dropbox_service_30_0) true)
-(expandtypeattribute (dumpstate_30_0) true)
-(expandtypeattribute (dumpstate_exec_30_0) true)
-(expandtypeattribute (dumpstate_options_prop_30_0) true)
-(expandtypeattribute (dumpstate_prop_30_0) true)
-(expandtypeattribute (dumpstate_service_30_0) true)
-(expandtypeattribute (dumpstate_socket_30_0) true)
-(expandtypeattribute (dynamic_system_prop_30_0) true)
-(expandtypeattribute (e2fs_30_0) true)
-(expandtypeattribute (e2fs_exec_30_0) true)
-(expandtypeattribute (efs_file_30_0) true)
-(expandtypeattribute (emergency_affordance_service_30_0) true)
-(expandtypeattribute (ephemeral_app_30_0) true)
-(expandtypeattribute (ethernet_service_30_0) true)
-(expandtypeattribute (exfat_30_0) true)
-(expandtypeattribute (exported2_config_prop_30_0) true)
-(expandtypeattribute (exported2_default_prop_30_0) true)
-(expandtypeattribute (exported2_radio_prop_30_0) true)
-(expandtypeattribute (exported2_system_prop_30_0) true)
-(expandtypeattribute (exported2_vold_prop_30_0) true)
-(expandtypeattribute (exported3_default_prop_30_0) true)
-(expandtypeattribute (exported3_radio_prop_30_0) true)
-(expandtypeattribute (exported3_system_prop_30_0) true)
-(expandtypeattribute (exported_audio_prop_30_0) true)
-(expandtypeattribute (exported_bluetooth_prop_30_0) true)
-(expandtypeattribute (exported_camera_prop_30_0) true)
-(expandtypeattribute (exported_config_prop_30_0) true)
-(expandtypeattribute (exported_dalvik_prop_30_0) true)
-(expandtypeattribute (exported_default_prop_30_0) true)
-(expandtypeattribute (exported_dumpstate_prop_30_0) true)
-(expandtypeattribute (exported_ffs_prop_30_0) true)
-(expandtypeattribute (exported_fingerprint_prop_30_0) true)
-(expandtypeattribute (exported_overlay_prop_30_0) true)
-(expandtypeattribute (exported_pm_prop_30_0) true)
-(expandtypeattribute (exported_radio_prop_30_0) true)
-(expandtypeattribute (exported_secure_prop_30_0) true)
-(expandtypeattribute (exported_system_prop_30_0) true)
-(expandtypeattribute (exported_system_radio_prop_30_0) true)
-(expandtypeattribute (exported_vold_prop_30_0) true)
-(expandtypeattribute (exported_wifi_prop_30_0) true)
-(expandtypeattribute (external_vibrator_service_30_0) true)
-(expandtypeattribute (face_service_30_0) true)
-(expandtypeattribute (face_vendor_data_file_30_0) true)
-(expandtypeattribute (fastbootd_30_0) true)
-(expandtypeattribute (ffs_prop_30_0) true)
-(expandtypeattribute (file_contexts_file_30_0) true)
-(expandtypeattribute (file_integrity_service_30_0) true)
-(expandtypeattribute (fingerprint_service_30_0) true)
-(expandtypeattribute (fingerprint_vendor_data_file_30_0) true)
-(expandtypeattribute (fingerprintd_30_0) true)
-(expandtypeattribute (fingerprintd_data_file_30_0) true)
-(expandtypeattribute (fingerprintd_exec_30_0) true)
-(expandtypeattribute (fingerprintd_service_30_0) true)
-(expandtypeattribute (firstboot_prop_30_0) true)
-(expandtypeattribute (flags_health_check_30_0) true)
-(expandtypeattribute (flags_health_check_exec_30_0) true)
-(expandtypeattribute (font_service_30_0) true)
-(expandtypeattribute (frp_block_device_30_0) true)
-(expandtypeattribute (fs_bpf_30_0) true)
-(expandtypeattribute (fsck_30_0) true)
-(expandtypeattribute (fsck_exec_30_0) true)
-(expandtypeattribute (fsck_untrusted_30_0) true)
-(expandtypeattribute (fscklogs_30_0) true)
-(expandtypeattribute (functionfs_30_0) true)
-(expandtypeattribute (fuse_30_0) true)
-(expandtypeattribute (fuse_device_30_0) true)
-(expandtypeattribute (fwk_automotive_display_hwservice_30_0) true)
-(expandtypeattribute (fwk_bufferhub_hwservice_30_0) true)
-(expandtypeattribute (fwk_camera_hwservice_30_0) true)
-(expandtypeattribute (fwk_display_hwservice_30_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_30_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_30_0) true)
-(expandtypeattribute (fwk_stats_hwservice_30_0) true)
-(expandtypeattribute (fwmarkd_socket_30_0) true)
-(expandtypeattribute (gatekeeper_data_file_30_0) true)
-(expandtypeattribute (gatekeeper_service_30_0) true)
-(expandtypeattribute (gatekeeperd_30_0) true)
-(expandtypeattribute (gatekeeperd_exec_30_0) true)
-(expandtypeattribute (gfxinfo_service_30_0) true)
-(expandtypeattribute (gmscore_app_30_0) true)
-(expandtypeattribute (gps_control_30_0) true)
-(expandtypeattribute (gpu_device_30_0) true)
-(expandtypeattribute (gpu_service_30_0) true)
-(expandtypeattribute (gpuservice_30_0) true)
-(expandtypeattribute (graphics_device_30_0) true)
-(expandtypeattribute (graphicsstats_service_30_0) true)
-(expandtypeattribute (gsi_data_file_30_0) true)
-(expandtypeattribute (gsi_metadata_file_30_0) true)
-(expandtypeattribute (gsid_prop_30_0) true)
-(expandtypeattribute (hal_atrace_hwservice_30_0) true)
-(expandtypeattribute (hal_audio_hwservice_30_0) true)
-(expandtypeattribute (hal_audiocontrol_hwservice_30_0) true)
-(expandtypeattribute (hal_authsecret_hwservice_30_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_30_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_30_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_30_0) true)
-(expandtypeattribute (hal_camera_hwservice_30_0) true)
-(expandtypeattribute (hal_can_bus_hwservice_30_0) true)
-(expandtypeattribute (hal_can_controller_hwservice_30_0) true)
-(expandtypeattribute (hal_cas_hwservice_30_0) true)
-(expandtypeattribute (hal_codec2_hwservice_30_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_30_0) true)
-(expandtypeattribute (hal_confirmationui_hwservice_30_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_30_0) true)
-(expandtypeattribute (hal_drm_hwservice_30_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_30_0) true)
-(expandtypeattribute (hal_evs_hwservice_30_0) true)
-(expandtypeattribute (hal_face_hwservice_30_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_30_0) true)
-(expandtypeattribute (hal_fingerprint_service_30_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_30_0) true)
-(expandtypeattribute (hal_gnss_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_composer_server_tmpfs_30_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_30_0) true)
-(expandtypeattribute (hal_health_hwservice_30_0) true)
-(expandtypeattribute (hal_health_storage_hwservice_30_0) true)
-(expandtypeattribute (hal_identity_service_30_0) true)
-(expandtypeattribute (hal_input_classifier_hwservice_30_0) true)
-(expandtypeattribute (hal_ir_hwservice_30_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_30_0) true)
-(expandtypeattribute (hal_light_hwservice_30_0) true)
-(expandtypeattribute (hal_light_service_30_0) true)
-(expandtypeattribute (hal_lowpan_hwservice_30_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_30_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_30_0) true)
-(expandtypeattribute (hal_nfc_hwservice_30_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_30_0) true)
-(expandtypeattribute (hal_omx_hwservice_30_0) true)
-(expandtypeattribute (hal_power_hwservice_30_0) true)
-(expandtypeattribute (hal_power_service_30_0) true)
-(expandtypeattribute (hal_power_stats_hwservice_30_0) true)
-(expandtypeattribute (hal_rebootescrow_service_30_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_30_0) true)
-(expandtypeattribute (hal_secure_element_hwservice_30_0) true)
-(expandtypeattribute (hal_sensors_hwservice_30_0) true)
-(expandtypeattribute (hal_telephony_hwservice_30_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_30_0) true)
-(expandtypeattribute (hal_thermal_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_tuner_hwservice_30_0) true)
-(expandtypeattribute (hal_usb_gadget_hwservice_30_0) true)
-(expandtypeattribute (hal_usb_hwservice_30_0) true)
-(expandtypeattribute (hal_vehicle_hwservice_30_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_30_0) true)
-(expandtypeattribute (hal_vibrator_service_30_0) true)
-(expandtypeattribute (hal_vr_hwservice_30_0) true)
-(expandtypeattribute (hal_weaver_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_hostapd_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_30_0) true)
-(expandtypeattribute (hardware_properties_service_30_0) true)
-(expandtypeattribute (hardware_service_30_0) true)
-(expandtypeattribute (hci_attach_dev_30_0) true)
-(expandtypeattribute (hdmi_control_service_30_0) true)
-(expandtypeattribute (healthd_30_0) true)
-(expandtypeattribute (healthd_exec_30_0) true)
-(expandtypeattribute (heapdump_data_file_30_0) true)
-(expandtypeattribute (heapprofd_30_0) true)
-(expandtypeattribute (heapprofd_enabled_prop_30_0) true)
-(expandtypeattribute (heapprofd_prop_30_0) true)
-(expandtypeattribute (heapprofd_socket_30_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_30_0) true)
-(expandtypeattribute (hidl_base_hwservice_30_0) true)
-(expandtypeattribute (hidl_manager_hwservice_30_0) true)
-(expandtypeattribute (hidl_memory_hwservice_30_0) true)
-(expandtypeattribute (hidl_token_hwservice_30_0) true)
-(expandtypeattribute (hw_random_device_30_0) true)
-(expandtypeattribute (hwbinder_device_30_0) true)
-(expandtypeattribute (hwservice_contexts_file_30_0) true)
-(expandtypeattribute (hwservicemanager_30_0) true)
-(expandtypeattribute (hwservicemanager_exec_30_0) true)
-(expandtypeattribute (hwservicemanager_prop_30_0) true)
-(expandtypeattribute (icon_file_30_0) true)
-(expandtypeattribute (idmap_30_0) true)
-(expandtypeattribute (idmap_exec_30_0) true)
-(expandtypeattribute (idmap_service_30_0) true)
-(expandtypeattribute (iio_device_30_0) true)
-(expandtypeattribute (imms_service_30_0) true)
-(expandtypeattribute (incident_30_0) true)
-(expandtypeattribute (incident_data_file_30_0) true)
-(expandtypeattribute (incident_helper_30_0) true)
-(expandtypeattribute (incident_service_30_0) true)
-(expandtypeattribute (incidentd_30_0) true)
-(expandtypeattribute (incremental_control_file_30_0) true)
-(expandtypeattribute (incremental_prop_30_0) true)
-(expandtypeattribute (incremental_service_30_0) true)
-(expandtypeattribute (init_30_0) true)
-(expandtypeattribute (init_exec_30_0) true)
-(expandtypeattribute (init_perf_lsm_hooks_prop_30_0) true)
-(expandtypeattribute (init_svc_debug_prop_30_0) true)
-(expandtypeattribute (init_tmpfs_30_0) true)
-(expandtypeattribute (inotify_30_0) true)
-(expandtypeattribute (input_device_30_0) true)
-(expandtypeattribute (input_method_service_30_0) true)
-(expandtypeattribute (input_service_30_0) true)
-(expandtypeattribute (inputflinger_30_0) true)
-(expandtypeattribute (inputflinger_exec_30_0) true)
-(expandtypeattribute (inputflinger_service_30_0) true)
-(expandtypeattribute (install_data_file_30_0) true)
-(expandtypeattribute (installd_30_0) true)
-(expandtypeattribute (installd_exec_30_0) true)
-(expandtypeattribute (installd_service_30_0) true)
-(expandtypeattribute (ion_device_30_0) true)
-(expandtypeattribute (iorap_inode2filename_30_0) true)
-(expandtypeattribute (iorap_inode2filename_exec_30_0) true)
-(expandtypeattribute (iorap_inode2filename_tmpfs_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_exec_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_tmpfs_30_0) true)
-(expandtypeattribute (iorapd_30_0) true)
-(expandtypeattribute (iorapd_data_file_30_0) true)
-(expandtypeattribute (iorapd_exec_30_0) true)
-(expandtypeattribute (iorapd_service_30_0) true)
-(expandtypeattribute (iorapd_tmpfs_30_0) true)
-(expandtypeattribute (ipsec_service_30_0) true)
-(expandtypeattribute (iris_service_30_0) true)
-(expandtypeattribute (iris_vendor_data_file_30_0) true)
-(expandtypeattribute (isolated_app_30_0) true)
-(expandtypeattribute (jobscheduler_service_30_0) true)
-(expandtypeattribute (kernel_30_0) true)
-(expandtypeattribute (keychain_data_file_30_0) true)
-(expandtypeattribute (keychord_device_30_0) true)
-(expandtypeattribute (keystore_30_0) true)
-(expandtypeattribute (keystore_data_file_30_0) true)
-(expandtypeattribute (keystore_exec_30_0) true)
-(expandtypeattribute (keystore_service_30_0) true)
-(expandtypeattribute (kmsg_debug_device_30_0) true)
-(expandtypeattribute (kmsg_device_30_0) true)
-(expandtypeattribute (labeledfs_30_0) true)
-(expandtypeattribute (last_boot_reason_prop_30_0) true)
-(expandtypeattribute (launcherapps_service_30_0) true)
-(expandtypeattribute (light_service_30_0) true)
-(expandtypeattribute (linkerconfig_file_30_0) true)
-(expandtypeattribute (llkd_30_0) true)
-(expandtypeattribute (llkd_exec_30_0) true)
-(expandtypeattribute (llkd_prop_30_0) true)
-(expandtypeattribute (lmkd_30_0) true)
-(expandtypeattribute (lmkd_exec_30_0) true)
-(expandtypeattribute (lmkd_prop_30_0) true)
-(expandtypeattribute (lmkd_socket_30_0) true)
-(expandtypeattribute (location_service_30_0) true)
-(expandtypeattribute (lock_settings_service_30_0) true)
-(expandtypeattribute (log_prop_30_0) true)
-(expandtypeattribute (log_tag_prop_30_0) true)
-(expandtypeattribute (logcat_exec_30_0) true)
-(expandtypeattribute (logd_30_0) true)
-(expandtypeattribute (logd_exec_30_0) true)
-(expandtypeattribute (logd_prop_30_0) true)
-(expandtypeattribute (logd_socket_30_0) true)
-(expandtypeattribute (logdr_socket_30_0) true)
-(expandtypeattribute (logdw_socket_30_0) true)
-(expandtypeattribute (logpersist_30_0) true)
-(expandtypeattribute (logpersistd_logging_prop_30_0) true)
-(expandtypeattribute (loop_control_device_30_0) true)
-(expandtypeattribute (loop_device_30_0) true)
-(expandtypeattribute (looper_stats_service_30_0) true)
-(expandtypeattribute (lowpan_device_30_0) true)
-(expandtypeattribute (lowpan_prop_30_0) true)
-(expandtypeattribute (lowpan_service_30_0) true)
-(expandtypeattribute (lpdump_service_30_0) true)
-(expandtypeattribute (lpdumpd_prop_30_0) true)
-(expandtypeattribute (mac_perms_file_30_0) true)
-(expandtypeattribute (mdns_socket_30_0) true)
-(expandtypeattribute (mdnsd_30_0) true)
-(expandtypeattribute (mdnsd_socket_30_0) true)
-(expandtypeattribute (media_data_file_30_0) true)
-(expandtypeattribute (media_projection_service_30_0) true)
-(expandtypeattribute (media_router_service_30_0) true)
-(expandtypeattribute (media_rw_data_file_30_0) true)
-(expandtypeattribute (media_session_service_30_0) true)
-(expandtypeattribute (media_variant_prop_30_0) true)
-(expandtypeattribute (mediadrmserver_30_0) true)
-(expandtypeattribute (mediadrmserver_exec_30_0) true)
-(expandtypeattribute (mediadrmserver_service_30_0) true)
-(expandtypeattribute (mediaextractor_30_0) true)
-(expandtypeattribute (mediaextractor_exec_30_0) true)
-(expandtypeattribute (mediaextractor_service_30_0) true)
-(expandtypeattribute (mediaextractor_tmpfs_30_0) true)
-(expandtypeattribute (mediametrics_30_0) true)
-(expandtypeattribute (mediametrics_exec_30_0) true)
-(expandtypeattribute (mediametrics_service_30_0) true)
-(expandtypeattribute (mediaprovider_30_0) true)
-(expandtypeattribute (mediaserver_30_0) true)
-(expandtypeattribute (mediaserver_exec_30_0) true)
-(expandtypeattribute (mediaserver_service_30_0) true)
-(expandtypeattribute (mediaserver_tmpfs_30_0) true)
-(expandtypeattribute (mediaswcodec_30_0) true)
-(expandtypeattribute (mediaswcodec_exec_30_0) true)
-(expandtypeattribute (mediatranscoding_30_0) true)
-(expandtypeattribute (mediatranscoding_exec_30_0) true)
-(expandtypeattribute (mediatranscoding_service_30_0) true)
-(expandtypeattribute (meminfo_service_30_0) true)
-(expandtypeattribute (metadata_block_device_30_0) true)
-(expandtypeattribute (metadata_bootstat_file_30_0) true)
-(expandtypeattribute (metadata_file_30_0) true)
-(expandtypeattribute (method_trace_data_file_30_0) true)
-(expandtypeattribute (midi_service_30_0) true)
-(expandtypeattribute (mirror_data_file_30_0) true)
-(expandtypeattribute (misc_block_device_30_0) true)
-(expandtypeattribute (misc_logd_file_30_0) true)
-(expandtypeattribute (misc_user_data_file_30_0) true)
-(expandtypeattribute (mmc_prop_30_0) true)
-(expandtypeattribute (mnt_expand_file_30_0) true)
-(expandtypeattribute (mnt_media_rw_file_30_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_30_0) true)
-(expandtypeattribute (mnt_pass_through_file_30_0) true)
-(expandtypeattribute (mnt_product_file_30_0) true)
-(expandtypeattribute (mnt_sdcard_file_30_0) true)
-(expandtypeattribute (mnt_user_file_30_0) true)
-(expandtypeattribute (mnt_vendor_file_30_0) true)
-(expandtypeattribute (mock_ota_prop_30_0) true)
-(expandtypeattribute (modprobe_30_0) true)
-(expandtypeattribute (module_sdkextensions_prop_30_0) true)
-(expandtypeattribute (mount_service_30_0) true)
-(expandtypeattribute (mqueue_30_0) true)
-(expandtypeattribute (mtp_30_0) true)
-(expandtypeattribute (mtp_device_30_0) true)
-(expandtypeattribute (mtp_exec_30_0) true)
-(expandtypeattribute (mtpd_socket_30_0) true)
-(expandtypeattribute (nativetest_data_file_30_0) true)
-(expandtypeattribute (net_data_file_30_0) true)
-(expandtypeattribute (net_dns_prop_30_0) true)
-(expandtypeattribute (net_radio_prop_30_0) true)
-(expandtypeattribute (netd_30_0) true)
-(expandtypeattribute (netd_exec_30_0) true)
-(expandtypeattribute (netd_listener_service_30_0) true)
-(expandtypeattribute (netd_service_30_0) true)
-(expandtypeattribute (netd_stable_secret_prop_30_0) true)
-(expandtypeattribute (netif_30_0) true)
-(expandtypeattribute (netpolicy_service_30_0) true)
-(expandtypeattribute (netstats_service_30_0) true)
-(expandtypeattribute (netutils_wrapper_30_0) true)
-(expandtypeattribute (netutils_wrapper_exec_30_0) true)
-(expandtypeattribute (network_management_service_30_0) true)
-(expandtypeattribute (network_score_service_30_0) true)
-(expandtypeattribute (network_stack_30_0) true)
-(expandtypeattribute (network_stack_service_30_0) true)
-(expandtypeattribute (network_time_update_service_30_0) true)
-(expandtypeattribute (network_watchlist_data_file_30_0) true)
-(expandtypeattribute (network_watchlist_service_30_0) true)
-(expandtypeattribute (nfc_30_0) true)
-(expandtypeattribute (nfc_data_file_30_0) true)
-(expandtypeattribute (nfc_device_30_0) true)
-(expandtypeattribute (nfc_prop_30_0) true)
-(expandtypeattribute (nfc_service_30_0) true)
-(expandtypeattribute (nnapi_ext_deny_product_prop_30_0) true)
-(expandtypeattribute (node_30_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_30_0) true)
-(expandtypeattribute (notification_service_30_0) true)
-(expandtypeattribute (null_device_30_0) true)
-(expandtypeattribute (oem_lock_service_30_0) true)
-(expandtypeattribute (oemfs_30_0) true)
-(expandtypeattribute (ota_data_file_30_0) true)
-(expandtypeattribute (ota_metadata_file_30_0) true)
-(expandtypeattribute (ota_package_file_30_0) true)
-(expandtypeattribute (ota_prop_30_0) true)
-(expandtypeattribute (otadexopt_service_30_0) true)
-(expandtypeattribute (overlay_prop_30_0) true)
-(expandtypeattribute (overlay_service_30_0) true)
-(expandtypeattribute (overlayfs_file_30_0) true)
-(expandtypeattribute (owntty_device_30_0) true)
-(expandtypeattribute (package_native_service_30_0) true)
-(expandtypeattribute (package_service_30_0) true)
-(expandtypeattribute (packages_list_file_30_0) true)
-(expandtypeattribute (pan_result_prop_30_0) true)
-(expandtypeattribute (password_slot_metadata_file_30_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_30_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_dir_30_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_performance_dir_30_0) true)
-(expandtypeattribute (perfetto_30_0) true)
-(expandtypeattribute (performanced_30_0) true)
-(expandtypeattribute (performanced_exec_30_0) true)
-(expandtypeattribute (permission_service_30_0) true)
-(expandtypeattribute (permissionmgr_service_30_0) true)
-(expandtypeattribute (persist_debug_prop_30_0) true)
-(expandtypeattribute (persistent_data_block_service_30_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_30_0) true)
-(expandtypeattribute (pinner_service_30_0) true)
-(expandtypeattribute (pipefs_30_0) true)
-(expandtypeattribute (platform_app_30_0) true)
-(expandtypeattribute (platform_compat_service_30_0) true)
-(expandtypeattribute (pm_prop_30_0) true)
-(expandtypeattribute (pmsg_device_30_0) true)
-(expandtypeattribute (port_30_0) true)
-(expandtypeattribute (port_device_30_0) true)
-(expandtypeattribute (postinstall_30_0) true)
-(expandtypeattribute (postinstall_apex_mnt_dir_30_0) true)
-(expandtypeattribute (postinstall_file_30_0) true)
-(expandtypeattribute (postinstall_mnt_dir_30_0) true)
-(expandtypeattribute (power_service_30_0) true)
-(expandtypeattribute (powerctl_prop_30_0) true)
-(expandtypeattribute (ppp_30_0) true)
-(expandtypeattribute (ppp_device_30_0) true)
-(expandtypeattribute (ppp_exec_30_0) true)
-(expandtypeattribute (preloads_data_file_30_0) true)
-(expandtypeattribute (preloads_media_file_30_0) true)
-(expandtypeattribute (prereboot_data_file_30_0) true)
-(expandtypeattribute (print_service_30_0) true)
-(expandtypeattribute (priv_app_30_0) true)
-(expandtypeattribute (privapp_data_file_30_0) true)
-(expandtypeattribute (proc_30_0) true)
-(expandtypeattribute (proc_abi_30_0) true)
-(expandtypeattribute (proc_asound_30_0) true)
-(expandtypeattribute (proc_bluetooth_writable_30_0) true)
-(expandtypeattribute (proc_buddyinfo_30_0) true)
-(expandtypeattribute (proc_cmdline_30_0) true)
-(expandtypeattribute (proc_cpuinfo_30_0) true)
-(expandtypeattribute (proc_dirty_30_0) true)
-(expandtypeattribute (proc_diskstats_30_0) true)
-(expandtypeattribute (proc_drop_caches_30_0) true)
-(expandtypeattribute (proc_extra_free_kbytes_30_0) true)
-(expandtypeattribute (proc_filesystems_30_0) true)
-(expandtypeattribute (proc_fs_verity_30_0) true)
-(expandtypeattribute (proc_hostname_30_0) true)
-(expandtypeattribute (proc_hung_task_30_0) true)
-(expandtypeattribute (proc_interrupts_30_0) true)
-(expandtypeattribute (proc_iomem_30_0) true)
-(expandtypeattribute (proc_keys_30_0) true)
-(expandtypeattribute (proc_kmsg_30_0) true)
-(expandtypeattribute (proc_kpageflags_30_0) true)
-(expandtypeattribute (proc_loadavg_30_0) true)
-(expandtypeattribute (proc_lowmemorykiller_30_0) true)
-(expandtypeattribute (proc_max_map_count_30_0) true)
-(expandtypeattribute (proc_meminfo_30_0) true)
-(expandtypeattribute (proc_min_free_order_shift_30_0) true)
-(expandtypeattribute (proc_misc_30_0) true)
-(expandtypeattribute (proc_modules_30_0) true)
-(expandtypeattribute (proc_mounts_30_0) true)
-(expandtypeattribute (proc_net_30_0) true)
-(expandtypeattribute (proc_net_tcp_udp_30_0) true)
-(expandtypeattribute (proc_overcommit_memory_30_0) true)
-(expandtypeattribute (proc_page_cluster_30_0) true)
-(expandtypeattribute (proc_pagetypeinfo_30_0) true)
-(expandtypeattribute (proc_panic_30_0) true)
-(expandtypeattribute (proc_perf_30_0) true)
-(expandtypeattribute (proc_pid_max_30_0) true)
-(expandtypeattribute (proc_pipe_conf_30_0) true)
-(expandtypeattribute (proc_pressure_cpu_30_0) true)
-(expandtypeattribute (proc_pressure_io_30_0) true)
-(expandtypeattribute (proc_pressure_mem_30_0) true)
-(expandtypeattribute (proc_qtaguid_ctrl_30_0) true)
-(expandtypeattribute (proc_qtaguid_stat_30_0) true)
-(expandtypeattribute (proc_random_30_0) true)
-(expandtypeattribute (proc_sched_30_0) true)
-(expandtypeattribute (proc_security_30_0) true)
-(expandtypeattribute (proc_slabinfo_30_0) true)
-(expandtypeattribute (proc_stat_30_0) true)
-(expandtypeattribute (proc_swaps_30_0) true)
-(expandtypeattribute (proc_sysrq_30_0) true)
-(expandtypeattribute (proc_timer_30_0) true)
-(expandtypeattribute (proc_tty_drivers_30_0) true)
-(expandtypeattribute (proc_uid_concurrent_active_time_30_0) true)
-(expandtypeattribute (proc_uid_concurrent_policy_time_30_0) true)
-(expandtypeattribute (proc_uid_cpupower_30_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_30_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_30_0) true)
-(expandtypeattribute (proc_uid_io_stats_30_0) true)
-(expandtypeattribute (proc_uid_procstat_set_30_0) true)
-(expandtypeattribute (proc_uid_time_in_state_30_0) true)
-(expandtypeattribute (proc_uptime_30_0) true)
-(expandtypeattribute (proc_version_30_0) true)
-(expandtypeattribute (proc_vmallocinfo_30_0) true)
-(expandtypeattribute (proc_vmstat_30_0) true)
-(expandtypeattribute (proc_zoneinfo_30_0) true)
-(expandtypeattribute (processinfo_service_30_0) true)
-(expandtypeattribute (procstats_service_30_0) true)
-(expandtypeattribute (profman_30_0) true)
-(expandtypeattribute (profman_dump_data_file_30_0) true)
-(expandtypeattribute (profman_exec_30_0) true)
-(expandtypeattribute (properties_device_30_0) true)
-(expandtypeattribute (properties_serial_30_0) true)
-(expandtypeattribute (property_contexts_file_30_0) true)
-(expandtypeattribute (property_data_file_30_0) true)
-(expandtypeattribute (property_info_30_0) true)
-(expandtypeattribute (property_socket_30_0) true)
-(expandtypeattribute (pstorefs_30_0) true)
-(expandtypeattribute (ptmx_device_30_0) true)
-(expandtypeattribute (qtaguid_device_30_0) true)
-(expandtypeattribute (racoon_30_0) true)
-(expandtypeattribute (racoon_exec_30_0) true)
-(expandtypeattribute (racoon_socket_30_0) true)
-(expandtypeattribute (radio_30_0) true)
-(expandtypeattribute (radio_data_file_30_0) true)
-(expandtypeattribute (radio_device_30_0) true)
-(expandtypeattribute (radio_prop_30_0) true)
-(expandtypeattribute (radio_service_30_0) true)
-(expandtypeattribute (ram_device_30_0) true)
-(expandtypeattribute (random_device_30_0) true)
-(expandtypeattribute (rebootescrow_hal_prop_30_0) true)
-(expandtypeattribute (recovery_30_0) true)
-(expandtypeattribute (recovery_block_device_30_0) true)
-(expandtypeattribute (recovery_data_file_30_0) true)
-(expandtypeattribute (recovery_persist_30_0) true)
-(expandtypeattribute (recovery_persist_exec_30_0) true)
-(expandtypeattribute (recovery_refresh_30_0) true)
-(expandtypeattribute (recovery_refresh_exec_30_0) true)
-(expandtypeattribute (recovery_service_30_0) true)
-(expandtypeattribute (recovery_socket_30_0) true)
-(expandtypeattribute (registry_service_30_0) true)
-(expandtypeattribute (resourcecache_data_file_30_0) true)
-(expandtypeattribute (restorecon_prop_30_0) true)
-(expandtypeattribute (restrictions_service_30_0) true)
-(expandtypeattribute (rild_debug_socket_30_0) true)
-(expandtypeattribute (rild_socket_30_0) true)
-(expandtypeattribute (ringtone_file_30_0) true)
-(expandtypeattribute (role_service_30_0) true)
-(expandtypeattribute (rollback_service_30_0) true)
-(expandtypeattribute (root_block_device_30_0) true)
-(expandtypeattribute (rootfs_30_0) true)
-(expandtypeattribute (rpmsg_device_30_0) true)
-(expandtypeattribute (rs_30_0) true)
-(expandtypeattribute (rs_exec_30_0) true)
-(expandtypeattribute (rss_hwm_reset_30_0) true)
-(expandtypeattribute (rtc_device_30_0) true)
-(expandtypeattribute (rttmanager_service_30_0) true)
-(expandtypeattribute (runas_30_0) true)
-(expandtypeattribute (runas_app_30_0) true)
-(expandtypeattribute (runas_exec_30_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_30_0) true)
-(expandtypeattribute (runtime_service_30_0) true)
-(expandtypeattribute (safemode_prop_30_0) true)
-(expandtypeattribute (same_process_hal_file_30_0) true)
-(expandtypeattribute (samplingprofiler_service_30_0) true)
-(expandtypeattribute (scheduling_policy_service_30_0) true)
-(expandtypeattribute (sdcard_block_device_30_0) true)
-(expandtypeattribute (sdcardd_30_0) true)
-(expandtypeattribute (sdcardd_exec_30_0) true)
-(expandtypeattribute (sdcardfs_30_0) true)
-(expandtypeattribute (seapp_contexts_file_30_0) true)
-(expandtypeattribute (search_service_30_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_30_0) true)
-(expandtypeattribute (secure_element_30_0) true)
-(expandtypeattribute (secure_element_device_30_0) true)
-(expandtypeattribute (secure_element_service_30_0) true)
-(expandtypeattribute (securityfs_30_0) true)
-(expandtypeattribute (selinuxfs_30_0) true)
-(expandtypeattribute (sensor_privacy_service_30_0) true)
-(expandtypeattribute (sensors_device_30_0) true)
-(expandtypeattribute (sensorservice_service_30_0) true)
-(expandtypeattribute (sepolicy_file_30_0) true)
-(expandtypeattribute (serial_device_30_0) true)
-(expandtypeattribute (serial_service_30_0) true)
-(expandtypeattribute (serialno_prop_30_0) true)
-(expandtypeattribute (server_configurable_flags_data_file_30_0) true)
-(expandtypeattribute (service_contexts_file_30_0) true)
-(expandtypeattribute (service_manager_service_30_0) true)
-(expandtypeattribute (service_manager_vndservice_30_0) true)
-(expandtypeattribute (servicediscovery_service_30_0) true)
-(expandtypeattribute (servicemanager_30_0) true)
-(expandtypeattribute (servicemanager_exec_30_0) true)
-(expandtypeattribute (settings_service_30_0) true)
-(expandtypeattribute (sgdisk_30_0) true)
-(expandtypeattribute (sgdisk_exec_30_0) true)
-(expandtypeattribute (shared_relro_30_0) true)
-(expandtypeattribute (shared_relro_file_30_0) true)
-(expandtypeattribute (shell_30_0) true)
-(expandtypeattribute (shell_data_file_30_0) true)
-(expandtypeattribute (shell_exec_30_0) true)
-(expandtypeattribute (shell_prop_30_0) true)
-(expandtypeattribute (shm_30_0) true)
-(expandtypeattribute (shortcut_manager_icons_30_0) true)
-(expandtypeattribute (shortcut_service_30_0) true)
-(expandtypeattribute (simpleperf_30_0) true)
-(expandtypeattribute (simpleperf_app_runner_30_0) true)
-(expandtypeattribute (simpleperf_app_runner_exec_30_0) true)
-(expandtypeattribute (slice_service_30_0) true)
-(expandtypeattribute (slideshow_30_0) true)
-(expandtypeattribute (snapshotctl_log_data_file_30_0) true)
-(expandtypeattribute (socket_device_30_0) true)
-(expandtypeattribute (socket_hook_prop_30_0) true)
-(expandtypeattribute (sockfs_30_0) true)
-(expandtypeattribute (sota_prop_30_0) true)
-(expandtypeattribute (soundtrigger_middleware_service_30_0) true)
-(expandtypeattribute (staging_data_file_30_0) true)
-(expandtypeattribute (stats_data_file_30_0) true)
-(expandtypeattribute (statsd_30_0) true)
-(expandtypeattribute (statsd_exec_30_0) true)
-(expandtypeattribute (statsdw_socket_30_0) true)
-(expandtypeattribute (statusbar_service_30_0) true)
-(expandtypeattribute (storage_config_prop_30_0) true)
-(expandtypeattribute (storage_file_30_0) true)
-(expandtypeattribute (storage_stub_file_30_0) true)
-(expandtypeattribute (storaged_service_30_0) true)
-(expandtypeattribute (storagestats_service_30_0) true)
-(expandtypeattribute (su_30_0) true)
-(expandtypeattribute (su_exec_30_0) true)
-(expandtypeattribute (super_block_device_30_0) true)
-(expandtypeattribute (surfaceflinger_30_0) true)
-(expandtypeattribute (surfaceflinger_service_30_0) true)
-(expandtypeattribute (surfaceflinger_tmpfs_30_0) true)
-(expandtypeattribute (swap_block_device_30_0) true)
-(expandtypeattribute (sysfs_30_0) true)
-(expandtypeattribute (sysfs_android_usb_30_0) true)
-(expandtypeattribute (sysfs_batteryinfo_30_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_30_0) true)
-(expandtypeattribute (sysfs_devices_block_30_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_30_0) true)
-(expandtypeattribute (sysfs_dm_30_0) true)
-(expandtypeattribute (sysfs_dm_verity_30_0) true)
-(expandtypeattribute (sysfs_dt_firmware_android_30_0) true)
-(expandtypeattribute (sysfs_extcon_30_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_30_0) true)
-(expandtypeattribute (sysfs_fs_f2fs_30_0) true)
-(expandtypeattribute (sysfs_hwrandom_30_0) true)
-(expandtypeattribute (sysfs_ion_30_0) true)
-(expandtypeattribute (sysfs_ipv4_30_0) true)
-(expandtypeattribute (sysfs_kernel_notes_30_0) true)
-(expandtypeattribute (sysfs_leds_30_0) true)
-(expandtypeattribute (sysfs_loop_30_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_30_0) true)
-(expandtypeattribute (sysfs_net_30_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_30_0) true)
-(expandtypeattribute (sysfs_power_30_0) true)
-(expandtypeattribute (sysfs_rtc_30_0) true)
-(expandtypeattribute (sysfs_suspend_stats_30_0) true)
-(expandtypeattribute (sysfs_switch_30_0) true)
-(expandtypeattribute (sysfs_thermal_30_0) true)
-(expandtypeattribute (sysfs_transparent_hugepage_30_0) true)
-(expandtypeattribute (sysfs_uio_30_0) true)
-(expandtypeattribute (sysfs_usb_30_0) true)
-(expandtypeattribute (sysfs_usermodehelper_30_0) true)
-(expandtypeattribute (sysfs_vibrator_30_0) true)
-(expandtypeattribute (sysfs_wake_lock_30_0) true)
-(expandtypeattribute (sysfs_wakeup_30_0) true)
-(expandtypeattribute (sysfs_wakeup_reasons_30_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_30_0) true)
-(expandtypeattribute (sysfs_zram_30_0) true)
-(expandtypeattribute (sysfs_zram_uevent_30_0) true)
-(expandtypeattribute (system_adbd_prop_30_0) true)
-(expandtypeattribute (system_app_30_0) true)
-(expandtypeattribute (system_app_data_file_30_0) true)
-(expandtypeattribute (system_app_service_30_0) true)
-(expandtypeattribute (system_asan_options_file_30_0) true)
-(expandtypeattribute (system_block_device_30_0) true)
-(expandtypeattribute (system_boot_reason_prop_30_0) true)
-(expandtypeattribute (system_bootstrap_lib_file_30_0) true)
-(expandtypeattribute (system_config_service_30_0) true)
-(expandtypeattribute (system_data_file_30_0) true)
-(expandtypeattribute (system_data_root_file_30_0) true)
-(expandtypeattribute (system_event_log_tags_file_30_0) true)
-(expandtypeattribute (system_file_30_0) true)
-(expandtypeattribute (system_group_file_30_0) true)
-(expandtypeattribute (system_jvmti_agent_prop_30_0) true)
-(expandtypeattribute (system_lib_file_30_0) true)
-(expandtypeattribute (system_linker_config_file_30_0) true)
-(expandtypeattribute (system_linker_exec_30_0) true)
-(expandtypeattribute (system_lmk_prop_30_0) true)
-(expandtypeattribute (system_ndebug_socket_30_0) true)
-(expandtypeattribute (system_net_netd_hwservice_30_0) true)
-(expandtypeattribute (system_passwd_file_30_0) true)
-(expandtypeattribute (system_prop_30_0) true)
-(expandtypeattribute (system_radio_prop_30_0) true)
-(expandtypeattribute (system_seccomp_policy_file_30_0) true)
-(expandtypeattribute (system_security_cacerts_file_30_0) true)
-(expandtypeattribute (system_server_30_0) true)
-(expandtypeattribute (system_server_tmpfs_30_0) true)
-(expandtypeattribute (system_suspend_control_service_30_0) true)
-(expandtypeattribute (system_suspend_hwservice_30_0) true)
-(expandtypeattribute (system_trace_prop_30_0) true)
-(expandtypeattribute (system_unsolzygote_socket_30_0) true)
-(expandtypeattribute (system_update_service_30_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_30_0) true)
-(expandtypeattribute (system_wpa_socket_30_0) true)
-(expandtypeattribute (system_zoneinfo_file_30_0) true)
-(expandtypeattribute (systemkeys_data_file_30_0) true)
-(expandtypeattribute (task_profiles_file_30_0) true)
-(expandtypeattribute (task_service_30_0) true)
-(expandtypeattribute (tcpdump_exec_30_0) true)
-(expandtypeattribute (tee_30_0) true)
-(expandtypeattribute (tee_data_file_30_0) true)
-(expandtypeattribute (tee_device_30_0) true)
-(expandtypeattribute (telecom_service_30_0) true)
-(expandtypeattribute (test_boot_reason_prop_30_0) true)
-(expandtypeattribute (test_harness_prop_30_0) true)
-(expandtypeattribute (testharness_service_30_0) true)
-(expandtypeattribute (tethering_service_30_0) true)
-(expandtypeattribute (textclassification_service_30_0) true)
-(expandtypeattribute (textclassifier_data_file_30_0) true)
-(expandtypeattribute (textservices_service_30_0) true)
-(expandtypeattribute (theme_prop_30_0) true)
-(expandtypeattribute (thermal_service_30_0) true)
-(expandtypeattribute (thermalcallback_hwservice_30_0) true)
-(expandtypeattribute (time_prop_30_0) true)
-(expandtypeattribute (timedetector_service_30_0) true)
-(expandtypeattribute (timezone_service_30_0) true)
-(expandtypeattribute (timezonedetector_service_30_0) true)
-(expandtypeattribute (tmpfs_30_0) true)
-(expandtypeattribute (tombstone_data_file_30_0) true)
-(expandtypeattribute (tombstone_wifi_data_file_30_0) true)
-(expandtypeattribute (tombstoned_30_0) true)
-(expandtypeattribute (tombstoned_crash_socket_30_0) true)
-(expandtypeattribute (tombstoned_exec_30_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_30_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_30_0) true)
-(expandtypeattribute (toolbox_30_0) true)
-(expandtypeattribute (toolbox_exec_30_0) true)
-(expandtypeattribute (trace_data_file_30_0) true)
-(expandtypeattribute (traced_30_0) true)
-(expandtypeattribute (traced_consumer_socket_30_0) true)
-(expandtypeattribute (traced_enabled_prop_30_0) true)
-(expandtypeattribute (traced_lazy_prop_30_0) true)
-(expandtypeattribute (traced_perf_30_0) true)
-(expandtypeattribute (traced_perf_enabled_prop_30_0) true)
-(expandtypeattribute (traced_perf_socket_30_0) true)
-(expandtypeattribute (traced_probes_30_0) true)
-(expandtypeattribute (traced_producer_socket_30_0) true)
-(expandtypeattribute (traceur_app_30_0) true)
-(expandtypeattribute (trust_service_30_0) true)
-(expandtypeattribute (tty_device_30_0) true)
-(expandtypeattribute (tun_device_30_0) true)
-(expandtypeattribute (tv_input_service_30_0) true)
-(expandtypeattribute (tv_tuner_resource_mgr_service_30_0) true)
-(expandtypeattribute (tzdatacheck_30_0) true)
-(expandtypeattribute (tzdatacheck_exec_30_0) true)
-(expandtypeattribute (ueventd_30_0) true)
-(expandtypeattribute (ueventd_tmpfs_30_0) true)
-(expandtypeattribute (uhid_device_30_0) true)
-(expandtypeattribute (uimode_service_30_0) true)
-(expandtypeattribute (uio_device_30_0) true)
-(expandtypeattribute (uncrypt_30_0) true)
-(expandtypeattribute (uncrypt_exec_30_0) true)
-(expandtypeattribute (uncrypt_socket_30_0) true)
-(expandtypeattribute (unencrypted_data_file_30_0) true)
-(expandtypeattribute (unlabeled_30_0) true)
-(expandtypeattribute (untrusted_app_25_30_0) true)
-(expandtypeattribute (untrusted_app_27_30_0) true)
-(expandtypeattribute (untrusted_app_29_30_0) true)
-(expandtypeattribute (untrusted_app_30_0) true)
-(expandtypeattribute (update_engine_30_0) true)
-(expandtypeattribute (update_engine_data_file_30_0) true)
-(expandtypeattribute (update_engine_exec_30_0) true)
-(expandtypeattribute (update_engine_log_data_file_30_0) true)
-(expandtypeattribute (update_engine_service_30_0) true)
-(expandtypeattribute (update_verifier_30_0) true)
-(expandtypeattribute (update_verifier_exec_30_0) true)
-(expandtypeattribute (updatelock_service_30_0) true)
-(expandtypeattribute (uri_grants_service_30_0) true)
-(expandtypeattribute (usagestats_service_30_0) true)
-(expandtypeattribute (usb_device_30_0) true)
-(expandtypeattribute (usb_serial_device_30_0) true)
-(expandtypeattribute (usb_service_30_0) true)
-(expandtypeattribute (usbaccessory_device_30_0) true)
-(expandtypeattribute (usbd_30_0) true)
-(expandtypeattribute (usbd_exec_30_0) true)
-(expandtypeattribute (usbfs_30_0) true)
-(expandtypeattribute (use_memfd_prop_30_0) true)
-(expandtypeattribute (user_profile_data_file_30_0) true)
-(expandtypeattribute (user_service_30_0) true)
-(expandtypeattribute (userdata_block_device_30_0) true)
-(expandtypeattribute (usermodehelper_30_0) true)
-(expandtypeattribute (userspace_reboot_config_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_exported_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_log_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_test_prop_30_0) true)
-(expandtypeattribute (vdc_30_0) true)
-(expandtypeattribute (vdc_exec_30_0) true)
-(expandtypeattribute (vehicle_hal_prop_30_0) true)
-(expandtypeattribute (vendor_apex_file_30_0) true)
-(expandtypeattribute (vendor_app_file_30_0) true)
-(expandtypeattribute (vendor_cgroup_desc_file_30_0) true)
-(expandtypeattribute (vendor_configs_file_30_0) true)
-(expandtypeattribute (vendor_data_file_30_0) true)
-(expandtypeattribute (vendor_default_prop_30_0) true)
-(expandtypeattribute (vendor_file_30_0) true)
-(expandtypeattribute (vendor_framework_file_30_0) true)
-(expandtypeattribute (vendor_hal_file_30_0) true)
-(expandtypeattribute (vendor_idc_file_30_0) true)
-(expandtypeattribute (vendor_init_30_0) true)
-(expandtypeattribute (vendor_keychars_file_30_0) true)
-(expandtypeattribute (vendor_keylayout_file_30_0) true)
-(expandtypeattribute (vendor_misc_writer_30_0) true)
-(expandtypeattribute (vendor_misc_writer_exec_30_0) true)
-(expandtypeattribute (vendor_overlay_file_30_0) true)
-(expandtypeattribute (vendor_public_lib_file_30_0) true)
-(expandtypeattribute (vendor_security_patch_level_prop_30_0) true)
-(expandtypeattribute (vendor_shell_30_0) true)
-(expandtypeattribute (vendor_shell_exec_30_0) true)
-(expandtypeattribute (vendor_socket_hook_prop_30_0) true)
-(expandtypeattribute (vendor_task_profiles_file_30_0) true)
-(expandtypeattribute (vendor_toolbox_exec_30_0) true)
-(expandtypeattribute (vfat_30_0) true)
-(expandtypeattribute (vibrator_service_30_0) true)
-(expandtypeattribute (video_device_30_0) true)
-(expandtypeattribute (virtual_ab_prop_30_0) true)
-(expandtypeattribute (virtual_touchpad_30_0) true)
-(expandtypeattribute (virtual_touchpad_exec_30_0) true)
-(expandtypeattribute (virtual_touchpad_service_30_0) true)
-(expandtypeattribute (vndbinder_device_30_0) true)
-(expandtypeattribute (vndk_prop_30_0) true)
-(expandtypeattribute (vndk_sp_file_30_0) true)
-(expandtypeattribute (vndservice_contexts_file_30_0) true)
-(expandtypeattribute (vndservicemanager_30_0) true)
-(expandtypeattribute (voiceinteraction_service_30_0) true)
-(expandtypeattribute (vold_30_0) true)
-(expandtypeattribute (vold_data_file_30_0) true)
-(expandtypeattribute (vold_device_30_0) true)
-(expandtypeattribute (vold_exec_30_0) true)
-(expandtypeattribute (vold_metadata_file_30_0) true)
-(expandtypeattribute (vold_prepare_subdirs_30_0) true)
-(expandtypeattribute (vold_prepare_subdirs_exec_30_0) true)
-(expandtypeattribute (vold_prop_30_0) true)
-(expandtypeattribute (vold_service_30_0) true)
-(expandtypeattribute (vpn_data_file_30_0) true)
-(expandtypeattribute (vr_hwc_30_0) true)
-(expandtypeattribute (vr_hwc_exec_30_0) true)
-(expandtypeattribute (vr_hwc_service_30_0) true)
-(expandtypeattribute (vr_manager_service_30_0) true)
-(expandtypeattribute (vrflinger_vsync_service_30_0) true)
-(expandtypeattribute (wallpaper_file_30_0) true)
-(expandtypeattribute (wallpaper_service_30_0) true)
-(expandtypeattribute (watchdog_device_30_0) true)
-(expandtypeattribute (watchdogd_30_0) true)
-(expandtypeattribute (watchdogd_exec_30_0) true)
-(expandtypeattribute (webview_zygote_30_0) true)
-(expandtypeattribute (webview_zygote_exec_30_0) true)
-(expandtypeattribute (webview_zygote_tmpfs_30_0) true)
-(expandtypeattribute (webviewupdate_service_30_0) true)
-(expandtypeattribute (wifi_data_file_30_0) true)
-(expandtypeattribute (wifi_log_prop_30_0) true)
-(expandtypeattribute (wifi_prop_30_0) true)
-(expandtypeattribute (wifi_service_30_0) true)
-(expandtypeattribute (wifiaware_service_30_0) true)
-(expandtypeattribute (wificond_30_0) true)
-(expandtypeattribute (wificond_exec_30_0) true)
-(expandtypeattribute (wifinl80211_service_30_0) true)
-(expandtypeattribute (wifip2p_service_30_0) true)
-(expandtypeattribute (wifiscanner_service_30_0) true)
-(expandtypeattribute (window_service_30_0) true)
-(expandtypeattribute (wpa_socket_30_0) true)
-(expandtypeattribute (wpantund_30_0) true)
-(expandtypeattribute (wpantund_exec_30_0) true)
-(expandtypeattribute (wpantund_service_30_0) true)
-(expandtypeattribute (zero_device_30_0) true)
-(expandtypeattribute (zoneinfo_data_file_30_0) true)
-(expandtypeattribute (zygote_30_0) true)
-(expandtypeattribute (zygote_exec_30_0) true)
-(expandtypeattribute (zygote_socket_30_0) true)
-(expandtypeattribute (zygote_tmpfs_30_0) true)
-(typeattributeset DockObserver_service_30_0 (DockObserver_service))
-(typeattributeset IProxyService_service_30_0 (IProxyService_service))
-(typeattributeset accessibility_service_30_0 (accessibility_service))
-(typeattributeset account_service_30_0 (account_service))
-(typeattributeset activity_service_30_0 (activity_service))
-(typeattributeset activity_task_service_30_0 (activity_task_service))
-(typeattributeset adb_data_file_30_0 (adb_data_file))
-(typeattributeset adb_keys_file_30_0 (adb_keys_file))
-(typeattributeset adb_service_30_0 (adb_service))
-(typeattributeset adbd_30_0 (adbd))
-(typeattributeset adbd_exec_30_0 (adbd_exec))
-(typeattributeset adbd_prop_30_0 (adbd_prop))
-(typeattributeset adbd_socket_30_0 (adbd_socket))
-(typeattributeset aidl_lazy_test_server_30_0 (aidl_lazy_test_server))
-(typeattributeset aidl_lazy_test_server_exec_30_0 (aidl_lazy_test_server_exec))
-(typeattributeset aidl_lazy_test_service_30_0 (aidl_lazy_test_service))
-(typeattributeset alarm_service_30_0 (alarm_service))
-(typeattributeset anr_data_file_30_0 (anr_data_file))
-(typeattributeset apex_data_file_30_0 (apex_data_file))
-(typeattributeset apex_metadata_file_30_0 (apex_metadata_file))
-(typeattributeset apex_mnt_dir_30_0 (apex_mnt_dir))
-(typeattributeset apex_module_data_file_30_0 (apex_module_data_file))
-(typeattributeset apex_permission_data_file_30_0 (apex_permission_data_file))
-(typeattributeset apex_rollback_data_file_30_0 (apex_rollback_data_file))
-(typeattributeset apex_service_30_0 (apex_service))
-(typeattributeset apex_wifi_data_file_30_0 (apex_wifi_data_file))
-(typeattributeset apexd_30_0 (apexd))
-(typeattributeset apexd_exec_30_0 (apexd_exec))
-(typeattributeset apexd_prop_30_0 (apexd_prop))
-(typeattributeset apk_data_file_30_0 (apk_data_file))
-(typeattributeset apk_private_data_file_30_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_30_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_30_0 (apk_tmp_file))
-(typeattributeset apk_verity_prop_30_0 (apk_verity_prop))
-(typeattributeset app_binding_service_30_0 (app_binding_service))
-(typeattributeset app_data_file_30_0 (app_data_file))
-(typeattributeset app_fuse_file_30_0 (app_fuse_file))
-(typeattributeset app_fusefs_30_0 (app_fusefs))
-(typeattributeset app_integrity_service_30_0 (app_integrity_service))
-(typeattributeset app_prediction_service_30_0 (app_prediction_service))
-(typeattributeset app_search_service_30_0 (app_search_service))
-(typeattributeset app_zygote_30_0 (app_zygote))
-(typeattributeset app_zygote_tmpfs_30_0 (app_zygote_tmpfs))
-(typeattributeset appdomain_tmpfs_30_0 (appdomain_tmpfs))
-(typeattributeset appops_service_30_0 (appops_service))
-(typeattributeset appwidget_service_30_0 (appwidget_service))
-(typeattributeset art_apex_dir_30_0 (art_apex_dir))
-(typeattributeset asec_apk_file_30_0 (asec_apk_file))
-(typeattributeset asec_image_file_30_0 (asec_image_file))
-(typeattributeset asec_public_file_30_0 (asec_public_file))
-(typeattributeset ashmem_device_30_0 (ashmem_device))
-(typeattributeset ashmem_libcutils_device_30_0 (ashmem_libcutils_device))
-(typeattributeset assetatlas_service_30_0 (assetatlas_service))
-(typeattributeset audio_data_file_30_0 (audio_data_file))
-(typeattributeset audio_device_30_0 (audio_device))
-(typeattributeset audio_prop_30_0 (audio_prop))
-(typeattributeset audio_service_30_0 (audio_service))
-(typeattributeset audiohal_data_file_30_0 (audiohal_data_file))
-(typeattributeset audioserver_30_0 (audioserver))
-(typeattributeset audioserver_data_file_30_0 (audioserver_data_file))
-(typeattributeset audioserver_service_30_0 (audioserver_service))
-(typeattributeset audioserver_tmpfs_30_0 (audioserver_tmpfs))
-(typeattributeset auth_service_30_0 (auth_service))
-(typeattributeset autofill_service_30_0 (autofill_service))
-(typeattributeset backup_data_file_30_0 (backup_data_file))
-(typeattributeset backup_service_30_0 (backup_service))
-(typeattributeset battery_service_30_0 (battery_service))
-(typeattributeset batteryproperties_service_30_0 (batteryproperties_service))
-(typeattributeset batterystats_service_30_0 (batterystats_service))
-(typeattributeset binder_cache_bluetooth_server_prop_30_0 (binder_cache_bluetooth_server_prop))
-(typeattributeset binder_cache_system_server_prop_30_0 (binder_cache_system_server_prop))
-(typeattributeset binder_cache_telephony_server_prop_30_0 (binder_cache_telephony_server_prop))
-(typeattributeset binder_calls_stats_service_30_0 (binder_calls_stats_service))
-(typeattributeset binder_device_30_0 (binder_device))
-(typeattributeset binderfs_30_0 (binderfs))
-(typeattributeset binderfs_logs_30_0 (binderfs_logs))
-(typeattributeset binderfs_logs_proc_30_0 (binderfs_logs_proc))
-(typeattributeset binfmt_miscfs_30_0 (binfmt_miscfs))
-(typeattributeset biometric_service_30_0 (biometric_service))
-(typeattributeset blkid_30_0 (blkid))
-(typeattributeset blkid_untrusted_30_0 (blkid_untrusted))
-(typeattributeset blob_store_service_30_0 (blob_store_service))
-(typeattributeset block_device_30_0 (block_device))
-(typeattributeset bluetooth_30_0 (bluetooth))
-(typeattributeset bluetooth_a2dp_offload_prop_30_0 (bluetooth_a2dp_offload_prop))
-(typeattributeset bluetooth_audio_hal_prop_30_0 (bluetooth_audio_hal_prop))
-(typeattributeset bluetooth_data_file_30_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_30_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_30_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_30_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_30_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_30_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_30_0 (bluetooth_socket))
-(typeattributeset boot_block_device_30_0 (boot_block_device))
-(typeattributeset bootanim_30_0 (bootanim))
-(typeattributeset bootanim_exec_30_0 (bootanim_exec))
-(typeattributeset bootchart_data_file_30_0 (bootchart_data_file))
-(typeattributeset bootloader_boot_reason_prop_30_0 (bootloader_boot_reason_prop))
-(typeattributeset bootstat_30_0 (bootstat))
-(typeattributeset bootstat_data_file_30_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_30_0 (bootstat_exec))
-(typeattributeset boottime_prop_30_0 (boottime_prop))
-(typeattributeset boottime_public_prop_30_0 (boottime_public_prop))
-(typeattributeset boottrace_data_file_30_0 (boottrace_data_file))
-(typeattributeset bpf_progs_loaded_prop_30_0 (bpf_progs_loaded_prop))
-(typeattributeset bq_config_prop_30_0 (bq_config_prop))
-(typeattributeset broadcastradio_service_30_0 (broadcastradio_service))
-(typeattributeset bufferhubd_30_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_30_0 (bufferhubd_exec))
-(typeattributeset bugreport_service_30_0 (bugreport_service))
-(typeattributeset cache_backup_file_30_0 (cache_backup_file))
-(typeattributeset cache_block_device_30_0 (cache_block_device))
-(typeattributeset cache_file_30_0 (cache_file))
-(typeattributeset cache_private_backup_file_30_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_30_0 (cache_recovery_file))
-(typeattributeset camera_data_file_30_0 (camera_data_file))
-(typeattributeset camera_device_30_0 (camera_device))
-(typeattributeset cameraproxy_service_30_0 (cameraproxy_service))
-(typeattributeset cameraserver_30_0 (cameraserver))
-(typeattributeset cameraserver_exec_30_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_30_0 (cameraserver_service))
-(typeattributeset cameraserver_tmpfs_30_0 (cameraserver_tmpfs))
-(typeattributeset cgroup_30_0 (cgroup))
-(typeattributeset cgroup_bpf_30_0 (cgroup_bpf))
-(typeattributeset cgroup_desc_file_30_0 (cgroup_desc_file))
-(typeattributeset cgroup_rc_file_30_0 (cgroup_rc_file))
-(typeattributeset charger_30_0 (charger))
-(typeattributeset charger_exec_30_0 (charger_exec))
-(typeattributeset charger_prop_30_0 (charger_prop))
-(typeattributeset clipboard_service_30_0 (clipboard_service))
-(typeattributeset cold_boot_done_prop_30_0 (cold_boot_done_prop))
-(typeattributeset color_display_service_30_0 (color_display_service))
-(typeattributeset companion_device_service_30_0 (companion_device_service))
-(typeattributeset config_prop_30_0 (config_prop))
-(typeattributeset configfs_30_0 (configfs))
-(typeattributeset connectivity_service_30_0 (connectivity_service))
-(typeattributeset connmetrics_service_30_0 (connmetrics_service))
-(typeattributeset console_device_30_0 (console_device))
-(typeattributeset consumer_ir_service_30_0 (consumer_ir_service))
-(typeattributeset content_capture_service_30_0 (content_capture_service))
-(typeattributeset content_service_30_0 (content_service))
-(typeattributeset content_suggestions_service_30_0 (content_suggestions_service))
-(typeattributeset contexthub_service_30_0 (contexthub_service))
-(typeattributeset coredump_file_30_0 (coredump_file))
-(typeattributeset country_detector_service_30_0 (country_detector_service))
-(typeattributeset coverage_service_30_0 (coverage_service))
-(typeattributeset cppreopt_prop_30_0 (cppreopt_prop))
-(typeattributeset cpu_variant_prop_30_0 (cpu_variant_prop))
-(typeattributeset cpuinfo_service_30_0 (cpuinfo_service))
-(typeattributeset crash_dump_30_0 (crash_dump))
-(typeattributeset crash_dump_exec_30_0 (crash_dump_exec))
-(typeattributeset credstore_30_0 (credstore))
-(typeattributeset credstore_data_file_30_0 (credstore_data_file))
-(typeattributeset credstore_exec_30_0 (credstore_exec))
-(typeattributeset credstore_service_30_0 (credstore_service))
-(typeattributeset crossprofileapps_service_30_0 (crossprofileapps_service))
-(typeattributeset ctl_adbd_prop_30_0 (ctl_adbd_prop))
-(typeattributeset ctl_apexd_prop_30_0 (ctl_apexd_prop))
-(typeattributeset ctl_bootanim_prop_30_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_30_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_30_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_30_0 (ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_30_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_30_0 (ctl_fuse_prop))
-(typeattributeset ctl_gsid_prop_30_0 (ctl_gsid_prop))
-(typeattributeset ctl_interface_restart_prop_30_0 (ctl_interface_restart_prop))
-(typeattributeset ctl_interface_start_prop_30_0 (ctl_interface_start_prop))
-(typeattributeset ctl_interface_stop_prop_30_0 (ctl_interface_stop_prop))
-(typeattributeset ctl_mdnsd_prop_30_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_restart_prop_30_0 (ctl_restart_prop))
-(typeattributeset ctl_rildaemon_prop_30_0 (ctl_rildaemon_prop))
-(typeattributeset ctl_sigstop_prop_30_0 (ctl_sigstop_prop))
-(typeattributeset ctl_start_prop_30_0 (ctl_start_prop))
-(typeattributeset ctl_stop_prop_30_0 (ctl_stop_prop))
-(typeattributeset dalvik_prop_30_0 (dalvik_prop))
-(typeattributeset dalvikcache_data_file_30_0 (dalvikcache_data_file))
-(typeattributeset dataloader_manager_service_30_0 (dataloader_manager_service))
-(typeattributeset dbinfo_service_30_0 (dbinfo_service))
-(typeattributeset debug_prop_30_0 (debug_prop))
-(typeattributeset debugfs_30_0 (debugfs))
-(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
- debugfs_tracing_printk_formats))
-(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
-(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_30_0 (debuggerd_prop))
-(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
-(typeattributeset default_android_service_30_0 (default_android_service))
-(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (
- default_prop
- audio_config_prop
- build_config_prop
- suspend_prop
- init_service_status_private_prop
- setupwizard_prop
- sqlite_log_prop
- verity_status_prop
- zygote_wrap_prop
-))
-(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
-(typeattributeset device_30_0 (device))
-(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
-(typeattributeset device_config_boot_count_prop_30_0 (device_config_boot_count_prop))
-(typeattributeset device_config_configuration_prop_30_0 (device_config_configuration_prop))
-(typeattributeset device_config_input_native_boot_prop_30_0 (device_config_input_native_boot_prop))
-(typeattributeset device_config_media_native_prop_30_0 (device_config_media_native_prop))
-(typeattributeset device_config_netd_native_prop_30_0 (device_config_netd_native_prop))
-(typeattributeset device_config_reset_performed_prop_30_0 (device_config_reset_performed_prop))
-(typeattributeset device_config_runtime_native_boot_prop_30_0 (device_config_runtime_native_boot_prop))
-(typeattributeset device_config_runtime_native_prop_30_0 (device_config_runtime_native_prop))
-(typeattributeset device_config_service_30_0 (device_config_service))
-(typeattributeset device_config_storage_native_boot_prop_30_0 (device_config_storage_native_boot_prop))
-(typeattributeset device_config_sys_traced_prop_30_0 (device_config_sys_traced_prop))
-(typeattributeset device_config_window_manager_native_boot_prop_30_0 (device_config_window_manager_native_boot_prop))
-(typeattributeset device_identifiers_service_30_0 (device_identifiers_service))
-(typeattributeset device_logging_prop_30_0 (device_logging_prop))
-(typeattributeset device_policy_service_30_0 (device_policy_service))
-(typeattributeset deviceidle_service_30_0 (deviceidle_service))
-(typeattributeset devicestoragemonitor_service_30_0 (devicestoragemonitor_service))
-(typeattributeset devpts_30_0 (devpts))
-(typeattributeset dhcp_30_0 (dhcp))
-(typeattributeset dhcp_data_file_30_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_30_0 (dhcp_exec))
-(typeattributeset dhcp_prop_30_0 (dhcp_prop))
-(typeattributeset diskstats_service_30_0 (diskstats_service))
-(typeattributeset display_service_30_0 (display_service))
-(typeattributeset dm_device_30_0 (dm_device))
-(typeattributeset dnsmasq_30_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_30_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_30_0 (dnsproxyd_socket))
-(typeattributeset dnsresolver_service_30_0 (dnsresolver_service))
-(typeattributeset dreams_service_30_0 (dreams_service))
-(typeattributeset drm_data_file_30_0 (drm_data_file))
-(typeattributeset drmserver_30_0 (drmserver))
-(typeattributeset drmserver_exec_30_0 (drmserver_exec))
-(typeattributeset drmserver_service_30_0 (drmserver_service))
-(typeattributeset drmserver_socket_30_0 (drmserver_socket))
-(typeattributeset dropbox_data_file_30_0 (dropbox_data_file))
-(typeattributeset dropbox_service_30_0 (dropbox_service))
-(typeattributeset dumpstate_30_0 (dumpstate))
-(typeattributeset dumpstate_exec_30_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_30_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_30_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_30_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_30_0 (dumpstate_socket))
-(typeattributeset dynamic_system_prop_30_0 (dynamic_system_prop))
-(typeattributeset e2fs_30_0 (e2fs))
-(typeattributeset e2fs_exec_30_0 (e2fs_exec))
-(typeattributeset efs_file_30_0 (efs_file))
-(typeattributeset emergency_affordance_service_30_0 (emergency_affordance_service))
-(typeattributeset ephemeral_app_30_0 (ephemeral_app))
-(typeattributeset ethernet_service_30_0 (ethernet_service))
-(typeattributeset exfat_30_0 (exfat))
-(typeattributeset exported2_config_prop_30_0 (exported2_config_prop systemsound_config_prop))
-(typeattributeset exported2_default_prop_30_0
- ( exported2_default_prop
- aac_drc_prop
- bootloader_prop
- build_prop
- hal_instrumentation_prop
- init_service_status_prop
- libc_debug_prop
- property_service_version_prop))
-(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_30_0
- ( exported2_system_prop
- dalvik_runtime_prop
- surfaceflinger_color_prop
- zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0
- ( exported2_vold_prop
- vold_config_prop
- vold_post_fs_data_prop))
-(typeattributeset exported3_default_prop_30_0
- ( exported3_default_prop
- camera_calibration_prop
- camera_config_prop
- charger_config_prop
- drm_service_config_prop
- hdmi_config_prop
- keyguard_config_prop
- lmkd_config_prop
- media_config_prop
- mediadrm_config_prop
- oem_unlock_prop
- packagemanager_config_prop
- recovery_config_prop
- sendbug_config_prop
- storagemanager_config_prop
- telephony_config_prop
- tombstone_config_prop
- vts_status_prop
- wifi_config_prop
- zram_config_prop))
-(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
-(typeattributeset exported3_system_prop_30_0
- ( exported3_system_prop
- boot_status_prop
- provisioned_prop
- retaildemo_prop))
-(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
-(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
-(typeattributeset exported_camera_prop_30_0 (exported_camera_prop))
-(typeattributeset exported_config_prop_30_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop))
-(typeattributeset exported_default_prop_30_0
- ( exported_default_prop
- aaudio_config_prop
- build_bootimage_prop
- build_odm_prop
- build_vendor_prop
- surfaceflinger_prop
- vts_config_prop))
-(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
-(typeattributeset exported_ffs_prop_30_0
- ( exported_ffs_prop
- ffs_config_prop
- ffs_control_prop))
-(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop fingerprint_prop))
-(typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop))
-(typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
-(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
-(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
-
-(typeattributeset exported_system_radio_prop_30_0
- ( exported_system_radio_prop
- usb_config_prop
- usb_control_prop))
-(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
-(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
-(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
-(typeattributeset face_service_30_0 (face_service))
-(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
-(typeattributeset fastbootd_30_0 (fastbootd))
-(typeattributeset ffs_prop_30_0 (ffs_prop))
-(typeattributeset file_contexts_file_30_0 (file_contexts_file))
-(typeattributeset file_integrity_service_30_0 (file_integrity_service))
-(typeattributeset fingerprint_service_30_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file))
-(typeattributeset fingerprintd_30_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_30_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_30_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_30_0 (fingerprintd_service))
-(typeattributeset firstboot_prop_30_0 (firstboot_prop))
-(typeattributeset flags_health_check_30_0 (flags_health_check))
-(typeattributeset flags_health_check_exec_30_0 (flags_health_check_exec))
-(typeattributeset font_service_30_0 (font_service))
-(typeattributeset frp_block_device_30_0 (frp_block_device))
-(typeattributeset fs_bpf_30_0 (fs_bpf))
-(typeattributeset fsck_30_0 (fsck))
-(typeattributeset fsck_exec_30_0 (fsck_exec))
-(typeattributeset fsck_untrusted_30_0 (fsck_untrusted))
-(typeattributeset fscklogs_30_0 (fscklogs))
-(typeattributeset functionfs_30_0 (functionfs))
-(typeattributeset fuse_30_0 (fuse))
-(typeattributeset fuse_device_30_0 (fuse_device))
-(typeattributeset fwk_automotive_display_hwservice_30_0 (fwk_automotive_display_hwservice))
-(typeattributeset fwk_bufferhub_hwservice_30_0 (fwk_bufferhub_hwservice))
-(typeattributeset fwk_camera_hwservice_30_0 (fwk_camera_hwservice))
-(typeattributeset fwk_display_hwservice_30_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_30_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_30_0 (fwk_sensor_hwservice))
-(typeattributeset fwk_stats_hwservice_30_0 (fwk_stats_hwservice))
-(typeattributeset fwmarkd_socket_30_0 (fwmarkd_socket))
-(typeattributeset gatekeeper_data_file_30_0 (gatekeeper_data_file))
-(typeattributeset gatekeeper_service_30_0 (gatekeeper_service))
-(typeattributeset gatekeeperd_30_0 (gatekeeperd))
-(typeattributeset gatekeeperd_exec_30_0 (gatekeeperd_exec))
-(typeattributeset gfxinfo_service_30_0 (gfxinfo_service))
-(typeattributeset gmscore_app_30_0 (gmscore_app))
-(typeattributeset gps_control_30_0 (gps_control))
-(typeattributeset gpu_device_30_0 (gpu_device))
-(typeattributeset gpu_service_30_0 (gpu_service))
-(typeattributeset gpuservice_30_0 (gpuservice))
-(typeattributeset graphics_device_30_0 (graphics_device))
-(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
-(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0
- ( gsi_metadata_file
- gsi_public_metadata_file))
-(typeattributeset gsid_prop_30_0 (gsid_prop))
-(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
-(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
-(typeattributeset hal_audiocontrol_hwservice_30_0 (hal_audiocontrol_hwservice))
-(typeattributeset hal_authsecret_hwservice_30_0 (hal_authsecret_hwservice))
-(typeattributeset hal_bluetooth_hwservice_30_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_30_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_30_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_30_0 (hal_camera_hwservice))
-(typeattributeset hal_can_bus_hwservice_30_0 (hal_can_bus_hwservice))
-(typeattributeset hal_can_controller_hwservice_30_0 (hal_can_controller_hwservice))
-(typeattributeset hal_cas_hwservice_30_0 (hal_cas_hwservice))
-(typeattributeset hal_codec2_hwservice_30_0 (hal_codec2_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_30_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_confirmationui_hwservice_30_0 (hal_confirmationui_hwservice))
-(typeattributeset hal_contexthub_hwservice_30_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_30_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_30_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_evs_hwservice_30_0 (hal_evs_hwservice))
-(typeattributeset hal_face_hwservice_30_0 (hal_face_hwservice))
-(typeattributeset hal_fingerprint_hwservice_30_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_30_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_30_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_30_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_30_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_30_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_composer_server_tmpfs_30_0 (hal_graphics_composer_server_tmpfs))
-(typeattributeset hal_graphics_mapper_hwservice_30_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_30_0 (hal_health_hwservice))
-(typeattributeset hal_health_storage_hwservice_30_0 (hal_health_storage_hwservice))
-(typeattributeset hal_identity_service_30_0 (hal_identity_service))
-(typeattributeset hal_input_classifier_hwservice_30_0 (hal_input_classifier_hwservice))
-(typeattributeset hal_ir_hwservice_30_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_30_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_30_0 (hal_light_hwservice))
-(typeattributeset hal_light_service_30_0 (hal_light_service))
-(typeattributeset hal_lowpan_hwservice_30_0 (hal_lowpan_hwservice))
-(typeattributeset hal_memtrack_hwservice_30_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_30_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_30_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_30_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_30_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_30_0 (hal_power_hwservice))
-(typeattributeset hal_power_service_30_0 (hal_power_service))
-(typeattributeset hal_power_stats_hwservice_30_0 (hal_power_stats_hwservice))
-(typeattributeset hal_rebootescrow_service_30_0 (hal_rebootescrow_service))
-(typeattributeset hal_renderscript_hwservice_30_0 (hal_renderscript_hwservice))
-(typeattributeset hal_secure_element_hwservice_30_0 (hal_secure_element_hwservice))
-(typeattributeset hal_sensors_hwservice_30_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_30_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_30_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_30_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_30_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_30_0 (hal_tv_input_hwservice))
-(typeattributeset hal_tv_tuner_hwservice_30_0 (hal_tv_tuner_hwservice))
-(typeattributeset hal_usb_gadget_hwservice_30_0 (hal_usb_gadget_hwservice))
-(typeattributeset hal_usb_hwservice_30_0 (hal_usb_hwservice))
-(typeattributeset hal_vehicle_hwservice_30_0 (hal_vehicle_hwservice))
-(typeattributeset hal_vibrator_hwservice_30_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vibrator_service_30_0 (hal_vibrator_service))
-(typeattributeset hal_vr_hwservice_30_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_30_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hostapd_hwservice_30_0 (hal_wifi_hostapd_hwservice))
-(typeattributeset hal_wifi_hwservice_30_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_30_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_30_0 (hardware_properties_service))
-(typeattributeset hardware_service_30_0 (hardware_service))
-(typeattributeset hci_attach_dev_30_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_30_0 (hdmi_control_service))
-(typeattributeset healthd_30_0 (healthd))
-(typeattributeset healthd_exec_30_0 (healthd_exec))
-(typeattributeset heapdump_data_file_30_0 (heapdump_data_file))
-(typeattributeset heapprofd_30_0 (heapprofd))
-(typeattributeset heapprofd_enabled_prop_30_0 (heapprofd_enabled_prop))
-(typeattributeset heapprofd_prop_30_0 (heapprofd_prop))
-(typeattributeset heapprofd_socket_30_0 (heapprofd_socket))
-(typeattributeset hidl_allocator_hwservice_30_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_30_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_30_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_30_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_30_0 (hidl_token_hwservice))
-(typeattributeset hw_random_device_30_0 (hw_random_device))
-(typeattributeset hwbinder_device_30_0 (hwbinder_device))
-(typeattributeset hwservice_contexts_file_30_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_30_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_30_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_30_0 (hwservicemanager_prop))
-(typeattributeset icon_file_30_0 (icon_file))
-(typeattributeset idmap_30_0 (idmap))
-(typeattributeset idmap_exec_30_0 (idmap_exec))
-(typeattributeset idmap_service_30_0 (idmap_service))
-(typeattributeset iio_device_30_0 (iio_device))
-(typeattributeset imms_service_30_0 (imms_service))
-(typeattributeset incident_30_0 (incident))
-(typeattributeset incident_data_file_30_0 (incident_data_file))
-(typeattributeset incident_helper_30_0 (incident_helper))
-(typeattributeset incident_service_30_0 (incident_service))
-(typeattributeset incidentd_30_0 (incidentd))
-(typeattributeset incremental_control_file_30_0 (incremental_control_file))
-(typeattributeset incremental_prop_30_0 (incremental_prop))
-(typeattributeset incremental_service_30_0 (incremental_service))
-(typeattributeset init_30_0 (init))
-(typeattributeset init_exec_30_0 (init_exec))
-(typeattributeset init_perf_lsm_hooks_prop_30_0 (init_perf_lsm_hooks_prop))
-(typeattributeset init_svc_debug_prop_30_0 (init_svc_debug_prop))
-(typeattributeset init_tmpfs_30_0 (init_tmpfs))
-(typeattributeset inotify_30_0 (inotify))
-(typeattributeset input_device_30_0 (input_device))
-(typeattributeset input_method_service_30_0 (input_method_service))
-(typeattributeset input_service_30_0 (input_service))
-(typeattributeset inputflinger_30_0 (inputflinger))
-(typeattributeset inputflinger_exec_30_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_30_0 (inputflinger_service))
-(typeattributeset install_data_file_30_0 (install_data_file))
-(typeattributeset installd_30_0 (installd))
-(typeattributeset installd_exec_30_0 (installd_exec))
-(typeattributeset installd_service_30_0 (installd_service))
-(typeattributeset ion_device_30_0 (ion_device))
-(typeattributeset iorap_inode2filename_30_0 (iorap_inode2filename))
-(typeattributeset iorap_inode2filename_exec_30_0 (iorap_inode2filename_exec))
-(typeattributeset iorap_inode2filename_tmpfs_30_0 (iorap_inode2filename_tmpfs))
-(typeattributeset iorap_prefetcherd_30_0 (iorap_prefetcherd))
-(typeattributeset iorap_prefetcherd_exec_30_0 (iorap_prefetcherd_exec))
-(typeattributeset iorap_prefetcherd_tmpfs_30_0 (iorap_prefetcherd_tmpfs))
-(typeattributeset iorapd_30_0 (iorapd))
-(typeattributeset iorapd_data_file_30_0 (iorapd_data_file))
-(typeattributeset iorapd_exec_30_0 (iorapd_exec))
-(typeattributeset iorapd_service_30_0 (iorapd_service))
-(typeattributeset iorapd_tmpfs_30_0 (iorapd_tmpfs))
-(typeattributeset ipsec_service_30_0 (ipsec_service))
-(typeattributeset iris_service_30_0 (iris_service))
-(typeattributeset iris_vendor_data_file_30_0 (iris_vendor_data_file))
-(typeattributeset isolated_app_30_0 (isolated_app))
-(typeattributeset jobscheduler_service_30_0 (jobscheduler_service))
-(typeattributeset kernel_30_0 (kernel))
-(typeattributeset keychain_data_file_30_0 (keychain_data_file))
-(typeattributeset keychord_device_30_0 (keychord_device))
-(typeattributeset keystore_30_0 (keystore))
-(typeattributeset keystore_data_file_30_0 (keystore_data_file))
-(typeattributeset keystore_exec_30_0 (keystore_exec))
-(typeattributeset keystore_service_30_0 (keystore_service))
-(typeattributeset kmsg_debug_device_30_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_30_0 (kmsg_device))
-(typeattributeset labeledfs_30_0 (labeledfs))
-(typeattributeset last_boot_reason_prop_30_0 (last_boot_reason_prop))
-(typeattributeset launcherapps_service_30_0 (launcherapps_service))
-(typeattributeset light_service_30_0 (light_service))
-(typeattributeset linkerconfig_file_30_0 (linkerconfig_file))
-(typeattributeset llkd_30_0 (llkd))
-(typeattributeset llkd_exec_30_0 (llkd_exec))
-(typeattributeset llkd_prop_30_0 (llkd_prop))
-(typeattributeset lmkd_30_0 (lmkd))
-(typeattributeset lmkd_exec_30_0 (lmkd_exec))
-(typeattributeset lmkd_prop_30_0 (lmkd_prop))
-(typeattributeset lmkd_socket_30_0 (lmkd_socket))
-(typeattributeset location_service_30_0 (location_service))
-(typeattributeset lock_settings_service_30_0 (lock_settings_service))
-(typeattributeset log_prop_30_0 (log_prop))
-(typeattributeset log_tag_prop_30_0 (log_tag_prop))
-(typeattributeset logcat_exec_30_0 (logcat_exec))
-(typeattributeset logd_30_0 (logd))
-(typeattributeset logd_exec_30_0 (logd_exec))
-(typeattributeset logd_prop_30_0 (logd_prop))
-(typeattributeset logd_socket_30_0 (logd_socket))
-(typeattributeset logdr_socket_30_0 (logdr_socket))
-(typeattributeset logdw_socket_30_0 (logdw_socket))
-(typeattributeset logpersist_30_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_30_0 (logpersistd_logging_prop))
-(typeattributeset loop_control_device_30_0 (loop_control_device))
-(typeattributeset loop_device_30_0 (loop_device))
-(typeattributeset looper_stats_service_30_0 (looper_stats_service))
-(typeattributeset lowpan_device_30_0 (lowpan_device))
-(typeattributeset lowpan_prop_30_0 (lowpan_prop))
-(typeattributeset lowpan_service_30_0 (lowpan_service))
-(typeattributeset lpdump_service_30_0 (lpdump_service))
-(typeattributeset lpdumpd_prop_30_0 (lpdumpd_prop))
-(typeattributeset mac_perms_file_30_0 (mac_perms_file))
-(typeattributeset mdns_socket_30_0 (mdns_socket))
-(typeattributeset mdnsd_30_0 (mdnsd))
-(typeattributeset mdnsd_socket_30_0 (mdnsd_socket))
-(typeattributeset media_data_file_30_0 (media_data_file))
-(typeattributeset media_projection_service_30_0 (media_projection_service))
-(typeattributeset media_router_service_30_0 (media_router_service))
-(typeattributeset media_rw_data_file_30_0 (media_rw_data_file))
-(typeattributeset media_session_service_30_0 (media_session_service))
-(typeattributeset media_variant_prop_30_0 (media_variant_prop))
-(typeattributeset mediadrmserver_30_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_30_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_30_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_30_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_30_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_30_0 (mediaextractor_service))
-(typeattributeset mediaextractor_tmpfs_30_0 (mediaextractor_tmpfs))
-(typeattributeset mediametrics_30_0 (mediametrics))
-(typeattributeset mediametrics_exec_30_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_30_0 (mediametrics_service))
-(typeattributeset mediaprovider_30_0 (mediaprovider))
-(typeattributeset mediaserver_30_0 (mediaserver))
-(typeattributeset mediaserver_exec_30_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_30_0 (mediaserver_service))
-(typeattributeset mediaserver_tmpfs_30_0 (mediaserver_tmpfs))
-(typeattributeset mediaswcodec_30_0 (mediaswcodec))
-(typeattributeset mediaswcodec_exec_30_0 (mediaswcodec_exec))
-(typeattributeset mediatranscoding_30_0 (mediatranscoding))
-(typeattributeset mediatranscoding_exec_30_0 (mediatranscoding_exec))
-(typeattributeset mediatranscoding_service_30_0 (mediatranscoding_service))
-(typeattributeset meminfo_service_30_0 (meminfo_service))
-(typeattributeset metadata_block_device_30_0 (metadata_block_device))
-(typeattributeset metadata_bootstat_file_30_0 (metadata_bootstat_file))
-(typeattributeset metadata_file_30_0 (metadata_file))
-(typeattributeset method_trace_data_file_30_0 (method_trace_data_file))
-(typeattributeset midi_service_30_0 (midi_service))
-(typeattributeset mirror_data_file_30_0 (mirror_data_file))
-(typeattributeset misc_block_device_30_0 (misc_block_device))
-(typeattributeset misc_logd_file_30_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_30_0 (misc_user_data_file))
-(typeattributeset mmc_prop_30_0 (mmc_prop))
-(typeattributeset mnt_expand_file_30_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_30_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_30_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_pass_through_file_30_0 (mnt_pass_through_file))
-(typeattributeset mnt_product_file_30_0 (mnt_product_file))
-(typeattributeset mnt_sdcard_file_30_0 (mnt_sdcard_file))
-(typeattributeset mnt_user_file_30_0 (mnt_user_file))
-(typeattributeset mnt_vendor_file_30_0 (mnt_vendor_file))
-(typeattributeset mock_ota_prop_30_0 (mock_ota_prop))
-(typeattributeset modprobe_30_0 (modprobe))
-(typeattributeset module_sdkextensions_prop_30_0 (module_sdkextensions_prop))
-(typeattributeset mount_service_30_0 (mount_service))
-(typeattributeset mqueue_30_0 (mqueue))
-(typeattributeset mtp_30_0 (mtp))
-(typeattributeset mtp_device_30_0 (mtp_device))
-(typeattributeset mtp_exec_30_0 (mtp_exec))
-(typeattributeset mtpd_socket_30_0 (mtpd_socket))
-(typeattributeset nativetest_data_file_30_0 (nativetest_data_file))
-(typeattributeset net_data_file_30_0 (net_data_file))
-(typeattributeset net_dns_prop_30_0 (net_dns_prop))
-(typeattributeset net_radio_prop_30_0 (net_radio_prop))
-(typeattributeset netd_30_0 (netd))
-(typeattributeset netd_exec_30_0 (netd_exec))
-(typeattributeset netd_listener_service_30_0 (netd_listener_service))
-(typeattributeset netd_service_30_0 (netd_service))
-(typeattributeset netd_stable_secret_prop_30_0 (netd_stable_secret_prop))
-(typeattributeset netif_30_0 (netif))
-(typeattributeset netpolicy_service_30_0 (netpolicy_service))
-(typeattributeset netstats_service_30_0 (netstats_service))
-(typeattributeset netutils_wrapper_30_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_30_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_30_0 (network_management_service))
-(typeattributeset network_score_service_30_0 (network_score_service))
-(typeattributeset network_stack_30_0 (network_stack))
-(typeattributeset network_stack_service_30_0 (network_stack_service))
-(typeattributeset network_time_update_service_30_0 (network_time_update_service))
-(typeattributeset network_watchlist_data_file_30_0 (network_watchlist_data_file))
-(typeattributeset network_watchlist_service_30_0 (network_watchlist_service))
-(typeattributeset nfc_30_0 (nfc))
-(typeattributeset nfc_data_file_30_0 (nfc_data_file))
-(typeattributeset nfc_device_30_0 (nfc_device))
-(typeattributeset nfc_prop_30_0 (nfc_prop))
-(typeattributeset nfc_service_30_0 (nfc_service))
-(typeattributeset nnapi_ext_deny_product_prop_30_0 (nnapi_ext_deny_product_prop))
-(typeattributeset node_30_0 (node))
-(typeattributeset nonplat_service_contexts_file_30_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_30_0 (notification_service))
-(typeattributeset null_device_30_0 (null_device))
-(typeattributeset oem_lock_service_30_0 (oem_lock_service))
-(typeattributeset oemfs_30_0 (oemfs))
-(typeattributeset ota_data_file_30_0 (ota_data_file))
-(typeattributeset ota_metadata_file_30_0 (ota_metadata_file))
-(typeattributeset ota_package_file_30_0 (ota_package_file))
-(typeattributeset ota_prop_30_0 (ota_prop))
-(typeattributeset otadexopt_service_30_0 (otadexopt_service))
-(typeattributeset overlay_prop_30_0 (overlay_prop))
-(typeattributeset overlay_service_30_0 (overlay_service))
-(typeattributeset overlayfs_file_30_0 (overlayfs_file))
-(typeattributeset owntty_device_30_0 (owntty_device))
-(typeattributeset package_native_service_30_0 (package_native_service))
-(typeattributeset package_service_30_0 (package_service))
-(typeattributeset packages_list_file_30_0 (packages_list_file))
-(typeattributeset pan_result_prop_30_0 (pan_result_prop))
-(typeattributeset password_slot_metadata_file_30_0 (password_slot_metadata_file))
-(typeattributeset pdx_bufferhub_client_channel_socket_30_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_30_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_30_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_30_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_30_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_30_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_30_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_30_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_30_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_30_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_30_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_30_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_30_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_30_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_30_0 (pdx_performance_dir))
-(typeattributeset perfetto_30_0 (perfetto))
-(typeattributeset performanced_30_0 (performanced))
-(typeattributeset performanced_exec_30_0 (performanced_exec))
-(typeattributeset permission_service_30_0 (permission_service))
-(typeattributeset permissionmgr_service_30_0 (permissionmgr_service))
-(typeattributeset persist_debug_prop_30_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_30_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_30_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_30_0 (pinner_service))
-(typeattributeset pipefs_30_0 (pipefs))
-(typeattributeset platform_app_30_0 (platform_app))
-(typeattributeset platform_compat_service_30_0 (platform_compat_service))
-(typeattributeset pm_prop_30_0 (pm_prop))
-(typeattributeset pmsg_device_30_0 (pmsg_device))
-(typeattributeset port_30_0 (port))
-(typeattributeset port_device_30_0 (port_device))
-(typeattributeset postinstall_30_0 (postinstall))
-(typeattributeset postinstall_apex_mnt_dir_30_0 (postinstall_apex_mnt_dir))
-(typeattributeset postinstall_file_30_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_30_0 (postinstall_mnt_dir))
-(typeattributeset power_service_30_0 (power_service))
-(typeattributeset powerctl_prop_30_0 (powerctl_prop))
-(typeattributeset ppp_30_0 (ppp))
-(typeattributeset ppp_device_30_0 (ppp_device))
-(typeattributeset ppp_exec_30_0 (ppp_exec))
-(typeattributeset preloads_data_file_30_0 (preloads_data_file))
-(typeattributeset preloads_media_file_30_0 (preloads_media_file))
-(typeattributeset prereboot_data_file_30_0 (prereboot_data_file))
-(typeattributeset print_service_30_0 (print_service))
-(typeattributeset priv_app_30_0 (priv_app))
-(typeattributeset privapp_data_file_30_0 (privapp_data_file))
-(typeattributeset proc_30_0
- ( proc
- proc_bootconfig))
-(typeattributeset proc_abi_30_0 (proc_abi))
-(typeattributeset proc_asound_30_0 (proc_asound))
-(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
-(typeattributeset proc_buddyinfo_30_0 (proc_buddyinfo))
-(typeattributeset proc_cmdline_30_0 (proc_cmdline))
-(typeattributeset proc_cpuinfo_30_0 (proc_cpuinfo))
-(typeattributeset proc_dirty_30_0 (proc_dirty))
-(typeattributeset proc_diskstats_30_0 (proc_diskstats))
-(typeattributeset proc_drop_caches_30_0 (proc_drop_caches))
-(typeattributeset proc_extra_free_kbytes_30_0 (proc_extra_free_kbytes))
-(typeattributeset proc_filesystems_30_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_30_0 (proc_fs_verity))
-(typeattributeset proc_hostname_30_0 (proc_hostname))
-(typeattributeset proc_hung_task_30_0 (proc_hung_task))
-(typeattributeset proc_interrupts_30_0 (proc_interrupts))
-(typeattributeset proc_iomem_30_0 (proc_iomem))
-(typeattributeset proc_keys_30_0 (proc_keys))
-(typeattributeset proc_kmsg_30_0 (proc_kmsg))
-(typeattributeset proc_kpageflags_30_0 (proc_kpageflags))
-(typeattributeset proc_loadavg_30_0 (proc_loadavg))
-(typeattributeset proc_lowmemorykiller_30_0 (proc_lowmemorykiller))
-(typeattributeset proc_max_map_count_30_0 (proc_max_map_count))
-(typeattributeset proc_meminfo_30_0 (proc_meminfo))
-(typeattributeset proc_min_free_order_shift_30_0 (proc_min_free_order_shift))
-(typeattributeset proc_misc_30_0 (proc_misc))
-(typeattributeset proc_modules_30_0 (proc_modules))
-(typeattributeset proc_mounts_30_0 (proc_mounts))
-(typeattributeset proc_net_30_0 (proc_net))
-(typeattributeset proc_net_tcp_udp_30_0 (proc_net_tcp_udp))
-(typeattributeset proc_overcommit_memory_30_0 (proc_overcommit_memory))
-(typeattributeset proc_page_cluster_30_0 (proc_page_cluster))
-(typeattributeset proc_pagetypeinfo_30_0 (proc_pagetypeinfo))
-(typeattributeset proc_panic_30_0 (proc_panic))
-(typeattributeset proc_perf_30_0 (proc_perf))
-(typeattributeset proc_pid_max_30_0 (proc_pid_max))
-(typeattributeset proc_pipe_conf_30_0 (proc_pipe_conf))
-(typeattributeset proc_pressure_cpu_30_0 (proc_pressure_cpu))
-(typeattributeset proc_pressure_io_30_0 (proc_pressure_io))
-(typeattributeset proc_pressure_mem_30_0 (proc_pressure_mem))
-(typeattributeset proc_qtaguid_ctrl_30_0 (proc_qtaguid_ctrl))
-(typeattributeset proc_qtaguid_stat_30_0 (proc_qtaguid_stat))
-(typeattributeset proc_random_30_0 (proc_random))
-(typeattributeset proc_sched_30_0 (proc_sched))
-(typeattributeset proc_security_30_0 (proc_security))
-(typeattributeset proc_slabinfo_30_0 (proc_slabinfo))
-(typeattributeset proc_stat_30_0 (proc_stat))
-(typeattributeset proc_swaps_30_0 (proc_swaps))
-(typeattributeset proc_sysrq_30_0 (proc_sysrq))
-(typeattributeset proc_timer_30_0 (proc_timer))
-(typeattributeset proc_tty_drivers_30_0 (proc_tty_drivers))
-(typeattributeset proc_uid_concurrent_active_time_30_0 (proc_uid_concurrent_active_time))
-(typeattributeset proc_uid_concurrent_policy_time_30_0 (proc_uid_concurrent_policy_time))
-(typeattributeset proc_uid_cpupower_30_0 (proc_uid_cpupower))
-(typeattributeset proc_uid_cputime_removeuid_30_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_30_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_30_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_30_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_30_0 (proc_uid_time_in_state))
-(typeattributeset proc_uptime_30_0 (proc_uptime))
-(typeattributeset proc_version_30_0 (proc_version))
-(typeattributeset proc_vmallocinfo_30_0 (proc_vmallocinfo))
-(typeattributeset proc_vmstat_30_0 (proc_vmstat))
-(typeattributeset proc_zoneinfo_30_0 (proc_zoneinfo))
-(typeattributeset processinfo_service_30_0 (processinfo_service))
-(typeattributeset procstats_service_30_0 (procstats_service))
-(typeattributeset profman_30_0 (profman))
-(typeattributeset profman_dump_data_file_30_0 (profman_dump_data_file))
-(typeattributeset profman_exec_30_0 (profman_exec))
-(typeattributeset properties_device_30_0 (properties_device))
-(typeattributeset properties_serial_30_0 (properties_serial))
-(typeattributeset property_contexts_file_30_0 (property_contexts_file))
-(typeattributeset property_data_file_30_0 (property_data_file))
-(typeattributeset property_info_30_0 (property_info))
-(typeattributeset property_socket_30_0 (property_socket))
-(typeattributeset pstorefs_30_0 (pstorefs))
-(typeattributeset ptmx_device_30_0 (ptmx_device))
-(typeattributeset qtaguid_device_30_0 (qtaguid_device))
-(typeattributeset racoon_30_0 (racoon))
-(typeattributeset racoon_exec_30_0 (racoon_exec))
-(typeattributeset racoon_socket_30_0 (racoon_socket))
-(typeattributeset radio_30_0 (radio))
-(typeattributeset radio_data_file_30_0 (radio_data_file))
-(typeattributeset radio_device_30_0 (radio_device))
-(typeattributeset radio_prop_30_0 (radio_prop))
-(typeattributeset radio_service_30_0 (radio_service))
-(typeattributeset ram_device_30_0 (ram_device))
-(typeattributeset random_device_30_0 (random_device))
-(typeattributeset rebootescrow_hal_prop_30_0 (rebootescrow_hal_prop))
-(typeattributeset recovery_30_0 (recovery))
-(typeattributeset recovery_block_device_30_0 (recovery_block_device))
-(typeattributeset recovery_data_file_30_0 (recovery_data_file))
-(typeattributeset recovery_persist_30_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_30_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_30_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_30_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_30_0 (recovery_service))
-(typeattributeset recovery_socket_30_0 (recovery_socket))
-(typeattributeset registry_service_30_0 (registry_service))
-(typeattributeset resourcecache_data_file_30_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_30_0 (restorecon_prop))
-(typeattributeset restrictions_service_30_0 (restrictions_service))
-(typeattributeset rild_debug_socket_30_0 (rild_debug_socket))
-(typeattributeset rild_socket_30_0 (rild_socket))
-(typeattributeset ringtone_file_30_0 (ringtone_file))
-(typeattributeset role_service_30_0 (role_service))
-(typeattributeset rollback_service_30_0 (rollback_service))
-(typeattributeset root_block_device_30_0 (root_block_device))
-(typeattributeset rootfs_30_0 (rootfs))
-(typeattributeset rpmsg_device_30_0 (rpmsg_device))
-(typeattributeset rs_30_0 (rs))
-(typeattributeset rs_exec_30_0 (rs_exec))
-(typeattributeset rss_hwm_reset_30_0 (rss_hwm_reset))
-(typeattributeset rtc_device_30_0 (rtc_device))
-(typeattributeset rttmanager_service_30_0 (rttmanager_service))
-(typeattributeset runas_30_0 (runas))
-(typeattributeset runas_app_30_0 (runas_app))
-(typeattributeset runas_exec_30_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_30_0 (runtime_event_log_tags_file))
-(typeattributeset runtime_service_30_0 (runtime_service))
-(typeattributeset safemode_prop_30_0 (safemode_prop))
-(typeattributeset same_process_hal_file_30_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_30_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_30_0 (scheduling_policy_service))
-(typeattributeset sdcard_block_device_30_0 (sdcard_block_device))
-(typeattributeset sdcardd_30_0 (sdcardd))
-(typeattributeset sdcardd_exec_30_0 (sdcardd_exec))
-(typeattributeset sdcardfs_30_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_30_0 (seapp_contexts_file))
-(typeattributeset search_service_30_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_30_0 (sec_key_att_app_id_provider_service))
-(typeattributeset secure_element_30_0 (secure_element))
-(typeattributeset secure_element_device_30_0 (secure_element_device))
-(typeattributeset secure_element_service_30_0 (secure_element_service))
-(typeattributeset securityfs_30_0 (securityfs))
-(typeattributeset selinuxfs_30_0 (selinuxfs))
-(typeattributeset sensor_privacy_service_30_0 (sensor_privacy_service))
-(typeattributeset sensors_device_30_0 (sensors_device))
-(typeattributeset sensorservice_service_30_0 (sensorservice_service))
-(typeattributeset sepolicy_file_30_0 (sepolicy_file))
-(typeattributeset serial_device_30_0 (serial_device))
-(typeattributeset serial_service_30_0 (serial_service))
-(typeattributeset serialno_prop_30_0 (serialno_prop))
-(typeattributeset server_configurable_flags_data_file_30_0 (server_configurable_flags_data_file))
-(typeattributeset service_contexts_file_30_0 (service_contexts_file))
-(typeattributeset service_manager_service_30_0 (service_manager_service))
-(typeattributeset service_manager_vndservice_30_0 (service_manager_vndservice))
-(typeattributeset servicediscovery_service_30_0 (servicediscovery_service))
-(typeattributeset servicemanager_30_0 (servicemanager))
-(typeattributeset servicemanager_exec_30_0 (servicemanager_exec))
-(typeattributeset settings_service_30_0 (settings_service))
-(typeattributeset sgdisk_30_0 (sgdisk))
-(typeattributeset sgdisk_exec_30_0 (sgdisk_exec))
-(typeattributeset shared_relro_30_0 (shared_relro))
-(typeattributeset shared_relro_file_30_0 (shared_relro_file))
-(typeattributeset shell_30_0 (shell))
-(typeattributeset shell_data_file_30_0 (shell_data_file))
-(typeattributeset shell_exec_30_0 (shell_exec))
-(typeattributeset shell_prop_30_0 (shell_prop))
-(typeattributeset shm_30_0 (shm))
-(typeattributeset shortcut_manager_icons_30_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_30_0 (shortcut_service))
-(typeattributeset simpleperf_30_0 (simpleperf))
-(typeattributeset simpleperf_app_runner_30_0 (simpleperf_app_runner))
-(typeattributeset simpleperf_app_runner_exec_30_0 (simpleperf_app_runner_exec))
-(typeattributeset slice_service_30_0 (slice_service))
-(typeattributeset slideshow_30_0 (slideshow))
-(typeattributeset snapshotctl_log_data_file_30_0 (snapshotctl_log_data_file))
-(typeattributeset socket_device_30_0 (socket_device))
-(typeattributeset socket_hook_prop_30_0 (socket_hook_prop))
-(typeattributeset sockfs_30_0 (sockfs))
-(typeattributeset sota_prop_30_0 (sota_prop))
-(typeattributeset soundtrigger_middleware_service_30_0 (soundtrigger_middleware_service))
-(typeattributeset staging_data_file_30_0 (staging_data_file))
-(typeattributeset stats_data_file_30_0 (stats_data_file))
-(typeattributeset statsd_30_0 (statsd))
-(typeattributeset statsd_exec_30_0 (statsd_exec))
-(typeattributeset statsdw_socket_30_0 (statsdw_socket))
-(typeattributeset statusbar_service_30_0 (statusbar_service))
-(typeattributeset storage_config_prop_30_0 (storage_config_prop))
-(typeattributeset storage_file_30_0 (storage_file))
-(typeattributeset storage_stub_file_30_0 (storage_stub_file))
-(typeattributeset storaged_service_30_0 (storaged_service))
-(typeattributeset storagestats_service_30_0 (storagestats_service))
-(typeattributeset su_30_0 (su))
-(typeattributeset su_exec_30_0 (su_exec))
-(typeattributeset super_block_device_30_0 (super_block_device))
-(typeattributeset surfaceflinger_30_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
-(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
-(typeattributeset swap_block_device_30_0 (swap_block_device))
-(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
-(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
-(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
-(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_block_30_0 (sysfs_devices_block))
-(typeattributeset sysfs_devices_system_cpu_30_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_dm_30_0 (sysfs_dm))
-(typeattributeset sysfs_dm_verity_30_0 (sysfs_dm_verity))
-(typeattributeset sysfs_dt_firmware_android_30_0 (sysfs_dt_firmware_android))
-(typeattributeset sysfs_extcon_30_0 (sysfs_extcon))
-(typeattributeset sysfs_fs_ext4_features_30_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_fs_f2fs_30_0 (sysfs_fs_f2fs))
-(typeattributeset sysfs_hwrandom_30_0 (sysfs_hwrandom))
-(typeattributeset sysfs_ion_30_0 (sysfs_ion))
-(typeattributeset sysfs_ipv4_30_0 (sysfs_ipv4))
-(typeattributeset sysfs_kernel_notes_30_0 (sysfs_kernel_notes))
-(typeattributeset sysfs_leds_30_0 (sysfs_leds))
-(typeattributeset sysfs_loop_30_0 (sysfs_loop))
-(typeattributeset sysfs_lowmemorykiller_30_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_net_30_0 (sysfs_net))
-(typeattributeset sysfs_nfc_power_writable_30_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_power_30_0 (sysfs_power))
-(typeattributeset sysfs_rtc_30_0 (sysfs_rtc))
-(typeattributeset sysfs_suspend_stats_30_0 (sysfs_suspend_stats))
-(typeattributeset sysfs_switch_30_0 (sysfs_switch))
-(typeattributeset sysfs_thermal_30_0 (sysfs_thermal))
-(typeattributeset sysfs_transparent_hugepage_30_0 (sysfs_transparent_hugepage))
-(typeattributeset sysfs_uio_30_0 (sysfs_uio))
-(typeattributeset sysfs_usb_30_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_30_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_30_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_30_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wakeup_30_0 (sysfs_wakeup))
-(typeattributeset sysfs_wakeup_reasons_30_0 (sysfs_wakeup_reasons))
-(typeattributeset sysfs_wlan_fwpath_30_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_30_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_30_0 (sysfs_zram_uevent))
-(typeattributeset system_adbd_prop_30_0 (system_adbd_prop))
-(typeattributeset system_app_30_0 (system_app))
-(typeattributeset system_app_data_file_30_0 (system_app_data_file))
-(typeattributeset system_app_service_30_0 (system_app_service))
-(typeattributeset system_asan_options_file_30_0 (system_asan_options_file))
-(typeattributeset system_block_device_30_0 (system_block_device))
-(typeattributeset system_boot_reason_prop_30_0 (system_boot_reason_prop))
-(typeattributeset system_bootstrap_lib_file_30_0 (system_bootstrap_lib_file))
-(typeattributeset system_config_service_30_0 (system_config_service))
-(typeattributeset system_data_file_30_0 (system_data_file))
-(typeattributeset system_data_root_file_30_0 (system_data_root_file))
-(typeattributeset system_event_log_tags_file_30_0 (system_event_log_tags_file))
-(typeattributeset system_file_30_0 (system_file))
-(typeattributeset system_group_file_30_0 (system_group_file))
-(typeattributeset system_jvmti_agent_prop_30_0 (system_jvmti_agent_prop))
-(typeattributeset system_lib_file_30_0 (system_lib_file))
-(typeattributeset system_linker_config_file_30_0 (system_linker_config_file))
-(typeattributeset system_linker_exec_30_0 (system_linker_exec))
-(typeattributeset system_lmk_prop_30_0 (system_lmk_prop))
-(typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice))
-(typeattributeset system_passwd_file_30_0 (system_passwd_file))
-(typeattributeset system_prop_30_0 (system_prop))
-(typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop))
-(typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file))
-(typeattributeset system_security_cacerts_file_30_0 (system_security_cacerts_file))
-(typeattributeset system_server_30_0 (system_server))
-(typeattributeset system_server_tmpfs_30_0 (system_server_tmpfs))
-(typeattributeset system_suspend_control_service_30_0 (system_suspend_control_service))
-(typeattributeset system_suspend_hwservice_30_0 (system_suspend_hwservice))
-(typeattributeset system_trace_prop_30_0 (system_trace_prop))
-(typeattributeset system_unsolzygote_socket_30_0 (system_unsolzygote_socket))
-(typeattributeset system_update_service_30_0 (system_update_service))
-(typeattributeset system_wifi_keystore_hwservice_30_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_30_0 (system_wpa_socket))
-(typeattributeset system_zoneinfo_file_30_0 (system_zoneinfo_file))
-(typeattributeset systemkeys_data_file_30_0 (systemkeys_data_file))
-(typeattributeset task_profiles_file_30_0 (task_profiles_file))
-(typeattributeset task_service_30_0 (task_service))
-(typeattributeset tcpdump_exec_30_0 (tcpdump_exec))
-(typeattributeset tee_30_0 (tee))
-(typeattributeset tee_data_file_30_0 (tee_data_file))
-(typeattributeset tee_device_30_0 (tee_device))
-(typeattributeset telecom_service_30_0 (telecom_service))
-(typeattributeset test_boot_reason_prop_30_0 (test_boot_reason_prop))
-(typeattributeset test_harness_prop_30_0 (test_harness_prop))
-(typeattributeset testharness_service_30_0 (testharness_service))
-(typeattributeset tethering_service_30_0 (tethering_service))
-(typeattributeset textclassification_service_30_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_30_0 (textclassifier_data_file))
-(typeattributeset textservices_service_30_0 (textservices_service))
-(typeattributeset theme_prop_30_0 (theme_prop))
-(typeattributeset thermal_service_30_0 (thermal_service))
-(typeattributeset thermalcallback_hwservice_30_0 (thermalcallback_hwservice))
-(typeattributeset time_prop_30_0 (time_prop))
-(typeattributeset timedetector_service_30_0 (timedetector_service))
-(typeattributeset timezone_service_30_0 (timezone_service))
-(typeattributeset timezonedetector_service_30_0 (timezonedetector_service))
-(typeattributeset tmpfs_30_0 (tmpfs))
-(typeattributeset tombstone_data_file_30_0 (tombstone_data_file))
-(typeattributeset tombstone_wifi_data_file_30_0 (tombstone_wifi_data_file))
-(typeattributeset tombstoned_30_0 (tombstoned))
-(typeattributeset tombstoned_crash_socket_30_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_30_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_30_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_30_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_30_0 (toolbox))
-(typeattributeset toolbox_exec_30_0 (toolbox_exec))
-(typeattributeset trace_data_file_30_0 (trace_data_file))
-(typeattributeset traced_30_0 (traced))
-(typeattributeset traced_consumer_socket_30_0 (traced_consumer_socket))
-(typeattributeset traced_enabled_prop_30_0 (traced_enabled_prop))
-(typeattributeset traced_lazy_prop_30_0 (traced_lazy_prop))
-(typeattributeset traced_perf_30_0 (traced_perf))
-(typeattributeset traced_perf_enabled_prop_30_0 (traced_perf_enabled_prop))
-(typeattributeset traced_perf_socket_30_0 (traced_perf_socket))
-(typeattributeset traced_probes_30_0 (traced_probes))
-(typeattributeset traced_producer_socket_30_0 (traced_producer_socket))
-(typeattributeset traceur_app_30_0 (traceur_app))
-(typeattributeset trust_service_30_0 (trust_service))
-(typeattributeset tty_device_30_0 (tty_device))
-(typeattributeset tun_device_30_0 (tun_device))
-(typeattributeset tv_input_service_30_0 (tv_input_service))
-(typeattributeset tv_tuner_resource_mgr_service_30_0 (tv_tuner_resource_mgr_service))
-(typeattributeset tzdatacheck_30_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_30_0 (tzdatacheck_exec))
-(typeattributeset ueventd_30_0 (ueventd))
-(typeattributeset ueventd_tmpfs_30_0 (ueventd_tmpfs))
-(typeattributeset uhid_device_30_0 (uhid_device))
-(typeattributeset uimode_service_30_0 (uimode_service))
-(typeattributeset uio_device_30_0 (uio_device))
-(typeattributeset uncrypt_30_0 (uncrypt))
-(typeattributeset uncrypt_exec_30_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_30_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_30_0 (unencrypted_data_file))
-(typeattributeset unlabeled_30_0 (unlabeled))
-(typeattributeset untrusted_app_25_30_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_30_0 (untrusted_app_27))
-(typeattributeset untrusted_app_29_30_0 (untrusted_app_29))
-(typeattributeset untrusted_app_30_0 (untrusted_app))
-(typeattributeset update_engine_30_0 (update_engine))
-(typeattributeset update_engine_data_file_30_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_30_0 (update_engine_exec))
-(typeattributeset update_engine_log_data_file_30_0 (update_engine_log_data_file))
-(typeattributeset update_engine_service_30_0 (update_engine_service))
-(typeattributeset update_verifier_30_0 (update_verifier))
-(typeattributeset update_verifier_exec_30_0 (update_verifier_exec))
-(typeattributeset updatelock_service_30_0 (updatelock_service))
-(typeattributeset uri_grants_service_30_0 (uri_grants_service))
-(typeattributeset usagestats_service_30_0 (usagestats_service))
-(typeattributeset usb_device_30_0 (usb_device))
-(typeattributeset usb_serial_device_30_0 (usb_serial_device))
-(typeattributeset usb_service_30_0 (usb_service))
-(typeattributeset usbaccessory_device_30_0 (usbaccessory_device))
-(typeattributeset usbd_30_0 (usbd))
-(typeattributeset usbd_exec_30_0 (usbd_exec))
-(typeattributeset usbfs_30_0 (usbfs))
-(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0
- ( user_profile_data_file
- user_profile_root_file
-))
-(typeattributeset user_service_30_0 (user_service))
-(typeattributeset userdata_block_device_30_0 (userdata_block_device))
-(typeattributeset usermodehelper_30_0 (usermodehelper))
-(typeattributeset userspace_reboot_config_prop_30_0 (userspace_reboot_config_prop))
-(typeattributeset userspace_reboot_exported_prop_30_0 (userspace_reboot_exported_prop))
-(typeattributeset userspace_reboot_log_prop_30_0 (userspace_reboot_log_prop))
-(typeattributeset userspace_reboot_test_prop_30_0 (userspace_reboot_test_prop))
-(typeattributeset vdc_30_0 (vdc))
-(typeattributeset vdc_exec_30_0 (vdc_exec))
-(typeattributeset vehicle_hal_prop_30_0 (vehicle_hal_prop))
-(typeattributeset vendor_apex_file_30_0 (vendor_apex_file))
-(typeattributeset vendor_app_file_30_0 (vendor_app_file))
-(typeattributeset vendor_cgroup_desc_file_30_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_30_0 (vendor_configs_file))
-(typeattributeset vendor_data_file_30_0 (vendor_data_file))
-(typeattributeset vendor_default_prop_30_0 (vendor_default_prop))
-(typeattributeset vendor_file_30_0 (vendor_file))
-(typeattributeset vendor_framework_file_30_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_30_0 (vendor_hal_file))
-(typeattributeset vendor_idc_file_30_0 (vendor_idc_file))
-(typeattributeset vendor_init_30_0 (vendor_init))
-(typeattributeset vendor_keychars_file_30_0 (vendor_keychars_file))
-(typeattributeset vendor_keylayout_file_30_0 (vendor_keylayout_file))
-(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
-(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
-(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0
- ( vendor_public_framework_file
- vendor_public_lib_file))
-(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
-(typeattributeset vendor_shell_30_0 (vendor_shell))
-(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
-(typeattributeset vendor_socket_hook_prop_30_0 (vendor_socket_hook_prop))
-(typeattributeset vendor_task_profiles_file_30_0 (vendor_task_profiles_file))
-(typeattributeset vendor_toolbox_exec_30_0 (vendor_toolbox_exec))
-(typeattributeset vfat_30_0 (vfat))
-(typeattributeset vibrator_service_30_0 (vibrator_service))
-(typeattributeset video_device_30_0 (video_device))
-(typeattributeset virtual_ab_prop_30_0 (virtual_ab_prop))
-(typeattributeset virtual_touchpad_30_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_30_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_30_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_30_0 (vndbinder_device))
-(typeattributeset vndk_prop_30_0 (vndk_prop))
-(typeattributeset vndk_sp_file_30_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_30_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_30_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_30_0 (voiceinteraction_service))
-(typeattributeset vold_30_0 (vold))
-(typeattributeset vold_data_file_30_0 (vold_data_file))
-(typeattributeset vold_device_30_0 (vold_device))
-(typeattributeset vold_exec_30_0 (vold_exec))
-(typeattributeset vold_metadata_file_30_0 (vold_metadata_file))
-(typeattributeset vold_prepare_subdirs_30_0 (vold_prepare_subdirs))
-(typeattributeset vold_prepare_subdirs_exec_30_0 (vold_prepare_subdirs_exec))
-(typeattributeset vold_prop_30_0 (vold_prop))
-(typeattributeset vold_service_30_0 (vold_service))
-(typeattributeset vpn_data_file_30_0 (vpn_data_file))
-(typeattributeset vr_hwc_30_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_30_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_30_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_30_0 (vr_manager_service))
-(typeattributeset vrflinger_vsync_service_30_0 (vrflinger_vsync_service))
-(typeattributeset wallpaper_file_30_0 (wallpaper_file))
-(typeattributeset wallpaper_service_30_0 (wallpaper_service))
-(typeattributeset watchdog_device_30_0 (watchdog_device))
-(typeattributeset watchdogd_30_0 (watchdogd))
-(typeattributeset watchdogd_exec_30_0 (watchdogd_exec))
-(typeattributeset webview_zygote_30_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_30_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_tmpfs_30_0 (webview_zygote_tmpfs))
-(typeattributeset webviewupdate_service_30_0 (webviewupdate_service))
-(typeattributeset wifi_data_file_30_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_30_0 (wifi_log_prop))
-(typeattributeset wifi_prop_30_0 (wifi_prop))
-(typeattributeset wifi_service_30_0 (wifi_service))
-(typeattributeset wifiaware_service_30_0 (wifiaware_service))
-(typeattributeset wificond_30_0 (wificond))
-(typeattributeset wificond_exec_30_0 (wificond_exec))
-(typeattributeset wifinl80211_service_30_0 (wifinl80211_service))
-(typeattributeset wifip2p_service_30_0 (wifip2p_service))
-(typeattributeset wifiscanner_service_30_0 (wifiscanner_service))
-(typeattributeset window_service_30_0 (window_service))
-(typeattributeset wpa_socket_30_0 (wpa_socket))
-(typeattributeset wpantund_30_0 (wpantund))
-(typeattributeset wpantund_exec_30_0 (wpantund_exec))
-(typeattributeset wpantund_service_30_0 (wpantund_service))
-(typeattributeset zero_device_30_0 (zero_device))
-(typeattributeset zoneinfo_data_file_30_0 (zoneinfo_data_file))
-(typeattributeset zygote_30_0 (zygote))
-(typeattributeset zygote_exec_30_0 (zygote_exec))
-(typeattributeset zygote_socket_30_0 (zygote_socket))
-(typeattributeset zygote_tmpfs_30_0 (zygote_tmpfs))
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.compat.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.compat.cil
deleted file mode 100644
index 97c5874..0000000
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.compat.cil
+++ /dev/null
@@ -1,10 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-
-;; TODO: Once 30.0 is no longer supported for vendor images,
-;; mlsvendorcompat can be completely from the system policy.
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil b/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
deleted file mode 100644
index 0c36aed..0000000
--- a/prebuilts/api/31.0/private/compat/30.0/30.0.ignore.cil
+++ /dev/null
@@ -1,154 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- ab_update_gki_prop
- adbd_config_prop
- apc_service
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
- apex_info_file
- apex_ota_reserved_file
- apex_scheduling_data_file
- apexd_config_prop
- app_hibernation_service
- appcompat_data_file
- arm64_memtag_prop
- authorization_service
- bootanim_config_prop
- camera2_extensions_prop
- camerax_extensions_prop
- cgroup_desc_api_file
- cgroup_v2
- codec2_config_prop
- ctl_snapuserd_prop
- dck_prop
- debugfs_kprobes
- debugfs_mm_events_tracing
- debugfs_bootreceiver_tracing
- debugfs_restriction_prop
- device_config_profcollect_native_boot_prop
- device_config_connectivity_prop
- device_config_swcodec_native_prop
- device_state_service
- dm_user_device
- dmabuf_heap_device
- dmabuf_system_heap_device
- dmabuf_system_secure_heap_device
- domain_verification_service
- dumpstate_tmpfs
- framework_watchdog_config_prop
- fs_bpf_tethering
- fwk_stats_service
- game_service
- font_data_file
- gki_apex_prepostinstall
- gki_apex_prepostinstall_exec
- hal_audio_service
- hal_authsecret_service
- hal_audiocontrol_service
- hal_face_service
- hal_fingerprint_service
- hal_health_storage_service
- hal_memtrack_service
- hal_oemlock_service
- hint_service
- gnss_device
- gnss_time_update_service
- hal_dumpstate_config_prop
- hal_gnss_service
- hal_keymint_service
- hal_neuralnetworks_service
- hal_power_stats_service
- hal_remotelyprovisionedcomponent_service
- hal_secureclock_service
- hal_sharedsecret_service
- hal_uwb_service
- hal_weaver_service
- hw_timeout_multiplier_prop
- keystore_compat_hal_service
- keystore_maintenance_service
- keystore_metrics_service
- keystore2_key_contexts_file
- legacy_permission_service
- legacykeystore_service
- location_time_zone_manager_service
- media_communication_service
- media_metrics_service
- mediatuner_exec
- mediatuner_service
- mediatuner
- mediatranscoding_tmpfs
- memtrackproxy_service
- mm_events_config_prop
- music_recognition_service
- nfc_logs_data_file
- odrefresh
- odrefresh_exec
- odsign
- odsign_data_file
- odsign_exec
- pac_proxy_service
- permission_checker_service
- people_service
- persist_vendor_debug_wifi_prop
- postinstall_dexopt_exec
- postinstall_device_mnt_dir
- postinstall_product_mnt_dir
- postinstall_vendor_mnt_dir
- power_debug_prop
- powerstats_service
- proc_kallsyms
- proc_locks
- profcollectd
- profcollectd_data_file
- profcollectd_exec
- profcollectd_node_id_prop
- profcollectd_service
- qemu_hw_prop
- qemu_sf_lcd_density_prop
- radio_core_data_file
- reboot_readiness_service
- remote_prov_app
- remoteprovisioning_service
- resolver_service
- search_ui_service
- shell_test_data_file
- smartspace_service
- snapuserd
- snapuserd_exec
- snapuserd_socket
- soc_prop
- speech_recognition_service
- sysfs_block
- sysfs_devfreq_cur
- sysfs_devfreq_dir
- sysfs_devices_cs_etm
- sysfs_dma_heap
- sysfs_dmabuf_stats
- sysfs_uhid
- system_server_dumper_service
- system_suspend_control_internal_service
- task_profiles_api_file
- texttospeech_service
- translation_service
- update_engine_stable_service
- userdata_sysdev
- userspace_reboot_metadata_file
- uwb_service
- vcn_management_service
- vd_device
- vendor_kernel_modules
- vendor_modprobe
- vibrator_manager_service
- virtualization_service
- vpn_management_service
- watchdog_metadata_file
- wifi_key
- zygote_config_prop
- proc_vendor_sched
- sysfs_vendor_sched))
diff --git a/prebuilts/api/31.0/private/coredomain.te b/prebuilts/api/31.0/private/coredomain.te
deleted file mode 100644
index b7f4f5d..0000000
--- a/prebuilts/api/31.0/private/coredomain.te
+++ /dev/null
@@ -1,246 +0,0 @@
-get_prop(coredomain, boot_status_prop)
-get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
-get_prop(coredomain, dalvik_runtime_prop)
-get_prop(coredomain, exported_pm_prop)
-get_prop(coredomain, ffs_config_prop)
-get_prop(coredomain, graphics_config_prop)
-get_prop(coredomain, hdmi_config_prop)
-get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, lmkd_config_prop)
-get_prop(coredomain, localization_prop)
-get_prop(coredomain, pm_prop)
-get_prop(coredomain, radio_control_prop)
-get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_prop)
-get_prop(coredomain, sqlite_log_prop)
-get_prop(coredomain, storagemanager_config_prop)
-get_prop(coredomain, surfaceflinger_color_prop)
-get_prop(coredomain, systemsound_config_prop)
-get_prop(coredomain, telephony_config_prop)
-get_prop(coredomain, usb_config_prop)
-get_prop(coredomain, usb_control_prop)
-get_prop(coredomain, userspace_reboot_config_prop)
-get_prop(coredomain, vold_config_prop)
-get_prop(coredomain, vts_status_prop)
-get_prop(coredomain, zygote_config_prop)
-get_prop(coredomain, zygote_wrap_prop)
-
-# TODO(b/170590987): remove this after cleaning up default_prop
-get_prop(coredomain, default_prop)
-
-full_treble_only(`
-neverallow {
- coredomain
-
- # for chowning
- -init
-
- # generic access to sysfs_type
- -ueventd
- -vold
-} sysfs_leds:file *;
-')
-
-# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
-full_treble_only(`
- # Limit access to /vendor/app
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- } vendor_app_file:dir { open read getattr search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -dex2oat
- -dexoptanalyzer
- -idmap
- -init
- -installd
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -mediaserver
- } vendor_app_file:file r_file_perms;
-')
-
-full_treble_only(`
- # Limit access to /vendor/overlay
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- } vendor_overlay_file:dir { getattr open read search };
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -idmap
- -init
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -postinstall_dexopt
- -rs # spawned by appdomain, so carryover the exception above
- -system_server
- -traced_perf
- -app_zygote
- -webview_zygote
- -zygote
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- } vendor_overlay_file:file open;
-')
-
-# Core domains are not permitted to use kernel interfaces which are not
-# explicitly labeled.
-# TODO(b/65643247): Apply these neverallow rules to all coredomain.
-full_treble_only(`
- # /proc
- neverallow {
- coredomain
- -init
- -vold
- } proc:file no_rw_file_perms;
-
- # /sys
- neverallow {
- coredomain
- -init
- -ueventd
- -vold
- } sysfs:file no_rw_file_perms;
-
- # /dev
- neverallow {
- coredomain
- -fsck
- -init
- -ueventd
- } device:{ blk_file file } no_rw_file_perms;
-
- # debugfs
- neverallow {
- coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
- } debugfs:file no_rw_file_perms;
-
- # tracefs
- neverallow {
- coredomain
- -atrace
- -dumpstate
- -gpuservice
- -init
- -traced_perf
- -traced_probes
- -shell
- -system_server
- -traceur_app
- userdebug_or_eng(`-profcollectd')
- } debugfs_tracing:file no_rw_file_perms;
-
- # inotifyfs
- neverallow {
- coredomain
- -init
- } inotify:file no_rw_file_perms;
-
- # pstorefs
- neverallow {
- coredomain
- -bootstat
- -charger
- -dumpstate
- -healthd
- userdebug_or_eng(`-incidentd')
- -init
- -logd
- -logpersist
- -recovery_persist
- -recovery_refresh
- -shell
- -system_server
- } pstorefs:file no_rw_file_perms;
-
- # configfs
- neverallow {
- coredomain
- -init
- -system_server
- } configfs:file no_rw_file_perms;
-
- # functionfs
- neverallow {
- coredomain
- -adbd
- -init
- -mediaprovider
- -system_server
- } functionfs:file no_rw_file_perms;
-
- # usbfs and binfmt_miscfs
- neverallow {
- coredomain
- -init
- }{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-
- # dmabuf heaps
- neverallow {
- coredomain
- -init
- -ueventd
- }{
- dmabuf_heap_device_type
- -dmabuf_system_heap_device
- -dmabuf_system_secure_heap_device
- }:chr_file no_rw_file_perms;
-')
-
-# Following /dev nodes must not be directly accessed by coredomain, but should
-# instead be wrapped by HALs.
-neverallow coredomain {
- iio_device
- radio_device
-}:chr_file { open read append write ioctl };
-
-# TODO(b/120243891): HAL permission to tee_device is included into coredomain
-# on non-Treble devices.
-full_treble_only(`
- neverallow coredomain tee_device:chr_file { open read append write ioctl };
-')
diff --git a/prebuilts/api/31.0/private/cppreopts.te b/prebuilts/api/31.0/private/cppreopts.te
deleted file mode 100644
index 1192ba6..0000000
--- a/prebuilts/api/31.0/private/cppreopts.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# cppreopts
-#
-# This command copies preopted files from the system_b partition to the data
-# partition. This domain ensures that we are only copying into specific
-# directories.
-
-type cppreopts, domain, mlstrustedsubject, coredomain;
-type cppreopts_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(cppreopts)
-domain_auto_trans(cppreopts, preopt2cachename_exec, preopt2cachename);
-
-# Allow cppreopts copy files into the dalvik-cache
-allow cppreopts dalvikcache_data_file:dir { add_name remove_name search write };
-allow cppreopts dalvikcache_data_file:file { create getattr open read rename write unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow cppreopts shell_exec:file rx_file_perms;
-
-# Allow us to run find on /postinstall
-allow cppreopts system_file:dir { open read };
-
-# Allow running the cp command using cppreopts permissions. Needed so we can
-# write into dalvik-cache
-allow cppreopts toolbox_exec:file rx_file_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but cppreopts.sh still runs.
-dontaudit cppreopts postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/31.0/private/crash_dump.te b/prebuilts/api/31.0/private/crash_dump.te
deleted file mode 100644
index 9233a4d..0000000
--- a/prebuilts/api/31.0/private/crash_dump.te
+++ /dev/null
@@ -1,62 +0,0 @@
-typeattribute crash_dump coredomain;
-
-# Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump { devpts dev_type }:chr_file { read write };
-
-allow crash_dump {
- domain
- -apexd
- -bpfloader
- -crash_dump
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -ueventd
- -vendor_init
- -vold
-}:process { ptrace signal sigchld sigstop sigkill };
-
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
-userdebug_or_eng(`
- allow crash_dump {
- apexd
- keystore
- llkd
- logd
- vold
- }:process { ptrace signal sigchld sigstop sigkill };
-')
-
-###
-### neverallow assertions
-###
-
-# ptrace neverallow assertions are spread throughout the other policy
-# files, so we avoid adding redundant assertions here
-
-neverallow crash_dump {
- apexd
- userdebug_or_eng(`-apexd')
- bpfloader
- init
- kernel
- keystore
- userdebug_or_eng(`-keystore')
- llkd
- userdebug_or_eng(`-llkd')
- logd
- userdebug_or_eng(`-logd')
- ueventd
- vendor_init
- vold
- userdebug_or_eng(`-vold')
-}:process { signal sigstop sigkill };
-
-neverallow crash_dump self:process ptrace;
-neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/credstore.te b/prebuilts/api/31.0/private/credstore.te
deleted file mode 100644
index 8d87e2f..0000000
--- a/prebuilts/api/31.0/private/credstore.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute credstore coredomain;
-
-init_daemon_domain(credstore)
-
-# talk to Identity Credential
-hal_client_domain(credstore, hal_identity)
diff --git a/prebuilts/api/31.0/private/crosvm.te b/prebuilts/api/31.0/private/crosvm.te
deleted file mode 100644
index 5d7080a..0000000
--- a/prebuilts/api/31.0/private/crosvm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type crosvm, domain, coredomain;
-type crosvm_exec, system_file_type, exec_type, file_type;
-type crosvm_tmpfs, file_type;
-
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from virtmanager.
-allow crosvm virtmanager:fd use;
-
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
-
-# Most other domains shouldn't access /dev/kvm.
-neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/prebuilts/api/31.0/private/derive_classpath.te b/prebuilts/api/31.0/private/derive_classpath.te
deleted file mode 100644
index 2299ba0..0000000
--- a/prebuilts/api/31.0/private/derive_classpath.te
+++ /dev/null
@@ -1,25 +0,0 @@
-
-# Domain for derive_classpath
-type derive_classpath, domain, coredomain;
-type derive_classpath_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(derive_classpath)
-
-# Read /apex
-allow derive_classpath apex_mnt_dir:dir r_dir_perms;
-
-# Create /data/system/environ/classpath file
-allow derive_classpath environ_system_data_file:dir rw_dir_perms;
-allow derive_classpath environ_system_data_file:file create_file_perms;
-
-# b/183079517 fails on gphone targets otherwise
-allow derive_classpath unlabeled:dir search;
-
-# Allow derive_classpath to write the classpath into ota dexopt
-# - Read the ota's apex dir
-allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
-# - Report the BCP to the ota's dexopt
-allow derive_classpath postinstall_dexopt:dir search;
-allow derive_classpath postinstall_dexopt:fd use;
-allow derive_classpath postinstall_dexopt:file read;
-allow derive_classpath postinstall_dexopt:lnk_file read;
-allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/derive_sdk.te b/prebuilts/api/31.0/private/derive_sdk.te
deleted file mode 100644
index 1f60e34..0000000
--- a/prebuilts/api/31.0/private/derive_sdk.te
+++ /dev/null
@@ -1,12 +0,0 @@
-
-# Domain for derive_sdk
-type derive_sdk, domain, coredomain;
-type derive_sdk_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(derive_sdk)
-
-# Read /apex
-allow derive_sdk apex_mnt_dir:dir r_dir_perms;
-
-# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
-set_prop(derive_sdk, module_sdkextensions_prop)
-neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/dex2oat.te b/prebuilts/api/31.0/private/dex2oat.te
deleted file mode 100644
index e7cdd5f..0000000
--- a/prebuilts/api/31.0/private/dex2oat.te
+++ /dev/null
@@ -1,110 +0,0 @@
-# dex2oat
-type dex2oat, domain, coredomain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-userfaultfd_use(dex2oat)
-
-r_dir_file(dex2oat, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dex2oat, vendor_app_file)
-# Access /vendor/framework
-allow dex2oat vendor_framework_file:dir { getattr search };
-allow dex2oat vendor_framework_file:file { getattr open read map };
-
-allow dex2oat tmpfs:file { read getattr map };
-
-r_dir_file(dex2oat, dalvikcache_data_file)
-allow dex2oat dalvikcache_data_file:file write;
-allow dex2oat installd:fd use;
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dex2oat system_file:file lock;
-allow dex2oat postinstall_file:file lock;
-
-# Read already open asec_apk_file file descriptors passed by installd.
-# Also allow reading unlabeled files, to allow for upgrading forward
-# locked APKs.
-allow dex2oat asec_apk_file:file { read map };
-allow dex2oat unlabeled:file { read map };
-allow dex2oat oemfs:file { read map };
-allow dex2oat apk_tmp_file:dir search;
-allow dex2oat apk_tmp_file:file r_file_perms;
-allow dex2oat user_profile_data_file:file { getattr read lock map };
-
-# Allow dex2oat to compile app's secondary dex files which were reported back to
-# the framework.
-allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-
-# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
-allow dex2oat apex_module_data_file:dir search;
-
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
-allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
-
-# Allow dex2oat to write to file descriptors from odrefresh for files
-# in the staging area.
-allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
-allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
-
-# Allow dex2oat to read artifacts from odrefresh.
-allow dex2oat apex_art_data_file:dir r_dir_perms;
-allow dex2oat apex_art_data_file:file r_file_perms;
-
-# Allow dex2oat to read runtime native flag properties.
-get_prop(dex2oat, device_config_runtime_native_prop)
-get_prop(dex2oat, device_config_runtime_native_boot_prop)
-
-# Allow dex2oat to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
-
-##################
-# A/B OTA Dexopt #
-##################
-
-# Allow dex2oat to use file descriptors from otapreopt.
-allow dex2oat postinstall_dexopt:fd use;
-
-# Allow dex2oat to read files under /postinstall (e.g. APKs under /system, /system/bin/linker).
-allow dex2oat postinstall_file:dir r_dir_perms;
-allow dex2oat postinstall_file:filesystem getattr;
-allow dex2oat postinstall_file:lnk_file { getattr read };
-allow dex2oat postinstall_file:file read;
-# Allow dex2oat to use libraries under /postinstall/system (e.g. /system/lib/libc.so).
-# TODO(b/120266448): Remove when Bionic libraries are part of the Runtime APEX.
-allow dex2oat postinstall_file:file { execute getattr open };
-
-# Allow dex2oat access to /postinstall/apex.
-allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
-
-# Allow dex2oat access to files in /data/ota.
-allow dex2oat ota_data_file:dir ra_dir_perms;
-allow dex2oat ota_data_file:file r_file_perms;
-
-# Create and read symlinks in /data/ota/dalvik-cache. This is required for PIC mode boot images,
-# where the oat file is symlinked to the original file in /system.
-allow dex2oat ota_data_file:lnk_file { create read };
-
-# It would be nice to tie this down, but currently, because of how images are written, we can't
-# pass file descriptors for the preopted boot image to dex2oat. So dex2oat needs to be able to
-# create them itself (and make them world-readable).
-allow dex2oat ota_data_file:file { create w_file_perms setattr };
-
-###############
-# APEX Update #
-###############
-
-# /dev/zero is inherited.
-allow dex2oat apexd:fd use;
-
-# Allow dex2oat to use file descriptors from preinstall.
-
-##############
-# Neverallow #
-##############
-
-neverallow dex2oat { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/31.0/private/dexoptanalyzer.te b/prebuilts/api/31.0/private/dexoptanalyzer.te
deleted file mode 100644
index 8eb1d29..0000000
--- a/prebuilts/api/31.0/private/dexoptanalyzer.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# dexoptanalyzer
-type dexoptanalyzer, domain, coredomain, mlstrustedsubject;
-type dexoptanalyzer_exec, system_file_type, exec_type, file_type;
-type dexoptanalyzer_tmpfs, file_type;
-
-r_dir_file(dexoptanalyzer, apk_data_file)
-# Access to /vendor/app
-r_dir_file(dexoptanalyzer, vendor_app_file)
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
-tmpfs_domain(dexoptanalyzer)
-
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
-# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
-# app_data_file the oat file is symlinked to the original file in /system.
-allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
-allow dexoptanalyzer installd:fd use;
-allow dexoptanalyzer installd:fifo_file { getattr write };
-
-# Acquire advisory lock on /system/framework/arm/*
-allow dexoptanalyzer system_file:file lock;
-
-# Allow reading secondary dex files that were reported by the app to the
-# package manager.
-allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
-
-# Allow testing /data/user/0 which symlinks to /data/data
-allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
-
-# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/dhcp.te b/prebuilts/api/31.0/private/dhcp.te
deleted file mode 100644
index 8ec9111..0000000
--- a/prebuilts/api/31.0/private/dhcp.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute dhcp coredomain;
-
-init_daemon_domain(dhcp)
-type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
diff --git a/prebuilts/api/31.0/private/dnsmasq.te b/prebuilts/api/31.0/private/dnsmasq.te
deleted file mode 100644
index 96084b4..0000000
--- a/prebuilts/api/31.0/private/dnsmasq.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute dnsmasq coredomain;
diff --git a/prebuilts/api/31.0/private/domain.te b/prebuilts/api/31.0/private/domain.te
deleted file mode 100644
index b91d36d..0000000
--- a/prebuilts/api/31.0/private/domain.te
+++ /dev/null
@@ -1,541 +0,0 @@
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-# We do not apply this to the su domain to avoid interfering with
-# tests (b/114136122)
-domain_auto_trans({ domain userdebug_or_eng(`-su') }, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
-
-# Allow every process to check the heapprofd.enable properties to determine
-# whether to load the heap profiling library. This does not necessarily enable
-# heap profiling, as initialization will fail if it does not have the
-# necessary SELinux permissions.
-get_prop(domain, heapprofd_prop);
-# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
-})')
-
-# As above, allow perf profiling most processes on debug builds.
-# zygote is excluded as system-wide profiling could end up with it
-# (unexpectedly) holding an open fd across a fork.
-userdebug_or_eng(`can_profile_perf({
- domain
- -bpfloader
- -init
- -kernel
- -keystore
- -llkd
- -logd
- -logpersist
- -recovery
- -recovery_persist
- -recovery_refresh
- -ueventd
- -vendor_init
- -vold
- -zygote
-})')
-
-# Everyone can access the IncFS list of features.
-r_dir_file(domain, sysfs_fs_incfs_features);
-
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup:file w_file_perms;
-
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
-allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
-allow domain vendor_task_profiles_file:file r_file_perms;
-
-# Allow all domains to read sys.use_memfd to determine
-# if memfd support can be used if device supports it
-get_prop(domain, use_memfd_prop);
-
-# Read access to sdkextensions props
-get_prop(domain, module_sdkextensions_prop)
-
-# Read access to bq configuration values
-get_prop(domain, bq_config_prop);
-
-# For now, everyone can access core property files
-# Device specific properties are not granted by default
-not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop(domain, core_property_type)
- get_prop(domain, exported3_system_prop)
- get_prop(domain, vendor_default_prop)
-')
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- get_prop({coredomain appdomain shell}, core_property_type)
- get_prop({coredomain appdomain shell}, exported3_system_prop)
- get_prop({coredomain appdomain shell}, exported_camera_prop)
- get_prop({coredomain shell}, userspace_reboot_exported_prop)
- get_prop({coredomain shell}, userspace_reboot_log_prop)
- get_prop({coredomain shell}, userspace_reboot_test_prop)
- get_prop({domain -coredomain -appdomain}, vendor_default_prop)
-')
-
-# Allow access to fsverity keyring.
-allow domain kernel:key search;
-# Allow access to keys in the fsverity keyring that were installed at boot.
-allow domain fsverity_init:key search;
-# For testing purposes, allow access to keys installed with su.
-userdebug_or_eng(`
- allow domain su:key search;
-')
-
-# Allow access to linkerconfig file
-allow domain linkerconfig_file:dir search;
-allow domain linkerconfig_file:file r_file_perms;
-
-# Allow all processes to check for the existence of the boringssl_self_test_marker files.
-allow domain boringssl_self_test_marker:dir search;
-
-# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
-neverallow {
- domain
- -vold
- userdebug_or_eng(`-llkd')
- -dumpstate
- userdebug_or_eng(`-incidentd')
- userdebug_or_eng(`-profcollectd')
- -storaged
- -system_server
-} self:global_capability_class_set sys_ptrace;
-
-# Limit ability to generate hardware unique device ID attestations to priv_apps
-neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
-neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
-neverallow { domain -system_server } *:keystore2_key use_dev_id;
-neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
-
-neverallow {
- domain
- -init
- -vendor_init
- userdebug_or_eng(`-domain')
-} debugfs_tracing_debug:file no_rw_file_perms;
-
-# System_server owns dropbox data, and init creates/restorecons the directory
-# Disallow direct access by other processes.
-neverallow { domain -init -system_server } dropbox_data_file:dir *;
-neverallow { domain -init -system_server } dropbox_data_file:file ~{ getattr read };
-
-###
-# Services should respect app sandboxes
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-# Only the following processes should be directly accessing private app
-# directories.
-neverallow {
- domain
- -adbd
- -appdomain
- -app_zygote
- -dexoptanalyzer
- -installd
- -iorap_inode2filename
- -iorap_prefetcherd
- -profman
- -rs # spawned by appdomain, so carryover the exception above
- -runas
- -system_server
- -viewcompiler
- -zygote
-} { privapp_data_file app_data_file }:dir *;
-
-# Only apps should be modifying app data. installd is exempted for
-# restorecon and package install/uninstall.
-neverallow {
- domain
- -appdomain
- -installd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:dir ~r_dir_perms;
-
-neverallow {
- domain
- -appdomain
- -app_zygote
- -installd
- -iorap_prefetcherd
- -rs # spawned by appdomain, so carryover the exception above
-} { privapp_data_file app_data_file }:file_class_set open;
-
-neverallow {
- domain
- -appdomain
- -installd # creation of sandbox
-} { privapp_data_file app_data_file }:dir_file_class_set { create unlink };
-
-neverallow {
- domain
- -installd
-} { privapp_data_file app_data_file }:dir_file_class_set { relabelfrom relabelto };
-
-# The staging directory contains APEX and APK files. It is important to ensure
-# that these files cannot be accessed by other domains to ensure that the files
-# do not change between system_server staging the files and apexd processing
-# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
-neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
-# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
-# except for `link` and `unlink`.
-neverallow { domain -init -system_server } staging_data_file:file
- { append create relabelfrom rename setattr write no_x_file_perms };
-
-neverallow {
- domain
- -appdomain # for oemfs
- -bootanim # for oemfs
- -recovery # for /tmp/update_binary in tmpfs
-} { fs_type -rootfs }:file execute;
-
-#
-# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
-# Executable files loaded from /data is a persistence vector
-# we want to avoid. See
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-#
-neverallow {
- domain
- -appdomain
- with_asan(`-asan_extract')
- -iorap_prefetcherd
- -shell
- userdebug_or_eng(`-su')
- -system_server_startup # for memfd backed executable regions
- -app_zygote
- -webview_zygote
- -zygote
- userdebug_or_eng(`-mediaextractor')
- userdebug_or_eng(`-mediaswcodec')
-} {
- file_type
- -system_file_type
- -system_lib_file
- -system_linker_exec
- -vendor_file_type
- -exec_type
- -postinstall_file
-}:file execute;
-
-# Only init is allowed to write cgroup.rc file
-neverallow {
- domain
- -init
- -vendor_init
-} cgroup_rc_file:file no_w_file_perms;
-
-# Only authorized processes should be writing to files in /data/dalvik-cache
-neverallow {
- domain
- -init # TODO: limit init to relabelfrom for files
- -zygote
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -otapreopt_slot
-} dalvikcache_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- -init
- -installd
- -postinstall_dexopt
- -cppreopts
- -dex2oat
- -zygote
- -otapreopt_slot
-} dalvikcache_data_file:dir no_w_dir_perms;
-
-# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
-# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:dir no_w_dir_perms;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
-# Minimize dac_override and dac_read_search.
-# Instead of granting them it is usually better to add the domain to
-# a Unix group or change the permissions of a file.
-define(`dac_override_allowed', `{
- apexd
- dnsmasq
- dumpstate
- init
- installd
- userdebug_or_eng(`llkd')
- lmkd
- migrate_legacy_obb_data
- netd
- postinstall_dexopt
- recovery
- rss_hwm_reset
- sdcardd
- tee
- ueventd
- uncrypt
- vendor_init
- vold
- vold_prepare_subdirs
- zygote
-}')
-neverallow ~dac_override_allowed self:global_capability_class_set dac_override;
-# Since the kernel checks dac_read_search before dac_override, domains that
-# have dac_override should also have dac_read_search to eliminate spurious
-# denials. Some domains have dac_read_search without having dac_override, so
-# this list should be a superset of the one above.
-neverallow ~{
- dac_override_allowed
- iorap_inode2filename
- iorap_prefetcherd
- traced_perf
- traced_probes
- heapprofd
-} self:global_capability_class_set dac_read_search;
-
-# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
-neverallow {
- domain
- -apexd
- recovery_only(`-fastbootd')
- -init
- -kernel
- -otapreopt_chroot
- -recovery
- -update_engine
- -vold
- -zygote
-} { fs_type
- -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
-
-enforce_debugfs_restriction(`
- neverallow {
- domain userdebug_or_eng(`-init')
- } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
-neverallow {
- domain
- userdebug_or_eng(`-domain')
- -kernel
- -gsid
- -init
- -recovery
- -ueventd
- -healthd
- -uncrypt
- -tee
- -hal_bootctl_server
- -fastbootd
-} self:global_capability_class_set sys_rawio;
-
-# Limit directory operations that doesn't need to do app data isolation.
-neverallow {
- domain
- -init
- -installd
- -zygote
-} mirror_data_file:dir *;
-
-# This property is being removed. Remove remaining access.
-neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
-neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
-
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
-# Kprobes should only be used by adb root
-neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
-
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
-# Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
-
-full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-# mlsvendorcompat is only for compatibility support for older vendor
-# images, and should not be granted to any domain in current policy.
-# (Every domain is allowed self:fork, so this will trigger if the
-# intsersection of domain & mlsvendorcompat is not empty.)
-neverallow domain mlsvendorcompat:process fork;
-
-# Only init and otapreopt_chroot should be mounting filesystems on locations
-# labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-
-# Only allow init and vendor_init to read/write mm_events properties
-# NOTE: dumpstate is allowed to read any system property
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
-} mm_events_config_prop:file no_rw_file_perms;
-
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- -vendor_modprobe
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/drmserver.te b/prebuilts/api/31.0/private/drmserver.te
deleted file mode 100644
index 8449c3e..0000000
--- a/prebuilts/api/31.0/private/drmserver.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute drmserver coredomain;
-
-init_daemon_domain(drmserver)
-
-type_transition drmserver apk_data_file:sock_file drmserver_socket;
-
-typeattribute drmserver_socket coredomain_socket;
-
-get_prop(drmserver, drm_service_config_prop)
diff --git a/prebuilts/api/31.0/private/dumpstate.te b/prebuilts/api/31.0/private/dumpstate.te
deleted file mode 100644
index 37a9a0c..0000000
--- a/prebuilts/api/31.0/private/dumpstate.te
+++ /dev/null
@@ -1,115 +0,0 @@
-typeattribute dumpstate coredomain;
-type dumpstate_tmpfs, file_type;
-
-init_daemon_domain(dumpstate)
-
-# Execute and transition to the vdc domain
-domain_auto_trans(dumpstate, vdc_exec, vdc)
-
-# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
-allow dumpstate system_file:file lock;
-
-allow dumpstate storaged_exec:file rx_file_perms;
-
-# /data/misc/a11ytrace for accessibility traces
-userdebug_or_eng(`
- allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
- allow dumpstate accessibility_trace_data_file:file r_file_perms;
-')
-
-# /data/misc/wmtrace for wm traces
-userdebug_or_eng(`
- allow dumpstate wm_trace_data_file:dir r_dir_perms;
- allow dumpstate wm_trace_data_file:file r_file_perms;
-')
-
-# Allow dumpstate to make binder calls to incidentd
-binder_call(dumpstate, incidentd)
-
-# Allow dumpstate to make binder calls to storaged service
-binder_call(dumpstate, storaged)
-
-# Allow dumpstate to make binder calls to statsd
-binder_call(dumpstate, statsd)
-
-# Allow dumpstate to talk to gpuservice over binder
-binder_call(dumpstate, gpuservice);
-
-# Allow dumpstate to talk to idmap over binder
-binder_call(dumpstate, idmap);
-
-# Allow dumpstate to talk to profcollectd over binder
-userdebug_or_eng(`
- binder_call(dumpstate, profcollectd)
-')
-
-# Collect metrics on boot time created by init
-get_prop(dumpstate, boottime_prop)
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- mediatranscoding
- statsd
- netd
-}:process signal;
-
-userdebug_or_eng(`
- allow dumpstate keystore:process signal;
-')
-
-# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
-allow dumpstate dev_type:blk_file getattr;
-allow dumpstate webview_zygote:process signal;
-allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
-dontaudit dumpstate update_engine:binder call;
-
-# Read files in /proc
-allow dumpstate {
- proc_net_tcp_udp
- proc_pid_max
-}:file r_file_perms;
-
-# For comminucating with the system process to do confirmation ui.
-binder_call(dumpstate, incidentcompanion_service)
-
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
-# For dumping dynamic partition information.
-set_prop(dumpstate, lpdumpd_prop)
-binder_call(dumpstate, lpdumpd)
-
-# For dumping device-mapper and snapshot information.
-allow dumpstate gsid_exec:file rx_file_perms;
-set_prop(dumpstate, ctl_gsid_prop)
-binder_call(dumpstate, gsid)
-
-r_dir_file(dumpstate, ota_metadata_file)
-
-# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
-# is being recorded, the command above will serialize it into
-# /data/misc/perfetto-traces/bugreport/*.pftrace .
-domain_auto_trans(dumpstate, perfetto_exec, perfetto)
-allow dumpstate perfetto:process signal;
-allow dumpstate perfetto_traces_data_file:dir { search };
-allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
-# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
-# zip file. These rules are to allow perfetto.te to inherit dumpstate's
-# /dev/null.
-allow perfetto dumpstate_tmpfs:file rw_file_perms;
-allow perfetto dumpstate:fd use;
diff --git a/prebuilts/api/31.0/private/ephemeral_app.te b/prebuilts/api/31.0/private/ephemeral_app.te
deleted file mode 100644
index e004891..0000000
--- a/prebuilts/api/31.0/private/ephemeral_app.te
+++ /dev/null
@@ -1,95 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-typeattribute ephemeral_app coredomain;
-
-net_domain(ephemeral_app)
-app_domain(ephemeral_app)
-
-# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow ephemeral_app privapp_data_file:file { r_file_perms execute };
-allow ephemeral_app app_data_file:file { r_file_perms execute };
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow ephemeral_app privapp_data_file:lnk_file r_file_perms;
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(ephemeral_app, rs_exec, rs)
-
-# Allow loading and deleting shared libraries created by trusted system
-# components within an application home directory.
-allow ephemeral_app app_exec_data_file:file { r_file_perms execute unlink };
-
-# services
-allow ephemeral_app audioserver_service:service_manager find;
-allow ephemeral_app cameraserver_service:service_manager find;
-allow ephemeral_app mediaserver_service:service_manager find;
-allow ephemeral_app mediaextractor_service:service_manager find;
-allow ephemeral_app mediametrics_service:service_manager find;
-allow ephemeral_app mediadrmserver_service:service_manager find;
-allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app radio_service:service_manager find;
-allow ephemeral_app ephemeral_app_api_service:service_manager find;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(ephemeral_app)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(ephemeral_app)
-can_profile_perf(ephemeral_app)
-
-# allow ephemeral apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow ephemeral_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-allow ephemeral_app ashmem_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-neverallow ephemeral_app { app_data_file privapp_data_file }:file execute_no_trans;
-
-# Receive or send uevent messages.
-neverallow ephemeral_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow ephemeral_app domain:netlink_socket *;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow ephemeral_app debugfs:file read;
-
-# execute gpu_device
-neverallow ephemeral_app gpu_device:chr_file execute;
-
-# access files in /sys with the default sysfs label
-neverallow ephemeral_app sysfs:file *;
-
-# Avoid reads from generically labeled /proc files
-# Create a more specific label if needed
-neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
-
-# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
-
-# Avoid reads to proc_net, it contains too much device wide information about
-# ongoing connections.
-neverallow ephemeral_app proc_net:file no_rw_file_perms;
diff --git a/prebuilts/api/31.0/private/fastbootd.te b/prebuilts/api/31.0/private/fastbootd.te
deleted file mode 100644
index 40b3945..0000000
--- a/prebuilts/api/31.0/private/fastbootd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-typeattribute fastbootd coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
- # Set sys.usb.ffs.ready.
- get_prop(fastbootd, ffs_config_prop)
- set_prop(fastbootd, ffs_control_prop)
-
- userdebug_or_eng(`
- get_prop(fastbootd, persistent_properties_ready_prop)
- ')
-
- set_prop(fastbootd, gsid_prop)
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Start snapuserd for merging VABC updates
- set_prop(fastbootd, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow fastbootd snapuserd_socket:sock_file write;
- allow fastbootd snapuserd:unix_stream_socket connectto;
- allow fastbootd dm_user_device:dir r_dir_perms;
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
-
- # Mount /metadata to interact with Virtual A/B snapshots.
- allow fastbootd labeledfs:filesystem { mount unmount };
-
- # Needed for reading boot properties.
- allow fastbootd proc_bootconfig:file r_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/file.te b/prebuilts/api/31.0/private/file.te
deleted file mode 100644
index a024600..0000000
--- a/prebuilts/api/31.0/private/file.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# /proc/config.gz
-type config_gz, fs_type, proc_type;
-
-# /data/misc/storaged
-type storaged_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/wmtrace for wm traces
-type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/a11ytrace for accessibility traces
-type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces for perfetto traces
-type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
-type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-configs for perfetto configs
-type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
-
-# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
-type debugfs_kcov, fs_type, debugfs_type;
-
-# App executable files in /data/data directories
-type app_exec_data_file, file_type, data_file_type, core_data_file_type;
-typealias app_exec_data_file alias rs_data_file;
-
-# /data/misc_[ce|de]/rollback : Used by installd to store snapshots
-# of application data.
-type rollback_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi/ota
-type ota_image_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/gsi_persistent_data
-type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/emergencynumberdb
-type emergency_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/profcollectd
-type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art/staging
-type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/font/files
-type font_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odrefresh
-type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odsign
-type odsign_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/system/environ
-type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-
-# /dev/kvm
-type kvm_device, dev_type;
diff --git a/prebuilts/api/31.0/private/file_contexts b/prebuilts/api/31.0/private/file_contexts
deleted file mode 100644
index 351cd7c..0000000
--- a/prebuilts/api/31.0/private/file_contexts
+++ /dev/null
@@ -1,811 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/adb_keys u:object_r:adb_keys_file:s0
-/build\.prop u:object_r:rootfs:s0
-/default\.prop u:object_r:rootfs:s0
-/fstab\..* u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-/res(/.*)? u:object_r:rootfs:s0
-/selinux_version u:object_r:rootfs:s0
-/ueventd\..* u:object_r:rootfs:s0
-/verity_key u:object_r:rootfs:s0
-
-# Executables
-/init u:object_r:init_exec:s0
-/sbin(/.*)? u:object_r:rootfs:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/acct u:object_r:cgroup:s0
-/config u:object_r:rootfs:s0
-/data_mirror u:object_r:mirror_data_file:s0
-/debug_ramdisk u:object_r:tmpfs:s0
-/mnt u:object_r:tmpfs:s0
-/proc u:object_r:rootfs:s0
-/second_stage_resources u:object_r:tmpfs:s0
-/sys u:object_r:sysfs:s0
-/apex u:object_r:apex_mnt_dir:s0
-
-# Postinstall directories
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
-
-/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
-
-# Symlinks
-/bin u:object_r:rootfs:s0
-/bugreports u:object_r:rootfs:s0
-/charger u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-/sdcard u:object_r:rootfs:s0
-
-# SELinux policy files
-/vendor_file_contexts u:object_r:file_contexts_file:s0
-/nonplat_file_contexts u:object_r:file_contexts_file:s0
-/plat_file_contexts u:object_r:file_contexts_file:s0
-/product_file_contexts u:object_r:file_contexts_file:s0
-/mapping_sepolicy\.cil u:object_r:sepolicy_file:s0
-/nonplat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/plat_property_contexts u:object_r:property_contexts_file:s0
-/product_property_contexts u:object_r:property_contexts_file:s0
-/nonplat_property_contexts u:object_r:property_contexts_file:s0
-/vendor_property_contexts u:object_r:property_contexts_file:s0
-/seapp_contexts u:object_r:seapp_contexts_file:s0
-/nonplat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/vendor_seapp_contexts u:object_r:seapp_contexts_file:s0
-/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/sepolicy u:object_r:sepolicy_file:s0
-/plat_service_contexts u:object_r:service_contexts_file:s0
-/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-# Use nonplat_service_contexts_file to allow servicemanager to read it
-# on non full-treble devices.
-/vendor_service_contexts u:object_r:nonplat_service_contexts_file:s0
-/nonplat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vendor_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/vndservice_contexts u:object_r:vndservice_contexts_file:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/adf[0-9]* u:object_r:graphics_device:s0
-/dev/adf-interface[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/adf-overlay-engine[0-9]*\.[0-9]* u:object_r:graphics_device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/audio.* u:object_r:audio_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
-/dev/block/vold/.+ u:object_r:vold_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/boringssl/selftest(/.*)? u:object_r:boringssl_self_test_marker:s0
-/dev/bus/usb(.*)? u:object_r:usb_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/eac u:object_r:audio_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
-/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/gnss[0-9]+ u:object_r:gnss_device:s0
-/dev/graphics(/.*)? u:object_r:graphics_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/input(/.*)? u:object_r:input_device:s0
-/dev/iio:device[0-9]+ u:object_r:iio_device:s0
-/dev/ion u:object_r:ion_device:s0
-/dev/keychord u:object_r:keychord_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/modem.* u:object_r:radio_device:s0
-/dev/mtp_usb u:object_r:mtp_device:s0
-/dev/pmsg0 u:object_r:pmsg_device:s0
-/dev/pn544 u:object_r:nfc_device:s0
-/dev/port u:object_r:port_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/pvrsrvkm u:object_r:gpu_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/nvhdcp1 u:object_r:video_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
-/dev/rproc_user u:object_r:rpmsg_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/snd(/.*)? u:object_r:audio_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/dnsproxyd u:object_r:dnsproxyd_socket:s0
-/dev/socket/dumpstate u:object_r:dumpstate_socket:s0
-/dev/socket/fwmarkd u:object_r:fwmarkd_socket:s0
-/dev/socket/lmkd u:object_r:lmkd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/statsdw u:object_r:statsdw_socket:s0
-/dev/socket/mdns u:object_r:mdns_socket:s0
-/dev/socket/mdnsd u:object_r:mdnsd_socket:s0
-/dev/socket/mtpd u:object_r:mtpd_socket:s0
-/dev/socket/pdx/system/buffer_hub u:object_r:pdx_bufferhub_dir:s0
-/dev/socket/pdx/system/buffer_hub/client u:object_r:pdx_bufferhub_client_endpoint_socket:s0
-/dev/socket/pdx/system/performance u:object_r:pdx_performance_dir:s0
-/dev/socket/pdx/system/performance/client u:object_r:pdx_performance_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display u:object_r:pdx_display_dir:s0
-/dev/socket/pdx/system/vr/display/client u:object_r:pdx_display_client_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/manager u:object_r:pdx_display_manager_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/screenshot u:object_r:pdx_display_screenshot_endpoint_socket:s0
-/dev/socket/pdx/system/vr/display/vsync u:object_r:pdx_display_vsync_endpoint_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/racoon u:object_r:racoon_socket:s0
-/dev/socket/recovery u:object_r:recovery_socket:s0
-/dev/socket/rild u:object_r:rild_socket:s0
-/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
-/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/socket/traced_consumer u:object_r:traced_consumer_socket:s0
-/dev/socket/traced_perf u:object_r:traced_perf_socket:s0
-/dev/socket/traced_producer u:object_r:traced_producer_socket:s0
-/dev/socket/heapprofd u:object_r:heapprofd_socket:s0
-/dev/socket/uncrypt u:object_r:uncrypt_socket:s0
-/dev/socket/wpa_eth[0-9] u:object_r:wpa_socket:s0
-/dev/socket/wpa_wlan[0-9] u:object_r:wpa_socket:s0
-/dev/socket/zygote u:object_r:zygote_socket:s0
-/dev/socket/zygote_secondary u:object_r:zygote_socket:s0
-/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
-/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
-/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/ttyUSB[0-9]* u:object_r:usb_serial_device:s0
-/dev/ttyACM[0-9]* u:object_r:usb_serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/usb_accessory u:object_r:usbaccessory_device:s0
-/dev/v4l-touch[0-9]* u:object_r:input_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/video[0-9]* u:object_r:video_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/watchdog u:object_r:watchdog_device:s0
-/dev/xt_qtaguid u:object_r:qtaguid_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-/dev/__properties__/property_info u:object_r:property_info:s0
-#############################
-# Linker configuration
-#
-/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/apex/com.android.art u:object_r:art_apex_dir:s0
-/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
-/system/bin/mm_events u:object_r:mm_events_exec:s0
-/system/bin/atrace u:object_r:atrace_exec:s0
-/system/bin/auditctl u:object_r:auditctl_exec:s0
-/system/bin/bcc u:object_r:rs_exec:s0
-/system/bin/blank_screen u:object_r:blank_screen_exec:s0
-/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
-/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
-/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
-/system/bin/mke2fs u:object_r:e2fs_exec:s0
-/system/bin/e2fsck -- u:object_r:fsck_exec:s0
-/system/bin/fsck\.exfat -- u:object_r:fsck_exec:s0
-/system/bin/fsck\.f2fs -- u:object_r:fsck_exec:s0
-/system/bin/init u:object_r:init_exec:s0
-# TODO(/123600489): merge mini-keyctl into toybox
-/system/bin/mini-keyctl -- u:object_r:toolbox_exec:s0
-/system/bin/fsverity_init u:object_r:fsverity_init_exec:s0
-/system/bin/sload_f2fs -- u:object_r:e2fs_exec:s0
-/system/bin/make_f2fs -- u:object_r:e2fs_exec:s0
-/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
-/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
-/system/bin/tune2fs -- u:object_r:fsck_exec:s0
-/system/bin/resize2fs -- u:object_r:fsck_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/ld\.mc u:object_r:rs_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logcatd -- u:object_r:logcat_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/run-as -- u:object_r:runas_exec:s0
-/system/bin/bootanimation u:object_r:bootanim_exec:s0
-/system/bin/bootstat u:object_r:bootstat_exec:s0
-/system/bin/app_process32 u:object_r:zygote_exec:s0
-/system/bin/app_process64 u:object_r:zygote_exec:s0
-/system/bin/servicemanager u:object_r:servicemanager_exec:s0
-/system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
-/system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
-/system/bin/gpuservice u:object_r:gpuservice_exec:s0
-/system/bin/bufferhubd u:object_r:bufferhubd_exec:s0
-/system/bin/performanced u:object_r:performanced_exec:s0
-/system/bin/drmserver u:object_r:drmserver_exec:s0
-/system/bin/dumpstate u:object_r:dumpstate_exec:s0
-/system/bin/incident u:object_r:incident_exec:s0
-/system/bin/incidentd u:object_r:incidentd_exec:s0
-/system/bin/incident_helper u:object_r:incident_helper_exec:s0
-/system/bin/iw u:object_r:iw_exec:s0
-/system/bin/netutils-wrapper-1\.0 u:object_r:netutils_wrapper_exec:s0
-/system/bin/vold u:object_r:vold_exec:s0
-/system/bin/netd u:object_r:netd_exec:s0
-/system/bin/wificond u:object_r:wificond_exec:s0
-/system/bin/audioserver u:object_r:audioserver_exec:s0
-/system/bin/mediadrmserver u:object_r:mediadrmserver_exec:s0
-/system/bin/mediaserver u:object_r:mediaserver_exec:s0
-/system/bin/mediametrics u:object_r:mediametrics_exec:s0
-/system/bin/cameraserver u:object_r:cameraserver_exec:s0
-/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
-/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
-/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
-/system/bin/mediatuner u:object_r:mediatuner_exec:s0
-/system/bin/mdnsd u:object_r:mdnsd_exec:s0
-/system/bin/installd u:object_r:installd_exec:s0
-/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
-/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
-/system/bin/credstore u:object_r:credstore_exec:s0
-/system/bin/keystore u:object_r:keystore_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
-/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
-/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
-/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
-/system/bin/sdcard u:object_r:sdcardd_exec:s0
-/system/bin/snapshotctl u:object_r:snapshotctl_exec:s0
-/system/bin/dhcpcd u:object_r:dhcp_exec:s0
-/system/bin/dhcpcd-6\.8\.2 u:object_r:dhcp_exec:s0
-/system/bin/mtpd u:object_r:mtp_exec:s0
-/system/bin/pppd u:object_r:ppp_exec:s0
-/system/bin/racoon u:object_r:racoon_exec:s0
-/system/xbin/su u:object_r:su_exec:s0
-/system/bin/dnsmasq u:object_r:dnsmasq_exec:s0
-/system/bin/healthd u:object_r:healthd_exec:s0
-/system/bin/clatd u:object_r:clatd_exec:s0
-/system/bin/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/llkd u:object_r:llkd_exec:s0
-/system/bin/lmkd u:object_r:lmkd_exec:s0
-/system/bin/usbd u:object_r:usbd_exec:s0
-/system/bin/inputflinger u:object_r:inputflinger_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/lpdumpd u:object_r:lpdumpd_exec:s0
-/system/bin/rss_hwm_reset u:object_r:rss_hwm_reset_exec:s0
-/system/bin/perfetto u:object_r:perfetto_exec:s0
-/system/bin/traced u:object_r:traced_exec:s0
-/system/bin/traced_perf u:object_r:traced_perf_exec:s0
-/system/bin/traced_probes u:object_r:traced_probes_exec:s0
-/system/bin/heapprofd u:object_r:heapprofd_exec:s0
-/system/bin/uncrypt u:object_r:uncrypt_exec:s0
-/system/bin/update_verifier u:object_r:update_verifier_exec:s0
-/system/bin/logwrapper u:object_r:system_file:s0
-/system/bin/vdc u:object_r:vdc_exec:s0
-/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
-/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
-/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
-/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
-/system/bin/iorapd u:object_r:iorapd_exec:s0
-/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
-/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
-/system/bin/sgdisk u:object_r:sgdisk_exec:s0
-/system/bin/blkid u:object_r:blkid_exec:s0
-/system/bin/tzdatacheck u:object_r:tzdatacheck_exec:s0
-/system/bin/flags_health_check -- u:object_r:flags_health_check_exec:s0
-/system/bin/idmap u:object_r:idmap_exec:s0
-/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
-/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/profcollectd u:object_r:profcollectd_exec:s0
-/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
-/system/bin/storaged u:object_r:storaged_exec:s0
-/system/bin/wpantund u:object_r:wpantund_exec:s0
-/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
-/system/bin/hw/android\.frameworks\.bufferhub@1\.0-service u:object_r:fwk_bufferhub_exec:s0
-/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
-/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
-/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
-/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
-/system/etc/group u:object_r:system_group_file:s0
-/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
-/system/etc/passwd u:object_r:system_passwd_file:s0
-/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
-/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
-/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
-/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
-/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
-/system/bin/adbd u:object_r:adbd_exec:s0
-/system/bin/vold_prepare_subdirs u:object_r:vold_prepare_subdirs_exec:s0
-/system/bin/stats u:object_r:stats_exec:s0
-/system/bin/statsd u:object_r:statsd_exec:s0
-/system/bin/bpfloader u:object_r:bpfloader_exec:s0
-/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
-/system/bin/watchdogd u:object_r:watchdogd_exec:s0
-/system/bin/apexd u:object_r:apexd_exec:s0
-/system/bin/gsid u:object_r:gsid_exec:s0
-/system/bin/simpleperf u:object_r:simpleperf_exec:s0
-/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
-/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
-/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
-/system/bin/snapuserd u:object_r:snapuserd_exec:s0
-/system/bin/odsign u:object_r:odsign_exec:s0
-
-#############################
-# Vendor files
-#
-/(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0
-/(vendor|system/vendor)/bin/sh u:object_r:vendor_shell_exec:s0
-/(vendor|system/vendor)/bin/toybox_vendor u:object_r:vendor_toolbox_exec:s0
-/(vendor|system/vendor)/bin/toolbox u:object_r:vendor_toolbox_exec:s0
-/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
-/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
-
-/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-
-/(vendor|system/vendor)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-
-/(vendor|system/vendor)/manifest\.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/compatibility_matrix\.xml u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-/(vendor|system/vendor)/app(/.*)? u:object_r:vendor_app_file:s0
-/(vendor|system/vendor)/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
-/(vendor|system/vendor)/bin/misc_writer u:object_r:vendor_misc_writer_exec:s0
-/(vendor|system/vendor)/bin/boringssl_self_test(32|64) u:object_r:vendor_boringssl_self_test_exec:s0
-
-# HAL location
-/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-
-/(vendor|system/vendor)/etc/selinux/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
-
-/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
-
-#############################
-# OEM and ODM files
-#
-/(odm|vendor/odm)(/.*)? u:object_r:vendor_file:s0
-/(odm|vendor/odm)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
-/(odm|vendor/odm)/lib(64)?/hw u:object_r:vendor_hal_file:s0
-/(odm|vendor/odm)/lib(64)?/vndk-sp(/.*)? u:object_r:vndk_sp_file:s0
-/(odm|vendor/odm)/bin/sh u:object_r:vendor_shell_exec:s0
-/(odm|vendor/odm)/etc(/.*)? u:object_r:vendor_configs_file:s0
-/(odm|vendor/odm)/app(/.*)? u:object_r:vendor_app_file:s0
-/(odm|vendor/odm)/priv-app(/.*)? u:object_r:vendor_app_file:s0
-/(odm|vendor/odm)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-/(odm|vendor/odm)/framework(/.*)? u:object_r:vendor_framework_file:s0
-
-# Input configuration
-/(odm|vendor/odm|vendor|system/vendor)/usr/keylayout(/.*)?\.kl u:object_r:vendor_keylayout_file:s0
-/(odm|vendor/odm|vendor|system/vendor)/usr/keychars(/.*)?\.kcm u:object_r:vendor_keychars_file:s0
-/(odm|vendor/odm|vendor|system/vendor)/usr/idc(/.*)?\.idc u:object_r:vendor_idc_file:s0
-
-/oem(/.*)? u:object_r:oemfs:s0
-/oem/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-
-# The precompiled monolithic sepolicy will be under /odm only when
-# BOARD_USES_ODMIMAGE is true: a separate odm.img is built.
-/odm/etc/selinux/precompiled_sepolicy u:object_r:sepolicy_file:s0
-/odm/etc/selinux/precompiled_sepolicy\.plat_and_mapping\.sha256 u:object_r:sepolicy_file:s0
-
-/(odm|vendor/odm)/etc/selinux/odm_sepolicy\.cil u:object_r:sepolicy_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_file_contexts u:object_r:file_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
-
-#############################
-# Product files
-#
-/(product|system/product)(/.*)? u:object_r:system_file:s0
-/(product|system/product)/etc/group u:object_r:system_group_file:s0
-/(product|system/product)/etc/passwd u:object_r:system_passwd_file:s0
-/(product|system/product)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-
-/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
-/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
-/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
-/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
-/(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
-
-/(product|system/product)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-
-#############################
-# SystemExt files
-#
-/(system_ext|system/system_ext)(/.*)? u:object_r:system_file:s0
-/(system_ext|system/system_ext)/etc/group u:object_r:system_group_file:s0
-/(system_ext|system/system_ext)/etc/passwd u:object_r:system_passwd_file:s0
-/(system_ext|system/system_ext)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
-
-/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_mac_permissions\.xml u:object_r:mac_perms_file:s0
-
-/(system_ext|system/system_ext)/bin/aidl_lazy_test_server u:object_r:aidl_lazy_test_server_exec:s0
-/(system_ext|system/system_ext)/bin/hidl_lazy_test_server u:object_r:hidl_lazy_test_server_exec:s0
-
-/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-
-#############################
-# VendorDlkm files
-# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
-#
-/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
-
-#############################
-# OdmDlkm files
-# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
-#
-/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
-
-#############################
-# Vendor files from /(product|system/product)/vendor_overlay
-#
-# NOTE: For additional vendor file contexts for vendor overlay files,
-# use device specific file_contexts.
-#
-/(product|system/product)/vendor_overlay/[0-9]+/.* u:object_r:vendor_file:s0
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data u:object_r:system_data_root_file:s0
-/data/(.*)? u:object_r:system_data_file:s0
-/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
-/data/system/packages\.list u:object_r:packages_list_file:s0
-/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
-/data/backup(/.*)? u:object_r:backup_data_file:s0
-/data/secure/backup(/.*)? u:object_r:backup_data_file:s0
-/data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
-/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
-/data/drm(/.*)? u:object_r:drm_data_file:s0
-/data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
-/data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/ota(/.*)? u:object_r:ota_data_file:s0
-/data/ota_package(/.*)? u:object_r:ota_package_file:s0
-/data/adb(/.*)? u:object_r:adb_data_file:s0
-/data/anr(/.*)? u:object_r:anr_data_file:s0
-/data/apex(/.*)? u:object_r:apex_data_file:s0
-/data/apex/active/(.*)? u:object_r:staging_data_file:s0
-/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
-/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
-/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
-/data/app(/.*)? u:object_r:apk_data_file:s0
-# Traditional /data/app/[packageName]-[randomString]/base.apk location
-/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-# /data/app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
-/data/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/data/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
-/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
-/data/gsi(/.*)? u:object_r:gsi_data_file:s0
-/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
-/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
-/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
-/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/media(/.*)? u:object_r:media_rw_data_file:s0
-/data/mediadrm(/.*)? u:object_r:media_data_file:s0
-/data/nativetest(/.*)? u:object_r:nativetest_data_file:s0
-/data/nativetest64(/.*)? u:object_r:nativetest_data_file:s0
-# This directory was removed after Q Beta 2, but we need to preserve labels for upgrading devices.
-/data/pkg_staging(/.*)? u:object_r:staging_data_file:s0
-/data/property(/.*)? u:object_r:property_data_file:s0
-/data/preloads(/.*)? u:object_r:preloads_data_file:s0
-/data/preloads/media(/.*)? u:object_r:preloads_media_file:s0
-/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
-/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
-/data/app-staging(/.*)? u:object_r:staging_data_file:s0
-# Ensure we have the same labels as /data/app or /data/apex/active
-# to avoid restorecon conflicts
-/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
-/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
-/data/fonts/files(/.*)? u:object_r:font_data_file:s0
-
-# Misc data
-/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
-/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
-/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
-/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
-/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
-/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
-/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
-/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
-/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
-/data/misc/bootstat(/.*)? u:object_r:bootstat_data_file:s0
-/data/misc/boottrace(/.*)? u:object_r:boottrace_data_file:s0
-/data/misc/bluetooth(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluetooth/logs(/.*)? u:object_r:bluetooth_logs_data_file:s0
-/data/misc/bluedroid(/.*)? u:object_r:bluetooth_data_file:s0
-/data/misc/bluedroid/\.a2dp_ctrl u:object_r:bluetooth_socket:s0
-/data/misc/bluedroid/\.a2dp_data u:object_r:bluetooth_socket:s0
-/data/misc/camera(/.*)? u:object_r:camera_data_file:s0
-/data/misc/carrierid(/.*)? u:object_r:radio_data_file:s0
-/data/misc/dhcp(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/dhcp-6\.8\.2(/.*)? u:object_r:dhcp_data_file:s0
-/data/misc/emergencynumberdb(/.*)? u:object_r:emergency_data_file:s0
-/data/misc/gatekeeper(/.*)? u:object_r:gatekeeper_data_file:s0
-/data/misc/incidents(/.*)? u:object_r:incident_data_file:s0
-/data/misc/installd(/.*)? u:object_r:install_data_file:s0
-/data/misc/keychain(/.*)? u:object_r:keychain_data_file:s0
-/data/misc/credstore(/.*)? u:object_r:credstore_data_file:s0
-/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
-/data/misc/logd(/.*)? u:object_r:misc_logd_file:s0
-/data/misc/media(/.*)? u:object_r:media_data_file:s0
-/data/misc/net(/.*)? u:object_r:net_data_file:s0
-/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
-/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
-/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
-/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
-/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
-/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
-/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
-/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
-/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
-/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
-/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
-/data/misc/snapshotctl_log(/.*)? u:object_r:snapshotctl_log_data_file:s0
-/data/misc/stats-active-metric(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-data(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-service(/.*)? u:object_r:stats_data_file:s0
-/data/misc/stats-metadata(/.*)? u:object_r:stats_data_file:s0
-/data/misc/systemkeys(/.*)? u:object_r:systemkeys_data_file:s0
-/data/misc/textclassifier(/.*)? u:object_r:textclassifier_data_file:s0
-/data/misc/train-info(/.*)? u:object_r:stats_data_file:s0
-/data/misc/user(/.*)? u:object_r:misc_user_data_file:s0
-/data/misc/vpn(/.*)? u:object_r:vpn_data_file:s0
-/data/misc/wifi(/.*)? u:object_r:wifi_data_file:s0
-/data/misc_ce/[0-9]+/wifi(/.*)? u:object_r:wifi_data_file:s0
-/data/misc/wifi/sockets(/.*)? u:object_r:wpa_socket:s0
-/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
-/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
-/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-/data/misc/update_engine(/.*)? u:object_r:update_engine_data_file:s0
-/data/misc/update_engine_log(/.*)? u:object_r:update_engine_log_data_file:s0
-/data/system/dropbox(/.*)? u:object_r:dropbox_data_file:s0
-/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
-/data/misc/trace(/.*)? u:object_r:method_trace_data_file:s0
-/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
-# TODO(calin) label profile reference differently so that only
-# profman run as a special user can write to them
-/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
-/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
-/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
-/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
-/data/vendor(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_ce(/.*)? u:object_r:vendor_data_file:s0
-/data/vendor_de(/.*)? u:object_r:vendor_data_file:s0
-
-# storaged proto files
-/data/misc_de/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
-/data/misc_ce/[0-9]+/storaged(/.*)? u:object_r:storaged_data_file:s0
-
-# Fingerprint data
-/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
-
-# Fingerprint vendor data file
-/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
-
-# Face vendor data file
-/data/vendor_de/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
-/data/vendor_ce/[0-9]+/facedata(/.*)? u:object_r:face_vendor_data_file:s0
-
-# Iris vendor data file
-/data/vendor_de/[0-9]+/irisdata(/.*)? u:object_r:iris_vendor_data_file:s0
-
-# Bootchart data
-/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
-
-# App data snapshots (managed by installd).
-/data/misc_de/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
-/data/misc_ce/[0-9]+/rollback(/.*)? u:object_r:rollback_data_file:s0
-
-# Apex data directories
-/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
-
-# Apex rollback directories
-/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
-/data/misc_ce/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
-
-# Incremental directories
-/data/incremental(/.*)? u:object_r:apk_data_file:s0
-/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
-/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
-/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
-
-#############################
-# Expanded data files
-#
-/mnt/expand(/.*)? u:object_r:mnt_expand_file:s0
-/mnt/expand/[^/]+(/.*)? u:object_r:system_data_file:s0
-/mnt/expand/[^/]+/app(/.*)? u:object_r:apk_data_file:s0
-/mnt/expand/[^/]+/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-# /mnt/expand/..../app/[randomStringA]/[packageName]-[randomStringB]/base.apk layout
-/mnt/expand/[^/]+/app/[^/]+/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
-/mnt/expand/[^/]+/app/vmdl[^/]+\.tmp/oat(/.*)? u:object_r:dalvikcache_data_file:s0
-/mnt/expand/[^/]+/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/mnt/expand/[^/]+/media(/.*)? u:object_r:media_rw_data_file:s0
-/mnt/expand/[^/]+/misc/vold(/.*)? u:object_r:vold_data_file:s0
-
-# coredump directory for userdebug/eng devices
-/cores(/.*)? u:object_r:coredump_file:s0
-
-# Wallpaper files
-/data/system/users/[0-9]+/wallpaper_lock_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_lock u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper_orig u:object_r:wallpaper_file:s0
-/data/system/users/[0-9]+/wallpaper u:object_r:wallpaper_file:s0
-
-# Ringtone files
-/data/system_de/[0-9]+/ringtones(/.*)? u:object_r:ringtone_file:s0
-
-# ShortcutManager icons, e.g.
-# /data/system_ce/0/shortcut_service/bitmaps/com.example.app/1457472879282.png
-/data/system_ce/[0-9]+/shortcut_service/bitmaps(/.*)? u:object_r:shortcut_manager_icons:s0
-
-# User icon files
-/data/system/users/[0-9]+/photo\.png u:object_r:icon_file:s0
-
-# vold per-user data
-/data/misc_de/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-/data/misc_ce/[0-9]+/vold(/.*)? u:object_r:vold_data_file:s0
-
-# iorapd per-user data
-/data/misc_ce/[0-9]+/iorapd(/.*)? u:object_r:iorapd_data_file:s0
-
-# Backup service persistent per-user bookkeeping
-/data/system_ce/[0-9]+/backup(/.*)? u:object_r:backup_data_file:s0
-# Backup service temporary per-user data for inter-change with apps
-/data/system_ce/[0-9]+/backup_stage(/.*)? u:object_r:backup_data_file:s0
-
-#############################
-# efs files
-#
-/efs(/.*)? u:object_r:efs_file:s0
-
-#############################
-# Cache files
-#
-/cache(/.*)? u:object_r:cache_file:s0
-/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-#############################
-# Overlayfs support directories
-#
-/cache/overlay(/.*)? u:object_r:overlayfs_file:s0
-/mnt/scratch(/.*)? u:object_r:overlayfs_file:s0
-
-/data/cache(/.*)? u:object_r:cache_file:s0
-/data/cache/recovery(/.*)? u:object_r:cache_recovery_file:s0
-# General backup/restore interchange with apps
-/data/cache/backup_stage(/.*)? u:object_r:cache_backup_file:s0
-# LocalTransport (backup) uses this subtree
-/data/cache/backup(/.*)? u:object_r:cache_private_backup_file:s0
-
-#############################
-# Metadata files
-#
-/metadata(/.*)? u:object_r:metadata_file:s0
-/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
-/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
-/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
-/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
-/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
-/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
-/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
-/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
-/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
-/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
-
-#############################
-# asec containers
-/mnt/asec(/.*)? u:object_r:asec_apk_file:s0
-/mnt/asec/[^/]+/[^/]+\.zip u:object_r:asec_public_file:s0
-/mnt/asec/[^/]+/lib(/.*)? u:object_r:asec_public_file:s0
-/data/app-asec(/.*)? u:object_r:asec_image_file:s0
-
-#############################
-# external storage
-/mnt/media_rw(/.*)? u:object_r:mnt_media_rw_file:s0
-/mnt/user(/.*)? u:object_r:mnt_user_file:s0
-/mnt/pass_through(/.*)? u:object_r:mnt_pass_through_file:s0
-/mnt/sdcard u:object_r:mnt_sdcard_file:s0
-/mnt/runtime(/.*)? u:object_r:storage_file:s0
-/storage(/.*)? u:object_r:storage_file:s0
-
-#############################
-# mount point for read-write vendor partitions
-/mnt/vendor(/.*)? u:object_r:mnt_vendor_file:s0
-
-#############################
-# mount point for read-write product partitions
-/mnt/product(/.*)? u:object_r:mnt_product_file:s0
-
-#############################
-# /postinstall file contexts
-/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
-/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
-/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/prebuilts/api/31.0/private/file_contexts_asan b/prebuilts/api/31.0/private/file_contexts_asan
deleted file mode 100644
index fd083c2..0000000
--- a/prebuilts/api/31.0/private/file_contexts_asan
+++ /dev/null
@@ -1,16 +0,0 @@
-/data/asan/system/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/vendor/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/vendor/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/odm/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
-/system/asan.options u:object_r:system_asan_options_file:s0
-/system/bin/asan_extract u:object_r:asan_extract_exec:s0
-/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
-/system/bin/asan/app_process u:object_r:zygote_exec:s0
-/system/bin/asan/app_process32 u:object_r:zygote_exec:s0
-/system/bin/asan/app_process64 u:object_r:zygote_exec:s0
diff --git a/prebuilts/api/31.0/private/file_contexts_overlayfs b/prebuilts/api/31.0/private/file_contexts_overlayfs
deleted file mode 100644
index e472fad..0000000
--- a/prebuilts/api/31.0/private/file_contexts_overlayfs
+++ /dev/null
@@ -1,9 +0,0 @@
-#############################
-# Overlayfs support directories for userdebug/eng devices
-#
-/cache/overlay/(system|product)/upper u:object_r:system_file:s0
-/cache/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
-/cache/overlay/oem/upper u:object_r:vendor_file:s0
-/mnt/scratch/overlay/(system|product)/upper u:object_r:system_file:s0
-/mnt/scratch/overlay/(vendor|odm)/upper u:object_r:vendor_file:s0
-/mnt/scratch/overlay/oem/upper u:object_r:vendor_file:s0
diff --git a/prebuilts/api/31.0/private/fingerprintd.te b/prebuilts/api/31.0/private/fingerprintd.te
deleted file mode 100644
index eb73ef8..0000000
--- a/prebuilts/api/31.0/private/fingerprintd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute fingerprintd coredomain;
-
-init_daemon_domain(fingerprintd)
diff --git a/prebuilts/api/31.0/private/flags_health_check.te b/prebuilts/api/31.0/private/flags_health_check.te
deleted file mode 100644
index 55d1a9a..0000000
--- a/prebuilts/api/31.0/private/flags_health_check.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute flags_health_check coredomain;
-
-init_daemon_domain(flags_health_check)
-
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
-set_prop(flags_health_check, device_config_statsd_native_prop)
-set_prop(flags_health_check, device_config_statsd_native_boot_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_swcodec_native_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-set_prop(flags_health_check, device_config_connectivity_prop)
-
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/fs_use b/prebuilts/api/31.0/private/fs_use
deleted file mode 100644
index 93d7f1b..0000000
--- a/prebuilts/api/31.0/private/fs_use
+++ /dev/null
@@ -1,27 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-fs_use_xattr overlay u:object_r:labeledfs:s0;
-fs_use_xattr erofs u:object_r:labeledfs:s0;
-fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
-fs_use_xattr virtiofs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/prebuilts/api/31.0/private/fsck.te b/prebuilts/api/31.0/private/fsck.te
deleted file mode 100644
index f8e09b6..0000000
--- a/prebuilts/api/31.0/private/fsck.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute fsck coredomain;
-
-init_daemon_domain(fsck)
-
-allow fsck metadata_block_device:blk_file rw_file_perms;
diff --git a/prebuilts/api/31.0/private/fsck_untrusted.te b/prebuilts/api/31.0/private/fsck_untrusted.te
deleted file mode 100644
index 9a57bf0..0000000
--- a/prebuilts/api/31.0/private/fsck_untrusted.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute fsck_untrusted coredomain;
diff --git a/prebuilts/api/31.0/private/fsverity_init.te b/prebuilts/api/31.0/private/fsverity_init.te
deleted file mode 100644
index 42d142f..0000000
--- a/prebuilts/api/31.0/private/fsverity_init.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type fsverity_init, domain, coredomain;
-type fsverity_init_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(fsverity_init)
-
-# Allow to read /proc/keys for searching key id.
-allow fsverity_init proc_keys:file r_file_perms;
-
-# Kernel only prints the keys that can be accessed and only kernel keyring is needed here.
-dontaudit fsverity_init init:key view;
-dontaudit fsverity_init vold:key view;
-allow fsverity_init kernel:key { view search write setattr };
-allow fsverity_init fsverity_init:key { view search write };
-
-# Allow init to write to /proc/sys/fs/verity/require_signatures
-allow fsverity_init proc_fs_verity:file w_file_perms;
-
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
-# When kernel requests an algorithm, the crypto API first looks for an
-# already registered algorithm with that name. If it fails, the kernel creates
-# an implementation of the algorithm from templates.
-dontaudit fsverity_init kernel:system module_request;
diff --git a/prebuilts/api/31.0/private/fwk_bufferhub.te b/prebuilts/api/31.0/private/fwk_bufferhub.te
deleted file mode 100644
index 6b69cca..0000000
--- a/prebuilts/api/31.0/private/fwk_bufferhub.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type fwk_bufferhub, domain, coredomain;
-type fwk_bufferhub_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(fwk_bufferhub, hal_graphics_allocator)
-allow fwk_bufferhub ion_device:chr_file r_file_perms;
-
-hal_server_domain(fwk_bufferhub, hal_bufferhub)
-init_daemon_domain(fwk_bufferhub)
diff --git a/prebuilts/api/31.0/private/gatekeeperd.te b/prebuilts/api/31.0/private/gatekeeperd.te
deleted file mode 100644
index 2fb88a3..0000000
--- a/prebuilts/api/31.0/private/gatekeeperd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute gatekeeperd coredomain;
-
-init_daemon_domain(gatekeeperd)
-
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
diff --git a/prebuilts/api/31.0/private/genfs_contexts b/prebuilts/api/31.0/private/genfs_contexts
deleted file mode 100644
index 13bfb46..0000000
--- a/prebuilts/api/31.0/private/genfs_contexts
+++ /dev/null
@@ -1,381 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /asound u:object_r:proc_asound:s0
-genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
-genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
-genfscon proc /cmdline u:object_r:proc_cmdline:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /diskstats u:object_r:proc_diskstats:s0
-genfscon proc /filesystems u:object_r:proc_filesystems:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
-genfscon proc /keys u:object_r:proc_keys:s0
-genfscon proc /kmsg u:object_r:proc_kmsg:s0
-genfscon proc /loadavg u:object_r:proc_loadavg:s0
-genfscon proc /locks u:object_r:proc_locks:s0
-genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /mounts u:object_r:proc_mounts:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
-genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
-genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
-genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
-genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
-genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /swaps u:object_r:proc_swaps:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
-genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
-genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/random u:object_r:proc_random:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
-genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
-genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
-genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
-genfscon proc /uptime u:object_r:proc_uptime:s0
-genfscon proc /version u:object_r:proc_version:s0
-genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
-genfscon proc /vmstat u:object_r:proc_vmstat:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
-
-genfscon fusectl / u:object_r:fusectlfs:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block u:object_r:sysfs_block:s0
-genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
-genfscon sysfs /class/net u:object_r:sysfs_net:s0
-genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
-genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
-genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
-genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
-genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
-genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
-genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
-genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
-genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
-genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
-genfscon sysfs /power/state u:object_r:sysfs_power:s0
-genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
-genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
-genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
-genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
-genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
-genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
-genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
-genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
-genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
-genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
-genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
-genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
-genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
-genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
-genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
-
-genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
-genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
-genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
-genfscon tracefs /trace u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
-genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
-genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
-genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-
-genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
-genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
-
-genfscon securityfs / u:object_r:securityfs:s0
-
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
-genfscon exfat / u:object_r:exfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon esdfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
-genfscon bpf / u:object_r:fs_bpf:s0
-genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/prebuilts/api/31.0/private/gki_apex_prepostinstall.te b/prebuilts/api/31.0/private/gki_apex_prepostinstall.te
deleted file mode 100644
index 1155389..0000000
--- a/prebuilts/api/31.0/private/gki_apex_prepostinstall.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# GKI pre- & post-install hooks.
-#
-# Allow to run pre- and post-install hooks for GKI APEXes
-
-type gki_apex_prepostinstall, domain, coredomain;
-type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-# Execute /system/bin/sh.
-allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
-
-# Execute various toolsbox utilities.
-allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
-
-# Allow preinstall.sh to execute update_engine_stable_client binary.
-allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
-
-# Allow preinstall hook to communicate with update_engine to execute update.
-binder_use(gki_apex_prepostinstall)
-allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
-binder_call(gki_apex_prepostinstall, update_engine)
-
-# /dev/zero is inherited although it is not used. See b/126787589.
-allow gki_apex_prepostinstall apexd:fd use;
diff --git a/prebuilts/api/31.0/private/gmscore_app.te b/prebuilts/api/31.0/private/gmscore_app.te
deleted file mode 100644
index 571d155..0000000
--- a/prebuilts/api/31.0/private/gmscore_app.te
+++ /dev/null
@@ -1,140 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-typeattribute gmscore_app coredomain;
-
-app_domain(gmscore_app)
-
-allow gmscore_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(gmscore_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(gmscore_app, sysfs_zram)
-
-r_dir_file(gmscore_app, rootfs)
-
-# Allow GMS core to open kernel config for OTA matching through libvintf
-allow gmscore_app config_gz:file { open read getattr };
-
-# Allow GMS core to communicate with update_engine for A/B update.
-binder_call(gmscore_app, update_engine)
-allow gmscore_app update_engine_service:service_manager find;
-
-# Allow GMS core to communicate with dumpsys storaged.
-binder_call(gmscore_app, storaged)
-allow gmscore_app storaged_service:service_manager find;
-
-# Allow GMS core to access system_update_service (e.g. to publish pending
-# system update info).
-allow gmscore_app system_update_service:service_manager find;
-
-# Allow GMS core to communicate with statsd.
-binder_call(gmscore_app, statsd)
-
-# Allow GMS core to generate unique hardware IDs
-allow gmscore_app keystore:keystore_key gen_unique_id;
-allow gmscore_app keystore:keystore2_key gen_unique_id;
-
-# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
-allow gmscore_app selinuxfs:file r_file_perms;
-
-# suppress denials for non-API accesses.
-dontaudit gmscore_app exec_type:file r_file_perms;
-dontaudit gmscore_app device:dir r_dir_perms;
-dontaudit gmscore_app fs_bpf:dir r_dir_perms;
-dontaudit gmscore_app net_dns_prop:file r_file_perms;
-dontaudit gmscore_app proc:file r_file_perms;
-dontaudit gmscore_app proc_interrupts:file r_file_perms;
-dontaudit gmscore_app proc_modules:file r_file_perms;
-dontaudit gmscore_app proc_net:file r_file_perms;
-dontaudit gmscore_app proc_stat:file r_file_perms;
-dontaudit gmscore_app proc_version:file r_file_perms;
-dontaudit gmscore_app sysfs:dir r_dir_perms;
-dontaudit gmscore_app sysfs:file r_file_perms;
-dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
-dontaudit gmscore_app sysfs_dm:file r_file_perms;
-dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
-dontaudit gmscore_app mirror_data_file:dir search;
-dontaudit gmscore_app mnt_vendor_file:dir search;
-
-# Access the network
-net_domain(gmscore_app)
-
-# webview crash handling depends on self ptrace (b/27697529, b/20150694, b/19277529#comment7)
-allow gmscore_app self:process ptrace;
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow gmscore_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow gmscore_app system_linker_exec:file execute_no_trans;
-
-allow gmscore_app privapp_data_file:lnk_file create_file_perms;
-
-# /proc access
-allow gmscore_app proc_vmstat:file r_file_perms;
-
-# Allow interaction with gpuservice
-binder_call(gmscore_app, gpuservice)
-allow gmscore_app gpu_service:service_manager find;
-
-# find services that expose both @SystemAPI and normal APIs.
-allow gmscore_app app_api_service:service_manager find;
-allow gmscore_app system_api_service:service_manager find;
-allow gmscore_app audioserver_service:service_manager find;
-allow gmscore_app cameraserver_service:service_manager find;
-allow gmscore_app drmserver_service:service_manager find;
-allow gmscore_app mediadrmserver_service:service_manager find;
-allow gmscore_app mediaextractor_service:service_manager find;
-allow gmscore_app mediametrics_service:service_manager find;
-allow gmscore_app mediaserver_service:service_manager find;
-allow gmscore_app network_watchlist_service:service_manager find;
-allow gmscore_app nfc_service:service_manager find;
-allow gmscore_app oem_lock_service:service_manager find;
-allow gmscore_app persistent_data_block_service:service_manager find;
-allow gmscore_app radio_service:service_manager find;
-allow gmscore_app recovery_service:service_manager find;
-allow gmscore_app stats_service:service_manager find;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# Write to /cache.
-allow gmscore_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow gmscore_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow gmscore_app cache_file:lnk_file r_file_perms;
-
-# Write to /data/ota_package for OTA packages.
-allow gmscore_app ota_package_file:dir rw_dir_perms;
-allow gmscore_app ota_package_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow gmscore_app shell_data_file:file r_file_perms;
-allow gmscore_app shell_data_file:dir r_dir_perms;
-
-# b/18504118: Allow reads from /data/anr/traces.txt
-allow gmscore_app anr_data_file:file r_file_perms;
-
-# b/148974132: com.android.vending needs this
-allow gmscore_app priv_app:tcp_socket { read write };
-
-# b/168059475 Allow GMSCore to read Virtual AB properties to determine
-# if device supports VAB.
-get_prop(gmscore_app, virtual_ab_prop)
-
-# b/186488185: Allow GMSCore to read dck properties
-get_prop(gmscore_app, dck_prop)
diff --git a/prebuilts/api/31.0/private/gpuservice.te b/prebuilts/api/31.0/private/gpuservice.te
deleted file mode 100644
index 2e4254c..0000000
--- a/prebuilts/api/31.0/private/gpuservice.te
+++ /dev/null
@@ -1,66 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-typeattribute gpuservice coredomain;
-type gpuservice_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(gpuservice)
-
-binder_call(gpuservice, adbd)
-binder_call(gpuservice, shell)
-binder_call(gpuservice, system_server)
-binder_use(gpuservice)
-
-# Access the GPU.
-allow gpuservice gpu_device:chr_file rw_file_perms;
-
-# GPU service will need to load GPU driver, for example Vulkan driver in order
-# to get the capability of the driver.
-allow gpuservice same_process_hal_file:file { open read getattr execute map };
-allow gpuservice ion_device:chr_file r_file_perms;
-get_prop(gpuservice, hwservicemanager_prop)
-hwbinder_use(gpuservice)
-
-# Access /dev/graphics/fb0.
-allow gpuservice graphics_device:dir search;
-allow gpuservice graphics_device:chr_file rw_file_perms;
-
-# Needed for dumpsys pipes.
-allow gpuservice shell:fifo_file write;
-
-# Needed for perfetto producer.
-perfetto_producer(gpuservice)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow gpuservice adbd:unix_stream_socket { read write getattr };
-
-# Needed for interactive shell
-allow gpuservice devpts:chr_file { read write getattr };
-
-# Needed for dumpstate to dumpsys gpu.
-allow gpuservice dumpstate:fd use;
-allow gpuservice dumpstate:fifo_file write;
-
-# Needed for stats callback registration to statsd.
-allow gpuservice stats_service:service_manager find;
-allow gpuservice statsmanager_service:service_manager find;
-# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
-binder_call(gpuservice, statsd);
-
-# Needed for reading tracepoint ids in order to attach bpf programs.
-allow gpuservice debugfs_tracing:file r_file_perms;
-allow gpuservice self:perf_event { cpu kernel open write };
-neverallow gpuservice self:perf_event ~{ cpu kernel open write };
-
-# Needed for interact with bpf fs.
-allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
-
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
-
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
-add_service(gpuservice, gpu_service)
-
-# Only uncomment below line when in development
-# userdebug_or_eng(`permissive gpuservice;')
diff --git a/prebuilts/api/31.0/private/gsid.te b/prebuilts/api/31.0/private/gsid.te
deleted file mode 100644
index 8a13cb1..0000000
--- a/prebuilts/api/31.0/private/gsid.te
+++ /dev/null
@@ -1,200 +0,0 @@
-# gsid - Manager for GSI Installation
-
-type gsid, domain;
-type gsid_exec, exec_type, file_type, system_file_type;
-typeattribute gsid coredomain;
-
-init_daemon_domain(gsid)
-
-binder_use(gsid)
-binder_service(gsid)
-add_service(gsid, gsi_service)
-
-# Manage DSU metadata encryption key through vold.
-allow gsid vold_service:service_manager find;
-binder_call(gsid, vold)
-
-set_prop(gsid, gsid_prop)
-
-# Needed to create/delete device-mapper nodes, and read/write to them.
-allow gsid dm_device:chr_file rw_file_perms;
-allow gsid dm_device:blk_file rw_file_perms;
-allow gsid self:global_capability_class_set sys_admin;
-dontaudit gsid self:global_capability_class_set dac_override;
-
-# On FBE devices (not using dm-default-key), gsid will use loop devices to map
-# images rather than device-mapper.
-allow gsid loop_control_device:chr_file rw_file_perms;
-allow gsid loop_device:blk_file rw_file_perms;
-allowxperm gsid loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# libfiemap_writer uses sysfs to derive the bottom of a device-mapper stacking.
-# This requires traversing /sys/block/dm-N/slaves/* and reading the list of
-# file names.
-r_dir_file(gsid, sysfs_dm)
-
-# libfiemap_writer needs to read /sys/fs/f2fs/<dev>/features to determine
-# whether pin_file support is enabled.
-r_dir_file(gsid, sysfs_fs_f2fs)
-
-# Needed to read fstab, which is used to validate that system verity does not
-# use check_once_at_most for sdcard installs. (Note: proc_cmdline is needed
-# to get the A/B slot suffix).
-allow gsid proc_cmdline:file r_file_perms;
-allow gsid sysfs_dt_firmware_android:dir r_dir_perms;
-allow gsid sysfs_dt_firmware_android:file r_file_perms;
-
-# Needed to stat /data/gsi/* and realpath on /dev/block/by-name/*
-allow gsid block_device:dir r_dir_perms;
-
-# liblp queries these block alignment properties.
-allowxperm gsid { userdata_block_device sdcard_block_device }:blk_file ioctl {
- BLKIOMIN
- BLKALIGNOFF
-};
-
-# When installing images to an sdcard, gsid needs to be able to stat() the
-# block device. gsid also calls realpath() to remove symlinks.
-allow gsid mnt_media_rw_file:dir r_dir_perms;
-allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
-
-# When installing images to an sdcard, gsid must bypass sdcardfs and install
-# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir create_dir_perms;
-allow gsid vfat:file create_file_perms;
-allow gsid sdcard_block_device:blk_file r_file_perms;
-# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
-# requirement, but the kernel does not implement FIEMAP support for VFAT.
-allow gsid self:global_capability_class_set sys_rawio;
-
-# Allow rules for gsi_tool.
-userdebug_or_eng(`
- # gsi_tool passes the system image over the adb connection, via stdin.
- allow gsid adbd:fd use;
- # Needed when running gsi_tool through "su root" rather than adb root.
- allow gsid adbd:unix_stream_socket rw_socket_perms;
- # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
- allow gsid { shell su }:fifo_file r_file_perms;
- # Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
-')
-
-neverallow {
- domain
- -gsid
- -init
- -update_engine_common
- -recovery
- -fastbootd
-} gsid_prop:property_service set;
-
-# gsid needs to store images on /data, but cannot use file I/O. If it did, the
-# underlying blocks would be encrypted, and we couldn't mount the GSI image in
-# first-stage init. So instead of directly writing to /data, we:
-#
-# 1. fallocate a file large enough to hold the signed GSI
-# 2. extract its block layout with FIEMAP
-# 3. create a dm-linear device using the FIEMAP, targeting /dev/block/by-name/userdata
-# 4. write system_gsi into that dm device
-#
-# To make this process work, we need to unwrap the device-mapper stacking for
-# userdata to reach the underlying block device. To verify the result we use
-# stat(), which requires read access.
-allow gsid userdata_block_device:blk_file r_file_perms;
-
-# gsid uses /metadata/gsi to communicate GSI boot information to first-stage
-# init. It cannot use userdata since data cannot be decrypted during this
-# stage.
-#
-# gsid uses /metadata/gsi to store three files:
-# install_status - A short string indicating whether a GSI image is bootable.
-# lp_metadata - LpMetadata blob describing the block ranges on userdata
-# where system_gsi resides.
-# booted - An empty file that, if exists, indicates that a GSI is
-# currently running.
-#
-allow gsid metadata_file:dir { search getattr };
-allow gsid {
- gsi_metadata_file_type
-}:dir create_dir_perms;
-
-allow gsid {
- ota_metadata_file
-}:dir rw_dir_perms;
-
-allow gsid {
- gsi_metadata_file_type
- ota_metadata_file
-}:file create_file_perms;
-
-# Allow restorecon to fix context of gsi_public_metadata_file.
-allow gsid file_contexts_file:file r_file_perms;
-allow gsid gsi_metadata_file:file relabelfrom;
-allow gsid gsi_public_metadata_file:file relabelto;
-
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:dir rw_dir_perms;
-allow gsid {
- gsi_data_file
- ota_image_data_file
-}:file create_file_perms;
-allowxperm gsid {
- gsi_data_file
- ota_image_data_file
-}:file ioctl {
- FS_IOC_FIEMAP
- FS_IOC_GETFLAGS
-};
-
-allow gsid system_server:binder call;
-
-# Prevent most processes from writing to gsi_metadata_file_type, but allow
-# adding rules for path resolution of gsi_public_metadata_file and reading
-# gsi_public_metadata_file.
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_metadata_file_type:dir no_w_dir_perms;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
- -fastbootd
-} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
-
-# Prevent apps from accessing gsi_metadata_file_type.
-neverallow {
- appdomain
- -shell
-} gsi_metadata_file_type:dir_file_class_set *;
-
-neverallow {
- domain
- -init
- -gsid
-} gsi_data_file:dir_file_class_set *;
-
-neverallow {
- domain
- -gsid
-} gsi_data_file:file_class_set ~{ relabelto getattr };
diff --git a/prebuilts/api/31.0/private/hal_allocator_default.te b/prebuilts/api/31.0/private/hal_allocator_default.te
deleted file mode 100644
index 7aa28aa..0000000
--- a/prebuilts/api/31.0/private/hal_allocator_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_allocator_default, domain, coredomain;
-hal_server_domain(hal_allocator_default, hal_allocator)
-
-type hal_allocator_default_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_allocator_default)
diff --git a/prebuilts/api/31.0/private/hal_lazy_test.te b/prebuilts/api/31.0/private/hal_lazy_test.te
deleted file mode 100644
index 93cf235..0000000
--- a/prebuilts/api/31.0/private/hal_lazy_test.te
+++ /dev/null
@@ -1,3 +0,0 @@
-userdebug_or_eng(`
- hal_attribute_hwservice(hal_lazy_test, hal_lazy_test_hwservice)
-')
diff --git a/prebuilts/api/31.0/private/halclientdomain.te b/prebuilts/api/31.0/private/halclientdomain.te
deleted file mode 100644
index 9dcd3ee..0000000
--- a/prebuilts/api/31.0/private/halclientdomain.te
+++ /dev/null
@@ -1,13 +0,0 @@
-###
-### Rules for all domains which are clients of a HAL
-###
-
-# Find out whether a HAL in passthrough/in-process mode or
-# binderized/out-of-process mode
-hwbinder_use(halclientdomain)
-
-# Used to wait for hwservicemanager
-get_prop(halclientdomain, hwservicemanager_prop)
-
-# Wait for HAL server to be up (used by getService)
-allow halclientdomain hidl_manager_hwservice:hwservice_manager find;
diff --git a/prebuilts/api/31.0/private/halserverdomain.te b/prebuilts/api/31.0/private/halserverdomain.te
deleted file mode 100644
index f36e0e7..0000000
--- a/prebuilts/api/31.0/private/halserverdomain.te
+++ /dev/null
@@ -1,12 +0,0 @@
-###
-### Rules for all domains which offer a HAL service over HwBinder
-###
-
-# Register the HAL service with hwservicemanager
-hwbinder_use(halserverdomain)
-
-# Find HAL implementations
-allow halserverdomain system_file:dir r_dir_perms;
-
-# Used to wait for hwservicemanager
-get_prop(halserverdomain, hwservicemanager_prop)
diff --git a/prebuilts/api/31.0/private/healthd.te b/prebuilts/api/31.0/private/healthd.te
deleted file mode 100644
index 93bc3d8..0000000
--- a/prebuilts/api/31.0/private/healthd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-typeattribute healthd coredomain;
-
-init_daemon_domain(healthd)
-
-# Allow healthd to serve health HAL
-hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/prebuilts/api/31.0/private/heapprofd.te b/prebuilts/api/31.0/private/heapprofd.te
deleted file mode 100644
index 246f936..0000000
--- a/prebuilts/api/31.0/private/heapprofd.te
+++ /dev/null
@@ -1,77 +0,0 @@
-# Android heap profiling daemon. go/heapprofd.
-#
-# On user builds, this daemon is responsible for receiving the initial
-# profiling configuration, finding matching target processes (if profiling by
-# process name), and sending the activation signal to them (+ setting system
-# properties for new processes to start profiling from startup). When profiling
-# is triggered in a process, it spawns a private heapprofd subprocess (in its
-# own SELinux domain), which will exclusively handle profiling of its parent.
-#
-# On debug builds, this central daemon performs profiling for all target
-# processes (which talk directly to this daemon).
-type heapprofd_exec, exec_type, file_type, system_file_type;
-type heapprofd_tmpfs, file_type;
-
-init_daemon_domain(heapprofd)
-tmpfs_domain(heapprofd)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# shared memory buffers created by heapprofd.
-typeattribute heapprofd_tmpfs mlstrustedobject;
-
-set_prop(heapprofd, heapprofd_prop);
-
-# Necessary for /proc/[pid]/cmdline access & sending signals.
-typeattribute heapprofd mlstrustedsubject;
-
-# Allow sending signals to processes. This excludes SIGKILL, SIGSTOP and
-# SIGCHLD, which are controlled by separate permissions.
-allow heapprofd self:capability kill;
-
-# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
-# spamming logs with denials for entries that we can not access.
-dontaudit heapprofd domain:dir { search open };
-
-# Write trace data to the Perfetto traced daemon. This requires connecting to
-# its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(heapprofd)
-
-# When handling profiling for all processes, heapprofd needs to read
-# executables/libraries/etc to do stack unwinding.
-r_dir_file(heapprofd, nativetest_data_file)
-r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
-r_dir_file(heapprofd, apk_data_file)
-r_dir_file(heapprofd, dalvikcache_data_file)
-r_dir_file(heapprofd, vendor_file_type)
-r_dir_file(heapprofd, shell_test_data_file)
-# Some dex files are not world-readable.
-# We are still constrained by the SELinux rules above.
-allow heapprofd self:global_capability_class_set dac_read_search;
-
-# For checking profileability.
-allow heapprofd packages_list_file:file r_file_perms;
-
-# This is going to happen on user but is benign because central heapprofd
-# does not actually need these permission.
-# If the dac_read_search capability check is rejected, the kernel then tries
-# to perform a dac_override capability check, so we need to dontaudit that
-# as well.
-dontaudit heapprofd self:global_capability_class_set { dac_read_search dac_override };
-
-never_profile_heap(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
-
-full_treble_only(`
- neverallow heapprofd vendor_file:file { no_w_file_perms no_x_file_perms };
-')
diff --git a/prebuilts/api/31.0/private/hidl_lazy_test_server.te b/prebuilts/api/31.0/private/hidl_lazy_test_server.te
deleted file mode 100644
index 04e8c9f..0000000
--- a/prebuilts/api/31.0/private/hidl_lazy_test_server.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type hidl_lazy_test_server, domain;
-type hidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
- typeattribute hidl_lazy_test_server coredomain;
- init_daemon_domain(hidl_lazy_test_server)
- hal_server_domain(hidl_lazy_test_server, hal_lazy_test)
-')
diff --git a/prebuilts/api/31.0/private/hwservice.te b/prebuilts/api/31.0/private/hwservice.te
deleted file mode 100644
index b7ba4d7..0000000
--- a/prebuilts/api/31.0/private/hwservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type hal_lazy_test_hwservice, hwservice_manager_type, protected_hwservice;
diff --git a/prebuilts/api/31.0/private/hwservice_contexts b/prebuilts/api/31.0/private/hwservice_contexts
deleted file mode 100644
index 5b6e79d..0000000
--- a/prebuilts/api/31.0/private/hwservice_contexts
+++ /dev/null
@@ -1,85 +0,0 @@
-android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
-android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
-android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
-android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
-android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
-android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
-android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
-android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
-android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
-android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
-android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
-android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
-android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
-android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
-android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
-android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
-android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
-android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
-android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
-android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
-android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
-android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
-android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
-android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
-android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
-android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
-android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
-android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
-android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
-android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
-android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
-android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
-android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
-android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
-android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
-android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
-android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
-android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
-android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
-android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
-android.hardware.power.stats::IPowerStats u:object_r:hal_power_stats_hwservice:s0
-android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
-android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
-android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
-android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
-android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
-android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
-android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
-android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
-android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
-android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
-android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
-android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
-android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
-android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
-android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
-android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
-android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
-android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
-android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
-android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
-android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
-android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
-android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
-android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
-android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
-* u:object_r:default_android_hwservice:s0
diff --git a/prebuilts/api/31.0/private/hwservicemanager.te b/prebuilts/api/31.0/private/hwservicemanager.te
deleted file mode 100644
index e1fde43..0000000
--- a/prebuilts/api/31.0/private/hwservicemanager.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute hwservicemanager coredomain;
-
-init_daemon_domain(hwservicemanager)
-
-add_hwservice(hwservicemanager, hidl_manager_hwservice)
-add_hwservice(hwservicemanager, hidl_token_hwservice)
-
-set_prop(hwservicemanager, ctl_interface_start_prop)
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/prebuilts/api/31.0/private/idmap.te b/prebuilts/api/31.0/private/idmap.te
deleted file mode 100644
index c982783..0000000
--- a/prebuilts/api/31.0/private/idmap.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute idmap coredomain;
-
-init_daemon_domain(idmap)
diff --git a/prebuilts/api/31.0/private/incident.te b/prebuilts/api/31.0/private/incident.te
deleted file mode 100644
index db9ae86..0000000
--- a/prebuilts/api/31.0/private/incident.te
+++ /dev/null
@@ -1,37 +0,0 @@
-typeattribute incident coredomain;
-
-type incident_exec, system_file_type, exec_type, file_type;
-
-# switch to incident domain for incident command
-domain_auto_trans(shell, incident_exec, incident)
-domain_auto_trans(dumpstate, incident_exec, incident)
-
-# allow incident access to stdout from its parent shell.
-allow incident shell:fd use;
-
-# allow incident to communicate with dumpstate, and write incident report to
-# /data/data/com.android.shell/files/bugreports/tmp_incident_report
-allow incident dumpstate:fd use;
-allow incident dumpstate:unix_stream_socket { read write };
-allow incident shell_data_file:file write;
-
-# allow incident be able to output data for CTS to fetch.
-allow incident devpts:chr_file { read write };
-
-# allow incident to communicate use, read and write over the adb
-# connection.
-allow incident adbd:fd use;
-allow incident adbd:unix_stream_socket { read write };
-
-# allow adbd to reap incident
-allow incident adbd:process { sigchld };
-
-# Allow the incident command to talk to the incidentd over the binder, and get
-# back the incident report data from a ParcelFileDescriptor.
-binder_use(incident)
-allow incident incident_service:service_manager find;
-binder_call(incident, incidentd)
-allow incident incidentd:fifo_file write;
-
-# only allow incident being called by shell or dumpstate
-neverallow { domain -su -shell -incident -dumpstate} incident_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/31.0/private/incident_helper.te b/prebuilts/api/31.0/private/incident_helper.te
deleted file mode 100644
index b453855..0000000
--- a/prebuilts/api/31.0/private/incident_helper.te
+++ /dev/null
@@ -1,14 +0,0 @@
-typeattribute incident_helper coredomain;
-
-type incident_helper_exec, system_file_type, exec_type, file_type;
-
-# switch to incident_helper domain for incident_helper command
-domain_auto_trans(incidentd, incident_helper_exec, incident_helper)
-
-# use pipe to transmit data from/to incidentd/incident_helper for parsing
-allow incident_helper { shell incident incidentd dumpstate }:fd use;
-allow incident_helper { shell incident incidentd dumpstate }:fifo_file { getattr read write };
-allow incident_helper incidentd:unix_stream_socket { read write };
-
-# only allow incidentd and shell to call incident_helper
-neverallow { domain -incidentd -incident_helper -shell } incident_helper_exec:file { execute execute_no_trans };
diff --git a/prebuilts/api/31.0/private/incidentd.te b/prebuilts/api/31.0/private/incidentd.te
deleted file mode 100644
index 918ffda..0000000
--- a/prebuilts/api/31.0/private/incidentd.te
+++ /dev/null
@@ -1,213 +0,0 @@
-typeattribute incidentd coredomain;
-typeattribute incidentd mlstrustedsubject;
-
-init_daemon_domain(incidentd)
-type incidentd_exec, system_file_type, exec_type, file_type;
-binder_use(incidentd)
-wakelock_use(incidentd)
-
-# Allow incidentd to scan through /proc/pid for all processes
-r_dir_file(incidentd, domain)
-
-# Allow incidentd to kill incident_helper when timeout
-allow incidentd incident_helper:process sigkill;
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow incidentd system_file:file execute_no_trans;
-allow incidentd toolbox_exec:file rx_file_perms;
-
-# section id 1002, allow reading kernel version /proc/version
-allow incidentd proc_version:file r_file_perms;
-
-# section id 1116, allow accessing statsd socket
-unix_socket_send(incidentd, statsdw, statsd)
-
-# section id 2001, allow reading /proc/pagetypeinfo
-allow incidentd proc_pagetypeinfo:file r_file_perms;
-
-# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
-
-# section id 2003, allow executing top
-allow incidentd proc_meminfo:file { open read };
-
-# section id 2004, allow reading /sys/devices/system/cpu/cpufreq/all_time_in_state
-allow incidentd sysfs_devices_system_cpu:file r_file_perms;
-
-# section id 2005, allow reading ps dump in full
-allow incidentd domain:process getattr;
-
-# section id 2006, allow reading /sys/class/power_supply/bms/battery_type
-allow incidentd sysfs_batteryinfo:dir { search };
-allow incidentd sysfs_batteryinfo:file r_file_perms;
-
-# section id 2007, allow reading LAST_KMSG /sys/fs/pstore/console-ramoops
-userdebug_or_eng(`allow incidentd pstorefs:dir search');
-userdebug_or_eng(`allow incidentd pstorefs:file r_file_perms');
-
-# section id 3023, allow obtaining stats report
-allow incidentd stats_service:service_manager find;
-binder_call(incidentd, statsd)
-
-# section id 3026, allow reading /data/misc/perfetto-traces.
-allow incidentd perfetto_traces_data_file:dir r_dir_perms;
-allow incidentd perfetto_traces_data_file:file r_file_perms;
-
-# section id 3052, allow accessing nfc_service
-allow incidentd nfc_service:service_manager find;
-
-# Create and write into /data/misc/incidents
-allow incidentd incident_data_file:dir rw_dir_perms;
-allow incidentd incident_data_file:file create_file_perms;
-
-# Enable incidentd to get stack traces.
-binder_use(incidentd)
-hwbinder_use(incidentd)
-allow incidentd hwservicemanager:hwservice_manager { list };
-get_prop(incidentd, hwservicemanager_prop)
-allow incidentd hidl_manager_hwservice:hwservice_manager { find };
-
-# Read files in /proc
-allow incidentd {
- proc_cmdline
- proc_pid_max
- proc_pipe_conf
- proc_stat
-}:file r_file_perms;
-
-# Signal java processes to dump their stack and get the results
-allow incidentd { appdomain ephemeral_app system_server }:process signal;
-
-# Signal native processes to dump their stack.
-# This list comes from native_processes_to_dump in incidentd/utils.c
-allow incidentd {
- # This list comes from native_processes_to_dump in dumputils/dump_utils.cpp
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- sdcardd
- statsd
- surfaceflinger
-
- # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.cpp
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_omx_server
- hal_sensors_server
- hal_vr_server
-}:process signal;
-
-# Allow incidentd to make binder calls to any binder service
-binder_call(incidentd, system_server)
-binder_call(incidentd, appdomain)
-
-# Reading /proc/PID/maps of other processes
-userdebug_or_eng(`allow incidentd self:global_capability_class_set { sys_ptrace }');
-# incidentd has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow incidentd *:process ptrace;
-
-allow incidentd self:global_capability_class_set {
- # Send signals to processes
- kill
-};
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
-
-# Run a shell.
-allow incidentd shell_exec:file rx_file_perms;
-
-# For running am, incident-helper-cmd and similar framework commands.
-# Run /system/bin/app_process.
-allow incidentd zygote_exec:file { rx_file_perms };
-# Access the runtime feature flag properties.
-get_prop(incidentd, device_config_runtime_native_prop)
-get_prop(incidentd, device_config_runtime_native_boot_prop)
-# Access odsign verification status.
-get_prop(incidentd, odsign_prop)
-# ART locks profile files.
-allow incidentd system_file:file lock;
-# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
-dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
-dontaudit incidentd apex_module_data_file:dir r_dir_perms;
-dontaudit incidentd apex_art_data_file:dir r_dir_perms;
-dontaudit incidentd tmpfs:file rwx_file_perms;
-
-# logd access - work to be done is a PII safe log (possibly an event log?)
-userdebug_or_eng(`read_logd(incidentd)')
-# TODO control_logd(incidentd)
-
-# Access /data/misc/logd
-r_dir_file(incidentd, misc_logd_file)
-
-# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
-allow incidentd {
- system_server_service
- app_api_service
- system_api_service
- -tracingproxy_service
-}:service_manager find;
-
-# Only incidentd can publish the binder service
-add_service(incidentd, incident_service)
-
-# Allow pipes only from dumpstate and incident
-allow incidentd { dumpstate incident }:fd use;
-allow incidentd { dumpstate incident }:fifo_file write;
-
-# Allow incident to call back to incident with status updates.
-binder_call(incidentd, incident)
-
-# Read device serial number from system properties
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, serialno_prop)
-')
-
-# Read ro.boot.bootreason, persist.sys.boot.bootreason
-# This is used to track reports from lab testing devices
-userdebug_or_eng(`
- get_prop(incidentd, bootloader_boot_reason_prop);
- get_prop(incidentd, system_boot_reason_prop);
- get_prop(incidentd, last_boot_reason_prop);
-')
-
-###
-### neverallow rules
-###
-# only incidentd and the other root services in limited circumstances
-# can get to the files in /data/misc/incidents
-#
-# write, execute, append are forbidden almost everywhere
-neverallow { domain -incidentd -init -vold } incident_data_file:file {
- w_file_perms
- x_file_perms
- create
- rename
- setattr
- unlink
- append
-};
-# read is also allowed by system_server, for when the file is handed to dropbox
-neverallow { domain -incidentd -init -vold -system_server } incident_data_file:file r_file_perms;
-# limited access to the directory itself
-neverallow { domain -incidentd -init -vold } incident_data_file:dir create_dir_perms;
-
diff --git a/prebuilts/api/31.0/private/init.te b/prebuilts/api/31.0/private/init.te
deleted file mode 100644
index f569e0c..0000000
--- a/prebuilts/api/31.0/private/init.te
+++ /dev/null
@@ -1,114 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-# Transitions to seclabel processes in init.rc
-domain_trans(init, rootfs, healthd)
-domain_trans(init, rootfs, slideshow)
-domain_auto_trans(init, charger_exec, charger)
-domain_auto_trans(init, e2fs_exec, e2fs)
-domain_auto_trans(init, bpfloader_exec, bpfloader)
-
-recovery_only(`
- # Files in recovery image are labeled as rootfs.
- domain_trans(init, rootfs, adbd)
- domain_trans(init, rootfs, charger)
- domain_trans(init, rootfs, fastbootd)
- domain_trans(init, rootfs, recovery)
- domain_trans(init, rootfs, linkerconfig)
- domain_trans(init, rootfs, snapuserd)
-')
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, vendor_init)
-domain_trans(init, { rootfs toolbox_exec }, modprobe)
-userdebug_or_eng(`
- # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
- domain_auto_trans(init, logcat_exec, logpersist)
-
- # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
- allow init su:process transition;
- dontaudit init su:process noatsecure;
- allow init su:process { siginh rlimitinh };
-')
-
-# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
-# This is useful in case of remounting ext4 userdata into checkpointing mode,
-# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
-# that userdata is mounted onto.
-allow init sysfs_dm:file read;
-
-# Allow init to modify the properties of loop devices.
-allow init sysfs_loop:dir r_dir_perms;
-allow init sysfs_loop:file rw_file_perms;
-
-# Allow init to examine the properties of block devices.
-allow init sysfs_block_type:file { getattr read };
-# Allow init access /dev/block
-allow init bdev_type:dir r_dir_perms;
-allow init bdev_type:blk_file getattr;
-
-# Allow init to write to the drop_caches file.
-allow init proc_drop_caches:file rw_file_perms;
-
-# Allow the BoringSSL self test to request a reboot upon failure
-set_prop(init, powerctl_prop)
-
-# Only init is allowed to set userspace reboot related properties.
-set_prop(init, userspace_reboot_exported_prop)
-neverallow { domain -init } userspace_reboot_exported_prop:property_service set;
-
-# Second-stage init performs a test for whether the kernel has SELinux hooks
-# for the perf_event_open() syscall. This is done by testing for the syscall
-# outcomes corresponding to this policy.
-# TODO(b/137092007): this can be removed once the platform stops supporting
-# kernels that precede the perf_event_open hooks (Android common kernels 4.4
-# and 4.9).
-allow init self:perf_event { open cpu };
-allow init self:global_capability2_class_set perfmon;
-neverallow init self:perf_event { kernel tracepoint read write };
-dontaudit init self:perf_event { kernel tracepoint read write };
-
-# Allow init to communicate with snapuserd to transition Virtual A/B devices
-# from the first-stage daemon to the second-stage.
-allow init snapuserd_socket:sock_file write;
-allow init snapuserd:unix_stream_socket connectto;
-# Allow for libsnapshot's use of flock() on /metadata/ota.
-allow init ota_metadata_file:dir lock;
-
-# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
-# /dev/block.
-allow init vd_device:blk_file relabelto;
-
-# Only init is allowed to set the sysprop indicating whether perf_event_open()
-# SELinux hooks were detected.
-set_prop(init, init_perf_lsm_hooks_prop)
-neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
-
-# Only init can write vts.native_server.on
-set_prop(init, vts_status_prop)
-neverallow { domain -init } vts_status_prop:property_service set;
-
-# Only init can write normal ro.boot. properties
-neverallow { domain -init } bootloader_prop:property_service set;
-
-# Only init can write hal.instrumentation.enable
-neverallow { domain -init } hal_instrumentation_prop:property_service set;
-
-# Only init can write ro.property_service.version
-neverallow { domain -init } property_service_version_prop:property_service set;
-
-# Only init can set keystore.boot_level
-neverallow { domain -init } keystore_listen_prop:property_service set;
-
-# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
-allow init debugfs_bootreceiver_tracing:file w_file_perms;
-
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -keychord_device
- -kvm_device
- -port_device
-}:chr_file setattr;
diff --git a/prebuilts/api/31.0/private/initial_sid_contexts b/prebuilts/api/31.0/private/initial_sid_contexts
deleted file mode 100644
index 9819051..0000000
--- a/prebuilts/api/31.0/private/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/prebuilts/api/31.0/private/initial_sids b/prebuilts/api/31.0/private/initial_sids
deleted file mode 100644
index 91ac816..0000000
--- a/prebuilts/api/31.0/private/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/prebuilts/api/31.0/private/inputflinger.te b/prebuilts/api/31.0/private/inputflinger.te
deleted file mode 100644
index 9696b49..0000000
--- a/prebuilts/api/31.0/private/inputflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute inputflinger coredomain;
-
-init_daemon_domain(inputflinger)
diff --git a/prebuilts/api/31.0/private/installd.te b/prebuilts/api/31.0/private/installd.te
deleted file mode 100644
index 726e5aa..0000000
--- a/prebuilts/api/31.0/private/installd.te
+++ /dev/null
@@ -1,48 +0,0 @@
-typeattribute installd coredomain;
-
-init_daemon_domain(installd)
-
-# Run migrate_legacy_obb_data.sh in its own sandbox.
-domain_auto_trans(installd, migrate_legacy_obb_data_exec, migrate_legacy_obb_data)
-allow installd shell_exec:file rx_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(installd, dex2oat_exec, dex2oat)
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(installd, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Run viewcompiler in its own sandbox.
-domain_auto_trans(installd, viewcompiler_exec, viewcompiler)
-
-# Run profman in its own sandbox.
-domain_auto_trans(installd, profman_exec, profman)
-
-# Run idmap in its own sandbox.
-domain_auto_trans(installd, idmap_exec, idmap)
-
-# For collecting bugreports.
-allow installd dumpstate:fd use;
-allow installd dumpstate:fifo_file r_file_perms;
-
-# Delete /system/bin/bcc generated artifacts
-allow installd app_exec_data_file:file unlink;
-
-# Capture userdata snapshots to /data/misc_[ce|de]/rollback and
-# subsequently restore them.
-allow installd rollback_data_file:dir create_dir_perms;
-allow installd rollback_data_file:file create_file_perms;
-
-# Allow installd to access the runtime feature flag properties.
-get_prop(installd, device_config_runtime_native_prop)
-get_prop(installd, device_config_runtime_native_boot_prop)
-
-# Allow installd to access apk verity feature flag (for legacy case).
-get_prop(installd, apk_verity_prop)
-
-# Allow installd to access odsign verification status
-get_prop(installd, odsign_prop)
-
-# Allow installd to delete files in /data/staging
-allow installd staging_data_file:file unlink;
-allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/prebuilts/api/31.0/private/iorap_inode2filename.te b/prebuilts/api/31.0/private/iorap_inode2filename.te
deleted file mode 100644
index 5acb262..0000000
--- a/prebuilts/api/31.0/private/iorap_inode2filename.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute iorap_inode2filename coredomain;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
-allow iorap_inode2filename dalvikcache_data_file:file { getattr };
-allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
-allow iorap_inode2filename dexoptanalyzer_exec:file { getattr };
-allow iorap_inode2filename storaged_data_file:dir { getattr open read search };
-allow iorap_inode2filename storaged_data_file:file { getattr };
diff --git a/prebuilts/api/31.0/private/iorap_prefecherd.te b/prebuilts/api/31.0/private/iorap_prefecherd.te
deleted file mode 100644
index 9ddb512..0000000
--- a/prebuilts/api/31.0/private/iorap_prefecherd.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute iorap_prefetcherd coredomain;
-
-init_daemon_domain(iorap_prefetcherd)
-tmpfs_domain(iorap_prefetcherd)
diff --git a/prebuilts/api/31.0/private/iorapd.te b/prebuilts/api/31.0/private/iorapd.te
deleted file mode 100644
index 73acec9..0000000
--- a/prebuilts/api/31.0/private/iorapd.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute iorapd coredomain;
-
-init_daemon_domain(iorapd)
-tmpfs_domain(iorapd)
-
-domain_auto_trans(iorapd, iorap_prefetcherd_exec, iorap_prefetcherd)
-domain_auto_trans(iorapd, iorap_inode2filename_exec, iorap_inode2filename)
-
-# Allow iorapd to access the runtime native boot feature flag properties.
-get_prop(iorapd, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/isolated_app.te b/prebuilts/api/31.0/private/isolated_app.te
deleted file mode 100644
index 71749c0..0000000
--- a/prebuilts/api/31.0/private/isolated_app.te
+++ /dev/null
@@ -1,153 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-typeattribute isolated_app coredomain;
-
-app_domain(isolated_app)
-
-# Access already open app data files received over Binder or local socket IPC.
-allow isolated_app { app_data_file privapp_data_file }:file { append read write getattr lock map };
-
-# Allow access to network sockets received over IPC. New socket creation is not
-# permitted.
-allow isolated_app { ephemeral_app priv_app untrusted_app_all }:{ tcp_socket udp_socket } { rw_socket_perms_no_ioctl };
-
-allow isolated_app activity_service:service_manager find;
-allow isolated_app display_service:service_manager find;
-allow isolated_app webviewupdate_service:service_manager find;
-
-# Google Breakpad (crash reporter for Chrome) relies on ptrace
-# functionality. Without the ability to ptrace, the crash reporter
-# tool is broken.
-# b/20150694
-# https://code.google.com/p/chromium/issues/detail?id=475270
-allow isolated_app self:process ptrace;
-
-# b/32896414: Allow accessing sdcard file descriptors passed to isolated_apps
-# by other processes. Open should never be allowed, and is blocked by
-# neverallow rules below.
-# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
-# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
-
-# For webviews, isolated_app processes can be forked from the webview_zygote
-# in addition to the zygote. Allow access to resources inherited from the
-# webview_zygote process. These rules are specialized copies of the ones in app.te.
-# Inherit FDs from the webview_zygote.
-allow isolated_app webview_zygote:fd use;
-# Notify webview_zygote of child death.
-allow isolated_app webview_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app webview_zygote:unix_dgram_socket write;
-# Read system properties managed by webview_zygote.
-allow isolated_app webview_zygote_tmpfs:file read;
-
-# Inherit FDs from the app_zygote.
-allow isolated_app app_zygote:fd use;
-# Notify app_zygote of child death.
-allow isolated_app app_zygote:process sigchld;
-# Inherit logd write socket.
-allow isolated_app app_zygote:unix_dgram_socket write;
-
-# TODO (b/63631799) fix this access
-# suppress denials to /data/local/tmp
-dontaudit isolated_app shell_data_file:dir search;
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(isolated_app)
-
-# Allow profiling if the main app has been marked as profileable or
-# debuggable.
-can_profile_heap(isolated_app)
-can_profile_perf(isolated_app)
-
-#####
-##### Neverallow
-#####
-
-# Isolated apps should not directly open app data files themselves.
-neverallow isolated_app { app_data_file privapp_data_file }:file open;
-
-# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
-# TODO: are there situations where isolated_apps write to this file?
-# TODO: should we tighten these restrictions further?
-neverallow isolated_app anr_data_file:file ~{ open append };
-neverallow isolated_app anr_data_file:dir ~search;
-
-# Isolated apps must not be permitted to use HwBinder
-neverallow isolated_app hwbinder_device:chr_file *;
-neverallow isolated_app *:hwservice_manager *;
-
-# Isolated apps must not be permitted to use VndBinder
-neverallow isolated_app vndbinder_device:chr_file *;
-
-# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
-neverallow isolated_app *:service_manager ~find;
-
-# b/17487348
-# Isolated apps can only access three services,
-# activity_service, display_service, webviewupdate_service.
-neverallow isolated_app {
- service_manager_type
- -activity_service
- -display_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow isolated_app gpu_device:chr_file { rw_file_perms execute };
-
-# Do not allow isolated_app access to /cache
-neverallow isolated_app cache_file:dir ~{ r_dir_perms };
-neverallow isolated_app cache_file:file ~{ read getattr };
-
-# Do not allow isolated_app to access external storage, except for files passed
-# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
-neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
-
-# Do not allow USB access
-neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
-
-# Restrict the webview_zygote control socket.
-neverallow isolated_app webview_zygote:sock_file write;
-
-# Limit the /sys files which isolated_app can access. This is important
-# for controlling isolated_app attack surface.
-neverallow isolated_app {
- sysfs_type
- -sysfs_devices_system_cpu
- -sysfs_transparent_hugepage
- -sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
- -sysfs_fs_incfs_features
-}:file no_rw_file_perms;
-
-# No creation of sockets families other than AF_UNIX sockets.
-# List taken from system/sepolicy/public/global_macros - socket_class_set
-# excluding unix_stream_socket and unix_dgram_socket.
-# Many of these are socket families which have never and will never
-# be compiled into the Android kernel.
-neverallow isolated_app { self ephemeral_app priv_app untrusted_app_all }:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket
- key_socket appletalk_socket netlink_route_socket
- netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket
- netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket
- netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket
- netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket
- netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket
- rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
- bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket
- ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket
- qipcrtr_socket smc_socket xdp_socket
-} create;
diff --git a/prebuilts/api/31.0/private/iw.te b/prebuilts/api/31.0/private/iw.te
deleted file mode 100644
index adc8c96..0000000
--- a/prebuilts/api/31.0/private/iw.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type iw, domain, coredomain;
-type iw_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(iw)
diff --git a/prebuilts/api/31.0/private/kernel.te b/prebuilts/api/31.0/private/kernel.te
deleted file mode 100644
index 5341163..0000000
--- a/prebuilts/api/31.0/private/kernel.te
+++ /dev/null
@@ -1,33 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
-domain_auto_trans(kernel, snapuserd_exec, snapuserd)
-
-# Allow the kernel to read otapreopt_chroot's file descriptors and files under
-# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
-allow kernel otapreopt_chroot:fd use;
-allow kernel postinstall_file:file read;
-
-# The following sections are for the transition period during a Virtual A/B
-# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
-# context, and with properly labelled devices. This must be done before
-# enabling enforcement, eg, in permissive mode while still in the kernel
-# context.
-allow kernel tmpfs:blk_file { getattr relabelfrom };
-allow kernel tmpfs:chr_file { getattr relabelfrom };
-allow kernel tmpfs:lnk_file { getattr relabelfrom };
-allow kernel tmpfs:dir { open read relabelfrom };
-
-allow kernel block_device:blk_file relabelto;
-allow kernel block_device:lnk_file relabelto;
-allow kernel dm_device:chr_file relabelto;
-allow kernel dm_device:blk_file relabelto;
-allow kernel dm_user_device:dir { read open search relabelto };
-allow kernel dm_user_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file relabelto;
-allow kernel null_device:chr_file relabelto;
-allow kernel random_device:chr_file relabelto;
-allow kernel snapuserd_exec:file relabelto;
-
-allow kernel kmsg_device:chr_file write;
-allow kernel gsid:fd use;
diff --git a/prebuilts/api/31.0/private/keys.conf b/prebuilts/api/31.0/private/keys.conf
deleted file mode 100644
index 362e73d..0000000
--- a/prebuilts/api/31.0/private/keys.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@NETWORK_STACK]
-ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/prebuilts/api/31.0/private/keystore.te b/prebuilts/api/31.0/private/keystore.te
deleted file mode 100644
index 8842224..0000000
--- a/prebuilts/api/31.0/private/keystore.te
+++ /dev/null
@@ -1,36 +0,0 @@
-typeattribute keystore coredomain;
-
-init_daemon_domain(keystore)
-
-# talk to keymaster
-hal_client_domain(keystore, hal_keymaster)
-
-# talk to confirmationui
-hal_client_domain(keystore, hal_confirmationui)
-
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
-# This is used for the ConfirmationUI async callback.
-allow keystore platform_app:binder call;
-
-# Allow to check whether security logging is enabled.
-get_prop(keystore, device_logging_prop)
-
-# Allow keystore to write to statsd.
-unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-get_prop(keystore, keystore_listen_prop)
-
-# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
-# can call keystore methods on those references.
-allow keystore vold:binder transfer;
-allow keystore wait_for_keymaster:binder transfer;
-
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
-set_prop(keystore, keystore_crash_prop)
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/keystore2_key_contexts b/prebuilts/api/31.0/private/keystore2_key_contexts
deleted file mode 100644
index 3833971..0000000
--- a/prebuilts/api/31.0/private/keystore2_key_contexts
+++ /dev/null
@@ -1,28 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
-0 u:object_r:su_key:s0
-
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
-1 u:object_r:shell_key:s0
-
-# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
-100 u:object_r:vold_key:s0
-
-# odsign_key is a keystore2_key namespace for the on-device signing daemon.
-101 u:object_r:odsign_key:s0
-
-# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
-# namespace in keystore.
-102 u:object_r:wifi_key:s0
-
-# locksettings_key is a keystore2_key namespace for the LockSettingsService.
-103 u:object_r:locksettings_key:s0
-
-# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
-120 u:object_r:resume_on_reboot_key:s0
-
diff --git a/prebuilts/api/31.0/private/keystore_keys.te b/prebuilts/api/31.0/private/keystore_keys.te
deleted file mode 100644
index 2f97608..0000000
--- a/prebuilts/api/31.0/private/keystore_keys.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# Specify keystore2_key namespaces in this file.
-# Please keep the names in alphabetical order and comment each new entry.
-
-# A keystore2_key namespace for the shell domain. Mainly used for native tests.
-type shell_key, keystore2_key_type;
-
-# A keystore2 namespace for the su domain. Mainly used for native tests.
-type su_key, keystore2_key_type;
-
-# A keystore2 namespace for vold. Vold need special permission to handle
-# its own Keymint blobs.
-type vold_key, keystore2_key_type;
-
-# A keystore2 namespace for the on-device signing daemon.
-type odsign_key, keystore2_key_type;
-
-# A keystore2 namespace for LockSettingsService.
-type locksettings_key, keystore2_key_type;
-
-# A keystore2 namespace for resume on reboot.
-type resume_on_reboot_key, keystore2_key_type;
-
diff --git a/prebuilts/api/31.0/private/linkerconfig.te b/prebuilts/api/31.0/private/linkerconfig.te
deleted file mode 100644
index 2688102..0000000
--- a/prebuilts/api/31.0/private/linkerconfig.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type linkerconfig, domain, coredomain;
-type linkerconfig_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(linkerconfig)
-
-## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir create_dir_perms;
-allow linkerconfig linkerconfig_file:file create_file_perms;
-
-# Allow linkerconfig to log to the kernel.
-allow linkerconfig kmsg_device:chr_file w_file_perms;
-
-# Allow linkerconfig to be invoked with logwrapper from init.
-allow linkerconfig devpts:chr_file { read write };
-
-# Allow linkerconfig to scan for apex modules
-allow linkerconfig apex_mnt_dir:dir r_dir_perms;
-
-# Allow linkerconfig to read apex-info-list.xml
-allow linkerconfig apex_info_file:file r_file_perms;
-
-# Allow linkerconfig to be called in the otapreopt_chroot
-allow linkerconfig otapreopt_chroot:fd use;
-allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
-allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
-
-neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
diff --git a/prebuilts/api/31.0/private/llkd.te b/prebuilts/api/31.0/private/llkd.te
deleted file mode 100644
index f218dec..0000000
--- a/prebuilts/api/31.0/private/llkd.te
+++ /dev/null
@@ -1,53 +0,0 @@
-# llkd Live LocK Daemon
-typeattribute llkd coredomain;
-
-init_daemon_domain(llkd)
-
-get_prop(llkd, llkd_prop)
-
-allow llkd self:global_capability_class_set kill;
-userdebug_or_eng(`
- allow llkd self:global_capability_class_set { sys_ptrace sys_admin };
- allow llkd self:global_capability_class_set { dac_override dac_read_search };
-')
-
-# llkd optionally locks itself in memory, to prevent it from being
-# swapped out and unable to discover a kernel in live-lock state.
-allow llkd self:global_capability_class_set ipc_lock;
-
-# Send kill signals to _anyone_ suffering from Live Lock
-allow llkd domain:process sigkill;
-
-# read stack to check for Live Lock
-userdebug_or_eng(`
- allow llkd {
- domain
- -apexd
- -kernel
- -keystore
- -init
- -llkd
- -ueventd
- -vendor_init
- }:process ptrace;
-')
-
-# live lock watchdog process allowed to look through /proc/
-allow llkd domain:dir r_dir_perms;
-allow llkd domain:file r_file_perms;
-allow llkd domain:lnk_file read;
-# Set /proc/sys/kernel/hung_task_*
-allow llkd proc_hung_task:file rw_file_perms;
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow llkd proc_sysrq:file w_file_perms;
-allow llkd kmsg_device:chr_file w_file_perms;
-
-### neverallow rules
-
-neverallow { domain -init } llkd:process { dyntransition transition };
-neverallow { domain userdebug_or_eng(`-crash_dump') } llkd:process ptrace;
-
-# never honor LD_PRELOAD
-neverallow * llkd:process noatsecure;
diff --git a/prebuilts/api/31.0/private/lmkd.te b/prebuilts/api/31.0/private/lmkd.te
deleted file mode 100644
index ec9a93e..0000000
--- a/prebuilts/api/31.0/private/lmkd.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute lmkd coredomain;
-
-init_daemon_domain(lmkd)
-
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
-# Set lmkd.* properties.
-set_prop(lmkd, lmkd_prop)
-
-allow lmkd fs_bpf:dir search;
-allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
-
-neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/logd.te b/prebuilts/api/31.0/private/logd.te
deleted file mode 100644
index 7112c4f..0000000
--- a/prebuilts/api/31.0/private/logd.te
+++ /dev/null
@@ -1,41 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd {
- file_type
- -runtime_event_log_tags_file
- userdebug_or_eng(`-coredump_file -misc_logd_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
- domain
- -appdomain # covered below
- -bootstat
- -dumpstate
- -init
- -logd
- userdebug_or_eng(`-logpersist')
- -servicemanager
- -system_server
- -surfaceflinger
- -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
- appdomain
- -bluetooth
- -platform_app
- -priv_app
- -radio
- -shell
- userdebug_or_eng(`-su')
- -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
diff --git a/prebuilts/api/31.0/private/logpersist.te b/prebuilts/api/31.0/private/logpersist.te
deleted file mode 100644
index ab2c9c6..0000000
--- a/prebuilts/api/31.0/private/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-typeattribute logpersist coredomain;
-
-# android debug log storage in logpersist domains (eng and userdebug only)
-userdebug_or_eng(`
-
- r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
-
- allow logpersist misc_logd_file:file create_file_perms;
- allow logpersist misc_logd_file:dir rw_dir_perms;
-
- allow logpersist self:global_capability_class_set sys_nice;
- allow logpersist pstorefs:dir search;
- allow logpersist pstorefs:file r_file_perms;
-
- control_logd(logpersist)
- unix_socket_connect(logpersist, logdr, logd)
- read_runtime_log_tags(logpersist)
-
-')
-
-# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
-neverallow logpersist {
- file_type
- userdebug_or_eng(`-misc_logd_file -coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
-neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/prebuilts/api/31.0/private/lpdumpd.te b/prebuilts/api/31.0/private/lpdumpd.te
deleted file mode 100644
index 9f5f87e..0000000
--- a/prebuilts/api/31.0/private/lpdumpd.te
+++ /dev/null
@@ -1,37 +0,0 @@
-type lpdumpd, domain, coredomain;
-type lpdumpd_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(lpdumpd)
-
-# Allow lpdumpd to register itself as a service.
-binder_use(lpdumpd)
-add_service(lpdumpd, lpdump_service)
-
-# Allow lpdumpd to find the super partition block device.
-allow lpdumpd block_device:dir r_dir_perms;
-
-# Allow lpdumpd to read super partition metadata.
-allow lpdumpd super_block_device_type:blk_file r_file_perms;
-
-# Allow lpdumpd to read fstab.
-allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
-allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(lpdumpd)
-
-### Neverallow rules
-
-# Disallow other domains to get lpdump_service and call lpdumpd.
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
-} lpdump_service:service_manager find;
-
-neverallow {
- domain
- -dumpstate
- -lpdumpd
- -shell
- -servicemanager
-} lpdumpd:binder call;
diff --git a/prebuilts/api/31.0/private/mac_permissions.xml b/prebuilts/api/31.0/private/mac_permissions.xml
deleted file mode 100644
index 7fc37c1..0000000
--- a/prebuilts/api/31.0/private/mac_permissions.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
- <signer signature="@NETWORK_STACK" >
- <seinfo value="network_stack" />
- </signer>
-</policy>
diff --git a/prebuilts/api/31.0/private/mdnsd.te b/prebuilts/api/31.0/private/mdnsd.te
deleted file mode 100644
index 98e95da..0000000
--- a/prebuilts/api/31.0/private/mdnsd.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# mdns daemon
-
-typeattribute mdnsd coredomain;
-typeattribute mdnsd mlstrustedsubject;
-
-type mdnsd_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(mdnsd)
-
-net_domain(mdnsd)
-
-# Read from /proc/net
-r_dir_file(mdnsd, proc_net_type)
diff --git a/prebuilts/api/31.0/private/mediadrmserver.te b/prebuilts/api/31.0/private/mediadrmserver.te
deleted file mode 100644
index 4e511a8..0000000
--- a/prebuilts/api/31.0/private/mediadrmserver.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediadrmserver coredomain;
-
-init_daemon_domain(mediadrmserver)
-
-# allocate and use graphic buffers
-hal_client_domain(mediadrmserver, hal_graphics_allocator)
-auditallow mediadrmserver hal_graphics_allocator_server:binder call;
-
diff --git a/prebuilts/api/31.0/private/mediaextractor.te b/prebuilts/api/31.0/private/mediaextractor.te
deleted file mode 100644
index 7bcf5c8..0000000
--- a/prebuilts/api/31.0/private/mediaextractor.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute mediaextractor coredomain;
-
-init_daemon_domain(mediaextractor)
-tmpfs_domain(mediaextractor)
-allow mediaextractor appdomain_tmpfs:file { getattr map read write };
-allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
-allow mediaextractor system_server_tmpfs:file { getattr map read write };
-
-get_prop(mediaextractor, device_config_media_native_prop)
-get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/31.0/private/mediametrics.te b/prebuilts/api/31.0/private/mediametrics.te
deleted file mode 100644
index 5a6f2e1..0000000
--- a/prebuilts/api/31.0/private/mediametrics.te
+++ /dev/null
@@ -1,8 +0,0 @@
-typeattribute mediametrics coredomain;
-
-init_daemon_domain(mediametrics)
-
-# Needed for stats callback registration to statsd.
-allow mediametrics stats_service:service_manager find;
-allow mediametrics statsmanager_service:service_manager find;
-binder_call(mediametrics, statsd)
diff --git a/prebuilts/api/31.0/private/mediaprovider.te b/prebuilts/api/31.0/private/mediaprovider.te
deleted file mode 100644
index 78bbdb0..0000000
--- a/prebuilts/api/31.0/private/mediaprovider.te
+++ /dev/null
@@ -1,48 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-typeattribute mediaprovider coredomain;
-app_domain(mediaprovider)
-
-# DownloadProvider accesses the network.
-net_domain(mediaprovider)
-
-# DownloadProvider uses /cache.
-allow mediaprovider cache_file:dir create_dir_perms;
-allow mediaprovider cache_file:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow mediaprovider cache_file:lnk_file r_file_perms;
-# mediaprovider searches through /cache looking for orphans
-# Ignore denials to /cache/recovery and /cache/backup.
-dontaudit mediaprovider cache_private_backup_file:dir getattr;
-dontaudit mediaprovider cache_recovery_file:dir getattr;
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider { mnt_media_rw_file }:dir search;
-
-allow mediaprovider app_api_service:service_manager find;
-allow mediaprovider audioserver_service:service_manager find;
-allow mediaprovider cameraserver_service:service_manager find;
-allow mediaprovider drmserver_service:service_manager find;
-allow mediaprovider mediaextractor_service:service_manager find;
-allow mediaprovider mediaserver_service:service_manager find;
-
-# Allow MediaProvider to read/write cached ringtones (opened by system).
-allow mediaprovider ringtone_file:file { getattr read write };
-
-# MtpServer uses /dev/mtp_usb
-allow mediaprovider mtp_device:chr_file rw_file_perms;
-
-# MtpServer uses /dev/usb-ffs/mtp
-allow mediaprovider functionfs:dir search;
-allow mediaprovider functionfs:file rw_file_perms;
-allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
-# MtpServer sets sys.usb.ffs.mtp.ready
-get_prop(mediaprovider, ffs_config_prop)
-set_prop(mediaprovider, ffs_control_prop)
-
-# DownloadManager may retrieve DRM status
-get_prop(mediaprovider, drm_service_config_prop)
diff --git a/prebuilts/api/31.0/private/mediaprovider_app.te b/prebuilts/api/31.0/private/mediaprovider_app.te
deleted file mode 100644
index 0e4a50e..0000000
--- a/prebuilts/api/31.0/private/mediaprovider_app.te
+++ /dev/null
@@ -1,56 +0,0 @@
-###
-### A domain for further sandboxing the MediaProvider mainline module.
-###
-type mediaprovider_app, domain, coredomain;
-
-app_domain(mediaprovider_app)
-
-# Access to /mnt/pass_through.
-r_dir_file(mediaprovider_app, mnt_pass_through_file)
-
-# Allow MediaProvider to host a FUSE daemon for external storage
-allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
-
-# Allow MediaProvider to read/write media_rw_data_file files and dirs
-allow mediaprovider_app media_rw_data_file:file create_file_perms;
-allow mediaprovider_app media_rw_data_file:dir create_dir_perms;
-
-# Talk to the DRM service
-allow mediaprovider_app drmserver_service:service_manager find;
-
-# Talk to the MediaServer service
-allow mediaprovider_app mediaserver_service:service_manager find;
-
-# Talk to regular app services
-allow mediaprovider_app app_api_service:service_manager find;
-
-# Talk to the GPU service
-binder_call(mediaprovider_app, gpuservice)
-
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
-# read pipe-max-size configuration
-allow mediaprovider_app proc_pipe_conf:file r_file_perms;
-
-# Allow MediaProvider to set extended attributes (such as quota project ID)
-# on media files.
-allowxperm mediaprovider_app media_rw_data_file:{ dir file } ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
-
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider_app { mnt_media_rw_file }:dir search;
-
-allow mediaprovider_app proc_filesystems:file r_file_perms;
-
-#Allow MediaProvider to see if sdcardfs is in use
-get_prop(mediaprovider_app, storage_config_prop)
-
-get_prop(mediaprovider_app, drm_service_config_prop)
-
-allow mediaprovider_app gpu_device:dir search;
diff --git a/prebuilts/api/31.0/private/mediaserver.te b/prebuilts/api/31.0/private/mediaserver.te
deleted file mode 100644
index 6fe460c..0000000
--- a/prebuilts/api/31.0/private/mediaserver.te
+++ /dev/null
@@ -1,20 +0,0 @@
-typeattribute mediaserver coredomain;
-
-init_daemon_domain(mediaserver)
-tmpfs_domain(mediaserver)
-allow mediaserver appdomain_tmpfs:file { getattr map read write };
-
-# allocate and use graphic buffers
-hal_client_domain(mediaserver, hal_graphics_allocator)
-hal_client_domain(mediaserver, hal_configstore)
-hal_client_domain(mediaserver, hal_drm)
-hal_client_domain(mediaserver, hal_omx)
-hal_client_domain(mediaserver, hal_codec2)
-
-set_prop(mediaserver, audio_prop)
-
-get_prop(mediaserver, drm_service_config_prop)
-get_prop(mediaserver, media_config_prop)
-
-# Allow mediaserver to start media.transcoding service via ctl.start.
-set_prop(mediaserver, ctl_mediatranscoding_prop);
diff --git a/prebuilts/api/31.0/private/mediaswcodec.te b/prebuilts/api/31.0/private/mediaswcodec.te
deleted file mode 100644
index 02079c1..0000000
--- a/prebuilts/api/31.0/private/mediaswcodec.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute mediaswcodec coredomain;
-
-init_daemon_domain(mediaswcodec)
-
-get_prop(mediaswcodec, device_config_media_native_prop)
-get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/prebuilts/api/31.0/private/mediatranscoding.te b/prebuilts/api/31.0/private/mediatranscoding.te
deleted file mode 100644
index 2a43cf9..0000000
--- a/prebuilts/api/31.0/private/mediatranscoding.te
+++ /dev/null
@@ -1,64 +0,0 @@
-# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
-type mediatranscoding_tmpfs, file_type;
-typeattribute mediatranscoding coredomain;
-
-init_daemon_domain(mediatranscoding)
-tmpfs_domain(mediatranscoding)
-allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
-
-binder_use(mediatranscoding)
-binder_call(mediatranscoding, binderservicedomain)
-binder_call(mediatranscoding, appdomain)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-hal_client_domain(mediatranscoding, hal_graphics_allocator)
-hal_client_domain(mediatranscoding, hal_configstore)
-hal_client_domain(mediatranscoding, hal_omx)
-hal_client_domain(mediatranscoding, hal_codec2)
-
-allow mediatranscoding mediaserver_service:service_manager find;
-allow mediatranscoding mediametrics_service:service_manager find;
-allow mediatranscoding mediaextractor_service:service_manager find;
-allow mediatranscoding package_native_service:service_manager find;
-allow mediatranscoding thermal_service:service_manager find;
-
-allow mediatranscoding system_server:fd use;
-allow mediatranscoding activity_service:service_manager find;
-
-# allow mediatranscoding service read/write permissions for file sources
-allow mediatranscoding sdcardfs:file { getattr read write };
-allow mediatranscoding media_rw_data_file:file { getattr read write };
-allow mediatranscoding apk_data_file:file { getattr read };
-allow mediatranscoding app_data_file:file { getattr read write };
-allow mediatranscoding shell_data_file:file { getattr read write };
-
-# allow mediatranscoding service write permission to statsd socket
-unix_socket_send(mediatranscoding, statsdw, statsd)
-
-# Allow mediatranscoding to access the DMA-BUF system heap
-allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow mediatranscoding gpu_device:dir search;
-
-# Allow mediatranscoding service to access media-related system properties
-get_prop(mediatranscoding, media_config_prop)
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/private/mediatuner.te b/prebuilts/api/31.0/private/mediatuner.te
deleted file mode 100644
index 413d2e5..0000000
--- a/prebuilts/api/31.0/private/mediatuner.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# mediatuner - mediatuner daemon
-type mediatuner, domain;
-type mediatuner_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediatuner coredomain;
-
-init_daemon_domain(mediatuner)
-hal_client_domain(mediatuner, hal_tv_tuner)
-
-binder_use(mediatuner)
-binder_call(mediatuner, appdomain)
-binder_service(mediatuner)
-
-add_service(mediatuner, mediatuner_service)
-allow mediatuner system_server:fd use;
-allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
-allow mediatuner package_native_service:service_manager find;
-binder_call(mediatuner, system_server)
-
-###
-### neverallow rules
-###
-
-# mediatuner should never execute any executable without a
-# domain transition
-neverallow mediatuner { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
diff --git a/prebuilts/api/31.0/private/migrate_legacy_obb_data.te b/prebuilts/api/31.0/private/migrate_legacy_obb_data.te
deleted file mode 100644
index b2a1fb1..0000000
--- a/prebuilts/api/31.0/private/migrate_legacy_obb_data.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type migrate_legacy_obb_data, domain, coredomain;
-type migrate_legacy_obb_data_exec, system_file_type, exec_type, file_type;
-
-allow migrate_legacy_obb_data media_rw_data_file:dir create_dir_perms;
-allow migrate_legacy_obb_data media_rw_data_file:file create_file_perms;
-
-allow migrate_legacy_obb_data shell_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data toolbox_exec:file rx_file_perms;
-
-allow migrate_legacy_obb_data self:capability { chown dac_override dac_read_search fowner fsetid };
-
-allow migrate_legacy_obb_data mnt_user_file:dir search;
-allow migrate_legacy_obb_data mnt_user_file:lnk_file read;
-allow migrate_legacy_obb_data storage_file:dir search;
-allow migrate_legacy_obb_data storage_file:lnk_file read;
-
-allow migrate_legacy_obb_data sdcard_type:dir create_dir_perms;
-allow migrate_legacy_obb_data sdcard_type:file create_file_perms;
-
-# TODO: This should not be necessary. We don't deliberately hand over
-# any open file descriptors to this domain, so anything that triggers this
-# should be a candidate for O_CLOEXEC.
-allow migrate_legacy_obb_data installd:fd use;
-
-# This rule is required to let this process read /proc/{parent_pid}/mount.
-# TODO: Why is this required ?
-allow migrate_legacy_obb_data installd:file read;
diff --git a/prebuilts/api/31.0/private/mls b/prebuilts/api/31.0/private/mls
deleted file mode 100644
index 955c27b..0000000
--- a/prebuilts/api/31.0/private/mls
+++ /dev/null
@@ -1,116 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-#
-# Process constraints
-#
-
-# Process transition: Require equivalence unless the subject is trusted.
-mlsconstrain process { transition dyntransition }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Process read operations: No read up unless trusted.
-mlsconstrain process { getsched getsession getpgid getcap getattr ptrace share }
- (l1 dom l2 or t1 == mlstrustedsubject);
-
-# Process write operations: Require equivalence unless trusted.
-mlsconstrain process { sigkill sigstop signal setsched setpgid setcap setrlimit ptrace share }
- (l1 eq l2 or t1 == mlstrustedsubject);
-
-#
-# Socket constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Sockets inherit the range of their creator.
-mlsconstrain socket_class_set { create relabelfrom relabelto }
- ((h1 eq h2 and l1 eq l2) or t1 == mlstrustedsubject);
-
-# Datagram send: Sender must be equivalent to the receiver unless one of them
-# is trusted.
-mlsconstrain unix_dgram_socket { sendto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-# Stream connect: Client must be equivalent to server unless one of them
-# is trusted.
-mlsconstrain unix_stream_socket { connectto }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
-
-#
-# Directory/file constraints
-#
-
-# Create/relabel operations: Subject must be equivalent to object unless
-# the subject is trusted. Also, files should always be single-level.
-# Do NOT exempt mlstrustedobject types from this constraint.
-mlsconstrain dir_file_class_set { create relabelfrom relabelto }
- (l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
-
-#
-# Userfaultfd constraints
-#
-# To enforce that anonymous inodes are self contained in the application's process.
-mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
- (l1 eq l2);
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write, so already open fds can be used.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
-mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
-# TODO: Migrate to equivalence when it's no longer needed.
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-#
-# Constraints for file types other than app data files.
-#
-
-# Read operations: Subject must dominate object unless the subject
-# or the object is trusted.
-mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Write operations: Subject must be equivalent to the object unless the
-# subject or the object is trusted.
-mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
-
-# Special case for FIFOs.
-# These can be unnamed pipes, in which case they will be labeled with the
-# creating process' label. Thus we also have an exemption when the "object"
-# is a domain type, so that processes can communicate via unnamed pipes
-# passed by binder or local socket IPC.
-mlsconstrain fifo_file { read getattr }
- (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-mlsconstrain fifo_file { write setattr append unlink link rename }
- (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject or t2 == domain);
-
-#
-# Binder IPC constraints
-#
-# Presently commented out, as apps are expected to call one another.
-# This would only make sense if apps were assigned categories
-# based on allowable communications rather than per-app categories.
-#mlsconstrain binder call
-# (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedsubject);
diff --git a/prebuilts/api/31.0/private/mls_decl b/prebuilts/api/31.0/private/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/prebuilts/api/31.0/private/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/prebuilts/api/31.0/private/mls_macros b/prebuilts/api/31.0/private/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/prebuilts/api/31.0/private/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/prebuilts/api/31.0/private/mlstrustedsubject.te b/prebuilts/api/31.0/private/mlstrustedsubject.te
deleted file mode 100644
index 22482d9..0000000
--- a/prebuilts/api/31.0/private/mlstrustedsubject.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# MLS override can't be used to access private app data.
-
-# Apps should not normally be mlstrustedsubject, but if they must be
-# they cannot use this to access app private data files; their own app
-# data files must use a different label.
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:dir ~{ read getattr search };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
- -system_server
- -adbd
- -runas
- -zygote
-} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/prebuilts/api/31.0/private/mm_events.te b/prebuilts/api/31.0/private/mm_events.te
deleted file mode 100644
index 4875d40..0000000
--- a/prebuilts/api/31.0/private/mm_events.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type mm_events, domain, coredomain;
-type mm_events_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mm_events)
-
-allow mm_events shell_exec:file rx_file_perms;
-
-# Allow running the sleep command to rate limit attempts
-# to arm mm_events on failure.
-allow mm_events toolbox_exec:file rx_file_perms;
-
-allow mm_events perfetto_exec:file rx_file_perms;
-
-domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/prebuilts/api/31.0/private/modprobe.te b/prebuilts/api/31.0/private/modprobe.te
deleted file mode 100644
index 9858675..0000000
--- a/prebuilts/api/31.0/private/modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute modprobe coredomain;
diff --git a/prebuilts/api/31.0/private/mtp.te b/prebuilts/api/31.0/private/mtp.te
deleted file mode 100644
index 732e111..0000000
--- a/prebuilts/api/31.0/private/mtp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute mtp coredomain;
-
-init_daemon_domain(mtp)
diff --git a/prebuilts/api/31.0/private/netd.te b/prebuilts/api/31.0/private/netd.te
deleted file mode 100644
index 670a4bf..0000000
--- a/prebuilts/api/31.0/private/netd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netd coredomain;
-
-init_daemon_domain(netd)
-
-# Allow netd to spawn dnsmasq in it's own domain
-domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-
-# Allow netd to start clatd in its own domain and kill it
-domain_auto_trans(netd, clatd_exec, clatd)
-allow netd clatd:process signal;
-
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow netd self:key_socket create;
-
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
-get_prop(netd, adbd_config_prop)
-get_prop(netd, bpf_progs_loaded_prop)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
-
-# Allow netd to write to statsd.
-unix_socket_send(netd, statsdw, statsd)
-
-# Allow netd to send callbacks to network_stack
-binder_call(netd, network_stack)
-
-# Allow netd to send dump info to dumpstate
-allow netd dumpstate:fd use;
-allow netd dumpstate:fifo_file { getattr write };
-
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/prebuilts/api/31.0/private/netutils_wrapper.te b/prebuilts/api/31.0/private/netutils_wrapper.te
deleted file mode 100644
index ca3b515..0000000
--- a/prebuilts/api/31.0/private/netutils_wrapper.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute netutils_wrapper coredomain;
-
-r_dir_file(netutils_wrapper, system_file);
-
-# For netutils (ip, iptables, tc)
-allow netutils_wrapper self:global_capability_class_set net_raw;
-
-allow netutils_wrapper system_file:file { execute execute_no_trans };
-allow netutils_wrapper proc_net_type:file { open read getattr };
-allow netutils_wrapper self:rawip_socket create_socket_perms;
-allow netutils_wrapper self:udp_socket create_socket_perms;
-allow netutils_wrapper self:global_capability_class_set net_admin;
-# ip utils need everything but ioctl
-allow netutils_wrapper self:netlink_route_socket ~ioctl;
-allow netutils_wrapper self:netlink_xfrm_socket ~ioctl;
-
-# For netutils (ndc) to be able to talk to netd
-allow netutils_wrapper netd_service:service_manager find;
-allow netutils_wrapper dnsresolver_service:service_manager find;
-binder_use(netutils_wrapper);
-binder_call(netutils_wrapper, netd);
-
-# For vendor code that update the iptables rules at runtime. They need to reload
-# the whole chain including the xt_bpf rules. They need to access to the pinned
-# program when reloading the rule.
-allow netutils_wrapper fs_bpf:dir search;
-allow netutils_wrapper fs_bpf:file { read write };
-allow netutils_wrapper bpfloader:bpf prog_run;
-
-# For /data/misc/net access to ndc and ip
-r_dir_file(netutils_wrapper, net_data_file)
-
-domain_auto_trans({
- domain
- -coredomain
- -appdomain
-}, netutils_wrapper_exec, netutils_wrapper)
-
-# suppress spurious denials
-dontaudit netutils_wrapper self:global_capability_class_set sys_resource;
-dontaudit netutils_wrapper sysfs_type:file read;
-
-# netutils wrapper may only use the following capabilities.
-neverallow netutils_wrapper self:global_capability_class_set ~{ net_admin net_raw };
diff --git a/prebuilts/api/31.0/private/network_stack.te b/prebuilts/api/31.0/private/network_stack.te
deleted file mode 100644
index 09a98b5..0000000
--- a/prebuilts/api/31.0/private/network_stack.te
+++ /dev/null
@@ -1,62 +0,0 @@
-# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
-
-app_domain(network_stack);
-net_domain(network_stack);
-
-allow network_stack self:global_capability_class_set {
- net_admin
- net_bind_service
- net_broadcast
- net_raw
-};
-
-# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
-allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
-
-# The DhcpClient uses packet_sockets
-allow network_stack self:packet_socket create_socket_perms_no_ioctl;
-
-# Monitor neighbors via netlink.
-allow network_stack self:netlink_route_socket nlmsg_write;
-
-allow network_stack app_api_service:service_manager find;
-allow network_stack dnsresolver_service:service_manager find;
-allow network_stack netd_service:service_manager find;
-allow network_stack network_watchlist_service:service_manager find;
-allow network_stack radio_service:service_manager find;
-allow network_stack system_config_service:service_manager find;
-allow network_stack radio_data_file:dir create_dir_perms;
-allow network_stack radio_data_file:file create_file_perms;
-
-binder_call(network_stack, netd);
-
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
-# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
-# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
-dontaudit network_stack self:key_socket getopt;
-
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
-
-# Create/use netlink_tcpdiag_socket to get tcp info
-allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-############### Tethering Service app - Tethering.apk ##############
-hal_client_domain(network_stack, hal_tetheroffload)
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow network_stack network_stack_service:service_manager find;
-# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
-
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/prebuilts/api/31.0/private/nfc.te b/prebuilts/api/31.0/private/nfc.te
deleted file mode 100644
index f1a08f7..0000000
--- a/prebuilts/api/31.0/private/nfc.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# nfc subsystem
-typeattribute nfc coredomain, mlstrustedsubject;
-app_domain(nfc)
-net_domain(nfc)
-
-binder_service(nfc)
-add_service(nfc, nfc_service)
-
-hal_client_domain(nfc, hal_nfc)
-
-# Data file accesses.
-allow nfc nfc_data_file:dir create_dir_perms;
-allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-allow nfc nfc_logs_data_file:dir rw_dir_perms;
-allow nfc nfc_logs_data_file:file create_file_perms;
-
-# SoundPool loading and playback
-allow nfc audioserver_service:service_manager find;
-allow nfc drmserver_service:service_manager find;
-allow nfc mediametrics_service:service_manager find;
-allow nfc mediaextractor_service:service_manager find;
-allow nfc mediaserver_service:service_manager find;
-
-allow nfc radio_service:service_manager find;
-allow nfc app_api_service:service_manager find;
-allow nfc system_api_service:service_manager find;
-allow nfc vr_manager_service:service_manager find;
-allow nfc secure_element_service:service_manager find;
-
-set_prop(nfc, nfc_prop);
-
-# already open bugreport file descriptors may be shared with
-# the nfc process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow nfc shell_data_file:file read;
diff --git a/prebuilts/api/31.0/private/odrefresh.te b/prebuilts/api/31.0/private/odrefresh.te
deleted file mode 100644
index 3db1ae8..0000000
--- a/prebuilts/api/31.0/private/odrefresh.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# odrefresh
-type odrefresh, domain, coredomain;
-type odrefresh_exec, system_file_type, exec_type, file_type;
-
-# Allow odrefresh to create files and directories for on device signing.
-allow odrefresh apex_module_data_file:dir { getattr search };
-allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
-
-# Allow odrefresh to create data files (typically for metrics before statsd starts).
-allow odrefresh odrefresh_data_file:dir create_dir_perms;
-allow odrefresh odrefresh_data_file:file create_file_perms;
-
-userfaultfd_use(odrefresh)
-
-# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
-# sets up files here and passes file descriptors for dex2oat to write to.
-allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
-
-# Allow odrefresh to kill dex2oat if compilation times out.
-allow odrefresh dex2oat:process sigkill;
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Allow odrefresh to kill dexoptanalyzer if analysis times out.
-allow odrefresh dexoptanalyzer:process sigkill;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow odrefresh odsign_devpts:chr_file { read write };
-allow odrefresh odsign:fd use;
-
-# Do not audit unused resources from parent processes (adb, shell, su).
-# These appear to be unnecessary for odrefresh.
-dontaudit odrefresh { adbd shell }:fd use;
-dontaudit odrefresh devpts:chr_file rw_file_perms;
-dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/odsign.te b/prebuilts/api/31.0/private/odsign.te
deleted file mode 100644
index c6c7808..0000000
--- a/prebuilts/api/31.0/private/odsign.te
+++ /dev/null
@@ -1,62 +0,0 @@
-# odsign - on-device signing.
-type odsign, domain;
-
-# odsign - Binary for signing ART artifacts.
-typeattribute odsign coredomain;
-
-type odsign_exec, exec_type, file_type, system_file_type;
-
-# Allow init to start odsign
-init_daemon_domain(odsign)
-
-# Allow using persistent storage in /data/odsign
-allow odsign odsign_data_file:dir create_dir_perms;
-allow odsign odsign_data_file:file create_file_perms;
-
-# Create and use pty created by android_fork_execvp().
-create_pty(odsign)
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
-allowxperm odsign apex_art_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
-};
-
-# talk to binder services (for keystore)
-binder_use(odsign);
-
-# talk to keystore specifically
-use_keystore(odsign);
-
-# Use our dedicated keystore key
-allow odsign odsign_key:keystore2_key {
- delete
- get_info
- rebind
- use
-};
-
-# talk to keymaster
-hal_client_domain(odsign, hal_keymaster)
-
-# For ART apex data dir access
-allow odsign apex_module_data_file:dir { getattr search };
-
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
-allow odsign apex_art_data_file:file { rw_file_perms unlink };
-
-# Run odrefresh to refresh ART artifacts
-domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
-# only odsign can set odsign sysprop
-set_prop(odsign, odsign_prop)
-neverallow { domain -odsign -init } odsign_prop:property_service set;
-
-# Allow odsign to stop itself
-set_prop(odsign, ctl_odsign_prop)
-
-# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/prebuilts/api/31.0/private/otapreopt_chroot.te b/prebuilts/api/31.0/private/otapreopt_chroot.te
deleted file mode 100644
index ea9d4ee..0000000
--- a/prebuilts/api/31.0/private/otapreopt_chroot.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# otapreopt_chroot executable
-typeattribute otapreopt_chroot coredomain;
-type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
-
-# Chroot preparation and execution.
-# We need to create an unshared mount namespace, and then mount /data.
-allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot apex_mnt_dir:dir mounton;
-allow otapreopt_chroot device:dir mounton;
-allow otapreopt_chroot linkerconfig_file:dir mounton;
-allow otapreopt_chroot rootfs:dir mounton;
-allow otapreopt_chroot sysfs:dir mounton;
-allow otapreopt_chroot system_data_root_file:dir mounton;
-allow otapreopt_chroot system_file:dir mounton;
-allow otapreopt_chroot vendor_file:dir mounton;
-allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
-
-# This is required to mount /vendor and mount/unmount ext4 images from
-# APEX packages in /postinstall/apex.
-allow otapreopt_chroot block_device:dir search;
-allow otapreopt_chroot labeledfs:filesystem { mount unmount };
-# This is required for dynamic partitions.
-allow otapreopt_chroot dm_device:chr_file rw_file_perms;
-
-# This is required to unmount flattened APEX packages under
-# /postinstall/system/apex (which are bind-mounted in /postinstall/apex).
-allow otapreopt_chroot postinstall_file:filesystem unmount;
-# Mounting /vendor can have this side-effect. Ignore denial.
-dontaudit otapreopt_chroot kernel:process setsched;
-
-# Allow otapreopt_chroot to read SELinux policy files.
-allow otapreopt_chroot file_contexts_file:file r_file_perms;
-
-# Allow otapreopt_chroot to open and read the contents of /postinstall/system/apex.
-allow otapreopt_chroot postinstall_file:dir r_dir_perms;
-# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
-get_prop(otapreopt_chroot, apexd_prop)
-
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
-allow otapreopt_chroot postinstall:fd use;
-allow otapreopt_chroot update_engine:fd use;
-allow otapreopt_chroot update_engine:fifo_file write;
-
-# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
-domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
-domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
-
-# Allow otapreopt_chroot to control linkerconfig
-allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
-allow otapreopt_chroot linkerconfig_file:file create_file_perms;
-
-# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
-allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
-# Allow otapreopt_chroot to access loop devices.
-allow otapreopt_chroot loop_device:blk_file rw_file_perms;
-allowxperm otapreopt_chroot loop_device:blk_file ioctl {
- LOOP_CONFIGURE
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
-};
-
-# Allow otapreopt_chroot to configure read-ahead of loop devices.
-allow otapreopt_chroot sysfs_loop:dir r_dir_perms;
-allow otapreopt_chroot sysfs_loop:file rw_file_perms;
-
-# Allow otapreopt_chroot to mount a tmpfs filesystem in /postinstall/apex.
-allow otapreopt_chroot tmpfs:filesystem mount;
-# Allow otapreopt_chroot to restore the security context of /postinstall/apex.
-allow otapreopt_chroot tmpfs:dir relabelfrom;
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir relabelto;
-
-# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
-allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
-# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
-allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
-
-# Allow otapreopt_chroot to access /dev/block (needed to detach loop
-# devices used by ext4 images from APEX packages).
-allow otapreopt_chroot block_device:dir r_dir_perms;
-
-# Allow to access the linker through the symlink.
-allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
-
-# Allow otapreopt_chroot to read ro.cold_boot_done prop.
-# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
-# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
-get_prop(otapreopt_chroot, cold_boot_done_prop)
-
-# allow otapreopt_chroot to run the linkerconfig from the new image.
-allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/prebuilts/api/31.0/private/otapreopt_slot.te b/prebuilts/api/31.0/private/otapreopt_slot.te
deleted file mode 100644
index 27a3b0e..0000000
--- a/prebuilts/api/31.0/private/otapreopt_slot.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-type otapreopt_slot, domain, mlstrustedsubject, coredomain;
-type otapreopt_slot_exec, system_file_type, exec_type, file_type;
-
-# Technically not a daemon but we do want the transition from init domain to
-# cppreopts to occur.
-init_daemon_domain(otapreopt_slot)
-
-# The otapreopt_slot renames the OTA dalvik-cache to the regular dalvik-cache, and cleans up
-# the directory afterwards. For logging of aggregate size, we need getattr.
-allow otapreopt_slot ota_data_file:dir { rw_dir_perms rename reparent rmdir };
-allow otapreopt_slot ota_data_file:{ file lnk_file } getattr;
-# (du follows symlinks)
-allow otapreopt_slot ota_data_file:lnk_file read;
-
-# Delete old content of the dalvik-cache.
-allow otapreopt_slot dalvikcache_data_file:dir { add_name getattr open read remove_name rmdir search write };
-allow otapreopt_slot dalvikcache_data_file:file { getattr unlink };
-allow otapreopt_slot dalvikcache_data_file:lnk_file { getattr read unlink };
-
-# Allow cppreopts to execute itself using #!/system/bin/sh
-allow otapreopt_slot shell_exec:file rx_file_perms;
-
-# Allow running the mv and rm/rmdir commands using otapreopt_slot permissions.
-# Needed so we can move artifacts into /data/dalvik-cache/dalvik-cache.
-allow otapreopt_slot toolbox_exec:file rx_file_perms;
diff --git a/prebuilts/api/31.0/private/perfetto.te b/prebuilts/api/31.0/private/perfetto.te
deleted file mode 100644
index f9693da..0000000
--- a/prebuilts/api/31.0/private/perfetto.te
+++ /dev/null
@@ -1,102 +0,0 @@
-# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
-# This command line client accesses the privileged socket of the traced
-# daemon.
-
-type perfetto_exec, system_file_type, exec_type, file_type;
-type perfetto_tmpfs, file_type;
-
-tmpfs_domain(perfetto);
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(perfetto, traced_consumer, traced)
-
-# Connect to the Perfetto traced daemon as a producer. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(perfetto)
-
-# Allow to write and unlink traces into /data/misc/perfetto-traces.
-allow perfetto perfetto_traces_data_file:dir rw_dir_perms;
-allow perfetto perfetto_traces_data_file:file create_file_perms;
-
-# Allow to access binder to pass the traces to Dropbox.
-binder_use(perfetto)
-binder_call(perfetto, system_server)
-allow perfetto dropbox_service:service_manager find;
-
-# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
-# shell and adb can write files into that directory.
-allow perfetto perfetto_configs_data_file:dir r_dir_perms;
-allow perfetto perfetto_configs_data_file:file r_file_perms;
-
-# Allow perfetto to read the trace config from statsd, mm_events and shell
-# (both root and non-root) on stdin and also to write the resulting trace to
-# stdout.
-allow perfetto { statsd mm_events shell su }:fd use;
-allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
-
-# Allow to communicate use, read and write over the adb connection.
-allow perfetto adbd:fd use;
-allow perfetto adbd:unix_stream_socket { read write };
-
-# Allow adbd to reap perfetto.
-allow perfetto adbd:process { sigchld };
-
-# Allow perfetto to write to statsd.
-unix_socket_send(perfetto, statsdw, statsd)
-
-# Allow to access /dev/pts when launched in an adb shell.
-allow perfetto devpts:chr_file rw_file_perms;
-
-# Allow perfetto to ask incidentd to start a report.
-allow perfetto incident_service:service_manager find;
-binder_call(perfetto, incidentd)
-
-# perfetto log formatter calls isatty() on its stderr. Denial when running
-# under adbd is harmless. Avoid generating denial logs.
-dontaudit perfetto adbd:unix_stream_socket getattr;
-dontauditxperm perfetto adbd:unix_stream_socket ioctl unpriv_tty_ioctls;
-# As above, when adbd is running in "su" domain (only the ioctl is denied in
-# practice).
-dontauditxperm perfetto su:unix_stream_socket ioctl unpriv_tty_ioctls;
-# Similarly, CTS tests end up hitting a denial on shell pipes.
-dontauditxperm perfetto shell:fifo_file ioctl unpriv_tty_ioctls;
-
-###
-### Neverallow rules
-###
-### perfetto should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow perfetto self:process execmem;
-
-# Block device access.
-neverallow perfetto dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow perfetto domain:process ptrace;
-
-# Disallows access to other /data files.
-neverallow perfetto {
- data_file_type
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
- # neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
-neverallow perfetto zoneinfo_data_file:dir ~r_dir_perms;
-neverallow perfetto { data_file_type -zoneinfo_data_file -perfetto_traces_data_file }:lnk_file *;
-neverallow perfetto {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_configs_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
diff --git a/prebuilts/api/31.0/private/performanced.te b/prebuilts/api/31.0/private/performanced.te
deleted file mode 100644
index 792826e..0000000
--- a/prebuilts/api/31.0/private/performanced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute performanced coredomain;
-
-init_daemon_domain(performanced)
diff --git a/prebuilts/api/31.0/private/permissioncontroller_app.te b/prebuilts/api/31.0/private/permissioncontroller_app.te
deleted file mode 100644
index 5f81875..0000000
--- a/prebuilts/api/31.0/private/permissioncontroller_app.te
+++ /dev/null
@@ -1,22 +0,0 @@
-###
-### A domain for further sandboxing the GooglePermissionController app.
-###
-type permissioncontroller_app, domain, coredomain;
-
-app_domain(permissioncontroller_app)
-
-allow permissioncontroller_app app_api_service:service_manager find;
-allow permissioncontroller_app system_api_service:service_manager find;
-
-# Allow interaction with gpuservice
-binder_call(permissioncontroller_app, gpuservice)
-
-allow permissioncontroller_app radio_service:service_manager find;
-
-# Allow the app to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow permissioncontroller_app incident_service:service_manager find;
-binder_call(permissioncontroller_app, incidentd)
-allow permissioncontroller_app incidentd:fifo_file { read write };
-
-allow permissioncontroller_app gpu_device:dir search;
diff --git a/prebuilts/api/31.0/private/platform_app.te b/prebuilts/api/31.0/private/platform_app.te
deleted file mode 100644
index f746f1c..0000000
--- a/prebuilts/api/31.0/private/platform_app.te
+++ /dev/null
@@ -1,110 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-typeattribute platform_app coredomain;
-
-app_domain(platform_app)
-
-# Access the network.
-net_domain(platform_app)
-# Access bluetooth.
-bluetooth_domain(platform_app)
-# Read from /data/local/tmp or /data/data/com.android.shell.
-allow platform_app shell_data_file:dir search;
-allow platform_app shell_data_file:file { open getattr read };
-allow platform_app icon_file:file { open getattr read };
-# Populate /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-# created by system server.
-allow platform_app { apk_tmp_file apk_private_tmp_file }:dir rw_dir_perms;
-allow platform_app { apk_tmp_file apk_private_tmp_file }:file rw_file_perms;
-allow platform_app apk_private_data_file:dir search;
-# ASEC
-allow platform_app asec_apk_file:dir create_dir_perms;
-allow platform_app asec_apk_file:file create_file_perms;
-
-# Access to /data/media.
-allow platform_app media_rw_data_file:dir create_dir_perms;
-allow platform_app media_rw_data_file:file create_file_perms;
-
-# Write to /cache.
-allow platform_app cache_file:dir create_dir_perms;
-allow platform_app cache_file:file create_file_perms;
-
-# Direct access to vold-mounted storage under /mnt/media_rw
-# This is a performance optimization that allows platform apps to bypass the FUSE layer
-allow platform_app mnt_media_rw_file:dir r_dir_perms;
-allow platform_app sdcard_type:dir create_dir_perms;
-allow platform_app sdcard_type:file create_file_perms;
-
-# com.android.systemui
-allow platform_app rootfs:dir getattr;
-
-# com.android.captiveportallogin reads /proc/vmstat
-allow platform_app {
- proc_vmstat
-}:file r_file_perms;
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-r_dir_file(platform_app, proc_net_type)
-userdebug_or_eng(`
- auditallow platform_app proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-allow platform_app audioserver_service:service_manager find;
-allow platform_app cameraserver_service:service_manager find;
-allow platform_app drmserver_service:service_manager find;
-allow platform_app mediaserver_service:service_manager find;
-allow platform_app mediametrics_service:service_manager find;
-allow platform_app mediaextractor_service:service_manager find;
-allow platform_app mediadrmserver_service:service_manager find;
-allow platform_app persistent_data_block_service:service_manager find;
-allow platform_app radio_service:service_manager find;
-allow platform_app thermal_service:service_manager find;
-allow platform_app timezone_service:service_manager find;
-allow platform_app app_api_service:service_manager find;
-allow platform_app system_api_service:service_manager find;
-allow platform_app vr_manager_service:service_manager find;
-allow platform_app stats_service:service_manager find;
-
-# Allow platform apps to log via statsd.
-binder_call(platform_app, statsd)
-
-# Access to /data/preloads
-allow platform_app preloads_data_file:file r_file_perms;
-allow platform_app preloads_data_file:dir r_dir_perms;
-allow platform_app preloads_media_file:file r_file_perms;
-allow platform_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(platform_app)
-
-# allow platform apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow platform_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow platform apps to connect to the property service
-set_prop(platform_app, test_boot_reason_prop)
-
-# allow platform apps to read keyguard.no_require_sim
-get_prop(platform_app, keyguard_config_prop)
-
-# allow platform apps to read qemu.hw.mainkeys
-get_prop(platform_app, qemu_hw_prop)
-
-# allow platform apps to create symbolic link
-allow platform_app app_data_file:lnk_file create_file_perms;
-
-# suppress denials caused by debugfs_tracing
-dontaudit platform_app debugfs_tracing:file rw_file_perms;
-
-# Allow platform apps to act as Perfetto producers.
-perfetto_producer(platform_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as platform_app
-neverallow platform_app fuse_device:chr_file *;
diff --git a/prebuilts/api/31.0/private/policy_capabilities b/prebuilts/api/31.0/private/policy_capabilities
deleted file mode 100644
index 9290e3a..0000000
--- a/prebuilts/api/31.0/private/policy_capabilities
+++ /dev/null
@@ -1,20 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
-# Enable NoNewPrivileges support. Requires libsepol 2.7+
-# and kernel 4.14 (estimated).
-#
-# Checks enabled;
-# process2: nnp_transition, nosuid_transition
-#
-policycap nnp_nosuid_transition;
diff --git a/prebuilts/api/31.0/private/port_contexts b/prebuilts/api/31.0/private/port_contexts
deleted file mode 100644
index b473c0c..0000000
--- a/prebuilts/api/31.0/private/port_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
diff --git a/prebuilts/api/31.0/private/postinstall.te b/prebuilts/api/31.0/private/postinstall.te
deleted file mode 100644
index 7060c59..0000000
--- a/prebuilts/api/31.0/private/postinstall.te
+++ /dev/null
@@ -1,5 +0,0 @@
-typeattribute postinstall coredomain;
-type postinstall_exec, system_file_type, exec_type, file_type;
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-
-allow postinstall rootfs:dir r_dir_perms;
diff --git a/prebuilts/api/31.0/private/postinstall_dexopt.te b/prebuilts/api/31.0/private/postinstall_dexopt.te
deleted file mode 100644
index 2fdc941..0000000
--- a/prebuilts/api/31.0/private/postinstall_dexopt.te
+++ /dev/null
@@ -1,88 +0,0 @@
-# Domain for the otapreopt executable, running under postinstall_dexopt
-#
-# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
-# this is derived and adapted from installd.te.
-
-type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
-type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
-type postinstall_dexopt_tmpfs, file_type;
-
-# Run dex2oat/patchoat in its own sandbox.
-# We have to manually transition, as we don't have an entrypoint.
-# - Case where dex2oat is in a non-flattened APEX, which has retained
-# the correct type (`dex2oat_exec`).
-domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
-# - Case where dex2oat is in a flattened APEX, which has been tagged
-# with the `postinstall_file` type by update_engine.
-domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-
-# Run derive_classpath to get the current BCP.
-domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
-# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
-tmpfs_domain(postinstall_dexopt);
-allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
-
-allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
-
-allow postinstall_dexopt postinstall_file:filesystem getattr;
-allow postinstall_dexopt postinstall_file:dir { getattr read search };
-allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
-allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt rootfs:file r_file_perms;
-
-allow postinstall_dexopt tmpfs:file read;
-
-# Allow access odsign verification status
-get_prop(postinstall_dexopt, odsign_prop)
-
-# Allow access to /postinstall/apex.
-allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
-
-# Note: /data/ota is created by init (see system/core/rootdir/init.rc) to avoid giving access
-# here and having to relabel the directory.
-
-# Read app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, apk_data_file)
-# Read vendor app data (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_app_file)
-# Read vendor overlay files (APKs) as input to dex2oat.
-r_dir_file(postinstall_dexopt, vendor_overlay_file)
-# Access to app oat directory.
-r_dir_file(postinstall_dexopt, dalvikcache_data_file)
-
-# Read profile data.
-allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
-allow postinstall_dexopt user_profile_data_file:file r_file_perms;
-# Suppress deletion denial (we do not want to update the profile).
-dontaudit postinstall_dexopt user_profile_data_file:file { write };
-
-# Write to /data/ota(/*). Create symlinks in /data/ota(/*)
-allow postinstall_dexopt ota_data_file:dir create_dir_perms;
-allow postinstall_dexopt ota_data_file:file create_file_perms;
-allow postinstall_dexopt ota_data_file:lnk_file create_file_perms;
-
-# Need to write .b files, which are dalvikcache_data_file, not ota_data_file.
-# TODO: See whether we can apply ota_data_file?
-allow postinstall_dexopt dalvikcache_data_file:dir rw_dir_perms;
-allow postinstall_dexopt dalvikcache_data_file:file create_file_perms;
-
-# Allow labeling of files under /data/app/com.example/oat/
-# TODO: Restrict to .b suffix?
-allow postinstall_dexopt dalvikcache_data_file:dir relabelto;
-allow postinstall_dexopt dalvikcache_data_file:file { relabelto link };
-
-# Check validity of SELinux context before use.
-selinux_check_context(postinstall_dexopt)
-selinux_check_access(postinstall_dexopt)
-
-
-# Postinstall wants to know about our child.
-allow postinstall_dexopt postinstall:process sigchld;
-
-# Allow otapreopt to use file descriptors from otapreopt_chroot.
-# TODO: Probably we can actually close file descriptors...
-allow postinstall_dexopt otapreopt_chroot:fd use;
-
-# Allow postinstall_dexopt to access the runtime feature flag properties.
-get_prop(postinstall_dexopt, device_config_runtime_native_prop)
-get_prop(postinstall_dexopt, device_config_runtime_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/ppp.te b/prebuilts/api/31.0/private/ppp.te
deleted file mode 100644
index 968b221..0000000
--- a/prebuilts/api/31.0/private/ppp.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute ppp coredomain;
-
-domain_auto_trans(mtp, ppp_exec, ppp)
diff --git a/prebuilts/api/31.0/private/preloads_copy.te b/prebuilts/api/31.0/private/preloads_copy.te
deleted file mode 100644
index ba54b70..0000000
--- a/prebuilts/api/31.0/private/preloads_copy.te
+++ /dev/null
@@ -1,18 +0,0 @@
-type preloads_copy, domain, coredomain;
-type preloads_copy_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(preloads_copy)
-
-allow preloads_copy shell_exec:file rx_file_perms;
-allow preloads_copy toolbox_exec:file rx_file_perms;
-allow preloads_copy preloads_data_file:dir create_dir_perms;
-allow preloads_copy preloads_data_file:file create_file_perms;
-allow preloads_copy preloads_media_file:dir create_dir_perms;
-allow preloads_copy preloads_media_file:file create_file_perms;
-
-# Allow to copy from /postinstall
-allow preloads_copy system_file:dir r_dir_perms;
-
-# Silence the denial when /postinstall cannot be mounted, e.g., system_other
-# is wiped, but preloads_copy.sh still runs.
-dontaudit preloads_copy postinstall_mnt_dir:dir search;
diff --git a/prebuilts/api/31.0/private/preopt2cachename.te b/prebuilts/api/31.0/private/preopt2cachename.te
deleted file mode 100644
index dcfba14..0000000
--- a/prebuilts/api/31.0/private/preopt2cachename.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# preopt2cachename executable
-#
-# This executable translates names from the preopted versions the build system
-# creates to the names the runtime expects in the data directory.
-
-type preopt2cachename, domain, coredomain;
-type preopt2cachename_exec, system_file_type, exec_type, file_type;
-
-# Allow write to stdout.
-allow preopt2cachename cppreopts:fd use;
-allow preopt2cachename cppreopts:fifo_file { getattr read write };
-
-# Allow write to logcat.
-allow preopt2cachename proc_net_type:file r_file_perms;
-userdebug_or_eng(`
- auditallow preopt2cachename proc_net_type:{ dir file lnk_file } { getattr open read };
-')
diff --git a/prebuilts/api/31.0/private/priv_app.te b/prebuilts/api/31.0/private/priv_app.te
deleted file mode 100644
index 3ceb7a3..0000000
--- a/prebuilts/api/31.0/private/priv_app.te
+++ /dev/null
@@ -1,262 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-typeattribute priv_app coredomain;
-app_domain(priv_app)
-
-# Access the network.
-net_domain(priv_app)
-# Access bluetooth.
-bluetooth_domain(priv_app)
-
-# Allow the allocation and use of ptys
-# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
-create_pty(priv_app)
-
-# Allow loading executable code from writable priv-app home
-# directories. This is a W^X violation, however, it needs
-# to be supported for now for the following reasons.
-# * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
-# 1) com.android.opengl.shaders_cache
-# 2) com.android.skia.shaders_cache
-# 3) com.android.renderscript.cache
-# * /data/user_de/0/com.google.android.gms/app_chimera
-# TODO: Tighten (b/112357170)
-allow priv_app privapp_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow priv_app system_linker_exec:file execute_no_trans;
-
-allow priv_app privapp_data_file:lnk_file create_file_perms;
-
-# Priv apps can find services that expose both @SystemAPI and normal APIs.
-allow priv_app app_api_service:service_manager find;
-allow priv_app system_api_service:service_manager find;
-
-allow priv_app audioserver_service:service_manager find;
-allow priv_app cameraserver_service:service_manager find;
-allow priv_app drmserver_service:service_manager find;
-allow priv_app mediadrmserver_service:service_manager find;
-allow priv_app mediaextractor_service:service_manager find;
-allow priv_app mediametrics_service:service_manager find;
-allow priv_app mediaserver_service:service_manager find;
-allow priv_app music_recognition_service:service_manager find;
-allow priv_app network_watchlist_service:service_manager find;
-allow priv_app nfc_service:service_manager find;
-allow priv_app oem_lock_service:service_manager find;
-allow priv_app persistent_data_block_service:service_manager find;
-allow priv_app radio_service:service_manager find;
-allow priv_app recovery_service:service_manager find;
-allow priv_app stats_service:service_manager find;
-
-# Write to /cache.
-allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
-allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
-# /cache is a symlink to /data/cache on some devices. Allow reading the link.
-allow priv_app cache_file:lnk_file r_file_perms;
-
-# Access to /data/media.
-allow priv_app media_rw_data_file:dir create_dir_perms;
-allow priv_app media_rw_data_file:file create_file_perms;
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-allow priv_app shell_data_file:file r_file_perms;
-allow priv_app shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to betterbug
-allow priv_app trace_data_file:file { getattr read };
-
-# Allow betterbug to read profile reports generated by profcollect.
-userdebug_or_eng(`
- allow priv_app profcollectd_data_file:file r_file_perms;
-')
-
-# Allow the bug reporting frontend to read the presence and timestamp of the
-# trace attached to the bugreport (but not its contents, which will go in the
-# usual bugreport .zip file). This is used by the bug reporting UI to tell if
-# the bugreport will contain a system trace or not while the bugreport is still
-# in progress.
-allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
-allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
-# Required to traverse the parent dir (/data/misc/perfetto-traces).
-allow priv_app perfetto_traces_data_file:dir { search };
-
-# Allow verifier to access staged apks.
-allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
-allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-
-# For AppFuse.
-allow priv_app vold:fd use;
-allow priv_app fuse_device:chr_file { read write };
-
-# /proc access
-allow priv_app {
- proc_vmstat
-}:file r_file_perms;
-
-allow priv_app sysfs_type:dir search;
-# Read access to /sys/class/net/wlan*/address
-r_dir_file(priv_app, sysfs_net)
-# Read access to /sys/block/zram*/mm_stat
-r_dir_file(priv_app, sysfs_zram)
-
-r_dir_file(priv_app, rootfs)
-
-# access the mac address
-allowxperm priv_app self:udp_socket ioctl SIOCGIFHWADDR;
-
-# Allow com.android.vending to communicate with statsd.
-binder_call(priv_app, statsd)
-
-# Allow Phone to read/write cached ringtones (opened by system).
-allow priv_app ringtone_file:file { getattr read write };
-
-# Access to /data/preloads
-allow priv_app preloads_data_file:file r_file_perms;
-allow priv_app preloads_data_file:dir r_dir_perms;
-allow priv_app preloads_media_file:file r_file_perms;
-allow priv_app preloads_media_file:dir r_dir_perms;
-
-read_runtime_log_tags(priv_app)
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(priv_app)
-
-# Allow priv_apps to request and collect incident reports.
-# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
-allow priv_app incident_service:service_manager find;
-binder_call(priv_app, incidentd)
-allow priv_app incidentd:fifo_file { read write };
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(priv_app)
-can_profile_perf(priv_app)
-
-# Allow priv_apps to check whether Dynamic System Update is enabled
-get_prop(priv_app, dynamic_system_prop)
-
-# suppress denials for non-API accesses.
-dontaudit priv_app exec_type:file getattr;
-dontaudit priv_app device:dir read;
-dontaudit priv_app fs_bpf:dir search;
-dontaudit priv_app net_dns_prop:file read;
-dontaudit priv_app proc:file read;
-dontaudit priv_app proc_interrupts:file read;
-dontaudit priv_app proc_modules:file read;
-dontaudit priv_app proc_net:file read;
-dontaudit priv_app proc_stat:file read;
-dontaudit priv_app proc_version:file read;
-dontaudit priv_app sysfs:dir read;
-dontaudit priv_app sysfs:file read;
-dontaudit priv_app sysfs_android_usb:file read;
-dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
-
-# allow privileged apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow priv_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status and loading progress
-allowxperm priv_app apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- INCFS_IOCTL_GET_FILLED_BLOCKS
-};
-
-# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
-allow priv_app incremental_control_file:file { read getattr ioctl };
-
-# allow apps like Phonesky to request permission to fill blocks of an apk file
-# on the Incremental File System.
-allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
-
-# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
-get_prop(priv_app, incremental_prop)
-
-# Required for Phonesky to be able to read APEX files under /data/apex/active/.
-allow priv_app apex_data_file:dir search;
-allow priv_app staging_data_file:file r_file_perms;
-# Required for Phonesky to be able to read staged files under /data/app-staging.
-allow priv_app staging_data_file:dir r_dir_perms;
-
-# allow priv app to access the system app data files for ContentProvider case.
-allow priv_app system_app_data_file:file { read getattr };
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(priv_app, rs_exec, rs)
-
-# Allow loading and deleting executable shared libraries
-# within an application home directory. Such shared libraries would be
-# created by things like renderscript or via other mechanisms.
-allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
-
-###
-### neverallow rules
-###
-
-# Receive or send uevent messages.
-neverallow priv_app domain:netlink_kobject_uevent_socket *;
-
-# Receive or send generic netlink messages
-neverallow priv_app domain:netlink_socket *;
-
-# Read or write kernel printk buffer
-neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
-
-# Too much leaky information in debugfs. It's a security
-# best practice to ensure these files aren't readable.
-neverallow priv_app debugfs:file read;
-
-# Do not allow privileged apps to register services.
-# Only trusted components of Android should be registering
-# services.
-neverallow priv_app service_manager_type:service_manager add;
-
-# Do not allow privileged apps to connect to the property service
-# or set properties. b/10243159
-neverallow priv_app property_socket:sock_file write;
-neverallow priv_app init:unix_stream_socket connectto;
-neverallow priv_app property_type:property_service set;
-
-# Do not allow priv_app to be assigned mlstrustedsubject.
-# This would undermine the per-user isolation model being
-# enforced via levelFrom=user in seapp_contexts and the mls
-# constraints. As there is no direct way to specify a neverallow
-# on attribute assignment, this relies on the fact that fork
-# permission only makes sense within a domain (hence should
-# never be granted to any other domain within mlstrustedsubject)
-# and priv_app is allowed fork permission to itself.
-neverallow priv_app mlstrustedsubject:process fork;
-
-# Do not allow priv_app to hard link to any files.
-# In particular, if priv_app links to other app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure priv_app never has this
-# capability.
-neverallow priv_app file_type:file link;
-
-# priv apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor which they can then read
-neverallow priv_app trace_data_file:dir *;
-neverallow priv_app trace_data_file:file { no_w_file_perms open };
-
-# Do not allow priv_app access to cgroups.
-neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
-
-# Do not allow loading executable code from non-privileged
-# application home directories. Code loading across a security boundary
-# is dangerous and allows a full compromise of a privileged process
-# by an unprivileged process. b/112357170
-neverallow priv_app app_data_file:file no_x_file_perms;
-
-# Do not follow untrusted app provided symlinks
-neverallow priv_app app_data_file:lnk_file { open read getattr };
diff --git a/prebuilts/api/31.0/private/profcollectd.te b/prebuilts/api/31.0/private/profcollectd.te
deleted file mode 100644
index efde321..0000000
--- a/prebuilts/api/31.0/private/profcollectd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain, mlstrustedsubject;
-type profcollectd_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(profcollectd)
-
- # profcollectd opens a file for writing in /data/misc/profcollectd.
- allow profcollectd profcollectd_data_file:file create_file_perms;
- allow profcollectd profcollectd_data_file:dir create_dir_perms;
-
- # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
- allow profcollectd self:perf_event { cpu kernel open read write };
-
- # Allow profcollectd to scan through /proc/pid for all processes.
- r_dir_file(profcollectd, domain)
-
- # Allow profcollectd to read executable binaries.
- allow profcollectd system_file_type:file r_file_perms;
- allow profcollectd vendor_file_type:file r_file_perms;
-
- # Allow profcollectd to search for and read kernel modules.
- allow profcollectd vendor_file:dir r_dir_perms;
- allow profcollectd vendor_kernel_modules:file r_file_perms;
-
- # Allow profcollectd to read system bootstrap libs.
- allow profcollectd system_bootstrap_lib_file:dir search;
- allow profcollectd system_bootstrap_lib_file:file r_file_perms;
-
- # Allow profcollectd to access tracefs.
- allow profcollectd debugfs_tracing:dir r_dir_perms;
- allow profcollectd debugfs_tracing:file rw_file_perms;
- allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
- allow profcollectd debugfs_tracing_debug:file rw_file_perms;
-
- # Allow profcollectd to write to perf_event_paranoid under /proc.
- allow profcollectd proc_perf:file write;
-
- # Allow profcollectd to access cs_etm sysfs.
- r_dir_file(profcollectd, sysfs_devices_cs_etm)
-
- # Allow profcollectd to ptrace.
- allow profcollectd self:global_capability_class_set sys_ptrace;
-
- # Allow profcollectd to read its system properties.
- get_prop(profcollectd, device_config_profcollect_native_boot_prop)
- set_prop(profcollectd, profcollectd_node_id_prop)
-
- # Allow profcollectd to publish a binder service and make binder calls.
- binder_use(profcollectd)
- add_service(profcollectd, profcollectd_service)
-
- # Allow to temporarily lift the kptr_restrict setting and get kernel start address
- # by reading /proc/kallsyms, get module start address by reading /proc/modules.
- set_prop(profcollectd, lower_kptr_restrict_prop)
- allow profcollectd proc_kallsyms:file r_file_perms;
- allow profcollectd proc_modules:file r_file_perms;
-
- # Allow profcollectd to read kernel build id.
- allow profcollectd sysfs_kernel_notes:file r_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/profman.te b/prebuilts/api/31.0/private/profman.te
deleted file mode 100644
index f61d05e..0000000
--- a/prebuilts/api/31.0/private/profman.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute profman coredomain;
diff --git a/prebuilts/api/31.0/private/property.te b/prebuilts/api/31.0/private/property.te
deleted file mode 100644
index 29f4f1a..0000000
--- a/prebuilts/api/31.0/private/property.te
+++ /dev/null
@@ -1,607 +0,0 @@
-# Properties used only in /system
-system_internal_prop(adbd_prop)
-system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_profcollect_native_boot_prop)
-system_internal_prop(device_config_statsd_native_prop)
-system_internal_prop(device_config_statsd_native_boot_prop)
-system_internal_prop(device_config_storage_native_boot_prop)
-system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(device_config_window_manager_native_boot_prop)
-system_internal_prop(device_config_configuration_prop)
-system_internal_prop(device_config_connectivity_prop)
-system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(fastbootd_protocol_prop)
-system_internal_prop(gsid_prop)
-system_internal_prop(init_perf_lsm_hooks_prop)
-system_internal_prop(init_service_status_private_prop)
-system_internal_prop(init_svc_debug_prop)
-system_internal_prop(keystore_crash_prop)
-system_internal_prop(keystore_listen_prop)
-system_internal_prop(last_boot_reason_prop)
-system_internal_prop(localization_prop)
-system_internal_prop(lower_kptr_restrict_prop)
-system_internal_prop(net_464xlat_fromvendor_prop)
-system_internal_prop(net_connectivity_prop)
-system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(odsign_prop)
-system_internal_prop(perf_drop_caches_prop)
-system_internal_prop(pm_prop)
-system_internal_prop(profcollectd_node_id_prop)
-system_internal_prop(radio_cdma_ecm_prop)
-system_internal_prop(rollback_test_prop)
-system_internal_prop(setupwizard_prop)
-system_internal_prop(system_adbd_prop)
-system_internal_prop(traced_perf_enabled_prop)
-system_internal_prop(userspace_reboot_log_prop)
-system_internal_prop(userspace_reboot_test_prop)
-system_internal_prop(verity_status_prop)
-system_internal_prop(zygote_wrap_prop)
-system_internal_prop(ctl_mediatranscoding_prop)
-system_internal_prop(ctl_odsign_prop)
-
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-enforce_sysprop_owner(`
- neverallow domain {
- property_type
- -system_property_type
- -product_property_type
- -vendor_property_type
- }:file no_rw_file_perms;
-')
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -dhcp_prop
- -dumpstate_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -usb_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
- domain
- -init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_system_prop
- exported3_system_prop
- usb_control_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- radio_control_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -init
- -dumpstate
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- wifi_hal_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- dalvik_config_prop
- extended_core_property_type
- exported3_system_prop
- systemsound_config_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -vendor_init
- } {
- suspend_prop
- }:property_service set;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- ffs_config_prop
- ffs_control_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- domain
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
-neverallow {
- domain
- -init
- -vendor_init
- -adbd
- -system_server
-} {
- adbd_config_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- domain
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- domain
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} {
- surfaceflinger_color_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} {
- libc_debug_prop
-}:property_service set;
-
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-neverallow {
- domain
- -init
- -shell
-} {
- arm64_memtag_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} zram_control_prop:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} dalvik_runtime_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- usb_config_prop
- usb_control_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- provisioned_prop
- retaildemo_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- provisioned_prop
- retaildemo_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- init_service_status_private_prop
- init_service_status_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -radio
- -appdomain
- -hal_telephony_server
- not_compatible_property(`-vendor_init')
-} telephony_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
-} {
- graphics_config_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -surfaceflinger
-} {
- surfaceflinger_display_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
-} packagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} keyguard_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- localization_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_app
-} oem_unlock_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} storagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} sendbug_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} camera_calibration_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -dumpstate
- -hal_dumpstate_server
- not_compatible_property(`-vendor_init')
-} hal_dumpstate_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- userdebug_or_eng(`-traced_probes')
- userdebug_or_eng(`-traced_perf')
-} {
- lower_kptr_restrict_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} zygote_wrap_prop:property_service set;
-
-neverallow {
- domain
- -init
-} verity_status_prop:property_service set;
-
-neverallow {
- domain
- -init
-} setupwizard_prop:property_service set;
-
-# ro.product.property_source_order is useless after initialization of ro.product.* props.
-# So making it accessible only from init and vendor_init.
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
-} build_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -shell
-} sqlite_log_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
-} sqlite_log_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} default_prop:property_service set;
-
-# Only one of system_property_type and vendor_property_type can be assigned.
-# Property types having both attributes won't be accessible from anywhere.
-neverallow domain system_and_vendor_property_type:{file property_service} *;
-
-neverallow {
- # Only allow init and shell to set rollback_test_prop
- domain
- -init
- -shell
-} rollback_test_prop:property_service set;
-
-neverallow {
- # Only allow init and profcollectd to access profcollectd_node_id_prop
- domain
- -init
- -dumpstate
- -profcollectd
-} profcollectd_node_id_prop:file r_file_perms;
-
diff --git a/prebuilts/api/31.0/private/property_contexts b/prebuilts/api/31.0/private/property_contexts
deleted file mode 100644
index 0009197..0000000
--- a/prebuilts/api/31.0/private/property_contexts
+++ /dev/null
@@ -1,1222 +0,0 @@
-##########################
-# property service keys
-#
-#
-net.rmnet u:object_r:net_radio_prop:s0
-net.gprs u:object_r:net_radio_prop:s0
-net.ppp u:object_r:net_radio_prop:s0
-net.qmi u:object_r:net_radio_prop:s0
-net.lte u:object_r:net_radio_prop:s0
-net.cdma u:object_r:net_radio_prop:s0
-net.dns u:object_r:net_dns_prop:s0
-ril. u:object_r:radio_prop:s0
-ro.ril. u:object_r:radio_prop:s0
-gsm. u:object_r:radio_prop:s0
-persist.radio u:object_r:radio_prop:s0
-
-net. u:object_r:system_prop:s0
-dev. u:object_r:system_prop:s0
-ro.runtime. u:object_r:system_prop:s0
-ro.runtime.firstboot u:object_r:firstboot_prop:s0
-hw. u:object_r:system_prop:s0
-ro.hw. u:object_r:system_prop:s0
-sys. u:object_r:system_prop:s0
-sys.audio. u:object_r:audio_prop:s0
-sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0
-sys.cppreopt u:object_r:cppreopt_prop:s0
-sys.lpdumpd u:object_r:lpdumpd_prop:s0
-sys.powerctl u:object_r:powerctl_prop:s0
-service. u:object_r:system_prop:s0
-dhcp. u:object_r:dhcp_prop:s0
-dhcp.bt-pan.result u:object_r:pan_result_prop:s0
-bluetooth. u:object_r:bluetooth_prop:s0
-
-debug. u:object_r:debug_prop:s0
-debug.db. u:object_r:debuggerd_prop:s0
-dumpstate. u:object_r:dumpstate_prop:s0
-dumpstate.options u:object_r:dumpstate_options_prop:s0
-init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0
-llk. u:object_r:llkd_prop:s0
-khungtask. u:object_r:llkd_prop:s0
-ro.llk. u:object_r:llkd_prop:s0
-ro.khungtask. u:object_r:llkd_prop:s0
-log. u:object_r:log_prop:s0
-log.tag u:object_r:log_tag_prop:s0
-log.tag.WifiHAL u:object_r:wifi_log_prop:s0
-security.perf_harden u:object_r:shell_prop:s0
-security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
-service.adb.root u:object_r:shell_prop:s0
-service.adb.tls.port u:object_r:adbd_prop:s0
-persist.adb.wifi. u:object_r:adbd_prop:s0
-persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
-
-persist.audio. u:object_r:audio_prop:s0
-persist.bluetooth. u:object_r:bluetooth_prop:s0
-persist.nfc_cfg. u:object_r:nfc_prop:s0
-persist.debug. u:object_r:persist_debug_prop:s0
-logd. u:object_r:logd_prop:s0
-persist.logd. u:object_r:logd_prop:s0
-ro.logd. u:object_r:logd_prop:s0
-persist.logd.security u:object_r:device_logging_prop:s0
-persist.logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-logd.logpersistd u:object_r:logpersistd_logging_prop:s0
-persist.log.tag u:object_r:log_tag_prop:s0
-persist.mmc. u:object_r:mmc_prop:s0
-persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
-persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
-persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
-persist.sys. u:object_r:system_prop:s0
-persist.sys.safemode u:object_r:safemode_prop:s0
-persist.sys.theme u:object_r:theme_prop:s0
-persist.sys.fflag.override.settings_dynamic_system u:object_r:dynamic_system_prop:s0
-ro.sys.safemode u:object_r:safemode_prop:s0
-persist.sys.audit_safemode u:object_r:safemode_prop:s0
-persist.sys.dalvik.jvmtiagent u:object_r:system_jvmti_agent_prop:s0
-persist.service. u:object_r:system_prop:s0
-persist.service.bdroid. u:object_r:bluetooth_prop:s0
-persist.security. u:object_r:system_prop:s0
-persist.traced.enable u:object_r:traced_enabled_prop:s0
-traced.lazy. u:object_r:traced_lazy_prop:s0
-persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
-persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
-persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
-persist.vendor.overlay. u:object_r:overlay_prop:s0
-ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
-ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
-ro.boottime. u:object_r:boottime_prop:s0
-ro.serialno u:object_r:serialno_prop:s0
-ro.boot.btmacaddr u:object_r:bluetooth_prop:s0
-ro.boot.serialno u:object_r:serialno_prop:s0
-ro.bt. u:object_r:bluetooth_prop:s0
-ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0
-persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0
-sys.boot.reason u:object_r:system_boot_reason_prop:s0
-sys.boot.reason.last u:object_r:last_boot_reason_prop:s0
-pm. u:object_r:pm_prop:s0
-test.sys.boot.reason u:object_r:test_boot_reason_prop:s0
-test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
-sys.lmk. u:object_r:system_lmk_prop:s0
-sys.trace. u:object_r:system_trace_prop:s0
-wrap. u:object_r:zygote_wrap_prop:s0 prefix string
-
-# Suspend service properties
-suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
-suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
-suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
-suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
-suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
-
-# Fastbootd protocol control property
-fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
-
-# adbd protoctl configuration property
-service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
-service.adb.transport u:object_r:adbd_config_prop:s0 exact string
-
-# Boolean property set by system server upon boot indicating
-# if device is fully owned by organization instead of being
-# a personal device.
-ro.organization_owned u:object_r:device_logging_prop:s0
-
-# selinux non-persistent properties
-selinux.restorecon_recursive u:object_r:restorecon_prop:s0
-
-# default property context
-* u:object_r:default_prop:s0
-
-# data partition encryption properties
-vold. u:object_r:vold_prop:s0
-ro.crypto. u:object_r:vold_prop:s0
-
-# ro.build.fingerprint is either set in /system/build.prop, or is
-# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-
-ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
-
-# ctl properties
-ctl.bootanim u:object_r:ctl_bootanim_prop:s0
-ctl.dumpstate u:object_r:ctl_dumpstate_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl.mdnsd u:object_r:ctl_mdnsd_prop:s0
-ctl.ril-daemon u:object_r:ctl_rildaemon_prop:s0
-ctl.bugreport u:object_r:ctl_bugreport_prop:s0
-ctl.console u:object_r:ctl_console_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-# Don't allow uncontrolled access to all services
-ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
-ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
-ctl.start$ u:object_r:ctl_start_prop:s0
-ctl.stop$ u:object_r:ctl_stop_prop:s0
-ctl.restart$ u:object_r:ctl_restart_prop:s0
-ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
-ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
-ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
-
- # Restrict access to starting/stopping adbd
-ctl.start$adbd u:object_r:ctl_adbd_prop:s0
-ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
-ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
-
-# Restrict access to starting/stopping gsid.
-ctl.start$gsid u:object_r:ctl_gsid_prop:s0
-ctl.stop$gsid u:object_r:ctl_gsid_prop:s0
-ctl.restart$gsid u:object_r:ctl_gsid_prop:s0
-
-# Restrict access to stopping apexd.
-ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-
-# Restrict access to stopping odsign
-ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
-
-# Restrict access to starting media.transcoding.
-ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
-
-# Restrict access to restart dumpstate
-ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
-
-# Restrict access to control snapuserd
-ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
-ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
-ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
-
-# NFC properties
-nfc. u:object_r:nfc_prop:s0
-
-# These properties are not normally set by processes other than init.
-# They are only distinguished here for setting by qemu-props on the
-# emulator/goldfish.
-config. u:object_r:config_prop:s0
-ro.config. u:object_r:config_prop:s0
-dalvik. u:object_r:dalvik_prop:s0
-ro.dalvik. u:object_r:dalvik_prop:s0
-
-# qemu_hw_prop is read/written by both system and vendor.
-qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
-
-# qemu_sf_lcd_density_prop is read/written by both system and vendor.
-qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
-
-# Shared between system server and wificond
-wifi. u:object_r:wifi_prop:s0
-wlan. u:object_r:wifi_prop:s0
-
-# Lowpan properties
-lowpan. u:object_r:lowpan_prop:s0
-ro.lowpan. u:object_r:lowpan_prop:s0
-
-# heapprofd properties
-heapprofd. u:object_r:heapprofd_prop:s0
-
-# hwservicemanager properties
-hwservicemanager. u:object_r:hwservicemanager_prop:s0
-
-# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
-init.svc.odm. u:object_r:vendor_default_prop:s0
-init.svc.vendor. u:object_r:vendor_default_prop:s0
-ro.hardware. u:object_r:vendor_default_prop:s0
-ro.odm. u:object_r:vendor_default_prop:s0
-ro.vendor. u:object_r:vendor_default_prop:s0
-ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
-ro.odm_dlkm. u:object_r:vendor_default_prop:s0
-odm. u:object_r:vendor_default_prop:s0
-persist.odm. u:object_r:vendor_default_prop:s0
-persist.vendor. u:object_r:vendor_default_prop:s0
-vendor. u:object_r:vendor_default_prop:s0
-
-# Properties that relate to time / time zone detection behavior.
-persist.time. u:object_r:time_prop:s0
-
-# Properties that relate to server configurable flags
-device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
-persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
-persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
-persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
-persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
-persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
-persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
-persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
-persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
-persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
-persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
-persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
-
-# MM Events config props
-persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
-
-# Properties that relate to legacy server configurable flags
-persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
-
-apexd. u:object_r:apexd_prop:s0
-apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
-apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
-persist.apexd. u:object_r:apexd_prop:s0
-
-bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
-
-gsid. u:object_r:gsid_prop:s0
-ro.gsid. u:object_r:gsid_prop:s0
-
-# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
-# which can't use NNAPI vendor extensions).
-ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0
-
-# Property that is set once ueventd finishes cold boot.
-ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
-
-# Properties that control performance operations.
-# Leave space to later set drop_caches to 1, 2, and 4.
-perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
-
-# Charger properties
-ro.charger. u:object_r:charger_prop:s0
-sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
-ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
-
-# Virtual A/B properties
-ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
-
-ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
-# Property to set/clear the warm reset flag after an OTA update.
-ota.warm_reset u:object_r:ota_prop:s0
-# The vbmeta digest for the inactive slot. It can be set after installing
-# ota updates to the b partition of a/b devices.
-ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
-
-# Module properties
-com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
-persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
-
-# Connectivity module
-net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
-net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
-
-# Userspace reboot properties
-sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
-persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
-
-# Integer property which is used in libgui to configure the number of frames
-# tracked by buffer queue's frame event timing history. The property is set
-# by devices with video decoding pipelines long enough to overflow the default
-# history size.
-ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-
-af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
-ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
-
-audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
-audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
-audio.offload.video u:object_r:audio_config_prop:s0 exact bool
-audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-
-ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
-ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
-
-persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
-
-config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
-
-ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-
-ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
-ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
-
-# ART properties
-dalvik.vm. u:object_r:dalvik_config_prop:s0
-ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
-ro.zygote u:object_r:dalvik_config_prop:s0 exact string
-
-# A set of ART properties listed explicitly for compatibility purposes.
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.gctype u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapgrowthlimit u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapmaxfree u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapminfree u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapstartsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitinitialsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitmaxsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitprithreadweight u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jitthreshold u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jittransitionweight u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jniopts u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.lockprof.threshold u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.method-trace-file u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.method-trace-file-siz u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
-
-persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
-
-keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
-
-media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
-
-media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
-media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
-media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
-media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
-persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
-
-persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-
-persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
-ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
-
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
-
-ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
-
-ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-
-ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-
-ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
-
-ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
-ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
-ro.config.ringtone u:object_r:systemsound_config_prop:s0 exact string
-ro.config.system_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-
-ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
-ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
-
-ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
-ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
-ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
-ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
-ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.filenames_mode u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.encryption u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
-
-external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
-
-ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
-lmkd.reinit u:object_r:lmkd_prop:s0 exact int
-
-ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
-
-ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string
-ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
-ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-
-ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
-
-ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-
-ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
-ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
-
-ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
-
-ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
-
-ro.zram.mark_idle_delay_mins u:object_r:zram_config_prop:s0 exact int
-ro.zram.first_wb_delay_mins u:object_r:zram_config_prop:s0 exact int
-ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int
-zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
-persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-
-sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
-
-persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.config u:object_r:usb_control_prop:s0 exact string
-sys.usb.configfs u:object_r:usb_control_prop:s0 exact int
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
-sys.usb.state u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
-sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
-
-sys.usb.config. u:object_r:usb_prop:s0
-
-sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
-sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
-sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
-
-sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool
-sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
-
-tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-
-vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
-
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
-
-odsign.key.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.success u:object_r:odsign_prop:s0 exact bool
-
-dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
-sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
-
-persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
-
-persist.sys.theme u:object_r:theme_prop:s0 exact string
-
-sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
-
-sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
-
-aac_drc_boost u:object_r:aac_drc_prop:s0 exact int
-aac_drc_cut u:object_r:aac_drc_prop:s0 exact int
-aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int
-aac_drc_heavy u:object_r:aac_drc_prop:s0 exact int
-aac_drc_reference_level u:object_r:aac_drc_prop:s0 exact int
-ro.aac_drc_effect_type u:object_r:aac_drc_prop:s0 exact int
-
-build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
-
-drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
-media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
-
-drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
-
-dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
-dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
-persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
-
-hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
-
-# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
-
-# Globally-readable init service props
-init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
-init.svc.console u:object_r:init_service_status_prop:s0 exact string
-init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
-init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
-init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
-init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
-init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
-
-libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
-libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
-libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
-
-# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-
-net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
-
-persist.sys.locale u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
-persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-
-ro.arch u:object_r:build_prop:s0 exact string
-
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot. u:object_r:bootloader_prop:s0
-ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
-ro.boot.console u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
-ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
-ro.boot.mode u:object_r:bootloader_prop:s0 exact string
-# Populated on Android Studio Emulator (for emulator specific workarounds)
-ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
-ro.boot.revision u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
-ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
-
-# These ro.X properties are set to values of ro.boot.X by property_service.
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
-
-ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
-ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-
-ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
-ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-
-ro.build.characteristics u:object_r:build_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.flavor u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
-
-ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-
-ro.debuggable u:object_r:build_prop:s0 exact bool
-
-ro.treble.enabled u:object_r:build_prop:s0 exact bool
-
-ro.product.cpu.abi u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
-
-ro.product.system.brand u:object_r:build_prop:s0 exact string
-ro.product.system.device u:object_r:build_prop:s0 exact string
-ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system.model u:object_r:build_prop:s0 exact string
-ro.product.system.name u:object_r:build_prop:s0 exact string
-
-ro.system.build.date u:object_r:build_prop:s0 exact string
-ro.system.build.date.utc u:object_r:build_prop:s0 exact int
-ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.system.build.id u:object_r:build_prop:s0 exact string
-ro.system.build.tags u:object_r:build_prop:s0 exact string
-ro.system.build.type u:object_r:build_prop:s0 exact string
-ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.system.build.version.release u:object_r:build_prop:s0 exact string
-ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
-
-ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
-
-ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
-ro.product.system_ext.device u:object_r:build_prop:s0 exact string
-ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system_ext.model u:object_r:build_prop:s0 exact string
-ro.product.system_ext.name u:object_r:build_prop:s0 exact string
-
-ro.system_ext.build.date u:object_r:build_prop:s0 exact string
-ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
-ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.system_ext.build.id u:object_r:build_prop:s0 exact string
-ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
-ro.system_ext.build.type u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
-
-# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
-ro.product.product.brand u:object_r:build_prop:s0 exact string
-ro.product.product.device u:object_r:build_prop:s0 exact string
-ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.product.model u:object_r:build_prop:s0 exact string
-ro.product.product.name u:object_r:build_prop:s0 exact string
-
-ro.product.build.date u:object_r:build_prop:s0 exact string
-ro.product.build.date.utc u:object_r:build_prop:s0 exact int
-ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.product.build.id u:object_r:build_prop:s0 exact string
-ro.product.build.tags u:object_r:build_prop:s0 exact string
-ro.product.build.type u:object_r:build_prop:s0 exact string
-ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.product.build.version.release u:object_r:build_prop:s0 exact string
-ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
-
-# These 5 properties are set by property_service
-ro.product.brand u:object_r:build_prop:s0 exact string
-ro.product.device u:object_r:build_prop:s0 exact string
-ro.product.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.model u:object_r:build_prop:s0 exact string
-ro.product.name u:object_r:build_prop:s0 exact string
-
-# Sanitizer properties
-ro.sanitize.address u:object_r:build_prop:s0 exact bool
-ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
-ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
-ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
-ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
-ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
-ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
-ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
-ro.sanitize.thread u:object_r:build_prop:s0 exact bool
-ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
-
-# All odm build props are set by /odm/build.prop
-ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
-ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
-
-ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
-
-# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
-
-ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
-
-# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
-ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
-
-# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# All vendor CPU abilist props are set by /vendor/build.prop
-ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
-
-ro.product.board u:object_r:build_vendor_prop:s0 exact string
-ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
-
-# GRF property for the first api level of the vendor partition
-ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
-
-ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
-
-# ro.product.property_source_order is settable from any build.prop
-ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
-
-ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
-
-ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-
-ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-
-service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
-service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
-
-sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
-sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
-
-vold.decrypt u:object_r:vold_status_prop:s0 exact string
-
-aaudio.hw_burst_min_usec u:object_r:aaudio_config_prop:s0 exact int
-aaudio.minimum_sleep_usec u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mixer_bursts u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_policy u:object_r:aaudio_config_prop:s0 exact int
-aaudio.wakeup_delay_usec u:object_r:aaudio_config_prop:s0 exact int
-
-persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
-
-ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-
-ro.board.platform u:object_r:exported_default_prop:s0 exact string
-
-ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
-ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
-ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
-
-# Update related props
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
-ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
-
-ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
-ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
-
-ro.carrier u:object_r:exported_default_prop:s0 exact string
-
-ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
-ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
-
-ro.frp.pst u:object_r:exported_default_prop:s0 exact string
-
-ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
-ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
-ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
-ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
-ro.hardware.input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
-ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
-ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
-ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
-ro.hardware.power u:object_r:exported_default_prop:s0 exact string
-ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
-ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
-ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.type u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
-ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
-
-ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
-
-ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
-
-# ro.kernel.* properties are emulator specific and deprecated. Do not use.
-# Should be retired once presubmit allows.
-ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
-ro.kernel.qemu. u:object_r:exported_default_prop:s0
-ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
-
-ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
-
-ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
-ro.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
-
-vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
-
-wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.interface u:object_r:wifi_hal_prop:s0 exact string
-wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
-
-ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
-# Property to enable incremental feature
-ro.incremental.enable u:object_r:incremental_prop:s0
-
-# Properties to configure userspace reboot.
-init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
-init.userspace_reboot.sigkill.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.sigterm.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.started.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-
-sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
-
-# surfaceflinger properties
-ro.surface_flinger.default_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_height u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_width u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_color_management u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_context_priority u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.display_primary_red u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_green u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_blue u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_white u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.protected_contents u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
-
-ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
-ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
-
-persist.sys.sf.color_mode u:object_r:surfaceflinger_color_prop:s0 exact int
-persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
-persist.sys.sf.native_mode u:object_r:surfaceflinger_color_prop:s0 exact int
-
-# Binder cache properties. These are world-readable
-cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
-cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
-cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
-cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
-cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
-
-cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
-cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
-cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
-
-# Framework watchdog configuration properties.
-framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
-framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
-
-gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
-persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
-
-ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
-ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
-ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
-ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
-ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool
-ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int
-ro.telephony.default_network u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
-telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
-telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-
-# System locale list filter configuration
-ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
-
-# Graphics related properties
-ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-
-ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
-ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
-
-graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
-graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
-
-ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
-
-# surfaceflinger-settable
-graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
-
-# Disable/enable charger input
-power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
-
-# zygote config property
-zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
-
-ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
-
-# Broadcast boot stages, which keystore listens to
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-# Property that tracks keystore crash counts during a boot cycle.
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
-partition.system.verified u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
-partition.product.verified u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
-
-partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-
-ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
-ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
-
-setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
-
-# SOC related props
-ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
-ro.soc.model u:object_r:soc_prop:s0 exact string
-
-# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
-# to detect failures where hard linking should work otherwise
-persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
-
-# bootanimation properties
-ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
-
-# dck properties
-ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/prebuilts/api/31.0/private/racoon.te b/prebuilts/api/31.0/private/racoon.te
deleted file mode 100644
index 42ea7c9..0000000
--- a/prebuilts/api/31.0/private/racoon.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute racoon coredomain;
-
-init_daemon_domain(racoon)
diff --git a/prebuilts/api/31.0/private/radio.te b/prebuilts/api/31.0/private/radio.te
deleted file mode 100644
index 08365f0..0000000
--- a/prebuilts/api/31.0/private/radio.te
+++ /dev/null
@@ -1,36 +0,0 @@
-typeattribute radio coredomain, mlstrustedsubject;
-
-app_domain(radio)
-
-read_runtime_log_tags(radio)
-
-# Property service
-set_prop(radio, radio_control_prop)
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-set_prop(radio, telephony_status_prop)
-set_prop(radio, radio_cdma_ecm_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
-# Telephony code contains time / time zone detection logic so it reads the associated properties.
-get_prop(radio, time_prop)
-
-# allow telephony to access platform compat to log permission denials
-allow radio platform_compat_service:service_manager find;
-
-allow radio uce_service:service_manager find;
-
-# Manage /data/misc/emergencynumberdb
-allow radio emergency_data_file:dir r_dir_perms;
-allow radio emergency_data_file:file r_file_perms;
-
-# allow telephony to access related cache properties
-set_prop(radio, binder_cache_telephony_server_prop);
-neverallow { domain -radio -init }
- binder_cache_telephony_server_prop:property_service set;
-
-# allow sending pulled atoms to statsd
-binder_call(radio, statsd)
-
diff --git a/prebuilts/api/31.0/private/recovery.te b/prebuilts/api/31.0/private/recovery.te
deleted file mode 100644
index bba2a0d..0000000
--- a/prebuilts/api/31.0/private/recovery.te
+++ /dev/null
@@ -1,49 +0,0 @@
-typeattribute recovery coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- get_prop(recovery, ffs_config_prop)
- set_prop(recovery, ffs_control_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, usb_control_prop)
- set_prop(recovery, usb_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
- # Read storage properties (for correctly formatting filesystems)
- get_prop(recovery, storage_config_prop)
-
- set_prop(recovery, gsid_prop)
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Start snapuserd for merging VABC updates
- set_prop(recovery, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow recovery snapuserd_socket:sock_file write;
- allow recovery snapuserd:unix_stream_socket connectto;
- allow recovery dm_user_device:dir r_dir_perms;
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
-
- get_prop(recovery, recovery_config_prop)
-
- # Needed to read bootconfig parameters through libfs_mgr
- allow recovery proc_bootconfig:file r_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/recovery_persist.te b/prebuilts/api/31.0/private/recovery_persist.te
deleted file mode 100644
index 7cb2e67..0000000
--- a/prebuilts/api/31.0/private/recovery_persist.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute recovery_persist coredomain;
-
-init_daemon_domain(recovery_persist)
-
-# recovery_persist is not allowed to write anywhere other than recovery_data_file
-neverallow recovery_persist {
- file_type
- -recovery_data_file
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/prebuilts/api/31.0/private/recovery_refresh.te b/prebuilts/api/31.0/private/recovery_refresh.te
deleted file mode 100644
index 3c095cc..0000000
--- a/prebuilts/api/31.0/private/recovery_refresh.te
+++ /dev/null
@@ -1,10 +0,0 @@
-typeattribute recovery_refresh coredomain;
-
-init_daemon_domain(recovery_refresh)
-
-# recovery_refresh is not allowed to write anywhere
-neverallow recovery_refresh {
- file_type
- userdebug_or_eng(`-coredump_file')
- with_native_coverage(`-method_trace_data_file')
-}:file write;
diff --git a/prebuilts/api/31.0/private/remote_prov_app.te b/prebuilts/api/31.0/private/remote_prov_app.te
deleted file mode 100644
index 010c9bc..0000000
--- a/prebuilts/api/31.0/private/remote_prov_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-allow remote_prov_app {
- app_api_service
- remoteprovisioning_service
-}:service_manager find;
diff --git a/prebuilts/api/31.0/private/roles_decl b/prebuilts/api/31.0/private/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/prebuilts/api/31.0/private/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/prebuilts/api/31.0/private/rs.te b/prebuilts/api/31.0/private/rs.te
deleted file mode 100644
index 268f040..0000000
--- a/prebuilts/api/31.0/private/rs.te
+++ /dev/null
@@ -1,40 +0,0 @@
-# Any files which would have been created as app_data_file and
-# privapp_data_file will be created as app_exec_data_file instead.
-allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
-allow rs app_exec_data_file:file create_file_perms;
-type_transition rs app_data_file:file app_exec_data_file;
-type_transition rs privapp_data_file:file app_exec_data_file;
-
-# Follow /data/user/0 symlink
-allow rs system_data_file:lnk_file read;
-
-# Read files from the app home directory.
-allow rs { app_data_file privapp_data_file }:file r_file_perms;
-allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
-
-# Cleanup app_exec_data_file files in the app home directory.
-allow rs { app_data_file privapp_data_file }:dir remove_name;
-
-# Use vendor resources
-allow rs vendor_file:dir r_dir_perms;
-r_dir_file(rs, vendor_overlay_file)
-r_dir_file(rs, vendor_app_file)
-
-# Read contents of app apks
-r_dir_file(rs, apk_data_file)
-
-allow rs gpu_device:chr_file rw_file_perms;
-allow rs ion_device:chr_file r_file_perms;
-allow rs same_process_hal_file:file { r_file_perms execute };
-
-# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
-
-# rs can access app data, so ensure it can only be entered via an app domain and cannot have
-# CAP_DAC_OVERRIDE.
-neverallow rs rs:capability_class_set *;
-neverallow { domain -appdomain } rs:process { dyntransition transition };
-neverallow rs { domain -crash_dump }:process { dyntransition transition };
-neverallow rs app_data_file:file_class_set ~r_file_perms;
-# rs should never use network sockets
-neverallow rs *:network_socket_class_set *;
diff --git a/prebuilts/api/31.0/private/rss_hwm_reset.te b/prebuilts/api/31.0/private/rss_hwm_reset.te
deleted file mode 100644
index 30818c2..0000000
--- a/prebuilts/api/31.0/private/rss_hwm_reset.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type rss_hwm_reset_exec, system_file_type, exec_type, file_type;
-
-# Start rss_hwm_reset from init.
-init_daemon_domain(rss_hwm_reset)
-
-# Search /proc/pid directories.
-allow rss_hwm_reset domain:dir search;
-
-# Write to /proc/pid/clear_refs of other processes.
-# /proc/pid/clear_refs is S_IWUSER, see: fs/proc/base.c
-allow rss_hwm_reset self:global_capability_class_set { dac_override };
-
-# Write to /prc/pid/clear_refs.
-allow rss_hwm_reset domain:file w_file_perms;
diff --git a/prebuilts/api/31.0/private/runas.te b/prebuilts/api/31.0/private/runas.te
deleted file mode 100644
index ef31aac..0000000
--- a/prebuilts/api/31.0/private/runas.te
+++ /dev/null
@@ -1,4 +0,0 @@
-typeattribute runas coredomain;
-
-# ndk-gdb invokes adb shell run-as.
-domain_auto_trans(shell, runas_exec, runas)
diff --git a/prebuilts/api/31.0/private/runas_app.te b/prebuilts/api/31.0/private/runas_app.te
deleted file mode 100644
index c1b354a..0000000
--- a/prebuilts/api/31.0/private/runas_app.te
+++ /dev/null
@@ -1,32 +0,0 @@
-typeattribute runas_app coredomain;
-
-app_domain(runas_app)
-untrusted_app_domain(runas_app)
-net_domain(runas_app)
-bluetooth_domain(runas_app)
-
-# The ability to call exec() on files in the apps home directories
-# when using run-as on a debuggable app. Used to run lldb/ndk-gdb/simpleperf,
-# which are copied to the apps home directories.
-allow runas_app app_data_file:file execute_no_trans;
-
-# Allow lldb/ndk-gdb/simpleperf to read maps of debuggable app processes.
-r_dir_file(runas_app, untrusted_app_all)
-
-# Allow lldb/ndk-gdb/simpleperf to ptrace attach to debuggable app processes.
-allow runas_app untrusted_app_all:process { ptrace signal sigstop };
-allow runas_app untrusted_app_all:unix_stream_socket connectto;
-
-# Allow executing system image simpleperf without a domain transition.
-allow runas_app simpleperf_exec:file rx_file_perms;
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective process, most of which this domain is not
-# allowed to see.
-dontaudit runas_app domain:dir search;
-
-# Allow runas_app to call perf_event_open for profiling debuggable app
-# processes, but not the whole system.
-allow runas_app self:perf_event { open read write kernel };
-neverallow runas_app self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/31.0/private/sdcardd.te b/prebuilts/api/31.0/private/sdcardd.te
deleted file mode 100644
index 126d643..0000000
--- a/prebuilts/api/31.0/private/sdcardd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute sdcardd coredomain;
-
-type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
diff --git a/prebuilts/api/31.0/private/seapp_contexts b/prebuilts/api/31.0/private/seapp_contexts
deleted file mode 100644
index 1d38fd9..0000000
--- a/prebuilts/api/31.0/private/seapp_contexts
+++ /dev/null
@@ -1,177 +0,0 @@
-# The entries in this file define how security contexts for apps are determined.
-# Each entry lists input selectors, used to match the app, and outputs which are
-# used to determine the security contexts for matching apps.
-#
-# Input selectors:
-# isSystemServer (boolean)
-# isEphemeralApp (boolean)
-# isOwner (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# isPrivApp (boolean)
-# minTargetSdkVersion (unsigned integer)
-# fromRunAs (boolean)
-#
-# All specified input selectors in an entry must match (i.e. logical AND).
-# An unspecified string or boolean selector with no default will match any
-# value.
-# A user, name, or path string selector that ends in * will perform a prefix
-# match.
-# String matching is case-insensitive.
-# See external/selinux/libselinux/src/android/android_platform.c,
-# seapp_context_lookup().
-#
-# isSystemServer=true only matches the system server.
-# An unspecified isSystemServer defaults to false.
-# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isOwner=true will only match for the owner/primary user.
-# user=_app will match any regular app process.
-# user=_isolated will match any isolated service process.
-# Other values of user are matched against the name associated with the process
-# UID.
-# seinfo= matches aginst the seinfo tag for the app, determined from
-# mac_permissions.xml files.
-# The ':' character is reserved and may not be used in seinfo.
-# name= matches against the package name of the app.
-# path= matches against the directory path when labeling app directories.
-# isPrivApp=true will only match for applications preinstalled in
-# /system/priv-app.
-# minTargetSdkVersion will match applications with a targetSdkVersion
-# greater than or equal to the specified value. If unspecified,
-# it has a default value of 0.
-# fromRunAs=true means the process being labeled is started by run-as. Default
-# is false.
-#
-# Precedence: entries are compared using the following rules, in the order shown
-# (see external/selinux/libselinux/src/android/android_platform.c,
-# seapp_context_cmp()).
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
-# boolean.
-# (3) Specified isOwner= before unspecified isOwner= boolean.
-# (4) Specified user= string before unspecified user= string;
-# more specific user= string before less specific user= string.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string;
-# more specific name= string before less specific name= string.
-# (7) Specified path= string before unspecified path= string.
-# more specific name= string before less specific name= string.
-# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (9) Higher value of minTargetSdkVersion= before lower value of
-# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
-# defaults to 0 if unspecified.
-# (10) fromRunAs=true before fromRunAs=false.
-# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
-# longer prefix is more specific than a shorter prefix.)
-# Apps are checked against entries in precedence order until the first match,
-# regardless of their order in this file.
-#
-# Duplicate entries, i.e. with identical input selectors, are not allowed.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-#
-# domain= determines the label to be used for the app process; entries
-# without domain= are ignored for this purpose.
-# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose. The label specified must
-# have the app_data_file_type attribute.
-# levelFrom and level are used to determine the level (sensitivity + categories)
-# for MLS/MCS.
-# levelFrom=none omits the level.
-# levelFrom=app determines the level from the process UID.
-# levelFrom=user determines the level from the user ID.
-# levelFrom=all determines the level from both UID and user ID.
-#
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
-# and levelFromUid=false is equivalent to levelFrom=none.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks for the rules in this file can be
-# added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# any non priv-app with a non-known uid with a specified name should have a specified
-# seinfo
-neverallow user=_app isPrivApp=false name=.* seinfo=""
-neverallow user=_app isPrivApp=false name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# only the package named com.android.shell can run in the shell domain
-neverallow domain=shell name=((?!com\.android\.shell).)*
-neverallow user=shell name=((?!com\.android\.shell).)*
-
-# Ephemeral Apps must run in the ephemeral_app domain
-neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-
-isSystemServer=true domain=system_server_startup
-
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=secure_element seinfo=platform domain=secure_element levelFrom=all
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro levelFrom=all
-user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
-user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
-user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
-user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
-user=_app fromRunAs=true domain=runas_app levelFrom=user
diff --git a/prebuilts/api/31.0/private/secure_element.te b/prebuilts/api/31.0/private/secure_element.te
deleted file mode 100644
index 57f512b..0000000
--- a/prebuilts/api/31.0/private/secure_element.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# secure element subsystem
-typeattribute secure_element coredomain;
-app_domain(secure_element)
-
-binder_service(secure_element)
-add_service(secure_element, secure_element_service)
-
-allow secure_element app_api_service:service_manager find;
-hal_client_domain(secure_element, hal_secure_element)
-
-# already open bugreport file descriptors may be shared with
-# the secure element process, from a file in
-# /data/data/com.android.shell/files/bugreports/bugreport-*.
-allow secure_element shell_data_file:file read;
diff --git a/prebuilts/api/31.0/private/security_classes b/prebuilts/api/31.0/private/security_classes
deleted file mode 100644
index 200b030..0000000
--- a/prebuilts/api/31.0/private/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/prebuilts/api/31.0/private/service.te b/prebuilts/api/31.0/private/service.te
deleted file mode 100644
index 7f692f3..0000000
--- a/prebuilts/api/31.0/private/service.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type attention_service, system_server_service, service_manager_type;
-type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
-type gsi_service, service_manager_type;
-type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
-type profcollectd_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
-type stats_service, service_manager_type;
-type statscompanion_service, system_server_service, service_manager_type;
-type statsmanager_service, system_api_service, system_server_service, service_manager_type;
-type tracingproxy_service, system_server_service, service_manager_type;
-type uce_service, service_manager_type;
diff --git a/prebuilts/api/31.0/private/service_contexts b/prebuilts/api/31.0/private/service_contexts
deleted file mode 100644
index 3fd342b..0000000
--- a/prebuilts/api/31.0/private/service_contexts
+++ /dev/null
@@ -1,310 +0,0 @@
-android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
-android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
-android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
-android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
-android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
-android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
-android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
-android.hardware.light.ILights/default u:object_r:hal_light_service:s0
-android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
-android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
-android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
-android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
-android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
-android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
-android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
-
-accessibility u:object_r:accessibility_service:s0
-account u:object_r:account_service:s0
-activity u:object_r:activity_service:s0
-activity_task u:object_r:activity_task_service:s0
-adb u:object_r:adb_service:s0
-aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
-aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
-alarm u:object_r:alarm_service:s0
-android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
-android.security.identity u:object_r:credstore_service:s0
-android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
-android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-app_binding u:object_r:app_binding_service:s0
-app_hibernation u:object_r:app_hibernation_service:s0
-app_integrity u:object_r:app_integrity_service:s0
-app_prediction u:object_r:app_prediction_service:s0
-app_search u:object_r:app_search_service:s0
-apexservice u:object_r:apex_service:s0
-blob_store u:object_r:blob_store_service:s0
-gsiservice u:object_r:gsi_service:s0
-appops u:object_r:appops_service:s0
-appwidget u:object_r:appwidget_service:s0
-assetatlas u:object_r:assetatlas_service:s0
-attention u:object_r:attention_service:s0
-audio u:object_r:audio_service:s0
-auth u:object_r:auth_service:s0
-autofill u:object_r:autofill_service:s0
-backup u:object_r:backup_service:s0
-batteryproperties u:object_r:batteryproperties_service:s0
-batterystats u:object_r:batterystats_service:s0
-battery u:object_r:battery_service:s0
-binder_calls_stats u:object_r:binder_calls_stats_service:s0
-biometric u:object_r:biometric_service:s0
-bluetooth_manager u:object_r:bluetooth_manager_service:s0
-bluetooth u:object_r:bluetooth_service:s0
-broadcastradio u:object_r:broadcastradio_service:s0
-bugreport u:object_r:bugreport_service:s0
-cacheinfo u:object_r:cacheinfo_service:s0
-carrier_config u:object_r:radio_service:s0
-clipboard u:object_r:clipboard_service:s0
-com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtmanager u:object_r:virtualization_service:s0
-companiondevice u:object_r:companion_device_service:s0
-platform_compat u:object_r:platform_compat_service:s0
-platform_compat_native u:object_r:platform_compat_service:s0
-connectivity u:object_r:connectivity_service:s0
-connmetrics u:object_r:connmetrics_service:s0
-consumer_ir u:object_r:consumer_ir_service:s0
-content u:object_r:content_service:s0
-content_capture u:object_r:content_capture_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
-contexthub u:object_r:contexthub_service:s0
-country_detector u:object_r:country_detector_service:s0
-coverage u:object_r:coverage_service:s0
-cpuinfo u:object_r:cpuinfo_service:s0
-crossprofileapps u:object_r:crossprofileapps_service:s0
-dataloader_manager u:object_r:dataloader_manager_service:s0
-dbinfo u:object_r:dbinfo_service:s0
-device_config u:object_r:device_config_service:s0
-device_policy u:object_r:device_policy_service:s0
-device_identifiers u:object_r:device_identifiers_service:s0
-deviceidle u:object_r:deviceidle_service:s0
-device_state u:object_r:device_state_service:s0
-devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
-diskstats u:object_r:diskstats_service:s0
-display u:object_r:display_service:s0
-dnsresolver u:object_r:dnsresolver_service:s0
-domain_verification u:object_r:domain_verification_service:s0
-color_display u:object_r:color_display_service:s0
-netd_listener u:object_r:netd_listener_service:s0
-network_watchlist u:object_r:network_watchlist_service:s0
-DockObserver u:object_r:DockObserver_service:s0
-dreams u:object_r:dreams_service:s0
-drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:dropbox_service:s0
-dumpstate u:object_r:dumpstate_service:s0
-dynamic_system u:object_r:dynamic_system_service:s0
-econtroller u:object_r:radio_service:s0
-emergency_affordance u:object_r:emergency_affordance_service:s0
-euicc_card_controller u:object_r:radio_service:s0
-external_vibrator_service u:object_r:external_vibrator_service:s0
-lowpan u:object_r:lowpan_service:s0
-ethernet u:object_r:ethernet_service:s0
-face u:object_r:face_service:s0
-file_integrity u:object_r:file_integrity_service:s0
-fingerprint u:object_r:fingerprint_service:s0
-font u:object_r:font_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-game u:object_r:game_service:s0
-gfxinfo u:object_r:gfxinfo_service:s0
-gnss_time_update_service u:object_r:gnss_time_update_service:s0
-graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
-hardware u:object_r:hardware_service:s0
-hardware_properties u:object_r:hardware_properties_service:s0
-hdmi_control u:object_r:hdmi_control_service:s0
-ions u:object_r:radio_service:s0
-idmap u:object_r:idmap_service:s0
-incident u:object_r:incident_service:s0
-incidentcompanion u:object_r:incidentcompanion_service:s0
-inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:input_method_service:s0
-input u:object_r:input_service:s0
-installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
-iphonesubinfo_msim u:object_r:radio_service:s0
-iphonesubinfo2 u:object_r:radio_service:s0
-iphonesubinfo u:object_r:radio_service:s0
-ims u:object_r:radio_service:s0
-imms u:object_r:imms_service:s0
-incremental u:object_r:incremental_service:s0
-ipsec u:object_r:ipsec_service:s0
-ircsmessage u:object_r:radio_service:s0
-iris u:object_r:iris_service:s0
-isms_msim u:object_r:radio_service:s0
-isms2 u:object_r:radio_service:s0
-isms u:object_r:radio_service:s0
-isub u:object_r:radio_service:s0
-jobscheduler u:object_r:jobscheduler_service:s0
-launcherapps u:object_r:launcherapps_service:s0
-legacy_permission u:object_r:legacy_permission_service:s0
-lights u:object_r:light_service:s0
-location u:object_r:location_service:s0
-location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
-lock_settings u:object_r:lock_settings_service:s0
-looper_stats u:object_r:looper_stats_service:s0
-lpdump_service u:object_r:lpdump_service:s0
-media.aaudio u:object_r:audioserver_service:s0
-media.audio_flinger u:object_r:audioserver_service:s0
-media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:cameraserver_service:s0
-media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:audioserver_service:s0
-media.player u:object_r:mediaserver_service:s0
-media.metrics u:object_r:mediametrics_service:s0
-media.extractor u:object_r:mediaextractor_service:s0
-media.transcoding u:object_r:mediatranscoding_service:s0
-media.resource_manager u:object_r:mediaserver_service:s0
-media.resource_observer u:object_r:mediaserver_service:s0
-media.sound_trigger_hw u:object_r:audioserver_service:s0
-media.drm u:object_r:mediadrmserver_service:s0
-media.tuner u:object_r:mediatuner_service:s0
-media_communication u:object_r:media_communication_service:s0
-media_metrics u:object_r:media_metrics_service:s0
-media_projection u:object_r:media_projection_service:s0
-media_resource_monitor u:object_r:media_session_service:s0
-media_router u:object_r:media_router_service:s0
-media_session u:object_r:media_session_service:s0
-meminfo u:object_r:meminfo_service:s0
-memtrack.proxy u:object_r:memtrackproxy_service:s0
-midi u:object_r:midi_service:s0
-mount u:object_r:mount_service:s0
-music_recognition u:object_r:music_recognition_service:s0
-netd u:object_r:netd_service:s0
-netpolicy u:object_r:netpolicy_service:s0
-netstats u:object_r:netstats_service:s0
-network_stack u:object_r:network_stack_service:s0
-network_management u:object_r:network_management_service:s0
-network_score u:object_r:network_score_service:s0
-network_time_update_service u:object_r:network_time_update_service:s0
-nfc u:object_r:nfc_service:s0
-notification u:object_r:notification_service:s0
-oem_lock u:object_r:oem_lock_service:s0
-otadexopt u:object_r:otadexopt_service:s0
-overlay u:object_r:overlay_service:s0
-pac_proxy u:object_r:pac_proxy_service:s0
-package u:object_r:package_service:s0
-package_native u:object_r:package_native_service:s0
-people u:object_r:people_service:s0
-performance_hint u:object_r:hint_service:s0
-permission u:object_r:permission_service:s0
-permissionmgr u:object_r:permissionmgr_service:s0
-permission_checker u:object_r:permission_checker_service:s0
-persistent_data_block u:object_r:persistent_data_block_service:s0
-phone_msim u:object_r:radio_service:s0
-phone1 u:object_r:radio_service:s0
-phone2 u:object_r:radio_service:s0
-phone u:object_r:radio_service:s0
-pinner u:object_r:pinner_service:s0
-powerstats u:object_r:powerstats_service:s0
-power u:object_r:power_service:s0
-print u:object_r:print_service:s0
-processinfo u:object_r:processinfo_service:s0
-procstats u:object_r:procstats_service:s0
-profcollectd u:object_r:profcollectd_service:s0
-radio.phonesubinfo u:object_r:radio_service:s0
-radio.phone u:object_r:radio_service:s0
-radio.sms u:object_r:radio_service:s0
-rcs u:object_r:radio_service:s0
-reboot_readiness u:object_r:reboot_readiness_service:s0
-recovery u:object_r:recovery_service:s0
-resolver u:object_r:resolver_service:s0
-restrictions u:object_r:restrictions_service:s0
-role u:object_r:role_service:s0
-rollback u:object_r:rollback_service:s0
-rttmanager u:object_r:rttmanager_service:s0
-runtime u:object_r:runtime_service:s0
-samplingprofiler u:object_r:samplingprofiler_service:s0
-scheduling_policy u:object_r:scheduling_policy_service:s0
-search u:object_r:search_service:s0
-search_ui u:object_r:search_ui_service:s0
-secure_element u:object_r:secure_element_service:s0
-sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
-sensorservice u:object_r:sensorservice_service:s0
-sensor_privacy u:object_r:sensor_privacy_service:s0
-serial u:object_r:serial_service:s0
-servicediscovery u:object_r:servicediscovery_service:s0
-manager u:object_r:service_manager_service:s0
-settings u:object_r:settings_service:s0
-shortcut u:object_r:shortcut_service:s0
-simphonebook_msim u:object_r:radio_service:s0
-simphonebook2 u:object_r:radio_service:s0
-simphonebook u:object_r:radio_service:s0
-sip u:object_r:radio_service:s0
-slice u:object_r:slice_service:s0
-smartspace u:object_r:smartspace_service:s0
-speech_recognition u:object_r:speech_recognition_service:s0
-stats u:object_r:stats_service:s0
-statscompanion u:object_r:statscompanion_service:s0
-statsmanager u:object_r:statsmanager_service:s0
-soundtrigger u:object_r:voiceinteraction_service:s0
-soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
-statusbar u:object_r:statusbar_service:s0
-storaged u:object_r:storaged_service:s0
-storaged_pri u:object_r:storaged_service:s0
-storagestats u:object_r:storagestats_service:s0
-SurfaceFlinger u:object_r:surfaceflinger_service:s0
-suspend_control u:object_r:system_suspend_control_service:s0
-suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
-system_config u:object_r:system_config_service:s0
-system_server_dumper u:object_r:system_server_dumper_service:s0
-system_update u:object_r:system_update_service:s0
-task u:object_r:task_service:s0
-telecom u:object_r:telecom_service:s0
-telephony.registry u:object_r:registry_service:s0
-telephony_ims u:object_r:radio_service:s0
-testharness u:object_r:testharness_service:s0
-tethering u:object_r:tethering_service:s0
-textclassification u:object_r:textclassification_service:s0
-textservices u:object_r:textservices_service:s0
-texttospeech u:object_r:texttospeech_service:s0
-time_detector u:object_r:timedetector_service:s0
-time_zone_detector u:object_r:timezonedetector_service:s0
-timezone u:object_r:timezone_service:s0
-thermalservice u:object_r:thermal_service:s0
-tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
-trust u:object_r:trust_service:s0
-tv_input u:object_r:tv_input_service:s0
-tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
-uce u:object_r:uce_service:s0
-uimode u:object_r:uimode_service:s0
-updatelock u:object_r:updatelock_service:s0
-uri_grants u:object_r:uri_grants_service:s0
-usagestats u:object_r:usagestats_service:s0
-usb u:object_r:usb_service:s0
-user u:object_r:user_service:s0
-uwb u:object_r:uwb_service:s0
-vcn_management u:object_r:vcn_management_service:s0
-vibrator u:object_r:vibrator_service:s0
-vibrator_manager u:object_r:vibrator_manager_service:s0
-virtual_touchpad u:object_r:virtual_touchpad_service:s0
-voiceinteraction u:object_r:voiceinteraction_service:s0
-vold u:object_r:vold_service:s0
-vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
-vrmanager u:object_r:vr_manager_service:s0
-wallpaper u:object_r:wallpaper_service:s0
-webviewupdate u:object_r:webviewupdate_service:s0
-wifip2p u:object_r:wifip2p_service:s0
-wifiscanner u:object_r:wifiscanner_service:s0
-wifi u:object_r:wifi_service:s0
-wifinl80211 u:object_r:wifinl80211_service:s0
-wifiaware u:object_r:wifiaware_service:s0
-wifirtt u:object_r:rttmanager_service:s0
-window u:object_r:window_service:s0
-* u:object_r:default_android_service:s0
diff --git a/prebuilts/api/31.0/private/servicemanager.te b/prebuilts/api/31.0/private/servicemanager.te
deleted file mode 100644
index 6294452..0000000
--- a/prebuilts/api/31.0/private/servicemanager.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-read_runtime_log_tags(servicemanager)
-
-set_prop(servicemanager, ctl_interface_start_prop)
diff --git a/prebuilts/api/31.0/private/sgdisk.te b/prebuilts/api/31.0/private/sgdisk.te
deleted file mode 100644
index a17342e..0000000
--- a/prebuilts/api/31.0/private/sgdisk.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute sgdisk coredomain;
diff --git a/prebuilts/api/31.0/private/shared_relro.te b/prebuilts/api/31.0/private/shared_relro.te
deleted file mode 100644
index 31fdb8c..0000000
--- a/prebuilts/api/31.0/private/shared_relro.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute shared_relro coredomain;
-
-# The shared relro process is a Java program forked from the zygote, so it
-# inherits from app to get basic permissions it needs to run.
-app_domain(shared_relro)
-
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
deleted file mode 100644
index 40b19fd..0000000
--- a/prebuilts/api/31.0/private/shell.te
+++ /dev/null
@@ -1,207 +0,0 @@
-typeattribute shell coredomain, mlstrustedsubject;
-
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
-# systrace support - allow atrace to run
-allow shell debugfs_tracing_debug:dir r_dir_perms;
-allow shell debugfs_tracing:dir r_dir_perms;
-allow shell debugfs_tracing:file rw_file_perms;
-allow shell debugfs_trace_marker:file getattr;
-allow shell atrace_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow shell debugfs_tracing_debug:file rw_file_perms;
-')
-
-# read config.gz for CTS purposes
-allow shell config_gz:file r_file_perms;
-
-# Run app_process.
-# XXX Transition into its own domain?
-app_domain(shell)
-
-# allow shell to call dumpsys storaged
-binder_call(shell, storaged)
-
-# Perform SELinux access checks, needed for CTS
-selinux_check_access(shell)
-selinux_check_context(shell)
-
-# Control Perfetto traced and obtain traces from it.
-# Needed for Studio and debugging.
-unix_socket_connect(shell, traced_consumer, traced)
-
-# Allow shell binaries to write trace data to Perfetto. Used for testing and
-# cmdline utils.
-perfetto_producer(shell)
-
-domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-
-# Allow shell binaries to exec the perfetto cmdline util and have that
-# transition into its own domain, so that it behaves consistently to
-# when exec()-d by statsd.
-domain_auto_trans(shell, perfetto_exec, perfetto)
-# Allow to send SIGINT to perfetto when daemonized.
-allow shell perfetto:process signal;
-
-# Allow shell to run adb shell cmd stats commands. Needed for CTS.
-binder_call(shell, statsd);
-
-# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
-userdebug_or_eng(`
- allow shell accessibility_trace_data_file:dir rw_dir_perms;
- allow shell accessibility_trace_data_file:file { r_file_perms unlink };
-')
-
-# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
-allow shell perfetto_traces_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_data_file:file { r_file_perms unlink };
-# ... and /data/misc/perfetto-traces/bugreport/ .
-allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
-allow shell perfetto_configs_data_file:dir rw_dir_perms;
-allow shell perfetto_configs_data_file:file create_file_perms;
-
-# Allow shell to run adb shell cmd gpu commands.
-binder_call(shell, gpuservice);
-
-# Allow shell to use atrace HAL
-hal_client_domain(shell, hal_atrace)
-
-# For hostside tests such as CTS listening ports test.
-allow shell proc_net_tcp_udp:file r_file_perms;
-
-# The dl.exec_linker* tests need to execute /system/bin/linker
-# b/124789393
-allow shell system_linker_exec:file rx_file_perms;
-
-# Renderscript host side tests depend on being able to execute
-# /system/bin/bcc (b/126388046)
-allow shell rs_exec:file rx_file_perms;
-
-# Allow (host-driven) ART run-tests to execute dex2oat, in order to
-# check ART's compiler.
-allow shell dex2oat_exec:file rx_file_perms;
-
-# Allow shell to start and comminicate with lpdumpd.
-set_prop(shell, lpdumpd_prop);
-binder_call(shell, lpdumpd)
-
-# Allow shell to set and read value of properties used for CTS tests of
-# userspace reboot
-set_prop(shell, userspace_reboot_test_prop)
-
-# Allow shell to set this property used for rollback tests
-set_prop(shell, rollback_test_prop)
-
-# Allow shell to get encryption policy of /data/local/tmp/, for CTS
-allowxperm shell shell_data_file:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_GET_ENCRYPTION_POLICY_EX
-};
-
-# Allow shell to execute simpleperf without a domain transition.
-allow shell simpleperf_exec:file rx_file_perms;
-
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
-
-# Allow shell to call perf_event_open for profiling other shell processes, but
-# not the whole system.
-allow shell self:perf_event { open read write kernel };
-neverallow shell self:perf_event ~{ open read write kernel };
-
-# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
-allow shell apex_info_file:file r_file_perms;
-allow shell vendor_apex_file:file r_file_perms;
-allow shell vendor_apex_file:dir r_dir_perms;
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, perf_drop_caches_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-set_prop(shell, ctl_snapuserd_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
-# Allow shell to read boot image timestamps and fingerprints.
-get_prop(shell, build_bootimage_prop)
-
-userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
-# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
-allow shell keystore2_key_contexts_file:file r_file_perms;
-
-# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info update };
-
-# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
-set_prop(shell, sqlite_log_prop)
-
-# Allow shell to write MTE properties even on user builds.
-set_prop(shell, arm64_memtag_prop)
-
-# Allow shell to read the dm-verity props on user builds.
-get_prop(shell, verity_status_prop)
-
-# Allow shell to read Virtual A/B related properties
-get_prop(shell, virtual_ab_prop)
-
-# Never allow others to set or get the perf.drop_caches property.
-neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
-neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
-
-# Allow ReadDefaultFstab() for CTS.
-read_fstab(shell)
-
-# Allow shell read access to /apex/apex-info-list.xml for CTS.
-allow shell apex_info_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/simpleperf.te b/prebuilts/api/31.0/private/simpleperf.te
deleted file mode 100644
index 0639c11..0000000
--- a/prebuilts/api/31.0/private/simpleperf.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Domain used when running /system/bin/simpleperf to profile a specific app.
-# Entered either by the app itself exec-ing the binary, or through
-# simpleperf_app_runner (with shell as its origin). Certain other domains
-# (runas_app, shell) can also exec this binary without a domain transition.
-typeattribute simpleperf coredomain;
-type simpleperf_exec, system_file_type, exec_type, file_type;
-
-domain_auto_trans({ untrusted_app_all -runas_app }, simpleperf_exec, simpleperf)
-
-# When running in this domain, simpleperf is scoped to profiling an individual
-# app. The necessary MAC permissions for profiling are more maintainable and
-# consistent if simpleperf is marked as an app domain as well (as, for example,
-# it will then see the same set of system libraries as the app).
-app_domain(simpleperf)
-untrusted_app_domain(simpleperf)
-
-# Allow ptrace attach to the target app, for reading JIT debug info (using
-# process_vm_readv) during unwinding and symbolization.
-allow simpleperf untrusted_app_all:process ptrace;
-
-# Allow using perf_event_open syscall for profiling the target app.
-allow simpleperf self:perf_event { open read write kernel };
-
-# Allow /proc/<pid> access for the target app (for example, when trying to
-# discover it by cmdline).
-r_dir_file(simpleperf, untrusted_app_all)
-
-# Suppress denial logspam when simpleperf is trying to find a matching process
-# by scanning /proc/<pid>/cmdline files. The /proc/<pid> directories are within
-# the same domain as their respective processes, most of which this domain is
-# not allowed to see.
-dontaudit simpleperf domain:dir search;
-
-# Neverallows:
-
-# Profiling must be confined to the scope of an individual app.
-neverallow simpleperf self:perf_event ~{ open read write kernel };
diff --git a/prebuilts/api/31.0/private/simpleperf_app_runner.te b/prebuilts/api/31.0/private/simpleperf_app_runner.te
deleted file mode 100644
index 8501826..0000000
--- a/prebuilts/api/31.0/private/simpleperf_app_runner.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute simpleperf_app_runner coredomain;
-
-domain_auto_trans(shell, simpleperf_app_runner_exec, simpleperf_app_runner)
diff --git a/prebuilts/api/31.0/private/slideshow.te b/prebuilts/api/31.0/private/slideshow.te
deleted file mode 100644
index 7dfa994..0000000
--- a/prebuilts/api/31.0/private/slideshow.te
+++ /dev/null
@@ -1 +0,0 @@
-typeattribute slideshow coredomain;
diff --git a/prebuilts/api/31.0/private/snapshotctl.te b/prebuilts/api/31.0/private/snapshotctl.te
deleted file mode 100644
index fb2bbca..0000000
--- a/prebuilts/api/31.0/private/snapshotctl.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type snapshotctl, domain, coredomain;
-type snapshotctl_exec, system_file_type, exec_type, file_type;
-
-# Allow init to run snapshotctl and do auto domain transfer.
-init_daemon_domain(snapshotctl);
-
-# Allow to start gsid service.
-set_prop(snapshotctl, ctl_gsid_prop)
-
-# Allow to talk to gsid.
-binder_use(snapshotctl)
-allow snapshotctl gsi_service:service_manager find;
-binder_call(snapshotctl, gsid)
-
-# Allow to create/read/write/delete OTA metadata files for snapshot status and COW file status.
-allow snapshotctl metadata_file:dir search;
-allow snapshotctl ota_metadata_file:dir rw_dir_perms;
-allow snapshotctl ota_metadata_file:file create_file_perms;
-
-# Allow to get A/B slot suffix from device tree or kernel cmdline.
-r_dir_file(snapshotctl, sysfs_dt_firmware_android);
-allow snapshotctl proc_cmdline:file r_file_perms;
-
-# Needed to (re-)map logical partitions.
-allow snapshotctl block_device:dir r_dir_perms;
-allow snapshotctl super_block_device:blk_file r_file_perms;
-
-# Interact with device-mapper to collapse snapshots.
-allow snapshotctl dm_device:chr_file rw_file_perms;
-
-# Needed to mutate device-mapper nodes.
-allow snapshotctl self:global_capability_class_set sys_admin;
-
-# Snapshotctl talk to boot control HAL to set merge status.
-hwbinder_use(snapshotctl)
-hal_client_domain(snapshotctl, hal_bootctl)
-
-# Allow snapshotctl to write to statsd socket.
-unix_socket_send(snapshotctl, statsdw, statsd)
-
-# Logging
-userdebug_or_eng(`
- allow snapshotctl snapshotctl_log_data_file:dir rw_dir_perms;
- allow snapshotctl snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/prebuilts/api/31.0/private/snapuserd.te b/prebuilts/api/31.0/private/snapuserd.te
deleted file mode 100644
index d96b31e..0000000
--- a/prebuilts/api/31.0/private/snapuserd.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
-
-typeattribute snapuserd coredomain;
-
-init_daemon_domain(snapuserd)
-
-allow snapuserd kmsg_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
-allow snapuserd block_device:dir r_dir_perms;
-allow snapuserd dm_device:chr_file rw_file_perms;
-allow snapuserd dm_device:blk_file rw_file_perms;
-
-# Reading and writing to dm-user control nodes.
-allow snapuserd dm_user_device:dir r_dir_perms;
-allow snapuserd dm_user_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/socket/snapuserd.
-allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
-
-# This arises due to first-stage init opening /dev/null without F_CLOEXEC
-# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
-# again, the descriptor leaks into the new process.
-allow snapuserd kernel:fd use;
diff --git a/prebuilts/api/31.0/private/stats.te b/prebuilts/api/31.0/private/stats.te
deleted file mode 100644
index db29072..0000000
--- a/prebuilts/api/31.0/private/stats.te
+++ /dev/null
@@ -1,57 +0,0 @@
-type stats, domain;
-typeattribute stats coredomain;
-type stats_exec, system_file_type, exec_type, file_type;
-
-# switch to stats domain for stats command
-domain_auto_trans(shell, stats_exec, stats)
-
-# allow stats access to stdout from its parent shell.
-allow stats shell:fd use;
-
-# allow stats to communicate use, read and write over the adb
-# connection.
-allow stats adbd:fd use;
-allow stats adbd:unix_stream_socket { read write };
-
-# allow adbd to reap stats
-allow stats adbd:process { sigchld };
-
-# Allow the stats command to talk to the statsd over the binder, and get
-# back the stats report data from a ParcelFileDescriptor.
-binder_use(stats)
-allow stats stats_service:service_manager find;
-binder_call(stats, statsd)
-allow stats statsd:fifo_file write;
-
-# Only statsd can publish the binder service.
-add_service(statsd, stats_service)
-
-# Allow pipes from (and only from) stats.
-allow statsd stats:fd use;
-allow statsd stats:fifo_file write;
-
-# Allow statsd to call back to stats with status updates.
-binder_call(statsd, stats)
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -dumpstate
- -gmscore_app
- -gpuservice
- -incidentd
- -keystore
- -mediametrics
- -platform_app
- -priv_app
- -shell
- -stats
- -statsd
- -surfaceflinger
- -system_app
- -system_server
- -traceur_app
-} stats_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/statsd.te b/prebuilts/api/31.0/private/statsd.te
deleted file mode 100644
index 444d82e..0000000
--- a/prebuilts/api/31.0/private/statsd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-typeattribute statsd coredomain;
-
-init_daemon_domain(statsd)
-
-# Allow to exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe. It allows statsd to capture traces and hand them
-# to Android dropbox.
-allow statsd perfetto_exec:file rx_file_perms;
-domain_auto_trans(statsd, perfetto_exec, perfetto)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
- statscompanion_service
-}:service_manager find;
-
-# Allow incidentd to obtain the statsd incident section.
-allow statsd incidentd:fifo_file write;
-
-# Allow StatsCompanionService to pipe data to statsd.
-allow statsd system_server:fifo_file { read getattr };
-
-# Allow statsd to retrieve SF statistics over binder
-binder_call(statsd, surfaceflinger);
-
-# Allow statsd to read its system properties
-get_prop(statsd, device_config_statsd_native_prop)
-get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/prebuilts/api/31.0/private/storaged.te b/prebuilts/api/31.0/private/storaged.te
deleted file mode 100644
index bb39e5b..0000000
--- a/prebuilts/api/31.0/private/storaged.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# storaged daemon
-type storaged, domain, coredomain, mlstrustedsubject;
-type storaged_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(storaged)
-
-# Read access to pseudo filesystems
-r_dir_file(storaged, domain)
-
-# Read /proc/uid_io/stats
-allow storaged proc_uid_io_stats:file r_file_perms;
-
-# Read /data/system/packages.list
-allow storaged system_data_file:file r_file_perms;
-allow storaged packages_list_file:file r_file_perms;
-
-# Store storaged proto file
-allow storaged storaged_data_file:dir rw_dir_perms;
-allow storaged storaged_data_file:file create_file_perms;
-
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
-')
-
-# Needed to provide debug dump output via dumpsys pipes.
-allow storaged shell:fd use;
-allow storaged shell:fifo_file write;
-
-# Needed for GMScore to call dumpsys storaged
-allow storaged priv_app:fd use;
-# b/142672293: No other priv-app should need this allow rule now that GMS core runs in its own domain.
-# Remove after no logs are seen for this rule.
-userdebug_or_eng(`
- auditallow storaged priv_app:fd use;
-')
-allow storaged gmscore_app:fd use;
-allow storaged { privapp_data_file app_data_file }:file write;
-allow storaged permission_service:service_manager find;
-
-# Binder permissions
-add_service(storaged, storaged_service)
-
-binder_use(storaged)
-binder_call(storaged, system_server)
-
-hal_client_domain(storaged, hal_health)
-
-# Implements a dumpsys interface.
-allow storaged dumpstate:fd use;
-
-# use a subset of the package manager service
-allow storaged package_native_service:service_manager find;
-
-# Kernel does extra check on CAP_DAC_OVERRIDE for libbinder when storaged is
-# running as root. See b/35323867 #3.
-dontaudit storaged self:global_capability_class_set { dac_override dac_read_search };
-
-# For collecting bugreports.
-allow storaged dumpstate:fifo_file write;
-
-###
-### neverallow
-###
-neverallow storaged domain:process ptrace;
-neverallow storaged self:capability_class_set *;
diff --git a/prebuilts/api/31.0/private/su.te b/prebuilts/api/31.0/private/su.te
deleted file mode 100644
index 587f449..0000000
--- a/prebuilts/api/31.0/private/su.te
+++ /dev/null
@@ -1,30 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
- # Allow dumpstate to call su on userdebug / eng builds to collect
- # additional information.
- domain_auto_trans(dumpstate, su_exec, su)
-
- # Make sure that dumpstate runs the same from the "su" domain as
- # from the "init" domain.
- domain_auto_trans(su, dumpstate_exec, dumpstate)
-
- # Put the incident command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, incident_exec, incident)
-
- # Put the odrefresh command into its domain.
- domain_auto_trans(su, odrefresh_exec, odrefresh)
-
- # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
- domain_auto_trans(su, perfetto_exec, perfetto)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
- app_domain(su)
-
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
-')
diff --git a/prebuilts/api/31.0/private/surfaceflinger.te b/prebuilts/api/31.0/private/surfaceflinger.te
deleted file mode 100644
index 7a92bd4..0000000
--- a/prebuilts/api/31.0/private/surfaceflinger.te
+++ /dev/null
@@ -1,148 +0,0 @@
-# surfaceflinger - display compositor service
-
-typeattribute surfaceflinger coredomain;
-
-type surfaceflinger_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(surfaceflinger)
-tmpfs_domain(surfaceflinger)
-
-typeattribute surfaceflinger mlstrustedsubject;
-typeattribute surfaceflinger display_service_server;
-
-read_runtime_log_tags(surfaceflinger)
-
-# Perform HwBinder IPC.
-hal_client_domain(surfaceflinger, hal_graphics_allocator)
-hal_client_domain(surfaceflinger, hal_graphics_composer)
-typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
-hal_client_domain(surfaceflinger, hal_codec2)
-hal_client_domain(surfaceflinger, hal_omx)
-hal_client_domain(surfaceflinger, hal_configstore)
-hal_client_domain(surfaceflinger, hal_power)
-hal_client_domain(surfaceflinger, hal_bufferhub)
-allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
-
-# Perform Binder IPC.
-binder_use(surfaceflinger)
-binder_call(surfaceflinger, binderservicedomain)
-binder_call(surfaceflinger, appdomain)
-binder_call(surfaceflinger, bootanim)
-binder_call(surfaceflinger, system_server);
-binder_service(surfaceflinger)
-
-# Binder IPC to bu, presently runs in adbd domain.
-binder_call(surfaceflinger, adbd)
-
-# Read /proc/pid files for Binder clients.
-r_dir_file(surfaceflinger, binderservicedomain)
-r_dir_file(surfaceflinger, appdomain)
-
-# Access the GPU.
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# Access /dev/graphics/fb0.
-allow surfaceflinger graphics_device:dir search;
-allow surfaceflinger graphics_device:chr_file rw_file_perms;
-
-# Access /dev/video1.
-allow surfaceflinger video_device:dir r_dir_perms;
-allow surfaceflinger video_device:chr_file rw_file_perms;
-
-# Create and use netlink kobject uevent sockets.
-allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Set properties.
-set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, bootanim_system_prop)
-set_prop(surfaceflinger, exported_system_prop)
-set_prop(surfaceflinger, exported3_system_prop)
-set_prop(surfaceflinger, ctl_bootanim_prop)
-set_prop(surfaceflinger, surfaceflinger_display_prop)
-
-# Get properties.
-get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-
-# Use open files supplied by an app.
-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
-
-# Allow writing surface traces to /data/misc/wmtrace.
-userdebug_or_eng(`
- allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
- allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
-')
-
-# Needed to register as a Perfetto producer.
-perfetto_producer(surfaceflinger)
-
-# Use socket supplied by adbd, for cmd gpu vkjson etc.
-allow surfaceflinger adbd:unix_stream_socket { read write getattr };
-
-# Allow a dumpstate triggered screenshot
-binder_call(surfaceflinger, dumpstate)
-binder_call(surfaceflinger, shell)
-r_dir_file(surfaceflinger, dumpstate)
-
-# media.player service
-
-# do not use add_service() as hal_graphics_composer_default may be the
-# provider as well
-#add_service(surfaceflinger, surfaceflinger_service)
-allow surfaceflinger surfaceflinger_service:service_manager { add find };
-
-add_service(surfaceflinger, vrflinger_vsync_service)
-
-allow surfaceflinger mediaserver_service:service_manager find;
-allow surfaceflinger permission_service:service_manager find;
-allow surfaceflinger power_service:service_manager find;
-allow surfaceflinger vr_manager_service:service_manager find;
-allow surfaceflinger window_service:service_manager find;
-allow surfaceflinger inputflinger_service:service_manager find;
-
-
-# allow self to set SCHED_FIFO
-allow surfaceflinger self:global_capability_class_set sys_nice;
-allow surfaceflinger proc_meminfo:file r_file_perms;
-r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
-r_dir_file(surfaceflinger, system_file)
-allow surfaceflinger tmpfs:dir r_dir_perms;
-allow surfaceflinger system_server:fd use;
-allow surfaceflinger system_server:unix_stream_socket { read write };
-allow surfaceflinger ion_device:chr_file r_file_perms;
-allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
-
-# pdx IPC
-pdx_server(surfaceflinger, display_client)
-pdx_server(surfaceflinger, display_manager)
-pdx_server(surfaceflinger, display_screenshot)
-pdx_server(surfaceflinger, display_vsync)
-
-pdx_client(surfaceflinger, bufferhub_client)
-pdx_client(surfaceflinger, performance_client)
-
-# Allow supplying timestats statistics to statsd
-allow surfaceflinger stats_service:service_manager find;
-allow surfaceflinger statsmanager_service:service_manager find;
-# TODO(146461633): remove this once native pullers talk to StatsManagerService
-binder_call(surfaceflinger, statsd);
-
-# Allow pushing jank event atoms to statsd
-userdebug_or_eng(`
- unix_socket_send(surfaceflinger, statsdw, statsd)
-')
-
-# Surfaceflinger should not be reading default vendor-defined properties.
-dontaudit surfaceflinger vendor_default_prop:file read;
-
-###
-### Neverallow rules
-###
-### surfaceflinger should NEVER do any of this
-
-# Do not allow accessing SDcard files as unsafe ejection could
-# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
-
-# b/68864350
-dontaudit surfaceflinger unlabeled:dir search;
diff --git a/prebuilts/api/31.0/private/system_app.te b/prebuilts/api/31.0/private/system_app.te
deleted file mode 100644
index 239686e..0000000
--- a/prebuilts/api/31.0/private/system_app.te
+++ /dev/null
@@ -1,188 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-typeattribute system_app coredomain, mlstrustedsubject;
-
-app_domain(system_app)
-net_domain(system_app)
-binder_service(system_app)
-
-# android.ui and system.ui
-allow system_app rootfs:dir getattr;
-
-# Read and write /data/data subdirectory.
-allow system_app system_app_data_file:dir create_dir_perms;
-allow system_app system_app_data_file:{ file lnk_file } create_file_perms;
-
-# Read and write to /data/misc/user.
-allow system_app misc_user_data_file:dir create_dir_perms;
-allow system_app misc_user_data_file:file create_file_perms;
-
-# Access to apex files stored on /data (b/136063500)
-# Needed so that Settings can access NOTICE files inside apex
-# files located in the assets/ directory.
-allow system_app apex_data_file:dir search;
-allow system_app staging_data_file:file r_file_perms;
-
-# Read wallpaper file.
-allow system_app wallpaper_file:file r_file_perms;
-
-# Read icon file.
-allow system_app icon_file:file r_file_perms;
-
-# Write to properties
-set_prop(system_app, bluetooth_a2dp_offload_prop)
-set_prop(system_app, bluetooth_audio_hal_prop)
-set_prop(system_app, bluetooth_prop)
-set_prop(system_app, debug_prop)
-set_prop(system_app, system_prop)
-set_prop(system_app, exported_bluetooth_prop)
-set_prop(system_app, exported_system_prop)
-set_prop(system_app, exported3_system_prop)
-set_prop(system_app, logd_prop)
-set_prop(system_app, net_radio_prop)
-set_prop(system_app, usb_control_prop)
-set_prop(system_app, usb_prop)
-set_prop(system_app, log_tag_prop)
-userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
-auditallow system_app net_radio_prop:property_service set;
-auditallow system_app usb_control_prop:property_service set;
-auditallow system_app usb_prop:property_service set;
-# Allow Settings to enable Dynamic System Update
-set_prop(system_app, dynamic_system_prop)
-
-# ctl interface
-set_prop(system_app, ctl_default_prop)
-set_prop(system_app, ctl_bugreport_prop)
-
-# Allow developer settings to query gsid status
-get_prop(system_app, gsid_prop)
-
-# Create /data/anr/traces.txt.
-allow system_app anr_data_file:dir ra_dir_perms;
-allow system_app anr_data_file:file create_file_perms;
-
-# Settings need to access app name and icon from asec
-allow system_app asec_apk_file:file r_file_perms;
-
-# Allow system apps (like Settings) to interact with statsd
-binder_call(system_app, statsd)
-
-# Allow system apps to interact with incidentd
-binder_call(system_app, incidentd)
-
-# Allow system app to interact with Dumpstate HAL
-hal_client_domain(system_app, hal_dumpstate)
-
-allow system_app servicemanager:service_manager list;
-# TODO: scope this down? Too broad?
-allow system_app {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -dumpstate_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -system_suspend_control_internal_service
- -system_suspend_control_service
- -tracingproxy_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-# suppress denials for services system_app should not be accessing.
-dontaudit system_app {
- dnsresolver_service
- dumpstate_service
- installd_service
- iorapd_service
- netd_service
- virtual_touchpad_service
- vold_service
- vr_hwc_service
-}:service_manager find;
-
-# suppress denials caused by debugfs_tracing
-dontaudit system_app debugfs_tracing:file rw_file_perms;
-
-allow system_app keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- user_changed
-};
-
-allow system_app keystore:keystore2_key {
- delete
- get_info
- grant
- rebind
- update
- use
-};
-
-# Allow Settings to manage WI-FI keys.
-allow system_app wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# settings app reads /proc/version
-allow system_app {
- proc_version
-}:file r_file_perms;
-
-# Settings app writes to /dev/stune/foreground/tasks.
-allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
-
-control_logd(system_app)
-read_runtime_log_tags(system_app)
-get_prop(system_app, device_logging_prop)
-
-# allow system apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow system_app system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Settings app reads ro.oem_unlock_supported
-get_prop(system_app, oem_unlock_prop)
-
-# Allow system apps to act as Perfetto producers.
-perfetto_producer(system_app)
-
-###
-### Neverallow rules
-###
-
-# app domains which access /dev/fuse should not run as system_app
-neverallow system_app fuse_device:chr_file *;
-
-# Apps which run as UID=system should not rely on any attacker controlled
-# filesystem locations, such as /data/local/tmp. For /data/local/tmp, we
-# allow writes to files passed by file descriptor to support dumpstate and
-# bug reports, but not reads.
-neverallow system_app shell_data_file:dir { no_w_dir_perms open search read };
-neverallow system_app shell_data_file:file { open read ioctl lock };
diff --git a/prebuilts/api/31.0/private/system_server.te b/prebuilts/api/31.0/private/system_server.te
deleted file mode 100644
index 73301c1..0000000
--- a/prebuilts/api/31.0/private/system_server.te
+++ /dev/null
@@ -1,1411 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-
-typeattribute system_server coredomain;
-typeattribute system_server mlstrustedsubject;
-typeattribute system_server scheduler_service_server;
-typeattribute system_server sensor_service_server;
-typeattribute system_server stats_service_server;
-
-# Define a type for tmpfs-backed ashmem regions.
-tmpfs_domain(system_server)
-
-userfaultfd_use(system_server)
-
-# Create a socket for connections from crash_dump.
-type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
-
-# Create a socket for connections from zygotes.
-type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
-
-allow system_server zygote_tmpfs:file read;
-allow system_server appdomain_tmpfs:file { getattr map read write };
-
-# For Incremental Service to check if incfs is available
-allow system_server proc_filesystems:file r_file_perms;
-
-# To create files, get permission to fill blocks, and configure Incremental File System
-allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl {
- INCFS_IOCTL_CREATE_FILE
- INCFS_IOCTL_CREATE_MAPPED_FILE
- INCFS_IOCTL_PERMIT_FILL
- INCFS_IOCTL_GET_READ_TIMEOUTS
- INCFS_IOCTL_SET_READ_TIMEOUTS
- INCFS_IOCTL_GET_LAST_READ_ERROR
-};
-
-# To get signature of an APK installed on Incremental File System, and fill in data
-# blocks and get the filesystem state
-allowxperm system_server apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_FILLED_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_COMPRESS_BLOCKS
- F2FS_IOC_COMPRESS_FILE
- F2FS_IOC_DECOMPRESS_FILE
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- F2FS_IOC_RESERVE_COMPRESS_BLOCKS
- FS_IOC_SETFLAGS
- FS_IOC_GETFLAGS
-};
-
-allowxperm system_server apk_tmp_file:file ioctl {
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- FS_IOC_GETFLAGS
-};
-
-# For Incremental Service to check incfs metrics
-allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
-
-# For f2fs-compression support
-allow system_server sysfs_fs_f2fs:dir r_dir_perms;
-allow system_server sysfs_fs_f2fs:file r_file_perms;
-
-# For art.
-allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
-
-# When running system server under --invoke-with, we'll try to load the boot image under the
-# system server domain, following links to the system partition.
-with_asan(`allow system_server dalvikcache_data_file:lnk_file r_file_perms;')
-
-# /data/resource-cache
-allow system_server resourcecache_data_file:file r_file_perms;
-allow system_server resourcecache_data_file:dir r_dir_perms;
-
-# ptrace to processes in the same domain for debugging crashes.
-allow system_server self:process ptrace;
-
-# Child of the zygote.
-allow system_server zygote:fd use;
-allow system_server zygote:process sigchld;
-
-# May kill zygote on crashes.
-allow system_server {
- app_zygote
- crash_dump
- webview_zygote
- zygote
-}:process { sigkill signull };
-
-# Read /system/bin/app_process.
-allow system_server zygote_exec:file r_file_perms;
-
-# Needed to close the zygote socket, which involves getopt / getattr
-allow system_server zygote:unix_stream_socket { getopt getattr };
-
-# system server gets network and bluetooth permissions.
-net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
-# to use privileged ioctls commands. Needed to set up VPNs.
-allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
-bluetooth_domain(system_server)
-
-# Allow setup of tcp keepalive offload. This gives system_server the permission to
-# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
-# public/domain.te.
-allow system_server appdomain:tcp_socket ioctl;
-
-# These are the capabilities assigned by the zygote to the
-# system server.
-allow system_server self:global_capability_class_set {
- ipc_lock
- kill
- net_admin
- net_bind_service
- net_broadcast
- net_raw
- sys_boot
- sys_nice
- sys_ptrace
- sys_time
- sys_tty_config
-};
-
-# Trigger module auto-load.
-allow system_server kernel:system module_request;
-
-# Allow alarmtimers to be set
-allow system_server self:global_capability2_class_set wake_alarm;
-
-# Create and share netlink_netfilter_sockets for tetheroffload.
-allow system_server self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-
-# Create/use netlink_tcpdiag_socket for looking up connection UIDs for VPN apps.
-allow system_server self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Use netlink uevent sockets.
-allow system_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Use generic netlink sockets.
-allow system_server self:netlink_socket create_socket_perms_no_ioctl;
-allow system_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# libvintf reads the kernel config to verify vendor interface compatibility.
-allow system_server config_gz:file { read open };
-
-# Use generic "sockets" where the address family is not known
-# to the kernel. The ioctl permission is specifically omitted here, but may
-# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
-allow system_server self:socket create_socket_perms_no_ioctl;
-
-# Set and get routes directly via netlink.
-allow system_server self:netlink_route_socket nlmsg_write;
-
-# Kill apps.
-allow system_server appdomain:process { getpgid sigkill signal };
-# signull allowed for kill(pid, 0) existence test.
-allow system_server appdomain:process { signull };
-
-# Set scheduling info for apps.
-allow system_server appdomain:process { getsched setsched };
-allow system_server audioserver:process { getsched setsched };
-allow system_server hal_audio:process { getsched setsched };
-allow system_server hal_bluetooth:process { getsched setsched };
-allow system_server hal_codec2_server:process { getsched setsched };
-allow system_server hal_omx_server:process { getsched setsched };
-allow system_server mediaswcodec:process { getsched setsched };
-allow system_server cameraserver:process { getsched setsched };
-allow system_server hal_camera:process { getsched setsched };
-allow system_server mediaserver:process { getsched setsched };
-allow system_server bootanim:process { getsched setsched };
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete this line b/131761776
-allow system_server kernel:process { getsched setsched };
-
-# Allow system_server to write to /proc/<pid>/*
-allow system_server domain:file w_file_perms;
-
-# Read /proc/pid data for all domains. This is used by ProcessCpuTracker
-# within system_server to keep track of memory and CPU usage for
-# all processes on the device. In addition, /proc/pid files access is needed
-# for dumping stack traces of native processes.
-r_dir_file(system_server, domain)
-
-# Write /proc/uid_cputime/remove_uid_range.
-allow system_server proc_uid_cputime_removeuid:file { w_file_perms getattr };
-
-# Write /proc/uid_procstat/set.
-allow system_server proc_uid_procstat_set:file { w_file_perms getattr };
-
-# Write to /proc/sysrq-trigger.
-allow system_server proc_sysrq:file rw_file_perms;
-
-# Delete /data/misc/stats-data/ and /data/misc/stats-service/ directories.
-allow system_server stats_data_file:dir { open read remove_name search write };
-allow system_server stats_data_file:file unlink;
-
-# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
-
-# Read /sys/kernel/ion/*.
-allow system_server sysfs_ion:file r_file_perms;
-
-# Read /sys/kernel/dma_heap/*.
-allow system_server sysfs_dma_heap:file r_file_perms;
-
-# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
-allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
-allow system_server sysfs_dmabuf_stats:file r_file_perms;
-
-# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
-# for dumpsys meminfo
-allow system_server dmabuf_heap_device:dir r_dir_perms;
-
-# Allow reading /proc/vmstat for the oom kill count
-allow system_server proc_vmstat:file r_file_perms;
-
-# The DhcpClient and WifiWatchdog use packet_sockets
-allow system_server self:packet_socket create_socket_perms_no_ioctl;
-
-# 3rd party VPN clients require a tun_socket to be created
-allow system_server self:tun_socket create_socket_perms_no_ioctl;
-
-# Talk to init and various daemons via sockets.
-unix_socket_connect(system_server, lmkd, lmkd)
-unix_socket_connect(system_server, mtpd, mtp)
-unix_socket_connect(system_server, zygote, zygote)
-unix_socket_connect(system_server, racoon, racoon)
-unix_socket_connect(system_server, uncrypt, uncrypt)
-
-# Allow system_server to write to statsd.
-unix_socket_send(system_server, statsdw, statsd)
-
-# Communicate over a socket created by surfaceflinger.
-allow system_server surfaceflinger:unix_stream_socket { read write setopt };
-
-allow system_server gpuservice:unix_stream_socket { read write setopt };
-
-# Communicate over a socket created by webview_zygote.
-allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
-
-# Communicate over a socket created by app_zygote.
-allow system_server app_zygote:unix_stream_socket { read write connectto setopt };
-
-# Perform Binder IPC.
-binder_use(system_server)
-binder_call(system_server, appdomain)
-binder_call(system_server, binderservicedomain)
-binder_call(system_server, dumpstate)
-binder_call(system_server, fingerprintd)
-binder_call(system_server, gatekeeperd)
-binder_call(system_server, gpuservice)
-binder_call(system_server, idmap)
-binder_call(system_server, installd)
-binder_call(system_server, incidentd)
-binder_call(system_server, iorapd)
-binder_call(system_server, netd)
-userdebug_or_eng(`binder_call(system_server, profcollectd)')
-binder_call(system_server, statsd)
-binder_call(system_server, storaged)
-binder_call(system_server, update_engine)
-binder_call(system_server, vold)
-binder_call(system_server, wificond)
-binder_call(system_server, wpantund)
-binder_service(system_server)
-
-# Use HALs
-hal_client_domain(system_server, hal_allocator)
-hal_client_domain(system_server, hal_audio)
-hal_client_domain(system_server, hal_authsecret)
-hal_client_domain(system_server, hal_broadcastradio)
-hal_client_domain(system_server, hal_codec2)
-hal_client_domain(system_server, hal_configstore)
-hal_client_domain(system_server, hal_contexthub)
-hal_client_domain(system_server, hal_face)
-hal_client_domain(system_server, hal_fingerprint)
-hal_client_domain(system_server, hal_gnss)
-hal_client_domain(system_server, hal_graphics_allocator)
-hal_client_domain(system_server, hal_health)
-hal_client_domain(system_server, hal_input_classifier)
-hal_client_domain(system_server, hal_ir)
-hal_client_domain(system_server, hal_light)
-hal_client_domain(system_server, hal_memtrack)
-hal_client_domain(system_server, hal_neuralnetworks)
-hal_client_domain(system_server, hal_oemlock)
-hal_client_domain(system_server, hal_omx)
-hal_client_domain(system_server, hal_power)
-hal_client_domain(system_server, hal_power_stats)
-hal_client_domain(system_server, hal_rebootescrow)
-hal_client_domain(system_server, hal_sensors)
-hal_client_domain(system_server, hal_tetheroffload)
-hal_client_domain(system_server, hal_thermal)
-hal_client_domain(system_server, hal_tv_cec)
-hal_client_domain(system_server, hal_tv_input)
-hal_client_domain(system_server, hal_usb)
-hal_client_domain(system_server, hal_usb_gadget)
-hal_client_domain(system_server, hal_vibrator)
-hal_client_domain(system_server, hal_vr)
-hal_client_domain(system_server, hal_weaver)
-hal_client_domain(system_server, hal_wifi)
-hal_client_domain(system_server, hal_wifi_hostapd)
-hal_client_domain(system_server, hal_wifi_supplicant)
-# The bootctl is a pass through HAL mode under recovery mode. So we skip the
-# permission for recovery in order not to give system server the access to
-# the low level block devices.
-not_recovery(`hal_client_domain(system_server, hal_bootctl)')
-
-# Talk with graphics composer fences
-allow system_server hal_graphics_composer:fd use;
-
-# Use RenderScript always-passthrough HAL
-allow system_server hal_renderscript_hwservice:hwservice_manager find;
-allow system_server same_process_hal_file:file { execute read open getattr map };
-
-# Talk to tombstoned to get ANR traces.
-unix_socket_connect(system_server, tombstoned_intercept, tombstoned)
-
-# List HAL interfaces to get ANR traces.
-allow system_server hwservicemanager:hwservice_manager list;
-allow system_server servicemanager:service_manager list;
-
-# Send signals to trigger ANR traces.
-allow system_server {
- # This is derived from the list that system server defines as interesting native processes
- # to dump during ANRs or watchdog aborts, defined in NATIVE_STACKS_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- audioserver
- cameraserver
- drmserver
- gpuservice
- inputflinger
- keystore
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- mediaswcodec
- mediatranscoding
- mediatuner
- netd
- sdcardd
- statsd
- surfaceflinger
- vold
-
- # This list comes from HAL_INTERFACES_OF_INTEREST in
- # frameworks/base/services/core/java/com/android/server/Watchdog.java.
- hal_audio_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_face_server
- hal_fingerprint_server
- hal_gnss_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_light_server
- hal_neuralnetworks_server
- hal_omx_server
- hal_power_stats_server
- hal_sensors_server
- hal_vr_server
- system_suspend_server
-}:process { signal };
-
-# Use sockets received over binder from various services.
-allow system_server audioserver:tcp_socket rw_socket_perms;
-allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server mediaserver:tcp_socket rw_socket_perms;
-allow system_server mediaserver:udp_socket rw_socket_perms;
-
-# Use sockets received over binder from various services.
-allow system_server mediadrmserver:tcp_socket rw_socket_perms;
-allow system_server mediadrmserver:udp_socket rw_socket_perms;
-
-userdebug_or_eng(`perfetto_producer({ system_server })')
-
-# Get file context
-allow system_server file_contexts_file:file r_file_perms;
-# access for mac_permissions
-allow system_server mac_perms_file: file r_file_perms;
-# Check SELinux permissions.
-selinux_check_access(system_server)
-
-allow system_server sysfs_type:dir search;
-
-r_dir_file(system_server, sysfs_android_usb)
-allow system_server sysfs_android_usb:file w_file_perms;
-
-allow system_server sysfs_extcon:dir r_dir_perms;
-
-r_dir_file(system_server, sysfs_ipv4)
-allow system_server sysfs_ipv4:file w_file_perms;
-
-r_dir_file(system_server, sysfs_rtc)
-r_dir_file(system_server, sysfs_switch)
-
-allow system_server sysfs_nfc_power_writable:file rw_file_perms;
-allow system_server sysfs_power:dir search;
-allow system_server sysfs_power:file rw_file_perms;
-allow system_server sysfs_thermal:dir search;
-allow system_server sysfs_thermal:file r_file_perms;
-allow system_server sysfs_uhid:dir r_dir_perms;
-allow system_server sysfs_uhid:file rw_file_perms;
-
-# TODO: Remove when HALs are forced into separate processes
-allow system_server sysfs_vibrator:file { write append };
-
-# TODO: added to match above sysfs rule. Remove me?
-allow system_server sysfs_usb:file w_file_perms;
-
-# Access devices.
-allow system_server device:dir r_dir_perms;
-allow system_server mdns_socket:sock_file rw_file_perms;
-allow system_server gpu_device:chr_file rw_file_perms;
-allow system_server input_device:dir r_dir_perms;
-allow system_server input_device:chr_file rw_file_perms;
-allow system_server tty_device:chr_file rw_file_perms;
-allow system_server usbaccessory_device:chr_file rw_file_perms;
-allow system_server video_device:dir r_dir_perms;
-allow system_server video_device:chr_file rw_file_perms;
-allow system_server adbd_socket:sock_file rw_file_perms;
-allow system_server rtc_device:chr_file rw_file_perms;
-allow system_server audio_device:dir r_dir_perms;
-
-# write access to ALSA interfaces (/dev/snd/*) needed for MIDI
-allow system_server audio_device:chr_file rw_file_perms;
-
-# tun device used for 3rd party vpn apps
-allow system_server tun_device:chr_file rw_file_perms;
-allowxperm system_server tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-
-# Manage data/ota_package
-allow system_server ota_package_file:dir rw_dir_perms;
-allow system_server ota_package_file:file create_file_perms;
-
-# Manage system data files.
-allow system_server system_data_file:dir create_dir_perms;
-allow system_server system_data_file:notdevfile_class_set create_file_perms;
-allow system_server packages_list_file:file create_file_perms;
-allow system_server keychain_data_file:dir create_dir_perms;
-allow system_server keychain_data_file:file create_file_perms;
-allow system_server keychain_data_file:lnk_file create_file_perms;
-
-# Manage /data/app.
-allow system_server apk_data_file:dir create_dir_perms;
-allow system_server apk_data_file:{ file lnk_file } { create_file_perms link };
-allow system_server apk_tmp_file:dir create_dir_perms;
-allow system_server apk_tmp_file:file create_file_perms;
-
-# Access input configuration files in the /vendor directory
-r_dir_file(system_server, vendor_keylayout_file)
-r_dir_file(system_server, vendor_keychars_file)
-r_dir_file(system_server, vendor_idc_file)
-
-# Access /vendor/{app,framework,overlay}
-r_dir_file(system_server, vendor_app_file)
-r_dir_file(system_server, vendor_framework_file)
-r_dir_file(system_server, vendor_overlay_file)
-
-# Manage /data/app-private.
-allow system_server apk_private_data_file:dir create_dir_perms;
-allow system_server apk_private_data_file:file create_file_perms;
-allow system_server apk_private_tmp_file:dir create_dir_perms;
-allow system_server apk_private_tmp_file:file create_file_perms;
-
-# Manage files within asec containers.
-allow system_server asec_apk_file:dir create_dir_perms;
-allow system_server asec_apk_file:file create_file_perms;
-allow system_server asec_public_file:file create_file_perms;
-
-# Manage /data/anr.
-#
-# TODO: Some of these permissions can be withdrawn once we've switched to the
-# new stack dumping mechanism, see b/32064548 and the rules below. In particular,
-# the system_server should never need to create a new anr_data_file:file or write
-# to one, but it will still need to read and append to existing files.
-allow system_server anr_data_file:dir create_dir_perms;
-allow system_server anr_data_file:file create_file_perms;
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow system_server to connect and write to the tombstoned java trace socket in
-# order to dump its traces. Also allow the system server to write its traces to
-# dumpstate during bugreport capture and incidentd during incident collection.
-unix_socket_connect(system_server, tombstoned_java_trace, tombstoned)
-allow system_server tombstoned:fd use;
-allow system_server dumpstate:fifo_file append;
-allow system_server incidentd:fifo_file append;
-# Write to a pipe created from `adb shell` (for debuggerd -j `pidof system_server`)
-userdebug_or_eng(`
- allow system_server su:fifo_file append;
-')
-
-# Allow system_server to read pipes from incidentd (used to deliver incident reports
-# to dropbox)
-allow system_server incidentd:fifo_file read;
-
-# Read /data/misc/incidents - only read. The fd will be sent over binder,
-# with no DAC access to it, for dropbox to read.
-allow system_server incident_data_file:file read;
-
-# Manage /data/misc/prereboot.
-allow system_server prereboot_data_file:dir rw_dir_perms;
-allow system_server prereboot_data_file:file create_file_perms;
-
-# Allow dropbox to read /data/misc/perfetto-traces. Only the fd is sent over
-# binder.
-allow system_server perfetto_traces_data_file:file read;
-allow system_server perfetto:fd use;
-
-# Manage /data/backup.
-allow system_server backup_data_file:dir create_dir_perms;
-allow system_server backup_data_file:file create_file_perms;
-
-# Write to /data/system/dropbox
-allow system_server dropbox_data_file:dir create_dir_perms;
-allow system_server dropbox_data_file:file create_file_perms;
-
-# Write to /data/system/heapdump
-allow system_server heapdump_data_file:dir rw_dir_perms;
-allow system_server heapdump_data_file:file create_file_perms;
-
-# Manage /data/misc/adb.
-allow system_server adb_keys_file:dir create_dir_perms;
-allow system_server adb_keys_file:file create_file_perms;
-
-# Manage /data/misc/appcompat.
-allow system_server appcompat_data_file:dir rw_dir_perms;
-allow system_server appcompat_data_file:file create_file_perms;
-
-# Manage /data/misc/emergencynumberdb
-allow system_server emergency_data_file:dir create_dir_perms;
-allow system_server emergency_data_file:file create_file_perms;
-
-# Manage /data/misc/network_watchlist
-allow system_server network_watchlist_data_file:dir create_dir_perms;
-allow system_server network_watchlist_data_file:file create_file_perms;
-
-# Manage /data/misc/sms.
-# TODO: Split into a separate type?
-allow system_server radio_data_file:dir create_dir_perms;
-allow system_server radio_data_file:file create_file_perms;
-
-# Manage /data/misc/systemkeys.
-allow system_server systemkeys_data_file:dir create_dir_perms;
-allow system_server systemkeys_data_file:file create_file_perms;
-
-# Manage /data/misc/textclassifier.
-allow system_server textclassifier_data_file:dir create_dir_perms;
-allow system_server textclassifier_data_file:file create_file_perms;
-
-# Access /data/tombstones.
-allow system_server tombstone_data_file:dir r_dir_perms;
-allow system_server tombstone_data_file:file r_file_perms;
-
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
-
-# Manage /data/misc/vpn.
-allow system_server vpn_data_file:dir create_dir_perms;
-allow system_server vpn_data_file:file create_file_perms;
-
-# Manage /data/misc/wifi.
-allow system_server wifi_data_file:dir create_dir_perms;
-allow system_server wifi_data_file:file create_file_perms;
-
-# Manage /data/misc/zoneinfo.
-allow system_server zoneinfo_data_file:dir create_dir_perms;
-allow system_server zoneinfo_data_file:file create_file_perms;
-
-# Manage /data/app-staging.
-allow system_server staging_data_file:dir create_dir_perms;
-allow system_server staging_data_file:file create_file_perms;
-
-# Manage /data/rollback.
-allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
-
-# Walk /data/data subdirectories.
-allow system_server app_data_file_type:dir { getattr read search };
-
-# Also permit for unlabeled /data/data subdirectories and
-# for unlabeled asec containers on upgrades from 4.2.
-allow system_server unlabeled:dir r_dir_perms;
-# Read pkg.apk file before it has been relabeled by vold.
-allow system_server unlabeled:file r_file_perms;
-
-# Populate com.android.providers.settings/databases/settings.db.
-allow system_server system_app_data_file:dir create_dir_perms;
-allow system_server system_app_data_file:file create_file_perms;
-
-# Receive and use open app data files passed over binder IPC.
-allow system_server app_data_file_type:file { getattr read write append map };
-
-# Access to /data/media for measuring disk usage.
-allow system_server media_rw_data_file:dir { search getattr open read };
-
-# Receive and use open /data/media files passed over binder IPC.
-# Also used for measuring disk usage.
-allow system_server media_rw_data_file:file { getattr read write append };
-
-# System server needs to setfscreate to packages_list_file when writing
-# /data/system/packages.list
-allow system_server system_server:process setfscreate;
-
-# Relabel apk files.
-allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
-allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to:
-# 1. rename file from /data/app-staging folder to /data/app
-# 2. relabel files (linked to /data/rollback) under /data/app-staging
-# during staged apk/apex install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
-
-# Relabel wallpaper.
-allow system_server system_data_file:file relabelfrom;
-allow system_server wallpaper_file:file relabelto;
-allow system_server wallpaper_file:file { rw_file_perms rename unlink };
-
-# Backup of wallpaper imagery uses temporary hard links to avoid data churn
-allow system_server { system_data_file wallpaper_file }:file link;
-
-# ShortcutManager icons
-allow system_server system_data_file:dir relabelfrom;
-allow system_server shortcut_manager_icons:dir { create_dir_perms relabelto };
-allow system_server shortcut_manager_icons:file create_file_perms;
-
-# Manage ringtones.
-allow system_server ringtone_file:dir { create_dir_perms relabelto };
-allow system_server ringtone_file:file create_file_perms;
-
-# Relabel icon file.
-allow system_server icon_file:file relabelto;
-allow system_server icon_file:file { rw_file_perms unlink };
-
-# FingerprintService.java does a restorecon of the directory /data/system/users/[0-9]+/fpdata(/.*)?
-allow system_server system_data_file:dir relabelfrom;
-
-# server_configurable_flags_data_file is used for storing server configurable flags which
-# have been reset during current booting. system_server needs to read the data to perform related
-# disaster recovery actions.
-allow system_server server_configurable_flags_data_file:dir r_dir_perms;
-allow system_server server_configurable_flags_data_file:file r_file_perms;
-
-# Property Service write
-set_prop(system_server, system_prop)
-set_prop(system_server, bootanim_system_prop)
-set_prop(system_server, exported_system_prop)
-set_prop(system_server, exported3_system_prop)
-set_prop(system_server, safemode_prop)
-set_prop(system_server, theme_prop)
-set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_connectivity_prop)
-set_prop(system_server, net_radio_prop)
-set_prop(system_server, net_dns_prop)
-set_prop(system_server, usb_control_prop)
-set_prop(system_server, usb_prop)
-set_prop(system_server, debug_prop)
-set_prop(system_server, powerctl_prop)
-set_prop(system_server, fingerprint_prop)
-set_prop(system_server, device_logging_prop)
-set_prop(system_server, dumpstate_options_prop)
-set_prop(system_server, overlay_prop)
-set_prop(system_server, exported_overlay_prop)
-set_prop(system_server, pm_prop)
-set_prop(system_server, exported_pm_prop)
-set_prop(system_server, socket_hook_prop)
-set_prop(system_server, audio_prop)
-set_prop(system_server, boot_status_prop)
-set_prop(system_server, surfaceflinger_color_prop)
-set_prop(system_server, provisioned_prop)
-set_prop(system_server, retaildemo_prop)
-userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
-
-# ctl interface
-set_prop(system_server, ctl_default_prop)
-set_prop(system_server, ctl_bugreport_prop)
-set_prop(system_server, ctl_gsid_prop)
-
-# cppreopt property
-set_prop(system_server, cppreopt_prop)
-
-# server configurable flags properties
-set_prop(system_server, device_config_input_native_boot_prop)
-set_prop(system_server, device_config_netd_native_prop)
-set_prop(system_server, device_config_activity_manager_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_boot_prop)
-set_prop(system_server, device_config_runtime_native_prop)
-set_prop(system_server, device_config_media_native_prop)
-set_prop(system_server, device_config_profcollect_native_boot_prop)
-set_prop(system_server, device_config_statsd_native_prop)
-set_prop(system_server, device_config_statsd_native_boot_prop)
-set_prop(system_server, device_config_storage_native_boot_prop)
-set_prop(system_server, device_config_swcodec_native_prop)
-set_prop(system_server, device_config_sys_traced_prop)
-set_prop(system_server, device_config_window_manager_native_boot_prop)
-set_prop(system_server, device_config_configuration_prop)
-set_prop(system_server, device_config_connectivity_prop)
-
-
-# Allow query ART device config properties
-get_prop(system_server, device_config_runtime_native_boot_prop)
-get_prop(system_server, device_config_runtime_native_prop)
-
-# BootReceiver to read ro.boot.bootreason
-get_prop(system_server, bootloader_boot_reason_prop)
-# PowerManager to read sys.boot.reason
-get_prop(system_server, system_boot_reason_prop)
-
-# Collect metrics on boot time created by init
-get_prop(system_server, boottime_prop)
-
-# Read device's serial number from system properties
-get_prop(system_server, serialno_prop)
-
-# Read/write the property which keeps track of whether this is the first start of system_server
-set_prop(system_server, firstboot_prop)
-
-# Audio service in system server can read audio config properties,
-# such as camera shutter enforcement
-get_prop(system_server, audio_config_prop)
-
-# system server reads this property to keep track of whether server configurable flags have been
-# reset during current boot.
-get_prop(system_server, device_config_reset_performed_prop)
-
-# Read/write the property that enables Test Harness Mode
-set_prop(system_server, test_harness_prop)
-
-# Read gsid.image_running.
-get_prop(system_server, gsid_prop)
-
-# Read the property that mocks an OTA
-get_prop(system_server, mock_ota_prop)
-
-# Read the property as feature flag for protecting apks with fs-verity.
-get_prop(system_server, apk_verity_prop)
-
-# Read wifi.interface
-get_prop(system_server, wifi_prop)
-
-# Read the vendor property that indicates if Incremental features is enabled
-get_prop(system_server, incremental_prop)
-
-# Read ro.zram. properties
-get_prop(system_server, zram_config_prop)
-
-# Read/write persist.sys.zram_enabled
-set_prop(system_server, zram_control_prop)
-
-# Read/write persist.sys.dalvik.vm.lib.2
-set_prop(system_server, dalvik_runtime_prop)
-
-# Read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(system_server, packagemanager_config_prop)
-
-# Read the net.464xlat.cellular.enabled property (written by init).
-get_prop(system_server, net_464xlat_fromvendor_prop)
-
-# Create a socket for connections from debuggerd.
-allow system_server system_ndebug_socket:sock_file create_file_perms;
-
-# Create a socket for connections from zygotes.
-allow system_server system_unsolzygote_socket:sock_file create_file_perms;
-
-# Manage cache files.
-allow system_server cache_file:lnk_file r_file_perms;
-allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
-allow system_server { cache_file cache_recovery_file }:file { relabelfrom create_file_perms };
-allow system_server { cache_file cache_recovery_file }:fifo_file create_file_perms;
-
-allow system_server system_file:dir r_dir_perms;
-allow system_server system_file:lnk_file r_file_perms;
-
-# ART locks profile files.
-allow system_server system_file:file lock;
-
-# LocationManager(e.g, GPS) needs to read and write
-# to uart driver and ctrl proc entry
-allow system_server gps_control:file rw_file_perms;
-
-# Allow system_server to use app-created sockets and pipes.
-allow system_server appdomain:{ tcp_socket udp_socket } { getattr getopt setopt read write shutdown };
-allow system_server appdomain:{ fifo_file unix_stream_socket } { getattr read write };
-
-# BackupManagerService needs to manipulate backup data files
-allow system_server cache_backup_file:dir rw_dir_perms;
-allow system_server cache_backup_file:file create_file_perms;
-# LocalTransport works inside /cache/backup
-allow system_server cache_private_backup_file:dir create_dir_perms;
-allow system_server cache_private_backup_file:file create_file_perms;
-
-# Allow system to talk to usb device
-allow system_server usb_device:chr_file rw_file_perms;
-allow system_server usb_device:dir r_dir_perms;
-
-# Read and delete files under /dev/fscklogs.
-r_dir_file(system_server, fscklogs)
-allow system_server fscklogs:dir { write remove_name };
-allow system_server fscklogs:file unlink;
-
-# logd access, system_server inherit logd write socket
-# (urge is to deprecate this long term)
-allow system_server zygote:unix_dgram_socket write;
-
-# Read from log daemon.
-read_logd(system_server)
-read_runtime_log_tags(system_server)
-
-# Be consistent with DAC permissions. Allow system_server to write to
-# /sys/module/lowmemorykiller/parameters/adj
-# /sys/module/lowmemorykiller/parameters/minfree
-allow system_server sysfs_lowmemorykiller:file { getattr w_file_perms };
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow system_server pstorefs:dir r_dir_perms;
-allow system_server pstorefs:file r_file_perms;
-
-# /sys access
-allow system_server sysfs_zram:dir search;
-allow system_server sysfs_zram:file rw_file_perms;
-
-add_service(system_server, system_server_service);
-allow system_server audioserver_service:service_manager find;
-allow system_server authorization_service:service_manager find;
-allow system_server batteryproperties_service:service_manager find;
-allow system_server cameraserver_service:service_manager find;
-allow system_server dataloader_manager_service:service_manager find;
-allow system_server dnsresolver_service:service_manager find;
-allow system_server drmserver_service:service_manager find;
-allow system_server dumpstate_service:service_manager find;
-allow system_server fingerprintd_service:service_manager find;
-allow system_server gatekeeper_service:service_manager find;
-allow system_server gpu_service:service_manager find;
-allow system_server gsi_service:service_manager find;
-allow system_server idmap_service:service_manager find;
-allow system_server incident_service:service_manager find;
-allow system_server incremental_service:service_manager find;
-allow system_server installd_service:service_manager find;
-allow system_server iorapd_service:service_manager find;
-allow system_server keystore_maintenance_service:service_manager find;
-allow system_server keystore_metrics_service:service_manager find;
-allow system_server keystore_service:service_manager find;
-allow system_server mediaserver_service:service_manager find;
-allow system_server mediametrics_service:service_manager find;
-allow system_server mediaextractor_service:service_manager find;
-allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediatuner_service:service_manager find;
-allow system_server netd_service:service_manager find;
-allow system_server nfc_service:service_manager find;
-allow system_server radio_service:service_manager find;
-allow system_server stats_service:service_manager find;
-allow system_server storaged_service:service_manager find;
-allow system_server surfaceflinger_service:service_manager find;
-allow system_server update_engine_service:service_manager find;
-allow system_server vold_service:service_manager find;
-allow system_server wifinl80211_service:service_manager find;
-userdebug_or_eng(`
- allow system_server profcollectd_service:service_manager find;
-')
-
-add_service(system_server, batteryproperties_service)
-
-allow system_server keystore:keystore_key {
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
-};
-
-allow system_server keystore:keystore2 {
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- get_state
- lock
- pull_metrics
- reset
- unlock
-};
-
-allow system_server keystore:keystore2_key {
- delete
- use_dev_id
- grant
- get_info
- rebind
- update
- use
-};
-
-# Allow Wifi module to manage Wi-Fi keys.
-allow system_server wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage RoR keys.
-allow system_server resume_on_reboot_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
-allow system_server locksettings_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-
-# Allow system server to search and write to the persistent factory reset
-# protection partition. This block device does not get wiped in a factory reset.
-allow system_server block_device:dir search;
-allow system_server frp_block_device:blk_file rw_file_perms;
-allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
-# Create new process groups and clean up old cgroups
-allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir create_dir_perms;
-allow system_server cgroup_v2:file { r_file_perms setattr };
-
-# /oem access
-r_dir_file(system_server, oemfs)
-
-# Allow resolving per-user storage symlinks
-allow system_server { mnt_user_file storage_file }:dir { getattr search };
-allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
-
-# Allow statfs() on storage devices, which happens fast enough that
-# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
-
-# Traverse into expanded storage
-allow system_server mnt_expand_file:dir r_dir_perms;
-
-# Allow system process to relabel the fingerprint directory after mkdir
-# and delete the directory and files when no longer needed
-allow system_server fingerprintd_data_file:dir { r_dir_perms remove_name rmdir relabelto write };
-allow system_server fingerprintd_data_file:file { getattr unlink };
-
-userdebug_or_eng(`
- # Allow system server to create and write method traces in /data/misc/trace.
- allow system_server method_trace_data_file:dir w_dir_perms;
- allow system_server method_trace_data_file:file { create w_file_perms };
-
- # Allow system server to read dmesg
- allow system_server kernel:system syslog_read;
-
- # Allow writing and removing window traces in /data/misc/wmtrace.
- allow system_server wm_trace_data_file:dir rw_dir_perms;
- allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
-
- # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
- allow system_server accessibility_trace_data_file:dir rw_dir_perms;
- allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
-')
-
-# For AppFuse.
-allow system_server vold:fd use;
-allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:file { read write getattr };
-
-# For configuring sdcardfs
-allow system_server configfs:dir { create_dir_perms };
-allow system_server configfs:file { getattr open create unlink write };
-
-# Connect to adbd and use a socket transferred from it.
-# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# Read service.adb.tls.port, persist.adb.wifi. properties
-get_prop(system_server, adbd_prop)
-
-# Set persist.adb.tls_server.enable property
-set_prop(system_server, system_adbd_prop)
-
-# Allow invoking tools like "timeout"
-allow system_server toolbox_exec:file rx_file_perms;
-
-# Allow system process to setup and measure fs-verity
-allowxperm system_server apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-# Postinstall
-#
-# For OTA dexopt, allow calls coming from postinstall.
-binder_call(system_server, postinstall)
-
-allow system_server postinstall:fifo_file write;
-allow system_server update_engine:fd use;
-allow system_server update_engine:fifo_file write;
-
-# Access to /data/preloads
-allow system_server preloads_data_file:file { r_file_perms unlink };
-allow system_server preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow system_server preloads_media_file:file { r_file_perms unlink };
-allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
-allow system_server ion_device:chr_file r_file_perms;
-
-# Access to /dev/dma_heap/system
-allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
-# Access to /dev/dma_heap/system-secure
-allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-r_dir_file(system_server, proc_asound)
-r_dir_file(system_server, proc_net_type)
-r_dir_file(system_server, proc_qtaguid_stat)
-allow system_server {
- proc_cmdline
- proc_loadavg
- proc_locks
- proc_meminfo
- proc_pagetypeinfo
- proc_pipe_conf
- proc_stat
- proc_uid_cputime_showstat
- proc_uid_io_stats
- proc_uid_time_in_state
- proc_uid_concurrent_active_time
- proc_uid_concurrent_policy_time
- proc_version
- proc_vmallocinfo
-}:file r_file_perms;
-
-allow system_server proc_uid_time_in_state:dir r_dir_perms;
-allow system_server proc_uid_cpupower:file r_file_perms;
-
-r_dir_file(system_server, rootfs)
-
-# Allow WifiService to start, stop, and read wifi-specific trace events.
-allow system_server debugfs_tracing_instances:dir search;
-allow system_server debugfs_wifi_tracing:dir search;
-allow system_server debugfs_wifi_tracing:file rw_file_perms;
-
-# Allow BootReceiver to watch trace error_report events.
-allow system_server debugfs_bootreceiver_tracing:dir search;
-allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
-
-# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
-allow system_server debugfs_tracing:file r_file_perms;
-
-# allow system_server to exec shell, asanwrapper & zygote(app_process) on ASAN builds. Needed to run
-# asanwrapper.
-with_asan(`
- allow system_server shell_exec:file rx_file_perms;
- allow system_server asanwrapper_exec:file rx_file_perms;
- allow system_server zygote_exec:file rx_file_perms;
-')
-
-# allow system_server to read the eBPF maps that stores the traffic stats information and update
-# the map after snapshot is recorded, and to read, update and run the maps and programs used for
-# time in state accounting
-allow system_server fs_bpf:dir search;
-allow system_server fs_bpf:file { read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
-
-# ART Profiles.
-# Allow system_server to open profile snapshots for read.
-# System server never reads the actual content. It passes the descriptor to
-# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
-allow system_server user_profile_data_file:file { getattr open read };
-
-# System server may dump profile data for debuggable apps in the /data/misc/profman.
-# As such it needs to be able create files but it should never read from them.
-allow system_server profman_dump_data_file:file { create getattr setattr w_file_perms};
-allow system_server profman_dump_data_file:dir w_dir_perms;
-
-# On userdebug build we may profile system server. Allow it to write and create its own profile.
-userdebug_or_eng(`
- allow system_server user_profile_data_file:file create_file_perms;
-')
-# Allow system server to load JVMTI agents under control of a property.
-get_prop(system_server,system_jvmti_agent_prop)
-
-# UsbDeviceManager uses /dev/usb-ffs
-allow system_server functionfs:dir search;
-allow system_server functionfs:file rw_file_perms;
-
-# system_server contains time / time zone detection logic so reads the associated properties.
-get_prop(system_server, time_prop)
-
-# system_server reads this property to know it should expect the lmkd sends notification to it
-# on low memory kills.
-get_prop(system_server, system_lmk_prop)
-
-get_prop(system_server, wifi_config_prop)
-
-# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Watchdog prints debugging log to /dev/kmsg_debug.
-userdebug_or_eng(`
- allow system_server kmsg_debug_device:chr_file { open append getattr };
-')
-# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
-get_prop(system_server, framework_watchdog_config_prop)
-
-
-# Font files are written by system server
-allow system_server font_data_file:file create_file_perms;
-allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
-
-# Allow system server to read profcollectd reports for upload.
-userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
-
-###
-### Neverallow rules
-###
-### system_server should NEVER do any of this
-
-# Do not allow opening files from external storage as unsafe ejection
-# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
-
-# system server should never be operating on zygote spawned app data
-# files directly. Rather, they should always be passed via a
-# file descriptor.
-# Exclude those types that system_server needs to open directly.
-neverallow system_server {
- app_data_file_type
- -system_app_data_file
- -radio_data_file
-}:file { open create unlink link };
-
-# Forking and execing is inherently dangerous and racy. See, for
-# example, https://www.linuxprogrammingblog.com/threads-and-fork-think-twice-before-using-them
-# Prevent the addition of new file execs to stop the problem from
-# getting worse. b/28035297
-neverallow system_server {
- file_type
- -toolbox_exec
- -logcat_exec
- with_asan(`-shell_exec -asanwrapper_exec -zygote_exec')
-}:file execute_no_trans;
-
-# Ensure that system_server doesn't perform any domain transitions other than
-# transitioning to the crash_dump domain when a crash occurs.
-neverallow system_server { domain -crash_dump }:process transition;
-neverallow system_server *:process dyntransition;
-
-# Only allow crash_dump to connect to system_ndebug_socket.
-neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
-
-# Only allow zygotes to connect to system_unsolzygote_socket.
-neverallow {
- domain
- -init
- -system_server
- -zygote
- -app_zygote
- -webview_zygote
-} system_unsolzygote_socket:sock_file { open write };
-
-# Only allow init, system_server, flags_health_check to set properties for server configurable flags
-neverallow {
- domain
- -init
- -system_server
- -flags_health_check
-} {
- device_config_activity_manager_native_boot_prop
- device_config_connectivity_prop
- device_config_input_native_boot_prop
- device_config_netd_native_prop
- device_config_runtime_native_boot_prop
- device_config_runtime_native_prop
- device_config_media_native_prop
- device_config_storage_native_boot_prop
- device_config_sys_traced_prop
- device_config_swcodec_native_prop
- device_config_window_manager_native_boot_prop
-}:property_service set;
-
-# system_server should never be executing dex2oat. This is either
-# a bug (for example, bug 16317188), or represents an attempt by
-# system server to dynamically load a dex file, something we do not
-# want to allow.
-neverallow system_server dex2oat_exec:file no_x_file_perms;
-
-# system_server should never execute or load executable shared libraries
-# in /data. Executable files in /data are a persistence vector.
-# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
-neverallow system_server data_file_type:file no_x_file_perms;
-
-# The only block device system_server should be accessing is
-# the frp_block_device. This helps avoid a system_server to root
-# escalation by writing to raw block devices.
-neverallow system_server { dev_type -frp_block_device }:blk_file no_rw_file_perms;
-
-# system_server should never use JIT functionality
-# See https://googleprojectzero.blogspot.com/2016/12/bitunmap-attacking-android-ashmem.html
-# in the section titled "A Short ROP Chain" for why.
-# However, in emulator builds without OpenGL passthrough, we use software
-# rendering via SwiftShader, which requires JIT support. These builds are
-# never shipped to users.
-ifelse(target_requires_insecure_execmem_for_swiftshader, `true',
- `allow system_server self:process execmem;',
- `neverallow system_server self:process execmem;')
-neverallow system_server { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# TODO: deal with tmpfs_domain pub/priv split properly
-neverallow system_server system_server_tmpfs:file execute;
-
-# Resources handed off by system_server_startup
-allow system_server system_server_startup:fd use;
-allow system_server system_server_startup_tmpfs:file { read write map };
-allow system_server system_server_startup:unix_dgram_socket write;
-
-# Allow system server to communicate to apexd
-allow system_server apex_service:service_manager find;
-allow system_server apexd:binder call;
-
-# Allow system server to scan /apex for flattened APEXes
-allow system_server apex_mnt_dir:dir r_dir_perms;
-
-# Allow system server to read /apex/apex-info-list.xml
-allow system_server apex_info_file:file r_file_perms;
-
-# Allow system server to communicate to system-suspend's control interface
-allow system_server system_suspend_control_internal_service:service_manager find;
-allow system_server system_suspend_control_service:service_manager find;
-binder_call(system_server, system_suspend)
-binder_call(system_suspend, system_server)
-
-# Allow system server to communicate to system-suspend's wakelock interface
-wakelock_use(system_server)
-
-# Allow the system server to read files under /data/apex. The system_server
-# needs these privileges to compare file signatures while processing installs.
-#
-# Only apexd is allowed to create new entries or write to any file under /data/apex.
-allow system_server apex_data_file:dir { getattr search };
-allow system_server apex_data_file:file r_file_perms;
-
-# Allow the system server to read files under /vendor/apex. This is where
-# vendor APEX packages might be installed and system_server needs to parse
-# these packages to inspect the signatures and other metadata.
-allow system_server vendor_apex_file:dir { getattr search };
-allow system_server vendor_apex_file:file r_file_perms;
-
-# Allow the system server to manage relevant apex module data files.
-allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
-
-# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
-# communicate which slots are available for use.
-allow system_server metadata_file:dir search;
-allow system_server password_slot_metadata_file:dir rw_dir_perms;
-allow system_server password_slot_metadata_file:file create_file_perms;
-
-allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
-allow system_server userspace_reboot_metadata_file:file create_file_perms;
-
-# Allow system server rw access to files in /metadata/staged-install folder
-allow system_server staged_install_file:dir rw_dir_perms;
-allow system_server staged_install_file:file create_file_perms;
-
-allow system_server watchdog_metadata_file:dir rw_dir_perms;
-allow system_server watchdog_metadata_file:file create_file_perms;
-
-allow system_server gsi_persistent_data_file:dir rw_dir_perms;
-allow system_server gsi_persistent_data_file:file create_file_perms;
-
-# Allow system server read and remove files under /data/misc/odrefresh
-allow system_server odrefresh_data_file:dir rw_dir_perms;
-allow system_server odrefresh_data_file:file { r_file_perms unlink };
-
-# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
-allow system_server surfaceflinger_exec:file r_file_perms;
-
-# Allow init to set sysprop used to compute stats about userspace reboot.
-set_prop(system_server, userspace_reboot_log_prop)
-
-# JVMTI agent settings are only readable from the system server.
-neverallow {
- domain
- -system_server
- -dumpstate
- -init
- -vendor_init
-} {
- system_jvmti_agent_prop
-}:file no_rw_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow system_server proc_pressure_mem:file rw_file_perms;
-
-# dexoptanalyzer is currently used only for secondary dex files which
-# system_server should never access.
-neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-
-# No ptracing others
-neverallow system_server { domain -system_server }:process ptrace;
-
-# CAP_SYS_RESOURCE was traditionally needed for sensitive /proc/PID
-# file read access. However, that is now unnecessary (b/34951864)
-neverallow system_server system_server:global_capability_class_set sys_resource;
-
-# Only system_server/init should access /metadata/password_slots.
-neverallow { domain -init -system_server } password_slot_metadata_file:dir *;
-neverallow {
- domain
- -init
- -system_server
-} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
-# Allow systemserver to read/write the invalidation property
-set_prop(system_server, binder_cache_system_server_prop)
-neverallow { domain -system_server -init }
- binder_cache_system_server_prop:property_service set;
-
-# Allow system server to attach BPF programs to tracepoints. Deny read permission so that
-# system_server cannot use this access to read perf event data like process stacks.
-allow system_server self:perf_event { open write cpu kernel };
-neverallow system_server self:perf_event ~{ open write cpu kernel };
-
-# Do not allow any domain other than init or system server to set the property
-neverallow { domain -init -system_server } socket_hook_prop:property_service set;
-
-neverallow { domain -init -system_server } boot_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_server
-} wifi_config_prop:file no_rw_file_perms;
-
-# Only allow system server to write uhid sysfs files
-neverallow {
- domain
- -init
- -system_server
- -ueventd
- -vendor_init
-} sysfs_uhid:file no_w_file_perms;
-
-# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
-# can be accessed by system_server only (b/143717177)
-# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
-# interface
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Only system server can write the font files.
-neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
-neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/31.0/private/system_server_startup.te b/prebuilts/api/31.0/private/system_server_startup.te
deleted file mode 100644
index 064e038..0000000
--- a/prebuilts/api/31.0/private/system_server_startup.te
+++ /dev/null
@@ -1,24 +0,0 @@
-type system_server_startup, domain, coredomain;
-type system_server_startup_tmpfs, file_type;
-
-tmpfs_domain(system_server_startup)
-
-# Create JIT memory
-allow system_server_startup self:process execmem;
-allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
-
-# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
-allow system_server_startup apex_art_data_file:dir r_dir_perms;
-allow system_server_startup apex_art_data_file:file { r_file_perms execute };
-
-# Allow system_server_startup to run setcon() and enter the
-# system_server domain
-allow system_server_startup self:process setcurrent;
-allow system_server_startup system_server:process dyntransition;
-
-# Child of the zygote.
-allow system_server_startup zygote:process sigchld;
-
-# Allow query ART device config properties
-get_prop(system_server_startup, device_config_runtime_native_boot_prop)
-get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/prebuilts/api/31.0/private/system_suspend.te b/prebuilts/api/31.0/private/system_suspend.te
deleted file mode 100644
index caf8955..0000000
--- a/prebuilts/api/31.0/private/system_suspend.te
+++ /dev/null
@@ -1,38 +0,0 @@
-type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
-
-type system_suspend_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(system_suspend)
-
-# To serve ISuspendControlService.
-binder_use(system_suspend)
-add_service(system_suspend, system_suspend_control_service)
-
-# Access to /sys/power/{ wakeup_count, state } suspend interface.
-allow system_suspend sysfs_power:file rw_file_perms;
-
-# Access to wakeup, suspend stats, and wakeup reasons.
-r_dir_file(system_suspend, sysfs_suspend_stats)
-r_dir_file(system_suspend, sysfs_wakeup)
-r_dir_file(system_suspend, sysfs_wakeup_reasons)
-# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
-allow system_suspend sysfs_type:dir search;
-
-# Access to suspend_hal system properties
-get_prop(system_suspend, suspend_prop)
-
-# To call BTAA registered callbacks
-allow system_suspend bluetooth:binder call;
-
-# For adding `dumpsys syspend_control` output to bugreport
-allow system_suspend dumpstate:fd use;
-allow system_suspend dumpstate:fifo_file write;
-
-neverallow {
- domain
- -atrace # tracing
- -bluetooth # support Bluetooth activity attribution (BTAA)
- -dumpstate # bug reports
- -system_suspend # implements system_suspend_control_service
- -system_server # configures system_suspend via ISuspendControlService
- -traceur_app # tracing
-} system_suspend_control_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/technical_debt.cil b/prebuilts/api/31.0/private/technical_debt.cil
deleted file mode 100644
index 9b3e3c6..0000000
--- a/prebuilts/api/31.0/private/technical_debt.cil
+++ /dev/null
@@ -1,71 +0,0 @@
-; THIS IS A WORKAROUND for the current limitations of the module policy language
-; This should be used sparingly until we figure out a saner way to achieve the
-; stuff below, for example, by improving typeattribute statement of module
-; language.
-;
-; NOTE: This file has no effect on recovery policy.
-
-; Apps, except isolated apps, are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_allocator_client;
-; typeattribute hal_allocator_client halclientdomain;
-(typeattributeset hal_allocator_client ((and (appdomain) ((not (isolated_app))))))
-(typeattributeset halclientdomain (hal_allocator_client))
-
-; Apps, except isolated apps, are clients of OMX-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_omx_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Codec2-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_codec2_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Drm-related services
-; Unfortunately, we can't currently express this in module policy language:
-(typeattributeset hal_drm_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Configstore HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_configstore_client;
-(typeattributeset hal_configstore_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Graphics Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_graphics_allocator_client;
-(typeattributeset hal_graphics_allocator_client ((and (appdomain) ((not (isolated_app))))))
-
-; Apps, except isolated apps, are clients of Cas HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_cas_client ((and (appdomain) ((not (isolated_app))))))
-
-; Domains hosting Camera HAL implementations are clients of Allocator HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute hal_camera hal_allocator_client;
-(typeattributeset hal_allocator_client (hal_camera))
-
-; Apps, except isolated apps, are clients of Neuralnetworks HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
-(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
-
-; TODO(b/112056006): move these to mapping files when/if we implement 'versioned' attributes.
-; Rename untrusted_app_visible_* to untrusted_app_visible_*_violators.
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute untrusted_app_visible_hwservice untrusted_app_visible_hwservice_violators;
-; typeattribute untrusted_app_visible_halserver untrusted_app_visible_halserver_violators;
-(typeattribute untrusted_app_visible_hwservice)
-(typeattributeset untrusted_app_visible_hwservice_violators (untrusted_app_visible_hwservice))
-(typeattribute untrusted_app_visible_halserver)
-(typeattributeset untrusted_app_visible_halserver_violators (untrusted_app_visible_halserver))
-
-; Apps, except isolated apps, are clients of BufferHub HAL
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { appdomain -isolated_app } hal_cas_client;
-(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
-; Properties having both system_property_type and vendor_property_type are illegal
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
-(typeattribute system_and_vendor_property_type)
-(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/prebuilts/api/31.0/private/tombstoned.te b/prebuilts/api/31.0/private/tombstoned.te
deleted file mode 100644
index b6dfd1e..0000000
--- a/prebuilts/api/31.0/private/tombstoned.te
+++ /dev/null
@@ -1,13 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
-
-get_prop(tombstoned, tombstone_config_prop)
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -tombstoned
-} tombstone_config_prop:file no_rw_file_perms;
diff --git a/prebuilts/api/31.0/private/toolbox.te b/prebuilts/api/31.0/private/toolbox.te
deleted file mode 100644
index a2b958d..0000000
--- a/prebuilts/api/31.0/private/toolbox.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute toolbox coredomain;
-
-init_daemon_domain(toolbox)
diff --git a/prebuilts/api/31.0/private/traced.te b/prebuilts/api/31.0/private/traced.te
deleted file mode 100644
index fc9a245..0000000
--- a/prebuilts/api/31.0/private/traced.te
+++ /dev/null
@@ -1,121 +0,0 @@
-# Perfetto user-space tracing daemon (unprivileged)
-
-# type traced is defined under /public (because iorapd rules
-# under public/ need to refer to it).
-type traced_exec, system_file_type, exec_type, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced)
-tmpfs_domain(traced)
-
-# Allow apps in other MLS contexts (for multi-user) to access
-# share memory buffers created by traced.
-typeattribute traced_tmpfs mlstrustedobject;
-
-# Allow traced to start with a lower scheduling class and change
-# class accordingly to what defined in the config provided by
-# the privileged process that controls it.
-allow traced self:global_capability_class_set { sys_nice };
-
-# Allow to pass a file descriptor for the output trace from "perfetto" (the
-# cmdline client) and other shell binaries to traced and let traced write
-# directly into that (rather than returning the trace contents over the socket).
-allow traced perfetto:fd use;
-allow traced shell:fd use;
-allow traced shell:fifo_file { read write };
-
-# Allow the service to create new files within /data/misc/perfetto-traces.
-allow traced perfetto_traces_data_file:file create_file_perms;
-allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-
-# Allow traceur to pass open file descriptors to traced, so traced can directly
-# write into the output file without doing roundtrips over IPC.
-allow traced traceur_app:fd use;
-allow traced trace_data_file:file { read write };
-
-# Allow perfetto to access the proxy service for notifying Traceur.
-allow traced tracingproxy_service:service_manager find;
-binder_use(traced);
-binder_call(traced, system_server);
-
-# Allow iorapd to pass memfd descriptors to traced, so traced can directly
-# write into the shmem buffer file without doing roundtrips over IPC.
-allow traced iorapd:fd use;
-allow traced iorapd_tmpfs:file { read write };
-
-# Allow traced to use shared memory supplied by producers. Typically, traced
-# (i.e. the tracing service) creates the shared memory used for data transfer
-# from the producer. This rule allows an alternative scheme, where the producer
-# creates the shared memory, that is then adopted by traced (after validating
-# that it is appropriately sealed).
-# This list has to replicate the tmpfs domains of all applicable domains that
-# have perfetto_producer() macro applied to them.
-# perfetto_tmpfs excluded as it should never need to use the producer-supplied
-# shared memory scheme.
-allow traced {
- appdomain_tmpfs
- heapprofd_tmpfs
- surfaceflinger_tmpfs
- traced_probes_tmpfs
- userdebug_or_eng(`system_server_tmpfs')
-}:file { getattr map read write };
-
-# Allow traced to notify Traceur when a trace ends by setting the
-# sys.trace.trace_end_signal property.
-set_prop(traced, system_trace_prop)
-# Allow to lazily start producers.
-set_prop(traced, traced_lazy_prop)
-
-# Allow traced to talk to statsd for logging metrics.
-unix_socket_send(traced, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced self:process execmem;
-
-# Block device access.
-neverallow traced dev_type:blk_file { read write };
-
-# ptrace any other process
-neverallow traced domain:process ptrace;
-
-# Disallows access to /data files, still allowing to write to file descriptors
-# passed through the socket.
-neverallow traced {
- data_file_type
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -system_data_file
- -system_data_root_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced { system_data_file }:dir ~{ getattr search };
-neverallow traced zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced {
- data_file_type
- -zoneinfo_data_file
- -perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
- -trace_data_file
- with_native_coverage(`-method_trace_data_file')
-}:file ~write;
-
-# Only init is allowed to enter the traced domain via exec()
-neverallow { domain -init } traced:process transition;
-neverallow * traced:process dyntransition;
-
-# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/traced_perf.te b/prebuilts/api/31.0/private/traced_perf.te
deleted file mode 100644
index 96a7263..0000000
--- a/prebuilts/api/31.0/private/traced_perf.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# Performance profiler, backed by perf_event_open(2).
-# See go/perfetto-perf-android.
-typeattribute traced_perf coredomain;
-typeattribute traced_perf mlstrustedsubject;
-
-type traced_perf_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(traced_perf)
-perfetto_producer(traced_perf)
-
-# Allow traced_perf full use of perf_event_open(2). It will perform cpu-wide
-# profiling, but retain samples only for profileable processes.
-# Thread-specific profiling is still disallowed due to a PTRACE_MODE_ATTACH
-# check (which would require a process:attach SELinux allow-rule).
-allow traced_perf self:perf_event { open cpu kernel read write tracepoint };
-
-# Allow CAP_KILL for delivery of dedicated signal to obtain proc-fds from a
-# process. Allow CAP_DAC_READ_SEARCH for stack unwinding and symbolization of
-# sampled stacks, which requires opening the backing libraries/executables (as
-# symbols are usually not mapped into the process space). Not all such files
-# are world-readable, e.g. odex files that included user profiles during
-# profile-guided optimization.
-allow traced_perf self:capability { kill dac_read_search };
-
-# Allow reading /system/data/packages.list.
-allow traced_perf packages_list_file:file r_file_perms;
-
-# Allow reading files for stack unwinding and symbolization.
-r_dir_file(traced_perf, nativetest_data_file)
-r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
-r_dir_file(traced_perf, apk_data_file)
-r_dir_file(traced_perf, dalvikcache_data_file)
-r_dir_file(traced_perf, vendor_file_type)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
-
-# Allow reading tracefs files to get the format and numeric ids of tracepoints.
-allow traced_perf debugfs_tracing:dir r_dir_perms;
-allow traced_perf debugfs_tracing:file r_file_perms;
-userdebug_or_eng(`
- allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
- allow traced_perf debugfs_tracing_debug:file r_file_perms;
-')
-
-# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
-# domains that it cannot read.
-dontaudit traced_perf domain:dir { search getattr open };
-
-# Do not audit failures to signal a process, as there are cases when this is
-# expected (native processes on debug builds use the policy for enforcing which
-# processes are profileable).
-dontaudit traced_perf domain:process signal;
-
-# Never allow access to app data files
-neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
-
-# Never allow profiling highly privileged processes.
-never_profile_perf(`{
- bpfloader
- init
- kernel
- keystore
- llkd
- logd
- ueventd
- vendor_init
- vold
-}')
diff --git a/prebuilts/api/31.0/private/traced_probes.te b/prebuilts/api/31.0/private/traced_probes.te
deleted file mode 100644
index 730a45c..0000000
--- a/prebuilts/api/31.0/private/traced_probes.te
+++ /dev/null
@@ -1,152 +0,0 @@
-# Perfetto tracing probes, has tracefs access.
-type traced_probes_exec, system_file_type, exec_type, file_type;
-type traced_probes_tmpfs, file_type;
-
-# Allow init to exec the daemon.
-init_daemon_domain(traced_probes)
-tmpfs_domain(traced_probes)
-
-# Write trace data to the Perfetto traced damon. This requires connecting to its
-# producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(traced_probes)
-
-# Allow traced_probes to access tracefs.
-allow traced_probes debugfs_tracing:dir r_dir_perms;
-allow traced_probes debugfs_tracing:file rw_file_perms;
-allow traced_probes debugfs_trace_marker:file getattr;
-allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
-
-# Allow traced_probes to access mm_events trace instance
-allow traced_probes debugfs_tracing_instances:dir search;
-allow traced_probes debugfs_mm_events_tracing:dir search;
-allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
-
-# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
-userdebug_or_eng(`
-allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
-allow traced_probes debugfs_tracing_debug:file rw_file_perms;
-')
-
-# Allow traced_probes to start with a higher scheduling class and then downgrade
-# itself.
-allow traced_probes self:global_capability_class_set { sys_nice };
-
-# Allow procfs access
-r_dir_file(traced_probes, domain)
-
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
-
-# Allow to read packages.list file.
-allow traced_probes packages_list_file:file r_file_perms;
-
-# Allow to log to kernel dmesg when starting / stopping ftrace.
-allow traced_probes kmsg_device:chr_file write;
-
-# Allow traced_probes to list the system partition.
-allow traced_probes system_file:dir { open read };
-
-# Allow traced_probes to list some of the data partition.
-allow traced_probes self:global_capability_class_set dac_read_search;
-
-allow traced_probes apk_data_file:dir { getattr open read search };
-allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
-allow traced_probes dalvikcache_data_file:dir { getattr open read search };
-userdebug_or_eng(`
-# search and getattr are granted via domain and coredomain, respectively.
-allow traced_probes system_data_file:dir { open read };
-')
-allow traced_probes system_app_data_file:dir { getattr open read search };
-allow traced_probes backup_data_file:dir { getattr open read search };
-allow traced_probes bootstat_data_file:dir { getattr open read search };
-allow traced_probes update_engine_data_file:dir { getattr open read search };
-allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
-
-# Allow traced_probes to run atrace. atrace pokes at system services to enable
-# their userspace TRACE macros.
-domain_auto_trans(traced_probes, atrace_exec, atrace);
-
-# Allow traced_probes to kill atrace on timeout.
-allow traced_probes atrace:process sigkill;
-
-# Allow traced_probes to access /proc files for system stats.
-# Note: trace data is NOT exposed to anything other than shell and privileged
-# system apps that have access to the traced consumer socket.
-allow traced_probes {
- proc_meminfo
- proc_vmstat
- proc_stat
-}:file r_file_perms;
-
-# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
-allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
-allow traced_probes sysfs_devfreq_cur:file r_file_perms;
-
-# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
-hal_client_domain(traced_probes, hal_health)
-hal_client_domain(traced_probes, hal_power_stats)
-
-# Allow access to Atrace HAL for enabling vendor/device specific tracing categories.
-hal_client_domain(traced_probes, hal_atrace)
-
-# On debug builds allow to ingest system logs into the trace.
-userdebug_or_eng(`read_logd(traced_probes)')
-
-# Allow traced_probes to talk to statsd for logging metrics.
-unix_socket_send(traced_probes, statsdw, statsd)
-
-###
-### Neverallow rules
-###
-### traced_probes should NEVER do any of this
-
-# Disallow mapping executable memory (execstack and exec are already disallowed
-# globally in domain.te).
-neverallow traced_probes self:process execmem;
-
-# Block device access.
-neverallow traced_probes dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow traced_probes domain:process ptrace;
-
-# Disallows access to /data files.
-neverallow traced_probes {
- data_file_type
- -apex_module_data_file
- -apex_art_data_file
- -apk_data_file
- -dalvikcache_data_file
- -system_data_file
- -system_data_root_file
- -system_app_data_file
- -backup_data_file
- -bootstat_data_file
- -update_engine_data_file
- -update_engine_log_data_file
- -user_profile_root_file
- -user_profile_data_file
- # TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
- # subsequent neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
-}:dir *;
-neverallow traced_probes system_data_file:dir ~{ getattr userdebug_or_eng(`open read') search };
-neverallow traced_probes zoneinfo_data_file:dir ~r_dir_perms;
-neverallow traced_probes { data_file_type -zoneinfo_data_file }:lnk_file *;
-neverallow traced_probes {
- data_file_type
- -zoneinfo_data_file
- -packages_list_file
- with_native_coverage(`-method_trace_data_file')
-}:file *;
-
-# Only init is allowed to enter the traced_probes domain via exec()
-neverallow { domain -init } traced_probes:process transition;
-neverallow * traced_probes:process dyntransition;
-
diff --git a/prebuilts/api/31.0/private/traceur_app.te b/prebuilts/api/31.0/private/traceur_app.te
deleted file mode 100644
index 2937e26..0000000
--- a/prebuilts/api/31.0/private/traceur_app.te
+++ /dev/null
@@ -1,24 +0,0 @@
-typeattribute traceur_app coredomain;
-
-app_domain(traceur_app);
-allow traceur_app debugfs_tracing:file rw_file_perms;
-allow traceur_app debugfs_tracing_debug:dir r_dir_perms;
-
-userdebug_or_eng(`
- allow traceur_app debugfs_tracing_debug:file rw_file_perms;
-')
-
-allow traceur_app trace_data_file:file create_file_perms;
-allow traceur_app trace_data_file:dir rw_dir_perms;
-allow traceur_app atrace_exec:file rx_file_perms;
-
-# To exec the perfetto cmdline client and pass it the trace config on
-# stdint through a pipe.
-allow traceur_app perfetto_exec:file rx_file_perms;
-
-# Allow to access traced's privileged consumer socket.
-unix_socket_connect(traceur_app, traced_consumer, traced)
-
-dontaudit traceur_app debugfs_tracing_debug:file audit_access;
-
-set_prop(traceur_app, debug_prop)
diff --git a/prebuilts/api/31.0/private/tzdatacheck.te b/prebuilts/api/31.0/private/tzdatacheck.te
deleted file mode 100644
index 502735c..0000000
--- a/prebuilts/api/31.0/private/tzdatacheck.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute tzdatacheck coredomain;
-
-init_daemon_domain(tzdatacheck)
diff --git a/prebuilts/api/31.0/private/ueventd.te b/prebuilts/api/31.0/private/ueventd.te
deleted file mode 100644
index 8bcdbf9..0000000
--- a/prebuilts/api/31.0/private/ueventd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-typeattribute ueventd coredomain;
-
-tmpfs_domain(ueventd)
-
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
diff --git a/prebuilts/api/31.0/private/uncrypt.te b/prebuilts/api/31.0/private/uncrypt.te
deleted file mode 100644
index 1a94cd1..0000000
--- a/prebuilts/api/31.0/private/uncrypt.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute uncrypt coredomain;
-
-init_daemon_domain(uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
diff --git a/prebuilts/api/31.0/private/untrusted_app.te b/prebuilts/api/31.0/private/untrusted_app.te
deleted file mode 100644
index 6e7a99c..0000000
--- a/prebuilts/api/31.0/private/untrusted_app.te
+++ /dev/null
@@ -1,16 +0,0 @@
-###
-### Untrusted apps.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion >= 30.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app coredomain;
-
-app_domain(untrusted_app)
-untrusted_app_domain(untrusted_app)
-net_domain(untrusted_app)
-bluetooth_domain(untrusted_app)
diff --git a/prebuilts/api/31.0/private/untrusted_app_25.te b/prebuilts/api/31.0/private/untrusted_app_25.te
deleted file mode 100644
index 41cabe8..0000000
--- a/prebuilts/api/31.0/private/untrusted_app_25.te
+++ /dev/null
@@ -1,54 +0,0 @@
-###
-### Untrusted_app_25
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion <= 25.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_25 coredomain;
-
-app_domain(untrusted_app_25)
-untrusted_app_domain(untrusted_app_25)
-net_domain(untrusted_app_25)
-bluetooth_domain(untrusted_app_25)
-
-# b/35917228 - /proc/misc access
-# This will go away in a future Android release
-allow untrusted_app_25 proc_misc:file r_file_perms;
-
-# Access to /proc/tty/drivers, to allow apps to determine if they
-# are running in an emulated environment.
-# b/33214085 b/33814662 b/33791054 b/33211769
-# https://github.com/strazzere/anti-emulator/blob/master/AntiEmulator/src/diff/strazzere/anti/emulator/FindEmulator.java
-# This will go away in a future Android release
-allow untrusted_app_25 proc_tty_drivers:file r_file_perms;
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_25 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi<=25. This is also allowed for targetAPIs 26, 27,
-# and 28 in untrusted_app_27.te.
-allow untrusted_app_25 app_data_file:file execute_no_trans;
-auditallow untrusted_app_25 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_25 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_25 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_25 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_25 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_25 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_27.te b/prebuilts/api/31.0/private/untrusted_app_27.te
deleted file mode 100644
index 0993faa..0000000
--- a/prebuilts/api/31.0/private/untrusted_app_27.te
+++ /dev/null
@@ -1,42 +0,0 @@
-###
-### Untrusted_27.
-###
-### This file defines the rules for untrusted apps running with
-### 25 < targetSdkVersion <= 28.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_27 coredomain;
-
-app_domain(untrusted_app_27)
-untrusted_app_domain(untrusted_app_27)
-net_domain(untrusted_app_27)
-bluetooth_domain(untrusted_app_27)
-
-# Text relocation support for API < 23. This is now disallowed for targetSdkVersion>=Q.
-# https://android.googlesource.com/platform/bionic/+/master/android-changes-for-ndk-developers.md#text-relocations-enforced-for-api-level-23
-allow untrusted_app_27 { apk_data_file app_data_file asec_public_file }:file execmod;
-
-# The ability to call exec() on files in the apps home directories
-# for targetApi 26, 27, and 28.
-allow untrusted_app_27 app_data_file:file execute_no_trans;
-auditallow untrusted_app_27 app_data_file:file { execute execute_no_trans };
-
-# The ability to invoke dex2oat. Historically required by ART, now only
-# allowed for targetApi<=28 for compat reasons.
-allow untrusted_app_27 dex2oat_exec:file rx_file_perms;
-userdebug_or_eng(`auditallow untrusted_app_27 dex2oat_exec:file rx_file_perms;')
-
-# The ability to talk to /dev/ashmem directly. targetApi>=29 must use
-# ASharedMemory instead.
-allow untrusted_app_27 ashmem_device:chr_file rw_file_perms;
-auditallow untrusted_app_27 ashmem_device:chr_file open;
-
-# Read /mnt/sdcard symlink.
-allow untrusted_app_27 mnt_sdcard_file:lnk_file r_file_perms;
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_29.te b/prebuilts/api/31.0/private/untrusted_app_29.te
deleted file mode 100644
index c5652b1..0000000
--- a/prebuilts/api/31.0/private/untrusted_app_29.te
+++ /dev/null
@@ -1,20 +0,0 @@
-###
-### Untrusted_29.
-###
-### This file defines the rules for untrusted apps running with
-### targetSdkVersion = 29.
-###
-### See public/untrusted_app.te for more information about which apps are
-### placed in this selinux domain.
-###
-
-typeattribute untrusted_app_29 coredomain;
-
-app_domain(untrusted_app_29)
-untrusted_app_domain(untrusted_app_29)
-net_domain(untrusted_app_29)
-bluetooth_domain(untrusted_app_29)
-
-# allow binding to netlink route sockets and sending RTM_GETLINK messages.
-allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/prebuilts/api/31.0/private/untrusted_app_all.te b/prebuilts/api/31.0/private/untrusted_app_all.te
deleted file mode 100644
index 6064c14..0000000
--- a/prebuilts/api/31.0/private/untrusted_app_all.te
+++ /dev/null
@@ -1,177 +0,0 @@
-###
-### Untrusted_app_all.
-###
-### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps and isolated_app (which has a reduced
-### permission set).
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app_all attribute is assigned to all default
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### attribute is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-### Note that rules that should apply to all untrusted apps must be in app.te or also
-### added to ephemeral_app.te.
-
-# Some apps ship with shared libraries and binaries that they write out
-# to their sandbox directory and then execute.
-allow untrusted_app_all privapp_data_file:file { r_file_perms execute };
-allow untrusted_app_all app_data_file:file { r_file_perms execute };
-auditallow untrusted_app_all app_data_file:file execute;
-
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow untrusted_app_all system_linker_exec:file execute_no_trans;
-
-# Follow priv-app symlinks. This is used for dynamite functionality.
-allow untrusted_app_all privapp_data_file:lnk_file r_file_perms;
-
-# Allow handling of less common filesystem objects
-allow untrusted_app_all app_data_file:{ lnk_file sock_file fifo_file } create_file_perms;
-
-# Allow loading and deleting executable shared libraries
-# within an application home directory. Such shared libraries would be
-# created by things like renderscript or via other mechanisms.
-allow untrusted_app_all app_exec_data_file:file { r_file_perms execute unlink };
-
-# ASEC
-allow untrusted_app_all asec_apk_file:file r_file_perms;
-allow untrusted_app_all asec_apk_file:dir r_dir_perms;
-# Execute libs in asec containers.
-allow untrusted_app_all asec_public_file:file { execute };
-
-# Used by Finsky / Android "Verify Apps" functionality when
-# running "adb install foo.apk".
-# TODO: Long term, we don't want apps probing into shell data files.
-# Figure out a way to remove these rules.
-allow untrusted_app_all shell_data_file:file r_file_perms;
-allow untrusted_app_all shell_data_file:dir r_dir_perms;
-
-# Allow traceur to pass file descriptors through a content provider to untrusted apps
-# for the purpose of sharing files through e.g. gmail
-allow untrusted_app_all trace_data_file:file { getattr read };
-
-# untrusted apps should not be able to open trace data files, they should depend
-# upon traceur to pass a file descriptor
-neverallow untrusted_app_all trace_data_file:dir *;
-neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
-
-# neverallow untrusted apps accessing debugfs_tracing
-neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
-
-# Allow to read staged apks.
-allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
-
-# Read and write system app data files passed over Binder.
-# Motivating case was /data/data/com.android.settings/cache/*.jpg for
-# cropping or taking user photos.
-allow untrusted_app_all system_app_data_file:file { read write getattr };
-
-#
-# Rules migrated from old app domains coalesced into untrusted_app.
-# This includes what used to be media_app, shared_app, and release_app.
-#
-
-# Access to /data/media.
-allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
-allow untrusted_app_all media_rw_data_file:file create_file_perms;
-
-# allow cts to query all services
-allow untrusted_app_all servicemanager:service_manager list;
-
-allow untrusted_app_all audioserver_service:service_manager find;
-allow untrusted_app_all cameraserver_service:service_manager find;
-allow untrusted_app_all drmserver_service:service_manager find;
-allow untrusted_app_all mediaserver_service:service_manager find;
-allow untrusted_app_all mediaextractor_service:service_manager find;
-allow untrusted_app_all mediametrics_service:service_manager find;
-allow untrusted_app_all mediadrmserver_service:service_manager find;
-allow untrusted_app_all nfc_service:service_manager find;
-allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all app_api_service:service_manager find;
-allow untrusted_app_all vr_manager_service:service_manager find;
-
-# gdbserver for ndk-gdb ptrace attaches to app process.
-allow untrusted_app_all self:process ptrace;
-
-# Android Studio Instant Run has the application connect to a
-# runas_app socket listening in the abstract namespace.
-# https://developer.android.com/studio/run/
-# b/123297648
-allow untrusted_app_all runas_app:unix_stream_socket connectto;
-
-# Untrusted apps need to be able to send a SIGCHLD to runas_app
-# when running under a debugger (b/123612207)
-allow untrusted_app_all runas_app:process sigchld;
-
-# Cts: HwRngTest
-allow untrusted_app_all sysfs_hwrandom:dir search;
-allow untrusted_app_all sysfs_hwrandom:file r_file_perms;
-
-# Allow apps to view preloaded media content
-allow untrusted_app_all preloads_media_file:dir r_dir_perms;
-allow untrusted_app_all preloads_media_file:file r_file_perms;
-allow untrusted_app_all preloads_data_file:dir search;
-
-# Allow untrusted apps read / execute access to /vendor/app for there can
-# be pre-installed vendor apps that package a library within themselves.
-# TODO (b/37784178) Consider creating a special type for /vendor/app installed
-# apps.
-allow untrusted_app_all vendor_app_file:dir { open getattr read search };
-allow untrusted_app_all vendor_app_file:file { r_file_perms execute };
-allow untrusted_app_all vendor_app_file:lnk_file { open getattr read };
-
-# Write app-specific trace data to the Perfetto traced damon. This requires
-# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
-perfetto_producer(untrusted_app_all)
-
-# Allow profiling if the app opts in by being marked profileable/debuggable.
-can_profile_heap(untrusted_app_all)
-can_profile_perf(untrusted_app_all)
-
-# allow untrusted apps to use UDP sockets provided by the system server but not
-# modify them other than to connect
-allow untrusted_app_all system_server:udp_socket {
- connect getattr read recvfrom sendto write getopt setopt };
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(untrusted_app_all, rs_exec, rs)
-
-# suppress denials caused by debugfs_tracing
-dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
-
-# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
-dontaudit untrusted_app_all net_dns_prop:file read;
-
-# These have been disallowed since Android O.
-# For P, we assume that apps are safely handling the denial.
-dontaudit untrusted_app_all proc_stat:file read;
-dontaudit untrusted_app_all proc_vmstat:file read;
-dontaudit untrusted_app_all proc_uptime:file read;
-
-# Allow the allocation and use of ptys
-# Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
-create_pty(untrusted_app_all)
-
-# Allow access to kcov via its ioctl interface for coverage
-# guided kernel fuzzing.
-userdebug_or_eng(`
- allow untrusted_app_all debugfs_kcov:file rw_file_perms;
- allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
-')
-
-# Allow signalling simpleperf domain, which is the domain that the simpleperf
-# profiler runs as when executed by the app. The signals are used to control
-# the profiler (which would be profiling the app that is sending the signal).
-allow untrusted_app_all simpleperf:process signal;
diff --git a/prebuilts/api/31.0/private/update_engine.te b/prebuilts/api/31.0/private/update_engine.te
deleted file mode 100644
index d828e1f..0000000
--- a/prebuilts/api/31.0/private/update_engine.te
+++ /dev/null
@@ -1,31 +0,0 @@
-typeattribute update_engine coredomain;
-
-init_daemon_domain(update_engine);
-
-# Allow to talk to gsid.
-allow update_engine gsi_service:service_manager find;
-binder_call(update_engine, gsid)
-
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to start snapuserd for dm-user communication.
-set_prop(update_engine, ctl_snapuserd_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
-# Allow to get the DSU status
-get_prop(update_engine, gsid_prop)
-
-# Allow update_engine to call the callback function provided by GKI update hook.
-binder_call(update_engine, gki_apex_prepostinstall)
-
-# Allow to communicate with the snapuserd service, for dm-user snapshots.
-allow update_engine snapuserd:unix_stream_socket connectto;
-allow update_engine snapuserd_socket:sock_file write;
-
-# Allow to communicate with apexd for calculating and reserving space for
-# capex decompression
-allow update_engine apex_service:service_manager find;
-binder_call(update_engine, apexd)
diff --git a/prebuilts/api/31.0/private/update_engine_common.te b/prebuilts/api/31.0/private/update_engine_common.te
deleted file mode 100644
index 8571ff6..0000000
--- a/prebuilts/api/31.0/private/update_engine_common.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# type_transition must be private policy the domain_trans rules could stay
-# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and must be tagged
-# with postinstall_exec in the new filesystem.
-# TODO Have build system attempt to verify this
-domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
-
-# Vendor directories can have the transition as well during OTA. This is caused
-# by update_engine execing scripts in vendor to perform any update tasks needed
-# there.
-domain_auto_trans(update_engine_common, postinstall_file, postinstall)
-
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/prebuilts/api/31.0/private/update_verifier.te b/prebuilts/api/31.0/private/update_verifier.te
deleted file mode 100644
index 5e1b27b..0000000
--- a/prebuilts/api/31.0/private/update_verifier.te
+++ /dev/null
@@ -1,9 +0,0 @@
-typeattribute update_verifier coredomain;
-
-init_daemon_domain(update_verifier)
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
diff --git a/prebuilts/api/31.0/private/usbd.te b/prebuilts/api/31.0/private/usbd.te
deleted file mode 100644
index 42f2324..0000000
--- a/prebuilts/api/31.0/private/usbd.te
+++ /dev/null
@@ -1,15 +0,0 @@
-typeattribute usbd coredomain;
-
-init_daemon_domain(usbd)
-
-# Access usb gadget hal
-hal_client_domain(usbd, hal_usb_gadget)
-
-# Access persist.sys.usb.config
-get_prop(usbd, system_prop)
-
-# start adbd during boot if adb is enabled
-set_prop(usbd, ctl_default_prop)
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/prebuilts/api/31.0/private/users b/prebuilts/api/31.0/private/users
deleted file mode 100644
index 51b7b57..0000000
--- a/prebuilts/api/31.0/private/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/prebuilts/api/31.0/private/vdc.te b/prebuilts/api/31.0/private/vdc.te
deleted file mode 100644
index bc7409e..0000000
--- a/prebuilts/api/31.0/private/vdc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute vdc coredomain;
-
-init_daemon_domain(vdc)
diff --git a/prebuilts/api/31.0/private/vendor_init.te b/prebuilts/api/31.0/private/vendor_init.te
deleted file mode 100644
index 2e616f3..0000000
--- a/prebuilts/api/31.0/private/vendor_init.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Creating files on sysfs is impossible so this isn't a threat
-# Sometimes we have to write to non-existent files to avoid conditional
-# init behavior. See b/35303861 for an example.
-dontaudit vendor_init sysfs:dir write;
-
-# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
-allow vendor_init system_data_root_file:dir rw_dir_perms;
-
-# Let vendor_init set service.adb.tcp.port.
-set_prop(vendor_init, adbd_config_prop)
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -kvm_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
diff --git a/prebuilts/api/31.0/private/viewcompiler.te b/prebuilts/api/31.0/private/viewcompiler.te
deleted file mode 100644
index d1f0964..0000000
--- a/prebuilts/api/31.0/private/viewcompiler.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# viewcompiler
-type viewcompiler, domain, coredomain, mlstrustedsubject;
-type viewcompiler_exec, system_file_type, exec_type, file_type;
-type viewcompiler_tmpfs, file_type;
-
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-# Use tmpfs_domain() which will give tmpfs files created by viewcompiler their
-# own label, which differs from other labels created by other processes.
-# This allows to distinguish in policy files created by viewcompiler vs other
-# processes.
-tmpfs_domain(viewcompiler)
-
-allow viewcompiler installd:fd use;
-
-# Include write permission for app data files so viewcompiler can generate
-# compiled layout dex files
-allow viewcompiler app_data_file:file { getattr write };
-
-# Allow the view compiler to read resources from the apps APK.
-allow viewcompiler apk_data_file:file { read map };
-
-# priv-apps are moving to a world where they can only execute
-# signed code. Make sure viewcompiler never can write to privapp
-# directories to avoid introducing unsigned executable code
-neverallow viewcompiler privapp_data_file:file no_w_file_perms;
diff --git a/prebuilts/api/31.0/private/virtmanager.te b/prebuilts/api/31.0/private/virtmanager.te
deleted file mode 100644
index 467f7d4..0000000
--- a/prebuilts/api/31.0/private/virtmanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type virtmanager, domain, coredomain;
-type virtmanager_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
-init_daemon_domain(virtmanager)
-
-# Let the virtmanager domain use Binder.
-binder_use(virtmanager)
-
-# Let the virtmanager domain register the virtualization_service with ServiceManager.
-add_service(virtmanager, virtualization_service)
-
-# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtmanager, crosvm_exec, crosvm)
-
-# Let virtmanager kill crosvm.
-allow virtmanager crosvm:process sigkill;
diff --git a/prebuilts/api/31.0/private/virtual_touchpad.te b/prebuilts/api/31.0/private/virtual_touchpad.te
deleted file mode 100644
index e735172..0000000
--- a/prebuilts/api/31.0/private/virtual_touchpad.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute virtual_touchpad coredomain;
-
-init_daemon_domain(virtual_touchpad)
diff --git a/prebuilts/api/31.0/private/vold.te b/prebuilts/api/31.0/private/vold.te
deleted file mode 100644
index de0fde4..0000000
--- a/prebuilts/api/31.0/private/vold.te
+++ /dev/null
@@ -1,68 +0,0 @@
-typeattribute vold coredomain;
-
-init_daemon_domain(vold)
-
-# Switch to more restrictive domains when executing common tools
-domain_auto_trans(vold, sgdisk_exec, sgdisk);
-domain_auto_trans(vold, sdcardd_exec, sdcardd);
-
-# For a handful of probing tools, we choose an even more restrictive
-# domain when working with untrusted block devices
-domain_trans(vold, blkid_exec, blkid);
-domain_trans(vold, blkid_exec, blkid_untrusted);
-domain_trans(vold, fsck_exec, fsck);
-domain_trans(vold, fsck_exec, fsck_untrusted);
-
-# Newly created storage dirs are always treated as mount stubs to prevent us
-# from accidentally writing when the mount point isn't present.
-type_transition vold storage_file:dir storage_stub_file;
-type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
-# Property Service
-get_prop(vold, vold_config_prop)
-get_prop(vold, storage_config_prop);
-get_prop(vold, incremental_prop);
-
-set_prop(vold, vold_post_fs_data_prop)
-set_prop(vold, vold_prop)
-set_prop(vold, vold_status_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-set_prop(vold, boottime_public_prop)
-
-# Vold will use Keystore instead of using Keymint directly. But it still needs
-# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
-allow vold vold_key:keystore2_key {
- convert_storage_key_to_ephemeral
- delete
- get_info
- manage_blob
- rebind
- req_forced_op
- update
- use
-};
-
-# vold needs to call keystore methods
-allow vold keystore:binder call;
-
-# vold needs to find keystore2 services
-allow vold keystore_service:service_manager find;
-allow vold keystore_maintenance_service:service_manager find;
-
-# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
-allow vold keystore:keystore2 early_boot_ended;
-allow vold keystore:keystore2 delete_all_keys;
-
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
- -gsid
-} vold_service:service_manager find;
diff --git a/prebuilts/api/31.0/private/vold_prepare_subdirs.te b/prebuilts/api/31.0/private/vold_prepare_subdirs.te
deleted file mode 100644
index 956e94e..0000000
--- a/prebuilts/api/31.0/private/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,60 +0,0 @@
-domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
-
-typeattribute vold_prepare_subdirs mlstrustedsubject;
-
-allow vold_prepare_subdirs system_file:file execute_no_trans;
-allow vold_prepare_subdirs shell_exec:file rx_file_perms;
-allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
-allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
-allow vold_prepare_subdirs vold:fd use;
-allow vold_prepare_subdirs vold:fifo_file { read write };
-allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
-allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
-allow vold_prepare_subdirs self:process setfscreate;
-allow vold_prepare_subdirs {
- system_data_file
- vendor_data_file
-}:dir { open read write add_name remove_name rmdir relabelfrom };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:dir { create_dir_perms relabelto };
-allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
- apex_module_data_file
- apex_permission_data_file
- apex_rollback_data_file
- apex_scheduling_data_file
- apex_wifi_data_file
- backup_data_file
- face_vendor_data_file
- fingerprint_vendor_data_file
- iris_vendor_data_file
- rollback_data_file
- storaged_data_file
- system_data_file
- vold_data_file
-}:file { getattr unlink };
-allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
-allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
-allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
-# /data/misc is unlabeled during early boot.
-allow vold_prepare_subdirs unlabeled:dir search;
-
-dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/prebuilts/api/31.0/private/vr_hwc.te b/prebuilts/api/31.0/private/vr_hwc.te
deleted file mode 100644
index 053c03d..0000000
--- a/prebuilts/api/31.0/private/vr_hwc.te
+++ /dev/null
@@ -1,6 +0,0 @@
-typeattribute vr_hwc coredomain;
-
-# Daemon started by init.
-init_daemon_domain(vr_hwc)
-
-hal_server_domain(vr_hwc, hal_graphics_composer)
diff --git a/prebuilts/api/31.0/private/vzwomatrigger_app.te b/prebuilts/api/31.0/private/vzwomatrigger_app.te
deleted file mode 100644
index 8deb22b..0000000
--- a/prebuilts/api/31.0/private/vzwomatrigger_app.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for further sandboxing the VzwOmaTrigger app.
-###
-type vzwomatrigger_app, domain;
-
-app_domain(vzwomatrigger_app)
diff --git a/prebuilts/api/31.0/private/wait_for_keymaster.te b/prebuilts/api/31.0/private/wait_for_keymaster.te
deleted file mode 100644
index da98e2e..0000000
--- a/prebuilts/api/31.0/private/wait_for_keymaster.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# wait_for_keymaster service
-type wait_for_keymaster, domain, coredomain;
-type wait_for_keymaster_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(wait_for_keymaster)
-
-hal_client_domain(wait_for_keymaster, hal_keymaster)
-
-allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
-
-# wait_for_keymaster needs to find keystore and call methods with the returned
-# binder reference.
-binder_use(wait_for_keymaster)
-allow wait_for_keymaster keystore_service:service_manager find;
-binder_call(wait_for_keymaster, keystore)
diff --git a/prebuilts/api/31.0/private/watchdogd.te b/prebuilts/api/31.0/private/watchdogd.te
deleted file mode 100644
index 91ece70..0000000
--- a/prebuilts/api/31.0/private/watchdogd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute watchdogd coredomain;
-
-init_daemon_domain(watchdogd)
diff --git a/prebuilts/api/31.0/private/webview_zygote.te b/prebuilts/api/31.0/private/webview_zygote.te
deleted file mode 100644
index 3473eca..0000000
--- a/prebuilts/api/31.0/private/webview_zygote.te
+++ /dev/null
@@ -1,155 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-typeattribute webview_zygote coredomain;
-
-# The webview_zygote needs to be able to transition domains.
-typeattribute webview_zygote mlstrustedsubject;
-
-# Allow access to temporary files, which is normally permitted through
-# a domain macro.
-tmpfs_domain(webview_zygote);
-
-userfaultfd_use(webview_zygote)
-
-# Allow reading/executing installed binaries to enable preloading the
-# installed WebView implementation.
-allow webview_zygote apk_data_file:dir r_dir_perms;
-allow webview_zygote apk_data_file:file { r_file_perms execute };
-
-# Access to the WebView relro file.
-allow webview_zygote shared_relro_file:dir search;
-allow webview_zygote shared_relro_file:file r_file_perms;
-
-# Set the UID/GID of the process.
-allow webview_zygote self:global_capability_class_set { setgid setuid };
-# Drop capabilities from bounding set.
-allow webview_zygote self:global_capability_class_set setpcap;
-# Switch SELinux context to app domains.
-allow webview_zygote self:process setcurrent;
-allow webview_zygote isolated_app:process dyntransition;
-
-# For art.
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
-allow webview_zygote apex_module_data_file:dir search;
-
-# Allow webview_zygote to create JIT memory.
-allow webview_zygote self:process execmem;
-
-# Allow webview_zygote to stat the files that it opens. It must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow webview_zygote debugfs_trace_marker:file getattr;
-
-# Allow webview_zygote to manage the pgroup of its children.
-allow webview_zygote system_server:process getpgid;
-
-# Interaction between the webview_zygote and its children.
-allow webview_zygote isolated_app:process setpgid;
-
-# TODO (b/63631799) fix this access
-# Suppress denials to storage. Webview zygote should not be accessing.
-dontaudit webview_zygote mnt_expand_file:dir getattr;
-
-# TODO (b/72957399) remove this when webview_zygote is reparented to
-# app_process zygote
-dontaudit webview_zygote dex2oat_exec:file execute;
-
-# Get seapp_contexts
-allow webview_zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(webview_zygote)
-# Check SELinux permissions.
-selinux_check_access(webview_zygote)
-
-# Directory listing in /system.
-allow webview_zygote system_file:dir r_dir_perms;
-
-# Read and inspect temporary files (like system properties) managed by zygote.
-allow webview_zygote zygote_tmpfs:file { read getattr };
-# Child of zygote.
-allow webview_zygote zygote:fd use;
-allow webview_zygote zygote:process sigchld;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(webview_zygote, vendor_overlay_file)
-
-allow webview_zygote same_process_hal_file:file { execute read open getattr map };
-
-allow webview_zygote system_data_file:lnk_file r_file_perms;
-
-# Send unsolicited message to system_server
-unix_socket_send(webview_zygote, system_unsolzygote, system_server)
-
-# Allow the webview_zygote to access the runtime feature flag properties.
-get_prop(webview_zygote, device_config_runtime_native_prop)
-get_prop(webview_zygote, device_config_runtime_native_boot_prop)
-
-# Allow webview_zygote to access odsign verification status
-get_prop(zygote, odsign_prop)
-
-#####
-##### Neverallow
-#####
-
-# Only permit transition to isolated_app.
-neverallow webview_zygote { domain -isolated_app }:process dyntransition;
-
-# Only setcon() transitions, no exec() based transitions, except for crash_dump.
-neverallow webview_zygote { domain -crash_dump }:process transition;
-
-# Must not exec() a program without changing domains.
-# Having said that, exec() above is not allowed.
-neverallow webview_zygote *:file execute_no_trans;
-
-# The only way to enter this domain is for the zygote to fork a new
-# webview_zygote child.
-neverallow { domain -zygote } webview_zygote:process dyntransition;
-
-# Disallow write access to properties.
-neverallow webview_zygote property_socket:sock_file write;
-neverallow webview_zygote property_type:property_service set;
-
-# Should not have any access to app data files.
-neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
-
-neverallow webview_zygote {
- service_manager_type
- -activity_service
- -webviewupdate_service
-}:service_manager find;
-
-# Isolated apps shouldn't be able to access the driver directly.
-neverallow webview_zygote gpu_device:chr_file { rwx_file_perms };
-
-# Do not allow webview_zygote access to /cache.
-neverallow webview_zygote cache_file:dir ~{ r_dir_perms };
-neverallow webview_zygote cache_file:file ~{ read getattr };
-
-# Do not allow most socket access. This is socket_class_set, excluding unix_dgram_socket,
-# unix_stream_socket, and netlink_selinux_socket.
-neverallow webview_zygote domain:{
- socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket
- appletalk_socket netlink_route_socket netlink_tcpdiag_socket
- netlink_nflog_socket netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket
- netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket
- netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket
- sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket
- x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket
- pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket
- rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket
- xdp_socket
-} *;
-
-# Do not allow access to Bluetooth-related system properties.
-# neverallow rules for Bluetooth-related data files are listed above.
-neverallow webview_zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
diff --git a/prebuilts/api/31.0/private/wificond.te b/prebuilts/api/31.0/private/wificond.te
deleted file mode 100644
index 3fdaca2..0000000
--- a/prebuilts/api/31.0/private/wificond.te
+++ /dev/null
@@ -1,11 +0,0 @@
-typeattribute wificond coredomain;
-
-set_prop(wificond, wifi_hal_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-get_prop(wificond, hwservicemanager_prop)
-
-allow wificond legacykeystore_service:service_manager find;
-
-init_daemon_domain(wificond)
diff --git a/prebuilts/api/31.0/private/wpantund.te b/prebuilts/api/31.0/private/wpantund.te
deleted file mode 100644
index e91662c..0000000
--- a/prebuilts/api/31.0/private/wpantund.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute wpantund coredomain;
-
-init_daemon_domain(wpantund)
diff --git a/prebuilts/api/31.0/private/zygote.te b/prebuilts/api/31.0/private/zygote.te
deleted file mode 100644
index 090e121..0000000
--- a/prebuilts/api/31.0/private/zygote.te
+++ /dev/null
@@ -1,268 +0,0 @@
-# zygote
-typeattribute zygote coredomain;
-typeattribute zygote mlstrustedsubject;
-
-init_daemon_domain(zygote)
-tmpfs_domain(zygote)
-
-read_runtime_log_tags(zygote)
-
-# Override DAC on files and switch uid/gid.
-allow zygote self:global_capability_class_set { dac_override dac_read_search setgid setuid fowner chown };
-
-# Drop capabilities from bounding set.
-allow zygote self:global_capability_class_set setpcap;
-
-# Switch SELinux context to app domains.
-allow zygote self:process setcurrent;
-allow zygote system_server_startup:process dyntransition;
-allow zygote appdomain:process dyntransition;
-allow zygote webview_zygote:process dyntransition;
-allow zygote app_zygote:process dyntransition;
-
-# Allow zygote to read app /proc/pid dirs (b/10455872).
-allow zygote appdomain:dir { getattr search };
-allow zygote appdomain:file { r_file_perms };
-
-userfaultfd_use(zygote)
-
-# Move children into the peer process group.
-allow zygote system_server:process { getpgid setpgid };
-allow zygote appdomain:process { getpgid setpgid };
-allow zygote webview_zygote:process { getpgid setpgid };
-allow zygote app_zygote:process { getpgid setpgid };
-
-# Read system data.
-allow zygote system_data_file:dir r_dir_perms;
-allow zygote system_data_file:file r_file_perms;
-
-# Write to /data/dalvik-cache.
-allow zygote dalvikcache_data_file:dir create_dir_perms;
-allow zygote dalvikcache_data_file:file create_file_perms;
-
-# Create symlinks in /data/dalvik-cache.
-allow zygote dalvikcache_data_file:lnk_file create_file_perms;
-
-# Write to /data/resource-cache.
-allow zygote resourcecache_data_file:dir rw_dir_perms;
-allow zygote resourcecache_data_file:file create_file_perms;
-
-# For updateability, the zygote may fetch the current boot
-# classpath from the dalvik cache. Integrity of the files
-# is ensured by fsverity protection (checked in art_apex_boot_integrity).
-allow zygote dalvikcache_data_file:file execute;
-
-# Allow zygote to find files in APEX data directories.
-allow zygote apex_module_data_file:dir search;
-
-# Allow zygote to find and map files created by on device signing.
-allow zygote apex_art_data_file:dir { getattr search };
-allow zygote apex_art_data_file:file { r_file_perms execute };
-
-# Bind mount on /data/data and mounted volumes
-allow zygote { system_data_file mnt_expand_file }:dir mounton;
-
-# Relabel /data/user /data/user_de and /data/data
-allow zygote tmpfs:{ dir lnk_file } relabelfrom;
-allow zygote system_data_file:{ dir lnk_file } relabelto;
-
-# Zygote opens /mnt/expand to mount CE DE storage on each vol
-allow zygote mnt_expand_file:dir { open read search relabelto };
-
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
-
-# Create and bind dirs on /data/data
-allow zygote tmpfs:dir { create_dir_perms mounton };
-
-# Goes into media directory and bind mount obb directory
-allow zygote media_rw_data_file:dir { getattr search };
-
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
-
-# Read if sdcardfs is supported
-allow zygote proc_filesystems:file r_file_perms;
-
-# Create symlink for /data/user/0
-allow zygote tmpfs:lnk_file create;
-
-allow zygote mirror_data_file:dir r_dir_perms;
-
-# Get inode of directories for app data isolation
-allow zygote {
- app_data_file_type
- system_data_file
- mnt_expand_file
-}:dir getattr;
-
-# Allow zygote to create JIT memory.
-allow zygote self:process execmem;
-allow zygote zygote_tmpfs:file execute;
-allow zygote ashmem_libcutils_device:chr_file execute;
-
-# Execute idmap and dex2oat within zygote's own domain.
-# TODO: Should either of these be transitioned to the same domain
-# used by installd or stay in-domain for zygote?
-allow zygote idmap_exec:file rx_file_perms;
-allow zygote dex2oat_exec:file rx_file_perms;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(zygote, vendor_overlay_file)
-
-# Control cgroups.
-allow zygote cgroup:dir create_dir_perms;
-allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
-allow zygote self:global_capability_class_set sys_admin;
-
-# Allow zygote to stat the files that it opens. The zygote must
-# be able to inspect them so that it can reopen them on fork
-# if necessary: b/30963384.
-allow zygote pmsg_device:chr_file getattr;
-allow zygote debugfs_trace_marker:file getattr;
-
-# Get seapp_contexts
-allow zygote seapp_contexts_file:file r_file_perms;
-# Check validity of SELinux context before use.
-selinux_check_context(zygote)
-# Check SELinux permissions.
-selinux_check_access(zygote)
-
-# Native bridge functionality requires that zygote replaces
-# /proc/cpuinfo with /system/lib/<ISA>/cpuinfo using a bind mount
-allow zygote proc_cpuinfo:file mounton;
-
-# Allow remounting rootfs as MS_SLAVE.
-allow zygote rootfs:dir mounton;
-allow zygote tmpfs:filesystem { mount unmount };
-allow zygote fuse:filesystem { unmount };
-allow zygote sdcardfs:filesystem { unmount };
-
-# Allow creating user-specific storage source if started before vold.
-allow zygote mnt_user_file:dir { create_dir_perms mounton };
-allow zygote mnt_user_file:lnk_file create_file_perms;
-allow zygote mnt_user_file:file create_file_perms;
-
-# Allow mounting user-specific storage source if started before vold.
-allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
-
-# Allowed to mount user-specific storage into place
-allow zygote storage_file:dir { search mounton };
-
-# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
-
-# Handle --invoke-with command when launching Zygote with a wrapper command.
-allow zygote zygote_exec:file rx_file_perms;
-
-# Allow zygote to write to statsd.
-unix_socket_send(zygote, statsdw, statsd)
-
-# Root fs.
-r_dir_file(zygote, rootfs)
-
-# System file accesses.
-r_dir_file(zygote, system_file)
-
-# /oem accesses.
-allow zygote oemfs:dir search;
-
-userdebug_or_eng(`
- # Allow zygote to create and write method traces in /data/misc/trace.
- allow zygote method_trace_data_file:dir w_dir_perms;
- allow zygote method_trace_data_file:file { create w_file_perms };
-')
-
-allow zygote ion_device:chr_file r_file_perms;
-allow zygote tmpfs:dir r_dir_perms;
-
-allow zygote same_process_hal_file:file { execute read open getattr map };
-
-# Allow the zygote to access storage properties to check if sdcardfs is enabled.
-get_prop(zygote, storage_config_prop);
-
-# Let the zygote access overlays so it can initialize the AssetManager.
-get_prop(zygote, overlay_prop)
-get_prop(zygote, exported_overlay_prop)
-
-# Allow the zygote to access the runtime feature flag properties.
-get_prop(zygote, device_config_runtime_native_prop)
-get_prop(zygote, device_config_runtime_native_boot_prop)
-
-# Allow the zygote to access window manager native boot feature flags
-# to initialize WindowManager static properties.
-get_prop(zygote, device_config_window_manager_native_boot_prop)
-
-# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
-
-# Ignore spurious denials calling access() on fuse.
-# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
-# doesn't exist.
-# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir { read open setattr };
-
-# Allow zygote to use ashmem fds from system_server.
-allow zygote system_server:fd use;
-
-# Send unsolicited message to system_server
-unix_socket_send(zygote, system_unsolzygote, system_server)
-
-# Allow zygote to access media_variant_prop for static initialization
-get_prop(zygote, media_variant_prop)
-
-# Allow zygote to access odsign verification status
-get_prop(zygote, odsign_prop)
-
-# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(zygote, packagemanager_config_prop)
-
-# Allow zygote to read qemu.sf.lcd_density
-get_prop(zygote, qemu_sf_lcd_density_prop)
-
-# Allow zygote to read /apex/apex-info-list.xml
-allow zygote apex_info_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Ensure that all types assigned to app processes are included
-# in the appdomain attribute, so that all allow and neverallow rules
-# written on appdomain are applied to all app processes.
-# This is achieved by ensuring that it is impossible for zygote to
-# setcon (dyntransition) to any types other than those associated
-# with appdomain plus system_server_startup, webview_zygote and
-# app_zygote.
-neverallow zygote ~{
- appdomain
- system_server_startup
- webview_zygote
- app_zygote
-}:process dyntransition;
-
-# Zygote should never execute anything from /data except for
-# /data/dalvik-cache files or files generated during on-device
-# signing under /data/misc/apexdata/com.android.art/.
-neverallow zygote {
- data_file_type
- -apex_art_data_file # map PROT_EXEC
- -dalvikcache_data_file # map PROT_EXEC
-}:file no_x_file_perms;
-
-# Do not allow access to Bluetooth-related system properties and files
-neverallow zygote {
- bluetooth_a2dp_offload_prop
- bluetooth_audio_hal_prop
- bluetooth_prop
- exported_bluetooth_prop
-}:file create_file_perms;
-
-# Zygote should not be able to access app private data.
-neverallow zygote app_data_file_type:dir ~getattr;
diff --git a/prebuilts/api/31.0/public/adbd.te b/prebuilts/api/31.0/public/adbd.te
deleted file mode 100644
index 5056b35..0000000
--- a/prebuilts/api/31.0/public/adbd.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# adbd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type adbd, domain;
-type adbd_exec, exec_type, file_type, system_file_type;
-
-# Only init is allowed to enter the adbd domain via exec()
-neverallow { domain -init } adbd:process transition;
-neverallow * adbd:process dyntransition;
-
-# Access /data/local/tests.
-allow adbd shell_test_data_file:dir create_dir_perms;
-allow adbd shell_test_data_file:file create_file_perms;
-allow adbd shell_test_data_file:lnk_file create_file_perms;
diff --git a/prebuilts/api/31.0/public/aidl_lazy_test_server.te b/prebuilts/api/31.0/public/aidl_lazy_test_server.te
deleted file mode 100644
index 626d008..0000000
--- a/prebuilts/api/31.0/public/aidl_lazy_test_server.te
+++ /dev/null
@@ -1,9 +0,0 @@
-type aidl_lazy_test_server, domain;
-type aidl_lazy_test_server_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
- binder_use(aidl_lazy_test_server)
- binder_call(aidl_lazy_test_server, binderservicedomain)
-
- add_service(aidl_lazy_test_server, aidl_lazy_test_service)
-')
diff --git a/prebuilts/api/31.0/public/apexd.te b/prebuilts/api/31.0/public/apexd.te
deleted file mode 100644
index 53bc569..0000000
--- a/prebuilts/api/31.0/public/apexd.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# apexd -- manager for APEX packages
-type apexd, domain;
-type apexd_exec, exec_type, file_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
-
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
-
-neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
diff --git a/prebuilts/api/31.0/public/app.te b/prebuilts/api/31.0/public/app.te
deleted file mode 100644
index 5527f99..0000000
--- a/prebuilts/api/31.0/public/app.te
+++ /dev/null
@@ -1,603 +0,0 @@
-###
-### Domain for all zygote spawned apps
-###
-### This file is the base policy for all zygote spawned apps.
-### Other policy files, such as isolated_app.te, untrusted_app.te, etc
-### extend from this policy. Only policies which should apply to ALL
-### zygote spawned apps should be added here.
-###
-type appdomain_tmpfs, file_type;
-
-# WebView and other application-specific JIT compilers
-allow appdomain self:process execmem;
-
-allow appdomain { ashmem_device ashmem_libcutils_device }:chr_file execute;
-
-# Receive and use open file descriptors inherited from zygote.
-allow appdomain zygote:fd use;
-
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
-# gdbserver for ndk-gdb reads the zygote.
-# valgrind needs mmap exec for zygote
-allow appdomain zygote_exec:file rx_file_perms;
-
-# Notify zygote of death;
-allow appdomain zygote:process sigchld;
-
-# Read /data/dalvik-cache.
-allow appdomain dalvikcache_data_file:dir { search getattr };
-allow appdomain dalvikcache_data_file:file r_file_perms;
-
-# Read the /sdcard and /mnt/sdcard symlinks
-allow { appdomain -isolated_app } rootfs:lnk_file r_file_perms;
-allow { appdomain -isolated_app } tmpfs:lnk_file r_file_perms;
-
-# Search /storage/emulated tmpfs mount.
-allow appdomain tmpfs:dir r_dir_perms;
-
-# Notify zygote of the wrapped process PID when using --invoke-with.
-allow appdomain zygote:fifo_file write;
-
-userdebug_or_eng(`
- # Allow apps to create and write method traces in /data/misc/trace.
- allow appdomain method_trace_data_file:dir w_dir_perms;
- allow appdomain method_trace_data_file:file { create w_file_perms };
-')
-
-# Notify shell and adbd of death when spawned via runas for ndk-gdb.
-allow appdomain shell:process sigchld;
-allow appdomain adbd:process sigchld;
-
-# child shell or gdbserver pty access for runas.
-allow appdomain devpts:chr_file { getattr read write ioctl };
-
-# Use pipes and sockets provided by system_server via binder or local socket.
-allow appdomain system_server:fd use;
-allow appdomain system_server:fifo_file rw_file_perms;
-allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
-allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
-
-# For AppFuse.
-allow appdomain vold:fd use;
-
-# Communication with other apps via fifos
-allow appdomain appdomain:fifo_file rw_file_perms;
-
-# Communicate with surfaceflinger.
-allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
-
-# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
-
-# Traverse into expanded storage
-allow appdomain mnt_expand_file:dir r_dir_perms;
-
-# Keychain and user-trusted credentials
-r_dir_file(appdomain, keychain_data_file)
-allow appdomain misc_user_data_file:dir r_dir_perms;
-allow appdomain misc_user_data_file:file r_file_perms;
-
-# TextClassifier
-r_dir_file({ appdomain -isolated_app }, textclassifier_data_file)
-
-# Access to OEM provided data and apps
-allow appdomain oemfs:dir r_dir_perms;
-allow appdomain oemfs:file rx_file_perms;
-
-# Execute the shell or other system executables.
-allow { appdomain -ephemeral_app } shell_exec:file rx_file_perms;
-allow { appdomain -ephemeral_app } toolbox_exec:file rx_file_perms;
-allow appdomain system_file:file x_file_perms;
-not_full_treble(`allow { appdomain -ephemeral_app } vendor_file:file x_file_perms;')
-
-# Renderscript needs the ability to read directories on /system
-allow appdomain system_file:dir r_dir_perms;
-allow appdomain system_file:lnk_file { getattr open read };
-# Renderscript specific permissions to open /system/vendor/lib64.
-not_full_treble(`
- allow appdomain vendor_file_type:dir r_dir_perms;
- allow appdomain vendor_file_type:lnk_file { getattr open read };
-')
-
-full_treble_only(`
- # For looking up Renderscript vendor drivers
- allow { appdomain -isolated_app } vendor_file:dir { open read };
-')
-
-# Allow apps access to /vendor/app except for privileged
-# apps which cannot be in /vendor.
-r_dir_file({ appdomain -ephemeral_app }, vendor_app_file)
-allow { appdomain -ephemeral_app } vendor_app_file:file execute;
-
-# Allow apps access to /vendor/overlay
-r_dir_file(appdomain, vendor_overlay_file)
-
-# Allow apps access to /vendor/framework
-# for vendor provided libraries.
-r_dir_file(appdomain, vendor_framework_file)
-
-# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
-
-# Read/write wallpaper file (opened by system).
-allow appdomain wallpaper_file:file { getattr read write map };
-
-# Read/write cached ringtones (opened by system).
-allow appdomain ringtone_file:file { getattr read write map };
-
-# Read ShortcutManager icon files (opened by system).
-allow appdomain shortcut_manager_icons:file { getattr read map };
-
-# Read icon file (opened by system).
-allow appdomain icon_file:file { getattr read map };
-
-# Old stack dumping scheme : append to a global trace file (/data/anr/traces.txt).
-#
-# TODO: All of these permissions except for anr_data_file:file append can be
-# withdrawn once we've switched to the new stack dumping mechanism, see b/32064548
-# and the rules below.
-allow appdomain anr_data_file:dir search;
-allow appdomain anr_data_file:file { open append };
-
-# New stack dumping scheme : request an output FD from tombstoned via a unix
-# domain socket.
-#
-# Allow apps to connect and write to the tombstoned java trace socket in
-# order to dump their traces. Also allow them to append traces to pipes
-# created by dumptrace. (Also see the rules below where they are given
-# additional permissions to dumpstate pipes for other aspects of bug report
-# creation).
-unix_socket_connect(appdomain, tombstoned_java_trace, tombstoned)
-allow appdomain tombstoned:fd use;
-allow appdomain dumpstate:fifo_file append;
-allow appdomain incidentd:fifo_file append;
-
-# Allow apps to send dump information to dumpstate
-allow appdomain dumpstate:fd use;
-allow appdomain dumpstate:unix_stream_socket { read write getopt getattr shutdown };
-allow appdomain dumpstate:fifo_file { write getattr };
-allow appdomain shell_data_file:file { write getattr };
-
-# Allow apps to send dump information to incidentd
-allow appdomain incidentd:fd use;
-allow appdomain incidentd:fifo_file { write getattr };
-
-# Allow apps to send information to statsd socket.
-unix_socket_send(appdomain, statsdw, statsd)
-
-# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
-allow appdomain user_profile_data_file:dir { search write add_name };
-allow appdomain user_profile_data_file:file create_file_perms;
-
-# Send heap dumps to system_server via an already open file descriptor
-# % adb shell am set-watch-heap com.android.systemui 1048576
-# % adb shell dumpsys procstats --start-testing
-# debuggable builds only.
-userdebug_or_eng(`
- allow appdomain heapdump_data_file:file append;
-')
-
-# /proc/net access.
-# TODO(b/9496886) Audit access for removal.
-# proc_net access for the negated domains below is granted (or not) in their
-# individual .te files.
-r_dir_file({
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -system_app
- -untrusted_app_all
-}, proc_net_type)
-# audit access for all these non-core app domains.
-userdebug_or_eng(`
- auditallow {
- appdomain
- -ephemeral_app
- -isolated_app
- -platform_app
- -priv_app
- -shell
- -su
- -system_app
- -untrusted_app_all
- } proc_net_type:{ dir file lnk_file } { getattr open read };
-')
-
-# Grant GPU access to all processes started by Zygote.
-# They need that to render the standard UI.
-allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
-
-# Use the Binder.
-binder_use(appdomain)
-# Perform binder IPC to binder services.
-binder_call(appdomain, binderservicedomain)
-# Perform binder IPC to other apps.
-binder_call(appdomain, appdomain)
-# Perform binder IPC to ephemeral apps.
-binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
-
-# Talk with graphics composer fences
-allow appdomain hal_graphics_composer:fd use;
-
-# Already connected, unnamed sockets being passed over some other IPC
-# hence no sock_file or connectto permission. This appears to be how
-# Chrome works, may need to be updated as more apps using isolated services
-# are examined.
-allow appdomain appdomain:unix_stream_socket { getopt getattr read write shutdown };
-
-# Backup ability for every app. BMS opens and passes the fd
-# to any app that has backup ability. Hence, no open permissions here.
-allow appdomain backup_data_file:file { read write getattr map };
-allow appdomain cache_backup_file:file { read write getattr map };
-allow appdomain cache_backup_file:dir getattr;
-# Backup ability using 'adb backup'
-allow appdomain system_data_file:lnk_file r_file_perms;
-allow appdomain system_data_file:file { getattr read map };
-
-# Allow read/stat of /data/media files passed by Binder or local socket IPC.
-allow { appdomain -isolated_app } media_rw_data_file:file { read getattr };
-
-# Read and write /data/data/com.android.providers.telephony files passed over Binder.
-allow { appdomain -isolated_app } radio_data_file:file { read write getattr };
-
-# Allow access to external storage; we have several visible mount points under /storage
-# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
-allow { appdomain -isolated_app -ephemeral_app } storage_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } storage_file:lnk_file r_file_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
-
-# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:file create_file_perms;
-
-# Allow apps to use the USB Accessory interface.
-# http://developer.android.com/guide/topics/connectivity/usb/accessory.html
-#
-# USB devices are first opened by the system server (USBDeviceManagerService)
-# and the file descriptor is passed to the right Activity via binder.
-allow { appdomain -isolated_app -ephemeral_app } usb_device:chr_file { read write getattr ioctl };
-allow { appdomain -isolated_app -ephemeral_app } usbaccessory_device:chr_file { read write getattr };
-
-# For art.
-allow appdomain dalvikcache_data_file:file execute;
-allow appdomain dalvikcache_data_file:lnk_file r_file_perms;
-
-# Allow any app to read shared RELRO files.
-allow appdomain shared_relro_file:dir search;
-allow appdomain shared_relro_file:file r_file_perms;
-
-# Allow apps to read/execute installed binaries
-allow appdomain apk_data_file:dir r_dir_perms;
-allow appdomain apk_data_file:file rx_file_perms;
-
-# /data/resource-cache
-allow appdomain resourcecache_data_file:file r_file_perms;
-allow appdomain resourcecache_data_file:dir r_dir_perms;
-
-# logd access
-read_logd(appdomain)
-control_logd({ appdomain -ephemeral_app })
-# application inherit logd write socket (urge is to deprecate this long term)
-allow appdomain zygote:unix_dgram_socket write;
-
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
-
-use_keystore({ appdomain -isolated_app -ephemeral_app })
-
-use_credstore({ appdomain -isolated_app -ephemeral_app })
-
-allow appdomain console_device:chr_file { read write };
-
-# only allow unprivileged socket ioctl commands
-allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
-# Allow AAudio apps to use shared memory file descriptors from the HAL
-allow { appdomain -isolated_app } hal_audio:fd use;
-
-# Allow app to access shared memory created by camera HAL1
-allow { appdomain -isolated_app } hal_camera:fd use;
-
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
-# RenderScript always-passthrough HAL
-allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
-allow appdomain same_process_hal_file:file { execute read open getattr map };
-
-# TODO: switch to meminfo service
-allow appdomain proc_meminfo:file r_file_perms;
-
-# For app fuse.
-allow appdomain app_fuse_file:file { getattr read append write map };
-
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_client)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_manager)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, display_vsync)
-pdx_client({ appdomain -isolated_app -ephemeral_app }, performance_client)
-# Apps do not directly open the IPC socket for bufferhubd.
-pdx_use({ appdomain -isolated_app -ephemeral_app }, bufferhub_client)
-
-###
-### CTS-specific rules
-###
-
-# For cts/tests/tests/permission/src/android/permission/cts/FileSystemPermissionTest.java.
-# testRunAsHasCorrectCapabilities
-allow appdomain runas_exec:file getattr;
-# Others are either allowed elsewhere or not desired.
-
-# Apps receive an open tun fd from the framework for
-# device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
-allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow appdomain adbd:unix_stream_socket connectto;
-allow appdomain adbd:fd use;
-allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-allow appdomain cache_file:dir getattr;
-
-# Allow apps to run with asanwrapper.
-with_asan(`allow appdomain asanwrapper_exec:file rx_file_perms;')
-
-# Read access to FDs from the DropboxManagerService.
-allow appdomain dropbox_data_file:file { getattr read };
-
-# Read tmpfs types from these processes.
-allow appdomain audioserver_tmpfs:file { getattr map read write };
-allow appdomain system_server_tmpfs:file { getattr map read write };
-allow appdomain zygote_tmpfs:file { map read };
-
-###
-### Neverallow rules
-###
-### These are things that Android apps should NEVER be able to do
-###
-
-# Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
-neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
-
-# Block device access.
-neverallow appdomain dev_type:blk_file { read write };
-
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
-# Note: Try expanding list of app domains in the future.
-neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
-
-neverallow { appdomain -nfc } nfc_device:chr_file
- { read write };
-neverallow { appdomain -bluetooth } hci_attach_dev:chr_file
- { read write };
-neverallow appdomain tee_device:chr_file { read write };
-
-# Privileged netlink socket interfaces.
-neverallow { appdomain -network_stack }
- domain:{
- netlink_tcpdiag_socket
- netlink_nflog_socket
- netlink_xfrm_socket
- netlink_audit_socket
- netlink_dnrt_socket
- } *;
-
-# These messages are broadcast messages from the kernel to userspace.
-# Do not allow the writing of netlink messages, which has been a source
-# of rooting vulns in the past.
-neverallow appdomain domain:netlink_kobject_uevent_socket { write append };
-
-# Sockets under /dev/socket that are not specifically typed.
-neverallow appdomain socket_device:sock_file write;
-
-# Unix domain sockets.
-neverallow appdomain adbd_socket:sock_file write;
-neverallow { appdomain -radio } rild_socket:sock_file write;
-
-# ptrace access to non-app domains.
-neverallow appdomain { domain -appdomain }:process ptrace;
-
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components
-# to apps. Crash_dump is excluded, as it needs ptrace access to
-# produce stack traces. llkd is excluded, as it needs ptrace access to
-# inspect stack traces for live lock conditions.
-
-neverallow {
- domain
- -appdomain
- -crash_dump
- userdebug_or_eng(`-llkd')
-} appdomain:process ptrace;
-
-# Read or write access to /proc/pid entries for any non-app domain.
-# A different form of hidepid=2 like protections
-neverallow appdomain { domain -appdomain }:file no_w_file_perms;
-neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
-
-# signal access to non-app domains.
-# sigchld allowed for parent death notification.
-# signull allowed for kill(pid, 0) existence test.
-# All others prohibited.
-# -perfetto is to allow shell (which is an appdomain) to kill perfetto
-# (see private/shell.te).
-neverallow appdomain { domain -appdomain -perfetto }:process
- { sigkill sigstop signal };
-
-# Write to rootfs.
-neverallow appdomain rootfs:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to /system.
-neverallow appdomain system_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to entrypoint executables.
-neverallow appdomain exec_type:file
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to system-owned parts of /data.
-# This is the default type for anything under /data not otherwise
-# specified in file_contexts. Define a different type for portions
-# that should be writable by apps.
-neverallow appdomain system_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# Write to various other parts of /data.
-neverallow appdomain drm_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
- apk_private_tmp_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -shell }
- shell_data_file:dir_file_class_set
- { create setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -bluetooth }
- bluetooth_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { domain -credstore -init } credstore_data_file:dir_file_class_set *;
-neverallow appdomain
- keystore_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- systemkeys_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- wifi_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-neverallow appdomain
- dhcp_data_file:dir_file_class_set
- { create write setattr relabelfrom relabelto append unlink link rename };
-
-# access tmp apk files
-neverallow { appdomain -untrusted_app_all -platform_app -priv_app }
- { apk_tmp_file apk_private_tmp_file }:dir_file_class_set *;
-
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:{ devfile_class_set dir fifo_file lnk_file sock_file } *;
-neverallow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file ~{ getattr read };
-
-# Access to factory files.
-neverallow appdomain efs_file:dir_file_class_set write;
-neverallow { appdomain -shell } efs_file:dir_file_class_set read;
-
-# Write to various pseudo file systems.
-neverallow { appdomain -bluetooth -nfc }
- sysfs:dir_file_class_set write;
-neverallow appdomain
- proc:dir_file_class_set write;
-
-# Access to syslog(2) or /proc/kmsg.
-neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
-
-# SELinux is not an API for apps to use
-neverallow { appdomain -shell } *:security { compute_av check_context };
-neverallow { appdomain -shell } *:netlink_selinux_socket *;
-
-# Ability to perform any filesystem operation other than statfs(2).
-# i.e. no mount(2), unmount(2), etc.
-neverallow appdomain fs_type:filesystem ~getattr;
-
-# prevent creation/manipulation of globally readable symlinks
-neverallow appdomain {
- apk_data_file
- cache_file
- cache_recovery_file
- dev_type
- rootfs
- system_file
- tmpfs
-}:lnk_file no_w_file_perms;
-
-# Applications should use the activity model for receiving events
-neverallow {
- appdomain
- -shell # bugreport
-} input_device:chr_file ~getattr;
-
-# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
-# neverallow rules for access to Bluetooth-related data files are above.
-neverallow {
- appdomain
- -bluetooth
- -system_app
-} { bluetooth_audio_hal_prop bluetooth_a2dp_offload_prop bluetooth_prop exported_bluetooth_prop }:file create_file_perms;
-
-# Apps cannot access proc_uid_time_in_state
-neverallow appdomain proc_uid_time_in_state:file *;
-
-# Apps cannot access proc_uid_concurrent_active_time
-neverallow appdomain proc_uid_concurrent_active_time:file *;
-
-# Apps cannot access proc_uid_concurrent_policy_time
-neverallow appdomain proc_uid_concurrent_policy_time:file *;
-
-# Apps cannot access proc_uid_cpupower
-neverallow appdomain proc_uid_cpupower:file *;
-
-# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
-# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
-# perform UID lookups.
-neverallow { appdomain -shell } proc_net_tcp_udp:file *;
-
-# Apps cannot access bootstrap files. The bootstrap files are only for
-# extremely early processes (like init, etc.) which are started before
-# the runtime APEX is activated and Bionic libs are provided from there.
-# If app process accesses (or even load/execute) the bootstrap files,
-# it might cause problems such as ODR violation, etc.
-neverallow appdomain system_bootstrap_lib_file:file
- { open read write append execute execute_no_trans map };
-neverallow appdomain system_bootstrap_lib_file:dir
- { open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/prebuilts/api/31.0/public/app_zygote.te b/prebuilts/api/31.0/public/app_zygote.te
deleted file mode 100644
index 4c1ec96..0000000
--- a/prebuilts/api/31.0/public/app_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# app_zygote is an auxiliary zygote process that is used to spawn
-# isolated service processes for individual applications. It is
-# spawned from the regular zygote process as a "child zygote".
-
-type app_zygote, domain;
-type app_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/31.0/public/asan_extract.te b/prebuilts/api/31.0/public/asan_extract.te
deleted file mode 100644
index d8a1b73..0000000
--- a/prebuilts/api/31.0/public/asan_extract.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# asan_extract
-#
-# This command set moves the artifact corresponding to the current slot
-# from /data/ota to /data/dalvik-cache.
-
-with_asan(`
- type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type, system_file_type;
-
- # Allow asan_extract to execute itself using #!/system/bin/sh
- allow asan_extract shell_exec:file rx_file_perms;
-
- # We execute log, rm, gzip and tar.
- allow asan_extract toolbox_exec:file rx_file_perms;
- allow asan_extract system_file:file execute_no_trans;
-
- # asan_extract deletes old /data/lib.
- allow asan_extract system_file:dir { open read remove_name rmdir write };
- allow asan_extract system_file:file unlink;
-
- # asan_extract untars ASAN libraries into /data.
- allow asan_extract system_data_file:dir create_dir_perms ;
- allow asan_extract system_data_file:{ file lnk_file } create_file_perms ;
-
- # Relabel the libraries with restorecon.
- allow asan_extract file_contexts_file:file r_file_perms;
- allow asan_extract system_data_file:{ dir file } relabelfrom;
- allow asan_extract system_file:dir { relabelto setattr };
- allow asan_extract system_file:file relabelto;
-
- # Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
- allow asan_extract system_data_file:file execute;
-')
diff --git a/prebuilts/api/31.0/public/atrace.te b/prebuilts/api/31.0/public/atrace.te
deleted file mode 100644
index 7327f84..0000000
--- a/prebuilts/api/31.0/public/atrace.te
+++ /dev/null
@@ -1 +0,0 @@
-type atrace, domain, coredomain;
diff --git a/prebuilts/api/31.0/public/attributes b/prebuilts/api/31.0/public/attributes
deleted file mode 100644
index b60c9cc..0000000
--- a/prebuilts/api/31.0/public/attributes
+++ /dev/null
@@ -1,401 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# Attribute for block devices.
-attribute bdev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-expandattribute data_file_type false;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-expandattribute core_data_file_type false;
-
-# All types used for app private data files in seapp_contexts.
-# Such types should not be applied to any other files.
-attribute app_data_file_type;
-expandattribute app_data_file_type false;
-
-# All types in /system
-attribute system_file_type;
-
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types used for procfs files.
-attribute proc_type;
-expandattribute proc_type false;
-
-# Types in /proc/net, excluding qtaguid types.
-# TODO(b/9496886) Lock down access to /proc/net.
-# This attribute is used to audit access to proc_net. it is temporary and will
-# be removed.
-attribute proc_net_type;
-expandattribute proc_net_type true;
-
-# All types used for sysfs files.
-attribute sysfs_type;
-
-# Attribute for /sys/class/block files.
-attribute sysfs_block_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# All types used for tracefs files.
-attribute tracefs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# All properties defined in core SELinux policy. Should not be
-# used by device specific properties
-attribute core_property_type;
-
-# All properties used to configure log filtering.
-attribute log_property_type;
-
-# All properties that are not specific to device but are added from
-# outside of AOSP. (e.g. OEM-specific properties)
-# These properties are not accessible from device-specific domains
-attribute extended_core_property_type;
-
-# Properties used for representing ownership. All properties should have one
-# of: system_property_type, product_property_type, or vendor_property_type.
-
-# All properties defined by /system.
-attribute system_property_type;
-expandattribute system_property_type false;
-
-# All /system-defined properties used only in /system.
-attribute system_internal_property_type;
-expandattribute system_internal_property_type false;
-
-# All /system-defined properties which can't be written outside /system.
-attribute system_restricted_property_type;
-expandattribute system_restricted_property_type false;
-
-# All /system-defined properties with no restrictions.
-attribute system_public_property_type;
-expandattribute system_public_property_type false;
-
-# All keystore2_key labels.
-attribute keystore2_key_type;
-
-# All properties defined by /product.
-# Currently there are no enforcements between /system and /product, so for now
-# /product attributes are just replaced to /system attributes.
-define(`product_property_type', `system_property_type')
-define(`product_internal_property_type', `system_internal_property_type')
-define(`product_restricted_property_type', `system_restricted_property_type')
-define(`product_public_property_type', `system_public_property_type')
-
-# All properties defined by /vendor.
-attribute vendor_property_type;
-expandattribute vendor_property_type false;
-
-# All /vendor-defined properties used only in /vendor.
-attribute vendor_internal_property_type;
-expandattribute vendor_internal_property_type false;
-
-# All /vendor-defined properties which can't be written outside /vendor.
-attribute vendor_restricted_property_type;
-expandattribute vendor_restricted_property_type false;
-
-# All /vendor-defined properties with no restrictions.
-attribute vendor_public_property_type;
-expandattribute vendor_public_property_type false;
-
-# All service_manager types created by system_server
-attribute system_server_service;
-
-# services which should be available to all but isolated apps
-attribute app_api_service;
-
-# services which should be available to all ephemeral apps
-attribute ephemeral_app_api_service;
-
-# services which export only system_api
-attribute system_api_service;
-
-# services which are explicitly disallowed for untrusted apps to access
-attribute protected_service;
-
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All types used for services managed by hwservicemanager
-attribute hwservice_manager_type;
-
-# All HwBinder services guaranteed to be passthrough. These services always run
-# in the process of their clients, and thus operate with the same access as
-# their clients.
-attribute same_process_hwservice;
-
-# All HwBinder services guaranteed to be offered only by core domain components
-attribute coredomain_hwservice;
-
-# All HwBinder services that untrusted apps can't directly access
-attribute protected_hwservice;
-
-# All types used for services managed by vndservicemanager
-attribute vndservice_manager_type;
-
-
-# All domains that can override MLS restrictions.
-# i.e. processes that can read up and write down.
-attribute mlstrustedsubject;
-
-# All types that can override MLS restrictions.
-# i.e. files that can be read by lower and written by higher
-attribute mlstrustedobject;
-
-# All domains used for apps.
-attribute appdomain;
-
-# All third party apps (except isolated_app and ephemeral_app)
-attribute untrusted_app_all;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# update_engine related domains that need to apply an update and run
-# postinstall. This includes the background daemon and the sideload tool from
-# recovery for A/B devices.
-attribute update_engine_common;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All vendor hwservice.
-attribute vendor_hwservice_type;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-expandattribute coredomain_socket false;
-
-# All vendor domains which violate the requirement of not using sockets for
-# communicating with core components
-# TODO(b/36577153): Remove this once there are no violations
-attribute socket_between_core_and_vendor_violators;
-expandattribute socket_between_core_and_vendor_violators false;
-
-# All vendor domains which violate the requirement of not executing
-# system processes
-# TODO(b/36463595)
-attribute vendor_executes_system_violators;
-expandattribute vendor_executes_system_violators false;
-
-# All domains which violate the requirement of not sharing files by path
-# between between vendor and core domains.
-# TODO(b/34980020)
-attribute data_between_core_and_vendor_violators;
-expandattribute data_between_core_and_vendor_violators false;
-
-# All system domains which violate the requirement of not executing vendor
-# binaries/libraries.
-# TODO(b/62041836)
-attribute system_executes_vendor_violators;
-expandattribute system_executes_vendor_violators false;
-
-# All system domains which violate the requirement of not writing vendor
-# properties.
-# TODO(b/78598545): Remove this once there are no violations
-attribute system_writes_vendor_properties_violators;
-expandattribute system_writes_vendor_properties_violators false;
-
-# All system domains which violate the requirement of not writing to
-# /mnt/vendor/*. Must not be used on devices launched with P or later.
-attribute system_writes_mnt_vendor_violators;
-expandattribute system_writes_mnt_vendor_violators false;
-
-# hwservices that are accessible from untrusted applications
-# WARNING: Use of this attribute should be avoided unless
-# absolutely necessary. It is a temporary allowance to aid the
-# transition to treble and will be removed in a future platform
-# version, requiring all hwservices that are labeled with this
-# attribute to be submitted to AOSP in order to maintain their
-# app-visibility.
-attribute untrusted_app_visible_hwservice_violators;
-expandattribute untrusted_app_visible_hwservice_violators false;
-
-# halserver domains that are accessible to untrusted applications. These
-# domains are typically those hosting hwservices attributed by the
-# untrusted_app_visible_hwservice_violators.
-# WARNING: Use of this attribute should be avoided unless absolutely necessary.
-# It is a temporary allowance to aid the transition to treble and will be
-# removed in the future platform version, requiring all halserver domains that
-# are labeled with this attribute to be submitted to AOSP in order to maintain
-# their app-visibility.
-attribute untrusted_app_visible_halserver_violators;
-expandattribute untrusted_app_visible_halserver_violators false;
-
-# PDX services
-attribute pdx_endpoint_dir_type;
-attribute pdx_endpoint_socket_type;
-expandattribute pdx_endpoint_socket_type false;
-attribute pdx_channel_socket_type;
-expandattribute pdx_channel_socket_type false;
-
-pdx_service_attributes(display_client)
-pdx_service_attributes(display_manager)
-pdx_service_attributes(display_screenshot)
-pdx_service_attributes(display_vsync)
-pdx_service_attributes(performance_client)
-pdx_service_attributes(bufferhub_client)
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-expandattribute halclientdomain true;
-
-# Exempt for halserverdomain to access sockets. Only builds for automotive
-# device types are allowed to use this attribute (enforced by CTS).
-# Unlike phone, in a car many modules are external from Android perspective and
-# HALs should be able to communicate with those devices through sockets.
-attribute hal_automotive_socket_exemption;
-
-# HALs
-hal_attribute(allocator);
-hal_attribute(atrace);
-hal_attribute(audio);
-hal_attribute(audiocontrol);
-hal_attribute(authsecret);
-hal_attribute(bluetooth);
-hal_attribute(bootctl);
-hal_attribute(bufferhub);
-hal_attribute(broadcastradio);
-hal_attribute(camera);
-hal_attribute(can_bus);
-hal_attribute(can_controller);
-hal_attribute(cas);
-hal_attribute(codec2);
-hal_attribute(configstore);
-hal_attribute(confirmationui);
-hal_attribute(contexthub);
-hal_attribute(drm);
-hal_attribute(dumpstate);
-hal_attribute(evs);
-hal_attribute(face);
-hal_attribute(fingerprint);
-hal_attribute(gatekeeper);
-hal_attribute(gnss);
-hal_attribute(graphics_allocator);
-hal_attribute(graphics_composer);
-hal_attribute(health);
-hal_attribute(health_storage);
-hal_attribute(identity);
-hal_attribute(input_classifier);
-hal_attribute(ir);
-hal_attribute(keymaster);
-hal_attribute(keymint);
-hal_attribute(light);
-hal_attribute(lowpan);
-hal_attribute(memtrack);
-hal_attribute(neuralnetworks);
-hal_attribute(nfc);
-hal_attribute(oemlock);
-hal_attribute(omx);
-hal_attribute(power);
-hal_attribute(power_stats);
-hal_attribute(rebootescrow);
-hal_attribute(secure_element);
-hal_attribute(sensors);
-hal_attribute(telephony);
-hal_attribute(tetheroffload);
-hal_attribute(thermal);
-hal_attribute(tv_cec);
-hal_attribute(tv_input);
-hal_attribute(tv_tuner);
-hal_attribute(usb);
-hal_attribute(usb_gadget);
-hal_attribute(uwb);
-hal_attribute(vehicle);
-hal_attribute(vibrator);
-hal_attribute(vr);
-hal_attribute(weaver);
-hal_attribute(wifi);
-hal_attribute(wifi_hostapd);
-hal_attribute(wifi_supplicant);
-
-# HwBinder services offered across the core-vendor boundary
-#
-# We annotate server domains with x_server to loosen the coupling between
-# system and vendor images. For example, it should be possible to move a service
-# from one core domain to another, without having to update the vendor image
-# which contains clients of this service.
-
-attribute automotive_display_service_server;
-attribute camera_service_server;
-attribute display_service_server;
-attribute scheduler_service_server;
-attribute sensor_service_server;
-attribute stats_service_server;
-attribute system_suspend_internal_server;
-attribute system_suspend_server;
-attribute wifi_keystore_service_server;
-
-# All types used for super partition block devices.
-attribute super_block_device_type;
-
-# All types used for DMA-BUF heaps
-attribute dmabuf_heap_device_type;
-expandattribute dmabuf_heap_device_type false;
-
-# All types used for DSU metadata files.
-attribute gsi_metadata_file_type;
diff --git a/prebuilts/api/31.0/public/audioserver.te b/prebuilts/api/31.0/public/audioserver.te
deleted file mode 100644
index a8a33cc..0000000
--- a/prebuilts/api/31.0/public/audioserver.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# audioserver - audio services daemon
-type audioserver, domain;
-type audioserver_tmpfs, file_type;
-
-# Allow audioserver to signal audio HAL processes and dump their stacks.
-allow audioserver hal_audio_server:process signal;
diff --git a/prebuilts/api/31.0/public/blkid.te b/prebuilts/api/31.0/public/blkid.te
deleted file mode 100644
index dabe014..0000000
--- a/prebuilts/api/31.0/public/blkid.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid called from vold
-type blkid, domain;
diff --git a/prebuilts/api/31.0/public/blkid_untrusted.te b/prebuilts/api/31.0/public/blkid_untrusted.te
deleted file mode 100644
index 4be4c0c..0000000
--- a/prebuilts/api/31.0/public/blkid_untrusted.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain;
diff --git a/prebuilts/api/31.0/public/bluetooth.te b/prebuilts/api/31.0/public/bluetooth.te
deleted file mode 100644
index 9b3442a..0000000
--- a/prebuilts/api/31.0/public/bluetooth.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# bluetooth subsystem
-type bluetooth, domain;
diff --git a/prebuilts/api/31.0/public/bootanim.te b/prebuilts/api/31.0/public/bootanim.te
deleted file mode 100644
index 88fe173..0000000
--- a/prebuilts/api/31.0/public/bootanim.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# bootanimation oneshot service
-type bootanim, domain;
-type bootanim_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bootanim, hal_configstore)
-hal_client_domain(bootanim, hal_graphics_allocator)
-hal_client_domain(bootanim, hal_graphics_composer)
-
-binder_use(bootanim)
-binder_call(bootanim, surfaceflinger)
-binder_call(bootanim, audioserver)
-
-hwbinder_use(bootanim)
-
-allow bootanim gpu_device:chr_file rw_file_perms;
-
-# /oem access
-allow bootanim oemfs:dir search;
-allow bootanim oemfs:file r_file_perms;
-
-allow bootanim audio_device:dir r_dir_perms;
-allow bootanim audio_device:chr_file rw_file_perms;
-
-allow bootanim audioserver_service:service_manager find;
-allow bootanim surfaceflinger_service:service_manager find;
-allow bootanim surfaceflinger:unix_stream_socket { read write };
-
-# Allow access to ion memory allocation device
-allow bootanim ion_device:chr_file rw_file_perms;
-
-# Allow access to DMA-BUF system heap
-allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow bootanim hal_graphics_allocator:fd use;
-
-# Fences
-allow bootanim hal_graphics_composer:fd use;
-
-# Read access to pseudo filesystems.
-allow bootanim proc_meminfo:file r_file_perms;
-
-# System file accesses.
-allow bootanim system_file:dir r_dir_perms;
diff --git a/prebuilts/api/31.0/public/bootstat.te b/prebuilts/api/31.0/public/bootstat.te
deleted file mode 100644
index 5079c28..0000000
--- a/prebuilts/api/31.0/public/bootstat.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# bootstat command
-type bootstat, domain;
-type bootstat_exec, system_file_type, exec_type, file_type;
-
-read_runtime_log_tags(bootstat)
-
-# Allow persistent storage in /data/misc/bootstat.
-allow bootstat bootstat_data_file:dir rw_dir_perms;
-allow bootstat bootstat_data_file:file create_file_perms;
-
-allow bootstat metadata_file:dir search;
-allow bootstat metadata_bootstat_file:dir rw_dir_perms;
-allow bootstat metadata_bootstat_file:file create_file_perms;
-
-# ToDo: TBI move access for the following to a system health HAL
-
-# Allow access to /sys/fs/pstore/ and syslog
-allow bootstat pstorefs:dir search;
-allow bootstat pstorefs:file r_file_perms;
-allow bootstat kernel:system syslog_read;
-
-# Allow access to reading the logs to read aspects of system health
-read_logd(bootstat)
-
-# Allow bootstat write to statsd.
-unix_socket_send(bootstat, statsdw, statsd)
-
-neverallow {
- domain
- -bootstat
- -init
-} system_boot_reason_prop:property_service set;
diff --git a/prebuilts/api/31.0/public/bufferhubd.te b/prebuilts/api/31.0/public/bufferhubd.te
deleted file mode 100644
index 37edb5d..0000000
--- a/prebuilts/api/31.0/public/bufferhubd.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# bufferhubd
-type bufferhubd, domain, mlstrustedsubject;
-type bufferhubd_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(bufferhubd, hal_graphics_allocator)
-
-# TODO(b/112338294): remove these after migrate to Binder
-pdx_server(bufferhubd, bufferhub_client)
-pdx_client(bufferhubd, performance_client)
-
-# Access the GPU.
-allow bufferhubd gpu_device:chr_file rw_file_perms;
-
-# Access /dev/ion
-allow bufferhubd ion_device:chr_file r_file_perms;
-
-# Receive sync fence FDs from hal_omx_server. Note that hal_omx_server never directly
-# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
-# those two: it talks to hal_omx_server via Binder and talks to bufferhubd via PDX.
-# Thus, there is no need to use pdx_client macro.
-allow bufferhubd hal_omx_server:fd use;
-
-# Codec2 is similar to OMX
-allow bufferhubd hal_codec2_server:fd use;
-
diff --git a/prebuilts/api/31.0/public/camera_service_server.te b/prebuilts/api/31.0/public/camera_service_server.te
deleted file mode 100644
index 352e1b7..0000000
--- a/prebuilts/api/31.0/public/camera_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(camera_service_server, fwk_camera_hwservice)
diff --git a/prebuilts/api/31.0/public/cameraserver.te b/prebuilts/api/31.0/public/cameraserver.te
deleted file mode 100644
index 7a29240..0000000
--- a/prebuilts/api/31.0/public/cameraserver.te
+++ /dev/null
@@ -1,76 +0,0 @@
-# cameraserver - camera daemon
-type cameraserver, domain;
-type cameraserver_exec, system_file_type, exec_type, file_type;
-type cameraserver_tmpfs, file_type;
-
-binder_use(cameraserver)
-binder_call(cameraserver, binderservicedomain)
-binder_call(cameraserver, appdomain)
-binder_service(cameraserver)
-
-hal_client_domain(cameraserver, hal_camera)
-
-hal_client_domain(cameraserver, hal_graphics_allocator)
-
-allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Talk with graphics composer fences
-allow cameraserver hal_graphics_composer:fd use;
-
-add_service(cameraserver, cameraserver_service)
-add_hwservice(cameraserver, fwk_camera_hwservice)
-
-allow cameraserver activity_service:service_manager find;
-allow cameraserver appops_service:service_manager find;
-allow cameraserver audioserver_service:service_manager find;
-allow cameraserver batterystats_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver package_native_service:service_manager find;
-allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
-allow cameraserver sensor_privacy_service:service_manager find;
-allow cameraserver surfaceflinger_service:service_manager find;
-
-allow cameraserver hidl_token_hwservice:hwservice_manager find;
-
-###
-### neverallow rules
-###
-
-# cameraserver should never execute any executable without a
-# domain transition
-neverallow cameraserver { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Allow shell commands from ADB for CTS testing/dumping
-allow cameraserver adbd:fd use;
-allow cameraserver adbd:unix_stream_socket { read write };
-allow cameraserver shell:fd use;
-allow cameraserver shell:unix_stream_socket { read write };
-allow cameraserver shell:fifo_file { read write };
-
-# Allow to talk with media codec
-allow cameraserver mediametrics_service:service_manager find;
-hal_client_domain(cameraserver, hal_codec2)
-hal_client_domain(cameraserver, hal_omx)
-hal_client_domain(cameraserver, hal_allocator)
-
-# Allow shell commands from ADB for CTS testing/dumping
-userdebug_or_eng(`
- allow cameraserver su:fd use;
- allow cameraserver su:fifo_file { read write };
- allow cameraserver su:unix_stream_socket { read write };
-')
diff --git a/prebuilts/api/31.0/public/charger.te b/prebuilts/api/31.0/public/charger.te
deleted file mode 100644
index 37359e3..0000000
--- a/prebuilts/api/31.0/public/charger.te
+++ /dev/null
@@ -1,40 +0,0 @@
-type charger, domain;
-type charger_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow charger kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charger, rootfs)
-r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
-
-# Allow to read /sys/class/power_supply directory
-allow charger sysfs_type:dir r_dir_perms;
-
-allow charger self:global_capability_class_set { sys_tty_config };
-allow charger self:global_capability_class_set sys_boot;
-
-wakelock_use(charger)
-
-allow charger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Read/write to /sys/power/state
-allow charger sysfs_power:file rw_file_perms;
-
-r_dir_file(charger, sysfs_batteryinfo)
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charger pstorefs:dir r_dir_perms;
-allow charger pstorefs:file r_file_perms;
-
-allow charger graphics_device:dir r_dir_perms;
-allow charger graphics_device:chr_file rw_file_perms;
-allow charger input_device:dir r_dir_perms;
-allow charger input_device:chr_file r_file_perms;
-allow charger tty_device:chr_file rw_file_perms;
-allow charger proc_sysrq:file rw_file_perms;
-
-hal_client_domain(charger, hal_health)
diff --git a/prebuilts/api/31.0/public/crash_dump.te b/prebuilts/api/31.0/public/crash_dump.te
deleted file mode 100644
index a6f0a94..0000000
--- a/prebuilts/api/31.0/public/crash_dump.te
+++ /dev/null
@@ -1,78 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, system_file_type, exec_type, file_type;
-
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-userdebug_or_eng(`
- allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
-
- # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
- allow crash_dump kmsg_debug_device:chr_file { open append };
-')
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read /data/dalvik-cache.
-allow crash_dump dalvikcache_data_file:dir { search getattr };
-allow crash_dump dalvikcache_data_file:file r_file_perms;
-
-# Read APEX data directories.
-allow crash_dump apex_module_data_file:dir { getattr search };
-
-# Read APK files.
-r_dir_file(crash_dump, apk_data_file);
-
-# Read all /vendor
-r_dir_file(crash_dump, { vendor_file same_process_hal_file })
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Talk to ActivityManager.
-unix_socket_connect(crash_dump, system_ndebug, system_server)
-
-# Append to ANR files.
-allow crash_dump anr_data_file:file { append getattr };
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
- core_data_file_type
- vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
-###
-### neverallow assertions
-###
-
-# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
-# Do not allow the execution of crash_dump without a domain transition.
-neverallow domain crash_dump_exec:file execute_no_trans;
diff --git a/prebuilts/api/31.0/public/credstore.te b/prebuilts/api/31.0/public/credstore.te
deleted file mode 100644
index 97d942d..0000000
--- a/prebuilts/api/31.0/public/credstore.te
+++ /dev/null
@@ -1,19 +0,0 @@
-type credstore, domain;
-type credstore_exec, system_file_type, exec_type, file_type;
-
-# credstore daemon
-binder_use(credstore)
-binder_service(credstore)
-binder_call(credstore, system_server)
-
-allow credstore credstore_data_file:dir create_dir_perms;
-allow credstore credstore_data_file:file create_file_perms;
-
-add_service(credstore, credstore_service)
-allow credstore sec_key_att_app_id_provider_service:service_manager find;
-allow credstore dropbox_service:service_manager find;
-allow credstore authorization_service:service_manager find;
-allow credstore keystore:keystore2 get_auth_token;
-
-r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/prebuilts/api/31.0/public/device.te b/prebuilts/api/31.0/public/device.te
deleted file mode 100644
index cc2ef57..0000000
--- a/prebuilts/api/31.0/public/device.te
+++ /dev/null
@@ -1,123 +0,0 @@
-# Device types
-type device, dev_type, fs_type;
-type ashmem_device, dev_type, mlstrustedobject;
-type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
-type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
-type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
-type keychord_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
-type rtc_device, dev_type;
-type vd_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type fscklogs, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type port_device, dev_type;
-type lowpan_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type, mlstrustedobject;
-type kmsg_debug_device, dev_type;
-type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type secure_element_device, dev_type;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type usb_serial_device, dev_type;
-type gnss_device, dev_type;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type property_info, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type, bdev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
-
-# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
-
-# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
-
-# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
-
-# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
-
-# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
-
-# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
-
-# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
-
-# sdcard devices; normally vold uses the vold_block_device label and creates a
-# separate device node. gsid, however, accesses the original devide node
-# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
-
-# Userdata device file for filesystem tunables
-type userdata_sysdev, dev_type;
diff --git a/prebuilts/api/31.0/public/dhcp.te b/prebuilts/api/31.0/public/dhcp.te
deleted file mode 100644
index 1d875ab..0000000
--- a/prebuilts/api/31.0/public/dhcp.te
+++ /dev/null
@@ -1,28 +0,0 @@
-type dhcp, domain;
-type dhcp_exec, system_file_type, exec_type, file_type;
-
-net_domain(dhcp)
-
-allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
-allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
-allow dhcp self:packet_socket create_socket_perms_no_ioctl;
-allow dhcp self:netlink_route_socket nlmsg_write;
-allow dhcp shell_exec:file rx_file_perms;
-allow dhcp system_file:file rx_file_perms;
-not_full_treble(`allow dhcp vendor_file:file rx_file_perms;')
-
-# dhcpcd runs dhcpcd-hooks/*, which runs getprop / setprop (toolbox_exec)
-allow dhcp toolbox_exec:file rx_file_perms;
-
-# For /proc/sys/net/ipv4/conf/*/promote_secondaries
-allow dhcp proc_net_type:file write;
-
-allow dhcp dhcp_data_file:dir create_dir_perms;
-allow dhcp dhcp_data_file:file create_file_perms;
-
-# PAN connections
-allow dhcp netd:fd use;
-allow dhcp netd:fifo_file rw_file_perms;
-allow dhcp netd:{ dgram_socket_class_set unix_stream_socket } { read write };
-allow dhcp netd:{ netlink_kobject_uevent_socket netlink_route_socket netlink_nflog_socket } { read write };
diff --git a/prebuilts/api/31.0/public/display_service_server.te b/prebuilts/api/31.0/public/display_service_server.te
deleted file mode 100644
index c5839fa..0000000
--- a/prebuilts/api/31.0/public/display_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(display_service_server, fwk_display_hwservice)
diff --git a/prebuilts/api/31.0/public/dnsmasq.te b/prebuilts/api/31.0/public/dnsmasq.te
deleted file mode 100644
index 86f1eb1..0000000
--- a/prebuilts/api/31.0/public/dnsmasq.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# DNS, DHCP services
-type dnsmasq, domain;
-type dnsmasq_exec, system_file_type, exec_type, file_type;
-
-net_domain(dnsmasq)
-allowxperm dnsmasq self:udp_socket ioctl priv_sock_ioctls;
-
-# TODO: Run with dhcp group to avoid need for dac_override.
-allow dnsmasq self:global_capability_class_set { dac_override dac_read_search };
-
-allow dnsmasq self:global_capability_class_set { net_admin net_raw net_bind_service setgid setuid };
-
-allow dnsmasq dhcp_data_file:dir w_dir_perms;
-allow dnsmasq dhcp_data_file:file create_file_perms;
-
-# Inherit and use open files from netd.
-allow dnsmasq netd:fd use;
-allow dnsmasq netd:fifo_file { getattr read write };
-# TODO: Investigate whether these inherited sockets should be closed on exec.
-allow dnsmasq netd:netlink_kobject_uevent_socket { read write };
-allow dnsmasq netd:netlink_nflog_socket { read write };
-allow dnsmasq netd:netlink_route_socket { read write };
-allow dnsmasq netd:unix_stream_socket { getattr read write };
-allow dnsmasq netd:unix_dgram_socket { read write };
-allow dnsmasq netd:udp_socket { read write };
-
-# sometimes a network device vanishes and we try to load module netdev-{devicename}
-dontaudit dnsmasq kernel:system module_request;
diff --git a/prebuilts/api/31.0/public/domain.te b/prebuilts/api/31.0/public/domain.te
deleted file mode 100644
index 799a2f1..0000000
--- a/prebuilts/api/31.0/public/domain.te
+++ /dev/null
@@ -1,1400 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-userdebug_or_eng(`
- allow domain su:fd use;
- allow domain su:unix_stream_socket { connectto getattr getopt read write shutdown };
- allow domain su:unix_dgram_socket sendto;
-
- allow { domain -init } su:binder { call transfer };
-
- # Running something like "pm dump com.android.bluetooth" requires
- # fifo writes
- allow domain su:fifo_file { write getattr };
-
- # allow "gdbserver --attach" to work for su.
- allow domain su:process sigchld;
-
- # Allow writing coredumps to /cores/*
- allow domain coredump_file:file create_file_perms;
- allow domain coredump_file:dir ra_dir_perms;
-')
-
-with_native_coverage(`
- # Allow writing coverage information to /data/misc/trace
- allow domain method_trace_data_file:dir create_dir_perms;
- allow domain method_trace_data_file:file create_file_perms;
-')
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir r_dir_perms;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/ashmem is being deprecated by means of constraining and eventually
-# removing all "open" permissions. We preserve the other permissions.
-allow domain ashmem_device:chr_file { getattr read ioctl lock map append write };
-# This device is used by libcutils, which is accessible to everyone.
-allow domain ashmem_libcutils_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager -vndservicemanager -isolated_app } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, exported_config_prop)
-get_prop(domain, exported_default_prop)
-get_prop(domain, exported_dumpstate_prop)
-get_prop(domain, exported_secure_prop)
-get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
-get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
-get_prop(domain, vendor_socket_hook_prop)
-get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
-
-# Binder cache properties are world-readable
-get_prop(domain, binder_cache_bluetooth_server_prop)
-get_prop(domain, binder_cache_system_server_prop)
-get_prop(domain, binder_cache_telephony_server_prop)
-
-# Let everyone read log properties, so that liblog can avoid sending unloggable
-# messages to logd.
-get_prop(domain, log_property_type)
-dontaudit domain property_type:file audit_access;
-allow domain property_contexts_file:file r_file_perms;
-
-allow domain init:key search;
-allow domain vold:key search;
-
-# logd access
-write_logd(domain)
-
-# Directory/link file access for path resolution.
-allow domain {
- system_file
- system_lib_file
- system_seccomp_policy_file
- system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow { appdomain coredomain } system_file:file { execute read open getattr map };
-
-# Make sure system/vendor split doesn not affect non-treble
-# devices
-not_full_treble(`
- allow domain system_file:file { execute read open getattr map };
- allow domain vendor_file_type:dir { search getattr };
- allow domain vendor_file_type:file { execute read open getattr map };
- allow domain vendor_file_type:lnk_file { getattr read };
-')
-
-# All domains are allowed to open and read directories
-# that contain HAL implementations (e.g. passthrough
-# HALs require clients to have these permissions)
-allow domain vendor_hal_file:dir r_dir_perms;
-
-# Everyone can read and execute all same process HALs
-allow domain same_process_hal_file:dir r_dir_perms;
-allow {
- domain
- -coredomain # access is explicitly granted to individual coredomains
-} same_process_hal_file:file { execute read open getattr map };
-
-# Any process can load vndk-sp libraries, which are system libraries
-# used by same process HALs
-allow domain vndk_sp_file:dir r_dir_perms;
-allow domain vndk_sp_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-full_treble_only(`
- # Allow all domains to be able to follow /system/vendor and/or
- # /vendor/odm symlinks.
- allow domain vendor_file_type:lnk_file { getattr open read };
-
- # This is required to be able to search & read /vendor/lib64
- # in order to lookup vendor libraries. The execute permission
- # for coredomains is granted *only* for same process HALs
- allow domain vendor_file:dir { getattr search };
-
- # Allow reading and executing out of /vendor to all vendor domains
- allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
- allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
- allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-')
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# libc references /data/misc/zoneinfo and /system/usr/share/zoneinfo for
-# timezone related information.
-# This directory is considered to be a VNDK-stable
-allow domain { system_zoneinfo_file zoneinfo_data_file }:file r_file_perms;
-allow domain { system_zoneinfo_file zoneinfo_data_file }:dir r_dir_perms;
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-r_dir_file(domain, sysfs_usb);
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-# files under /data.
-not_full_treble(`
- allow domain system_data_file:dir getattr;
-')
-allow { coredomain appdomain } system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# /dev/cpu_variant:.*
-allow domain dev_cpu_variant:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# Support sqlite F2FS specific optimizations
-# ioctl permission on the specific file type is still required
-# TODO: consider only compiling these rules if we know the
-# /data partition is F2FS
-allowxperm domain { file_type sdcard_type }:file ioctl {
- F2FS_IOC_ABORT_VOLATILE_WRITE
- F2FS_IOC_COMMIT_ATOMIC_WRITE
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_PIN_FILE
- F2FS_IOC_SET_PIN_FILE
- F2FS_IOC_START_ATOMIC_WRITE
-};
-
-# Workaround for policy compiler being too aggressive and removing hwservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } hwservice_manager_type:hwservice_manager { add find };
-# Workaround for policy compiler being too aggressive and removing vndservice_manager_type
-# when it's not explicitly used in allow rules
-allow { domain -domain } vndservice_manager_type:service_manager { add find };
-
-# Under ASAN, processes will try to read /data, as the sanitized libraries are there.
-with_asan(`allow domain system_data_file:dir getattr;')
-# Under ASAN, /system/asan.options needs to be globally accessible.
-with_asan(`allow domain system_asan_options_file:file r_file_perms;')
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
- -vold
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
- domain
- -shell # For CTS, restricted to just getattr in shell.te
- -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-# b/78174219 b/64114943
-neverallow {
- domain
- -shell # stat of /dev, getattr only
- -ueventd
-} keychord_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type or postinstall_file.
-neverallow * { file_type -exec_type -postinstall_file }:file entrypoint;
-
-# The dynamic linker always calls access(2) on the path. Don't generate SElinux
-# denials since the linker does not actually access the path in case the path
-# does not exist or isn't accessible for the process.
-dontaudit domain postinstall_mnt_dir:dir audit_access;
-
-#Ensure that nothing in userspace can access /dev/port
-neverallow {
- domain
- -shell # Shell user should not have any abilities outside of getattr
- -ueventd
-} port_device:chr_file *;
-neverallow * port_device:chr_file ~{ create relabelto unlink setattr getattr };
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# Files from cache should never be executed
-neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
-
-# The test files and executables MUST not be accessible to any domain
-neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
-neverallow domain nativetest_data_file:dir no_w_dir_perms;
-neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-
-neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
-neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_data_file:dir no_w_dir_perms;
-neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
- recovery_only(`userdebug_or_eng(`-fastbootd')')
-} {
- system_file_type
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * contextmount_type:dir_file_class_set
- { create setattr relabelfrom relabelto append link rename };
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } contextmount_type:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-neverallow * default_android_vndservice:service_manager *;
-neverallow * default_android_hwservice:hwservice_manager *;
-
-# Looking up the base class/interface of all HwBinder services is a bad idea.
-# hwservicemanager currently offer such lookups only to make it so that security
-# decisions are expressed in SELinux policy. However, it's unclear whether this
-# lookup has security implications. If it doesn't, hwservicemanager should be
-# modified to not offer this lookup.
-# This rule can be removed if hwservicemanager is modified to not permit these
-# lookups.
-neverallow * hidl_base_hwservice:hwservice_manager find;
-
-# Require that domains explicitly label unknown properties, and do not allow
-# anyone but init to modify unknown properties.
-neverallow { domain -init -vendor_init } mmc_prop:property_service set;
-neverallow { domain -init -vendor_init } vndk_prop:property_service set;
-
-compatible_property_only(`
- neverallow { domain -init } mmc_prop:property_service set;
- neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
- neverallow { domain -init } exported_secure_prop:property_service set;
- neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
- neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
- neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
-')
-
-compatible_property_only(`
- neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
- neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
-')
-
-neverallow { domain -init } aac_drc_prop:property_service set;
-neverallow { domain -init } build_prop:property_service set;
-
-# Do not allow reading device's serial number from system properties except form
-# a few allowed domains.
-neverallow {
- domain
- -adbd
- -dumpstate
- -fastbootd
- -hal_camera_server
- -hal_cas_server
- -hal_drm_server
- userdebug_or_eng(`-incidentd')
- -init
- -mediadrmserver
- -mediaserver
- -recovery
- -shell
- -system_server
- -vendor_init
-} serialno_prop:file r_file_perms;
-
-neverallow {
- domain
- -init
- -recovery
- -system_server
- -shell # Shell is further restricted in shell.te
- -ueventd # Further restricted in ueventd.te
-} frp_block_device:blk_file no_rw_file_perms;
-
-# The metadata block device is set aside for device encryption and
-# verified boot metadata. It may be reset at will and should not
-# be used by other domains.
-neverallow {
- domain
- -init
- -recovery
- -vold
- -e2fs
- -fsck
- -fastbootd
-} metadata_block_device:blk_file { append link rename write open read ioctl lock };
-
-# No domain other than recovery, update_engine and fastbootd can write to system partition(s).
-neverallow {
- domain
- -fastbootd
- userdebug_or_eng(`-fsck')
- userdebug_or_eng(`-init')
- -recovery
- -update_engine
-} system_block_device:blk_file { write append };
-
-# No domains other than a select few can access the misc_block_device. This
-# block device is reserved for OTA use.
-# Do not assert this rule on userdebug/eng builds, due to some devices using
-# this partition for testing purposes.
-neverallow {
- domain
- userdebug_or_eng(`-domain') # exclude debuggable builds
- -fastbootd
- -hal_bootctl_server
- -init
- -uncrypt
- -update_engine
- -vendor_init
- -vendor_misc_writer
- -vold
- -recovery
- -ueventd
-} misc_block_device:blk_file { append link relabelfrom rename write open read ioctl lock };
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-neverallow { domain -servicemanager -hwservicemanager -vndservicemanager } *:binder set_context_mgr;
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow hwservicemanager vndbinder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager binder_device:chr_file no_rw_file_perms;
-neverallow vndservicemanager hwbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-full_treble_only(`
- # vendor services cant add system services
- neverallow {
- domain
- -coredomain
- } {
- service_manager_type
- -vendor_service
- }:service_manager add;
-')
-
-full_treble_only(`
- # Vendor apps are permited to use only stable public services. If they were to use arbitrary
- # services which can change any time framework/core is updated, breakage is likely.
- #
- # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
- neverallow {
- appdomain
- -coredomain
- } {
- service_manager_type
-
- -app_api_service
- -vendor_service # must be @VintfStability to be used by an app
- -ephemeral_app_api_service
-
- -apc_service
- -audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
- -cameraserver_service
- -drmserver_service
- -credstore_service
- -keystore_maintenance_service
- -keystore_service
- -legacykeystore_service
- -mediadrmserver_service
- -mediaextractor_service
- -mediametrics_service
- -mediaserver_service
- -nfc_service
- -radio_service
- -virtual_touchpad_service
- -vr_hwc_service
- -vr_manager_service
- userdebug_or_eng(`-hal_face_service')
- }:service_manager find;
-')
-
-# On full TREBLE devices, only vendor components, shell, and su can use VendorBinder.
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- -ueventd # uevent is granted create for this device, but we still neverallow I/O below
- } vndbinder_device:chr_file rw_file_perms;
-')
-full_treble_only(`
- neverallow ueventd vndbinder_device:chr_file { read write append ioctl };
-')
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservice_manager_type:service_manager *;
-')
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- userdebug_or_eng(`-su')
- } vndservicemanager:binder *;
-')
-
-# On full TREBLE devices, socket communications between core components and vendor components are
-# not permitted.
- # Most general rules first, more specific rules below.
-
- # Core domains are not permitted to initiate communications to vendor domain sockets.
- # We are not restricting the use of already established sockets because it is fine for a process
- # to obtain an already established socket via some public/official/stable API and then exchange
- # data with its peer over that socket. The wire format in this scenario is dicatated by the API
- # and thus does not break the core-vendor separation.
-full_treble_only(`
- neverallow_establish_socket_comms({
- coredomain
- -init
- -adbd
- }, {
- domain
- -coredomain
- -socket_between_core_and_vendor_violators
- });
-')
-
- # Vendor domains are not permitted to initiate create/open sockets owned by core domains
-full_treble_only(`
- neverallow {
- domain
- -coredomain
- -appdomain # appdomain restrictions below
- -data_between_core_and_vendor_violators # b/70393317
- -socket_between_core_and_vendor_violators
- -vendor_init
- } {
- coredomain_socket
- core_data_file_type
- unlabeled # used only by core domains
- }:sock_file ~{ append getattr ioctl read write };
-')
-full_treble_only(`
- neverallow {
- appdomain
- -coredomain
- } {
- coredomain_socket
- unlabeled # used only by core domains
- core_data_file_type
- -app_data_file
- -privapp_data_file
- -pdx_endpoint_socket_type # used by VR layer
- -pdx_channel_socket_type # used by VR layer
- }:sock_file ~{ append getattr ioctl read write };
-')
-
- # Core domains are not permitted to create/open sockets owned by vendor domains
-full_treble_only(`
- neverallow {
- coredomain
- -init
- -ueventd
- -socket_between_core_and_vendor_violators
- } {
- file_type
- dev_type
- -coredomain_socket
- -core_data_file_type
- -app_data_file_type
- -unlabeled
- }:sock_file ~{ append getattr ioctl read write };
-')
-
-# On TREBLE devices, vendor and system components are only allowed to share
-# files by passing open FDs over hwbinder. Ban all directory access and all file
-# accesses other than what can be applied to an open FD such as
-# ioctl/stat/read/write/append. This is enforced by segregating /data.
-# Vendor domains may directly access file in /data/vendor by path, but may only
-# access files outside of /data/vendor via an open FD passed over hwbinder.
-# Likewise, core domains may only directly access files outside /data/vendor by
-# path and files in /data/vendor by open FD.
-full_treble_only(`
- # only coredomains may only access core_data_file_type, particularly not
- # /data/vendor
- neverallow {
- coredomain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -data_between_core_and_vendor_violators
- -init
- -vold_prepare_subdirs
- } {
- data_file_type
- -core_data_file_type
- -app_data_file_type
- }:file_class_set ~{ append getattr ioctl read write map };
-')
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -data_between_core_and_vendor_violators
- -init
- -vold_prepare_subdirs
- } {
- data_file_type
- -core_data_file_type
- -app_data_file_type
- # TODO(b/72998741) Remove exemption. Further restricted in a subsequent
- # neverallow. Currently only getattr and search are allowed.
- -vendor_data_file
- }:dir *;
-
-')
-full_treble_only(`
- # vendor domains may only access files in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -vendor_init
- } {
- core_data_file_type
- # libc includes functions like mktime and localtime which attempt to access
- # files in /data/misc/zoneinfo/tzdata and /system/usr/share/zoneinfo/tzdata.
- # These functions are considered vndk-stable and thus must be allowed for
- # all processes.
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:file_class_set ~{ append getattr ioctl read write map };
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -unencrypted_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:file_class_set ~{ append getattr ioctl read write map };
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:file ~r_file_perms;
-')
-full_treble_only(`
- # vendor domains may only access dirs in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators
- -vendor_init
- } {
- core_data_file_type
- -system_data_file # default label for files on /data. Covered below...
- -system_data_root_file
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:dir *;
- neverallow {
- vendor_init
- -data_between_core_and_vendor_violators
- } {
- core_data_file_type
- -unencrypted_data_file
- -system_data_file
- -system_data_root_file
- -vendor_data_file
- -zoneinfo_data_file
- with_native_coverage(`-method_trace_data_file')
- }:dir *;
- # vendor init needs to be able to read unencrypted_data_file to create directories with FBE.
- # The vendor init binary lives on the system partition so there is not a concern with stability.
- neverallow vendor_init unencrypted_data_file:dir ~search;
-')
-full_treble_only(`
- # vendor domains may only access dirs in /data/vendor, never core_data_file_types
- neverallow {
- domain
- -appdomain # TODO(b/34980020) remove exemption for appdomain
- -coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- } {
- system_data_file # default label for files on /data. Covered below
- }:dir ~{ getattr search };
-')
-
-full_treble_only(`
- # coredomains may not access dirs in /data/vendor.
- neverallow {
- coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -init
- -vold # vold creates per-user storage for both system and vendor
- -vold_prepare_subdirs
- } {
- vendor_data_file # default label for files on /data. Covered below
- }:dir ~{ getattr search };
-')
-
-full_treble_only(`
- # coredomains may not access dirs in /data/vendor.
- neverallow {
- coredomain
- -data_between_core_and_vendor_violators # TODO(b/34980020) Remove once all violators have been cleaned up
- -init
- } {
- vendor_data_file # default label for files on /data/vendor{,_ce,_de}.
- }:file_class_set ~{ append getattr ioctl read write map };
-')
-
-full_treble_only(`
- # Non-vendor domains are not allowed to file execute shell
- # from vendor
- neverallow {
- coredomain
- -init
- -shell
- -ueventd
- } vendor_shell_exec:file { execute execute_no_trans };
-')
-
-full_treble_only(`
- # Do not allow vendor components to execute files from system
- # except for the ones allowed here.
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_executes_system_violators
- -vendor_init
- } {
- system_file_type
- -system_lib_file
- -system_linker_exec
- -crash_dump_exec
- -iorap_prefetcherd_exec
- -iorap_inode2filename_exec
- -netutils_wrapper_exec
- userdebug_or_eng(`-tcpdump_exec')
- }:file { entrypoint execute execute_no_trans };
-')
-
-full_treble_only(`
- # Do not allow coredomain to access entrypoint for files other
- # than system_file_type and postinstall_file
- neverallow coredomain {
- file_type
- -system_file_type
- -postinstall_file
- }:file entrypoint;
- # Do not allow domains other than coredomain to access entrypoint
- # for anything but vendor_file_type and init_exec for vendor_init.
- neverallow { domain -coredomain } {
- file_type
- -vendor_file_type
- -init_exec
- }:file entrypoint;
-')
-
-full_treble_only(`
- # Do not allow system components to execute files from vendor
- # except for the ones allowed here.
- neverallow {
- coredomain
- -init
- -shell
- -system_executes_vendor_violators
- -ueventd
- } {
- vendor_file_type
- -same_process_hal_file
- -vndk_sp_file
- -vendor_app_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- }:file execute;
-')
-
-full_treble_only(`
- neverallow {
- coredomain
- -shell
- -system_executes_vendor_violators
- } {
- vendor_file_type
- -same_process_hal_file
- }:file execute_no_trans;
-')
-
-full_treble_only(`
- # Do not allow vendor components access to /system files except for the
- # ones allowed here.
- neverallow {
- domain
- -appdomain
- -coredomain
- -vendor_executes_system_violators
- # vendor_init needs access to init_exec for domain transition. vendor_init
- # neverallows are covered in public/vendor_init.te
- -vendor_init
- } {
- system_file_type
- -crash_dump_exec
- -file_contexts_file
- -iorap_inode2filename_exec
- -netutils_wrapper_exec
- -property_contexts_file
- -system_event_log_tags_file
- -system_group_file
- -system_lib_file
- with_asan(`-system_asan_options_file')
- -system_linker_exec
- -system_linker_config_file
- -system_passwd_file
- -system_seccomp_policy_file
- -system_security_cacerts_file
- -system_zoneinfo_file
- -task_profiles_api_file
- -task_profiles_file
- userdebug_or_eng(`-tcpdump_exec')
- }:file *;
-')
-
-# Only system_server should be able to send commands via the zygote socket
-neverallow { domain -zygote -system_server } zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } zygote_socket:sock_file write;
-
-neverallow { domain -system_server -webview_zygote -app_zygote } webview_zygote:unix_stream_socket connectto;
-neverallow { domain -system_server } webview_zygote:sock_file write;
-neverallow { domain -system_server } app_zygote:sock_file write;
-
-neverallow {
- domain
- -tombstoned
- -crash_dump
- -dumpstate
- -incidentd
- -system_server
-
- # Processes that can't exec crash_dump
- -hal_codec2_server
- -hal_omx_server
- -mediaextractor
-} tombstoned_crash_socket:unix_stream_socket connectto;
-
-# Never allow anyone except dumpstate, incidentd, or the system server to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
-neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
-neverallow { domain -init -system_server } heapdump_data_file:file read;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only dumpstate, shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-# The only exceptions are for NDK text relocations associated with
-# https://code.google.com/p/android/issues/detail?id=23203
-# which, long term, need to go away.
-neverallow * {
- file_type
- -apk_data_file
- -app_data_file
- -asec_public_file
-}:file execmod;
-
-# Do not allow making the stack or heap executable.
-# We would also like to minimize execmem but it seems to be
-# required by some device-specific service domains.
-neverallow * self:process { execstack execheap };
-
-# Do not allow the introduction of new execmod rules. Text relocations
-# and modification of executable pages are unsafe.
-neverallow { domain -untrusted_app_25 -untrusted_app_27 } file_type:file execmod;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -system_server
- -system_app
- -init
- -toolbox # TODO(b/141108496) We want to remove toolbox
- -installd # for relabelfrom and unlink, check for this in explicit neverallow
- -vold_prepare_subdirs # For unlink
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-# do not grant anything greater than r_file_perms and relabelfrom unlink
-# to installd
-neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
-
-# respect system_app sandboxes
-neverallow {
- domain
- -appdomain # finer-grained rules for appdomain are listed below
- -system_server #populate com.android.providers.settings/databases/settings.db.
- -installd # creation of app sandbox
- -iorap_inode2filename
- -traced_probes # resolve inodes for i/o tracing.
- # only needs open and read, the rest is neverallow in
- # traced_probes.te.
-} system_app_data_file:dir_file_class_set { create unlink open };
-neverallow {
- isolated_app
- untrusted_app_all # finer-grained rules for appdomain are listed below
- ephemeral_app
- priv_app
-} system_app_data_file:dir_file_class_set { create unlink open };
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
- -runas
- -zygote
-} shell:process { transition dyntransition };
-
-# Only domains spawned from zygote, runas and simpleperf_app_runner may have
-# the appdomain attribute. simpleperf is excluded as a domain transitioned to
-# when running an app-scoped profiling session.
-neverallow { domain -simpleperf_app_runner -runas -app_zygote -webview_zygote -zygote } {
- appdomain -shell -simpleperf userdebug_or_eng(`-su')
-}:process { transition dyntransition };
-
-# Minimize read access to shell- or app-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -appdomain
- -installd
-} { app_data_file privapp_data_file }:lnk_file read;
-
-neverallow {
- domain
- -shell
- userdebug_or_eng(`-uncrypt')
- -installd
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -dumpstate
- -installd
- -init
- -shell
- -vold
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -init
- -installd
- -iorap_inode2filename
- -simpleperf_app_runner
- -system_server # why?
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:dir { open search };
-
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
-# servicemanager and vndservicemanager are the only processes which handle the
-# service_manager list request
-neverallow * ~{
- servicemanager
- vndservicemanager
- }:service_manager list;
-
-# hwservicemanager is the only process which handles hw list requests
-neverallow * ~{
- hwservicemanager
- }:hwservice_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-# TODO: fix dumpstate
-neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to vold and init's
-neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Profiles contain untrusted data and profman parses that. We should only run
-# in from installd forked processes.
-neverallow {
- domain
- -installd
- -profman
-} profman_exec:file no_x_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# Do not permit non-core domains to register HwBinder services which are
-# guaranteed to be provided by core domains only.
-neverallow ~coredomain coredomain_hwservice:hwservice_manager add;
-
-# Do not permit the registeration of HwBinder services which are guaranteed to
-# be passthrough only (i.e., run in the process of their clients instead of a
-# separate server process).
-neverallow * same_process_hwservice:hwservice_manager add;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
- proc_type
- sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-dontaudit domain proc_type:dir write;
-dontaudit domain sysfs_type:dir write;
-dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
-
-# These are only needed in permissive mode - in enforcing mode the
-# directory write check fails and so these are never attempted.
-userdebug_or_eng(`
- dontaudit domain proc_type:dir add_name;
- dontaudit domain sysfs_type:dir add_name;
- dontaudit domain proc_type:file create;
- dontaudit domain sysfs_type:file create;
-')
-
-# Platform must not have access to /mnt/vendor.
-neverallow {
- coredomain
- -init
- -ueventd
- -vold
- -system_writes_mnt_vendor_violators
-} mnt_vendor_file:dir *;
-
-# Only apps are allowed access to vendor public libraries.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
-')
-
-# Vendor domian must not have access to /mnt/product.
-neverallow {
- domain
- -coredomain
-} mnt_product_file:dir *;
-
-# Platform must not have access to sysfs_batteryinfo, but should do it via health HAL and healthd
-full_treble_only(`
- neverallow {
- coredomain
- -healthd
- -shell
- # Generate uevents for health info
- -ueventd
- # Recovery uses health HAL passthrough implementation.
- -recovery
- # Charger uses health HAL passthrough implementation.
- -charger
- # TODO(b/110891300): remove this exception
- -incidentd
- } sysfs_batteryinfo:file { open read };
-')
-
-neverallow {
- domain
- -hal_codec2_server
- -hal_omx_server
-} hal_codec2_hwservice:hwservice_manager add;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
- -ephemeral_app # We don't distinguish ephemeral apps based on target API.
- -untrusted_app_25
- -untrusted_app_27
-} ashmem_device:chr_file open;
-
-neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/prebuilts/api/31.0/public/drmserver.te b/prebuilts/api/31.0/public/drmserver.te
deleted file mode 100644
index eede0fc..0000000
--- a/prebuilts/api/31.0/public/drmserver.te
+++ /dev/null
@@ -1,65 +0,0 @@
-# drmserver - DRM service
-type drmserver, domain;
-type drmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute drmserver mlstrustedsubject;
-
-net_domain(drmserver)
-
-# Perform Binder IPC to system server.
-binder_use(drmserver)
-binder_call(drmserver, system_server)
-binder_call(drmserver, appdomain)
-binder_call(drmserver, mediametrics)
-binder_service(drmserver)
-# Inherit or receive open files from system_server.
-allow drmserver system_server:fd use;
-
-# Perform Binder IPC to mediaserver
-binder_call(drmserver, mediaserver)
-
-allow drmserver sdcard_type:dir search;
-allow drmserver drm_data_file:dir create_dir_perms;
-allow drmserver drm_data_file:file create_file_perms;
-allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
-r_dir_file(drmserver, efs_file)
-
-type drmserver_socket, file_type;
-
-# /data/app/tlcd_sock socket file.
-# Clearly, /data/app is the most logical place to create a socket. Not.
-allow drmserver apk_data_file:dir rw_dir_perms;
-auditallow drmserver apk_data_file:dir { add_name write };
-allow drmserver drmserver_socket:sock_file create_file_perms;
-auditallow drmserver drmserver_socket:sock_file create;
-# Delete old socket file if present.
-allow drmserver apk_data_file:sock_file unlink;
-
-# After taking a video, drmserver looks at the video file.
-r_dir_file(drmserver, media_rw_data_file)
-
-# Read resources from open apk files passed over Binder.
-allow drmserver apk_data_file:file { read getattr map };
-allow drmserver asec_apk_file:file { read getattr map };
-allow drmserver ringtone_file:file { read getattr map };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow drmserver radio_data_file:file { read getattr map };
-
-# /oem access
-allow drmserver oemfs:dir search;
-allow drmserver oemfs:file r_file_perms;
-
-# overlay package access
-allow drmserver vendor_overlay_file:file { read map };
-
-add_service(drmserver, drmserver_service)
-allow drmserver permission_service:service_manager find;
-allow drmserver mediametrics_service:service_manager find;
-
-selinux_check_access(drmserver)
-
-r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
-r_dir_file(drmserver, system_file)
diff --git a/prebuilts/api/31.0/public/dumpstate.te b/prebuilts/api/31.0/public/dumpstate.te
deleted file mode 100644
index 85a5796..0000000
--- a/prebuilts/api/31.0/public/dumpstate.te
+++ /dev/null
@@ -1,394 +0,0 @@
-# dumpstate
-type dumpstate, domain, mlstrustedsubject;
-type dumpstate_exec, system_file_type, exec_type, file_type;
-
-net_domain(dumpstate)
-binder_use(dumpstate)
-wakelock_use(dumpstate)
-
-# Allow setting process priority, protect from OOM killer, and dropping
-# privileges by switching UID / GID
-allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };
-
-# Allow dumpstate to scan through /proc/pid for all processes
-r_dir_file(dumpstate, domain)
-
-allow dumpstate self:global_capability_class_set {
- # Send signals to processes
- kill
- # Run iptables
- net_raw
- net_admin
-};
-
-# Allow executing files on system, such as:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow dumpstate system_file:file execute_no_trans;
-not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
-allow dumpstate toolbox_exec:file rx_file_perms;
-
-# hidl searches for files in /system/lib(64)/hw/
-allow dumpstate system_file:dir r_dir_perms;
-
-# Create and write into /data/anr/
-allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
-allow dumpstate anr_data_file:dir rw_dir_perms;
-allow dumpstate anr_data_file:file create_file_perms;
-
-# Allow reading /data/system/uiderrors.txt
-# TODO: scope this down.
-allow dumpstate system_data_file:file r_file_perms;
-
-# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
-
-# Read dmesg
-allow dumpstate self:global_capability2_class_set syslog;
-allow dumpstate kernel:system syslog_read;
-
-# Read /sys/fs/pstore/console-ramoops
-allow dumpstate pstorefs:dir r_dir_perms;
-allow dumpstate pstorefs:file r_file_perms;
-
-# Get process attributes
-allow dumpstate domain:process getattr;
-
-# Signal java processes to dump their stack
-allow dumpstate { appdomain system_server zygote }:process signal;
-
-# Signal native processes to dump their stack.
-allow dumpstate {
- # This list comes from native_processes_to_dump in dumputils/dump_utils.c
- audioserver
- cameraserver
- drmserver
- inputflinger
- mediadrmserver
- mediaextractor
- mediametrics
- mediaserver
- mediaswcodec
- sdcardd
- surfaceflinger
- vold
-
- # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
- hal_audio_server
- hal_audiocontrol_server
- hal_bluetooth_server
- hal_camera_server
- hal_codec2_server
- hal_drm_server
- hal_evs_server
- hal_face_server
- hal_fingerprint_server
- hal_graphics_allocator_server
- hal_graphics_composer_server
- hal_health_server
- hal_neuralnetworks_server
- hal_omx_server
- hal_power_server
- hal_power_stats_server
- hal_sensors_server
- hal_thermal_server
- hal_vehicle_server
- hal_vr_server
- system_suspend_server
-}:process signal;
-
-# Connect to tombstoned to intercept dumps.
-unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)
-
-# Access to /sys
-allow dumpstate sysfs_type:dir r_dir_perms;
-
-allow dumpstate {
- sysfs_devices_block
- sysfs_dm
- sysfs_loop
- sysfs_usb
- sysfs_zram
-}:file r_file_perms;
-
-# Other random bits of data we want to collect
-no_debugfs_restriction(`
- allow dumpstate debugfs:file r_file_perms;
- auditallow dumpstate debugfs:file r_file_perms;
-
- allow dumpstate debugfs_mmc:file r_file_perms;
-')
-
-# df for
-allow dumpstate {
- block_device
- cache_file
- metadata_file
- rootfs
- selinuxfs
- storage_file
- tmpfs
-}:dir { search getattr };
-allow dumpstate fuse_device:chr_file getattr;
-allow dumpstate { dm_device cache_block_device }:blk_file getattr;
-allow dumpstate { cache_file rootfs }:lnk_file { getattr read };
-
-# Read /dev/cpuctl and /dev/cpuset
-r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
-
-# Allow dumpstate to make binder calls to any binder service
-binder_call(dumpstate, binderservicedomain)
-binder_call(dumpstate, { appdomain netd wificond })
-
-dump_hal(hal_dumpstate)
-dump_hal(hal_wifi)
-dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
-dump_hal(hal_neuralnetworks)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
-dump_hal(hal_face)
-dump_hal(hal_fingerprint)
-dump_hal(hal_gnss)
-
-# Vibrate the device after we are done collecting the bugreport
-hal_client_domain(dumpstate, hal_vibrator)
-
-# Reading /proc/PID/maps of other processes
-allow dumpstate self:global_capability_class_set sys_ptrace;
-
-# Allow the bugreport service to create a file in
-# /data/data/com.android.shell/files/bugreports/bugreport
-allow dumpstate shell_data_file:dir create_dir_perms;
-allow dumpstate shell_data_file:file create_file_perms;
-
-# Run a shell.
-allow dumpstate shell_exec:file rx_file_perms;
-
-# For running am and similar framework commands.
-# Run /system/bin/app_process.
-allow dumpstate zygote_exec:file rx_file_perms;
-
-# For Bluetooth
-allow dumpstate bluetooth_data_file:dir search;
-allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
-allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-
-# For Nfc
-allow dumpstate nfc_logs_data_file:dir r_dir_perms;
-allow dumpstate nfc_logs_data_file:file r_file_perms;
-
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
-# logd access
-read_logd(dumpstate)
-control_logd(dumpstate)
-read_runtime_log_tags(dumpstate)
-
-# Read files in /proc
-allow dumpstate {
- proc_buddyinfo
- proc_cmdline
- proc_meminfo
- proc_modules
- proc_net_type
- proc_pipe_conf
- proc_pagetypeinfo
- proc_qtaguid_ctrl
- proc_qtaguid_stat
- proc_slabinfo
- proc_version
- proc_vmallocinfo
- proc_vmstat
-}:file r_file_perms;
-
-# Read network state info files.
-allow dumpstate net_data_file:dir search;
-allow dumpstate net_data_file:file r_file_perms;
-
-# List sockets via ss.
-allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Access /data/tombstones.
-allow dumpstate tombstone_data_file:dir r_dir_perms;
-allow dumpstate tombstone_data_file:file r_file_perms;
-
-# Access /cache/recovery
-allow dumpstate cache_recovery_file:dir r_dir_perms;
-allow dumpstate cache_recovery_file:file r_file_perms;
-
-# Access /data/misc/recovery
-allow dumpstate recovery_data_file:dir r_dir_perms;
-allow dumpstate recovery_data_file:file r_file_perms;
-
-#Access /data/misc/update_engine_log
-allow dumpstate update_engine_log_data_file:dir r_dir_perms;
-allow dumpstate update_engine_log_data_file:file r_file_perms;
-
-# Access /data/misc/profiles/{cur,ref}/
-userdebug_or_eng(`
- allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
- allow dumpstate user_profile_data_file:file r_file_perms;
-')
-
-# Access /data/misc/logd
-allow dumpstate misc_logd_file:dir r_dir_perms;
-allow dumpstate misc_logd_file:file r_file_perms;
-
-# Access /data/misc/prereboot
-allow dumpstate prereboot_data_file:dir r_dir_perms;
-allow dumpstate prereboot_data_file:file r_file_perms;
-
-allow dumpstate app_fuse_file:dir r_dir_perms;
-allow dumpstate overlayfs_file:dir r_dir_perms;
-
-allow dumpstate {
- service_manager_type
- -apex_service
- -dumpstate_service
- -gatekeeper_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-# suppress denials for services dumpstate should not be accessing.
-dontaudit dumpstate {
- apex_service
- dumpstate_service
- gatekeeper_service
- virtual_touchpad_service
- vold_service
- vr_hwc_service
-}:service_manager find;
-
-# Most of these are neverallowed.
-dontaudit dumpstate hwservice_manager_type:hwservice_manager find;
-
-allow dumpstate servicemanager:service_manager list;
-allow dumpstate hwservicemanager:hwservice_manager list;
-
-allow dumpstate devpts:chr_file rw_file_perms;
-
-# Read any system properties
-get_prop(dumpstate, property_type)
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow dumpstate media_rw_data_file:dir getattr;
-allow dumpstate proc_interrupts:file r_file_perms;
-allow dumpstate proc_zoneinfo:file r_file_perms;
-
-# Create a service for talking back to system_server
-add_service(dumpstate, dumpstate_service)
-
-# use /dev/ion for screen capture
-allow dumpstate ion_device:chr_file r_file_perms;
-
-# Allow dumpstate to run top
-allow dumpstate proc_stat:file r_file_perms;
-
-allow dumpstate proc_pressure_cpu:file r_file_perms;
-allow dumpstate proc_pressure_mem:file r_file_perms;
-allow dumpstate proc_pressure_io:file r_file_perms;
-
-# Allow dumpstate to run ps
-allow dumpstate proc_pid_max:file r_file_perms;
-
-# Allow dumpstate to talk to installd over binder
-binder_call(dumpstate, installd);
-
-# Allow dumpstate to talk to iorapd over binder.
-binder_call(dumpstate, iorapd)
-
-# Allow dumpstate to run ip xfrm policy
-allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };
-
-# Allow dumpstate to run iotop
-allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4) have a new class for sockets
-allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-# Allow dumpstate to run ss
-allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;
-
-# Allow dumpstate to read linkerconfig directory
-allow dumpstate linkerconfig_file:dir { read open };
-
-# For when dumpstate runs df
-dontaudit dumpstate {
- mnt_vendor_file
- mirror_data_file
- mnt_user_file
-}:dir search;
-dontaudit dumpstate {
- apex_mnt_dir
- linkerconfig_file
- mirror_data_file
- mnt_user_file
-}:dir getattr;
-
-# Allow dumpstate to talk to bufferhubd over binder
-binder_call(dumpstate, bufferhubd);
-
-# Allow dumpstate to talk to mediaswcodec over binder
-binder_call(dumpstate, mediaswcodec);
-
-# Allow dumpstate to talk to these stable AIDL services over binder
-binder_call(dumpstate, hal_rebootescrow_server)
-allow hal_rebootescrow_server dumpstate:fifo_file write;
-allow hal_rebootescrow_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
-
-#Access /data/misc/snapshotctl_log
-allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
-allow dumpstate snapshotctl_log_data_file:file r_file_perms;
-
-#Allow access to /dev/binderfs/binder_logs
-allow dumpstate binderfs_logs:dir r_dir_perms;
-allow dumpstate binderfs_logs:file r_file_perms;
-allow dumpstate binderfs_logs_proc:file r_file_perms;
-
-allow dumpstate apex_info_file:file getattr;
-
-###
-### neverallow rules
-###
-
-# dumpstate has capability sys_ptrace, but should only use that capability for
-# accessing sensitive /proc/PID files, never for using ptrace attach.
-neverallow dumpstate *:process ptrace;
-
-# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
-neverallow {
- domain
- -system_server
- -shell
- -traceur_app
- -dumpstate
-} dumpstate_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/e2fs.te b/prebuilts/api/31.0/public/e2fs.te
deleted file mode 100644
index dd5bd69..0000000
--- a/prebuilts/api/31.0/public/e2fs.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type e2fs, domain, coredomain;
-type e2fs_exec, system_file_type, exec_type, file_type;
-
-allow e2fs devpts:chr_file { read write getattr ioctl };
-
-allow e2fs dev_type:blk_file getattr;
-allow e2fs block_device:dir search;
-allow e2fs userdata_block_device:blk_file rw_file_perms;
-allow e2fs metadata_block_device:blk_file rw_file_perms;
-allow e2fs dm_device:blk_file rw_file_perms;
-allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_file ioctl {
- BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
-};
-
-allow e2fs {
- proc_filesystems
- proc_mounts
- proc_swaps
-}:file r_file_perms;
-
-# access /sys/fs/ext4/features
-allow e2fs sysfs_fs_ext4_features:dir search;
-allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-
-# access SELinux context files
-allow e2fs file_contexts_file:file r_file_perms;
diff --git a/prebuilts/api/31.0/public/ephemeral_app.te b/prebuilts/api/31.0/public/ephemeral_app.te
deleted file mode 100644
index dc39a22..0000000
--- a/prebuilts/api/31.0/public/ephemeral_app.te
+++ /dev/null
@@ -1,14 +0,0 @@
-###
-### Ephemeral apps.
-###
-### This file defines the security policy for apps with the ephemeral
-### feature.
-###
-### The ephemeral_app domain is a reduced permissions sandbox allowing
-### ephemeral applications to be safely installed and run. Non ephemeral
-### applications may also opt-in to ephemeral to take advantage of the
-### additional security features.
-###
-### PackageManager flags an app as ephemeral at install time.
-
-type ephemeral_app, domain;
diff --git a/prebuilts/api/31.0/public/fastbootd.te b/prebuilts/api/31.0/public/fastbootd.te
deleted file mode 100644
index e167a5e..0000000
--- a/prebuilts/api/31.0/public/fastbootd.te
+++ /dev/null
@@ -1,118 +0,0 @@
-# fastbootd (used in recovery init.rc for /sbin/fastbootd)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type fastbootd, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # fastbootd can only use HALs in passthrough mode
- passthrough_hal_client_domain(fastbootd, hal_bootctl)
-
- # Access /dev/usb-ffs/fastbootd/ep0
- allow fastbootd functionfs:dir search;
- allow fastbootd functionfs:file rw_file_perms;
-
- allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
- # Log to serial
- allow fastbootd kmsg_device:chr_file { open getattr write };
-
- # battery info
- allow fastbootd sysfs_batteryinfo:file r_file_perms;
-
- allow fastbootd device:dir r_dir_perms;
-
- # For dev/block/by-name dir
- allow fastbootd block_device:dir r_dir_perms;
-
- # Needed for DM_DEV_CREATE ioctl call
- allow fastbootd self:capability sys_admin;
-
- unix_socket_connect(fastbootd, recovery, recovery)
-
- # Required for flashing
- allow fastbootd dm_device:chr_file rw_file_perms;
- allow fastbootd dm_device:blk_file rw_file_perms;
-
- allow fastbootd cache_block_device:blk_file rw_file_perms;
- allow fastbootd super_block_device_type:blk_file rw_file_perms;
- allow fastbootd {
- boot_block_device
- metadata_block_device
- system_block_device
- userdata_block_device
- }:blk_file { w_file_perms getattr ioctl };
-
- # For disabling/wiping GSI, and for modifying/deleting files created via
- # libfiemap.
- allow fastbootd metadata_block_device:blk_file r_file_perms;
- allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr mounton };
- allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file_type:file create_file_perms;
-
- allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
- allowxperm fastbootd {
- metadata_block_device
- userdata_block_device
- dm_device
- cache_block_device
- }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-
- allow fastbootd misc_block_device:blk_file rw_file_perms;
-
- allow fastbootd proc_cmdline:file r_file_perms;
- allow fastbootd rootfs:dir r_dir_perms;
-
- # Needed to read fstab node from device tree.
- allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
- allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
-
- # Needed because libdm reads sysfs to validate when a dm path is ready.
- r_dir_file(fastbootd, sysfs_dm)
-
- # Needed for realpath() call to resolve symlinks.
- allow fastbootd block_device:dir getattr;
- userdebug_or_eng(`
- # Refined manipulation of /mnt/scratch, without these perms resorts
- # to deleting scratch partition when partition(s) are flashed.
- allow fastbootd self:process setfscreate;
- allow fastbootd cache_file:dir search;
- allow fastbootd proc_filesystems:file { getattr open read };
- allow fastbootd self:capability sys_rawio;
- dontaudit fastbootd kernel:system module_request;
- allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
- allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
- allow fastbootd {
- system_file_type
- unlabeled
- vendor_file_type
- }:dir { remove_name rmdir search write };
- allow fastbootd {
- overlayfs_file
- system_file_type
- unlabeled
- vendor_file_type
- }:{ file lnk_file } unlink;
- allow fastbootd tmpfs:dir rw_dir_perms;
- # Fetch vendor_boot partition
- allow fastbootd boot_block_device:blk_file r_file_perms;
- ')
-
- # Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file_type:dir search;
- allow fastbootd ota_metadata_file:dir rw_dir_perms;
- allow fastbootd ota_metadata_file:file create_file_perms;
-')
-
-###
-### neverallow rules
-###
-
-# Write permission is required to wipe userdata
-# until recovery supports vold.
-neverallow fastbootd {
- data_file_type
-}:file { no_x_file_perms };
diff --git a/prebuilts/api/31.0/public/file.te b/prebuilts/api/31.0/public/file.te
deleted file mode 100644
index dc788ac..0000000
--- a/prebuilts/api/31.0/public/file.te
+++ /dev/null
@@ -1,606 +0,0 @@
-# Filesystem types
-type labeledfs, fs_type;
-type pipefs, fs_type;
-type sockfs, fs_type;
-type rootfs, fs_type;
-type proc, fs_type, proc_type;
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
-# Security-sensitive proc nodes that should not be writable to most.
-type proc_security, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-# proc, sysfs, or other nodes that permit configuration of kernel usermodehelpers.
-type usermodehelper, fs_type, proc_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type proc_qtaguid_ctrl, fs_type, mlstrustedobject, proc_type;
-type proc_qtaguid_stat, fs_type, mlstrustedobject, proc_type;
-type proc_bluetooth_writable, fs_type, proc_type;
-type proc_abi, fs_type, proc_type;
-type proc_asound, fs_type, proc_type;
-type proc_bootconfig, fs_type, proc_type;
-type proc_buddyinfo, fs_type, proc_type;
-type proc_cmdline, fs_type, proc_type;
-type proc_cpuinfo, fs_type, proc_type;
-type proc_dirty, fs_type, proc_type;
-type proc_diskstats, fs_type, proc_type;
-type proc_extra_free_kbytes, fs_type, proc_type;
-type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
-type proc_hostname, fs_type, proc_type;
-type proc_hung_task, fs_type, proc_type;
-type proc_interrupts, fs_type, proc_type;
-type proc_iomem, fs_type, proc_type;
-type proc_kallsyms, fs_type, proc_type;
-type proc_keys, fs_type, proc_type;
-type proc_kmsg, fs_type, proc_type;
-type proc_loadavg, fs_type, proc_type;
-type proc_locks, fs_type, proc_type;
-type proc_lowmemorykiller, fs_type, proc_type;
-type proc_max_map_count, fs_type, proc_type;
-type proc_meminfo, fs_type, proc_type;
-type proc_misc, fs_type, proc_type;
-type proc_modules, fs_type, proc_type;
-type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_tcp_udp, fs_type, proc_type;
-type proc_page_cluster, fs_type, proc_type;
-type proc_pagetypeinfo, fs_type, proc_type;
-type proc_panic, fs_type, proc_type;
-type proc_perf, fs_type, proc_type;
-type proc_pid_max, fs_type, proc_type;
-type proc_pipe_conf, fs_type, proc_type;
-type proc_pressure_cpu, fs_type, proc_type;
-type proc_pressure_io, fs_type, proc_type;
-type proc_pressure_mem, fs_type, proc_type;
-type proc_random, fs_type, proc_type;
-type proc_sched, fs_type, proc_type;
-type proc_slabinfo, fs_type, proc_type;
-type proc_stat, fs_type, proc_type;
-type proc_swaps, fs_type, proc_type;
-type proc_sysrq, fs_type, proc_type;
-type proc_timer, fs_type, proc_type;
-type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
-type proc_uid_concurrent_active_time, fs_type, proc_type;
-type proc_uid_concurrent_policy_time, fs_type, proc_type;
-type proc_uid_cpupower, fs_type, proc_type;
-type proc_uptime, fs_type, proc_type;
-type proc_version, fs_type, proc_type;
-type proc_vmallocinfo, fs_type, proc_type;
-type proc_vmstat, fs_type, proc_type;
-type proc_zoneinfo, fs_type, proc_type;
-type proc_vendor_sched, proc_type, fs_type;
-type selinuxfs, fs_type, mlstrustedobject;
-type fusectlfs, fs_type;
-type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
-type sysfs, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_uio, sysfs_type, fs_type;
-type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devfreq_cur, fs_type, sysfs_type;
-type sysfs_devfreq_dir, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type;
-type sysfs_dm, fs_type, sysfs_type;
-type sysfs_dm_verity, fs_type, sysfs_type;
-type sysfs_dma_heap, fs_type, sysfs_type;
-type sysfs_dmabuf_stats, fs_type, sysfs_type;
-type sysfs_dt_firmware_android, fs_type, sysfs_type;
-type sysfs_extcon, fs_type, sysfs_type;
-type sysfs_ion, fs_type, sysfs_type;
-type sysfs_ipv4, fs_type, sysfs_type;
-type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_loop, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_net, fs_type, sysfs_type;
-type sysfs_power, fs_type, sysfs_type;
-type sysfs_rtc, fs_type, sysfs_type;
-type sysfs_suspend_stats, fs_type, sysfs_type;
-type sysfs_switch, fs_type, sysfs_type;
-type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_usb, fs_type, sysfs_type;
-type sysfs_wakeup, fs_type, sysfs_type;
-type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, sysfs_type, fs_type;
-type sysfs_fs_f2fs, sysfs_type, fs_type;
-type sysfs_fs_incfs_features, sysfs_type, fs_type;
-type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
-type sysfs_vendor_sched, sysfs_type, fs_type;
-userdebug_or_eng(`
- typeattribute sysfs_vendor_sched mlstrustedobject;
-')
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type configfs, fs_type;
-# /sys/devices/cs_etm
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-# /sys/devices/system/cpu
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-# /sys/module/lowmemorykiller
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-# /sys/module/wlan/parameters/fwpath
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_thermal, sysfs_type, fs_type;
-
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type inotify, fs_type, mlstrustedobject;
-type devpts, fs_type, mlstrustedobject;
-type tmpfs, fs_type;
-type shm, fs_type;
-type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
-type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
-type vfat, sdcard_type, fs_type, mlstrustedobject;
-type exfat, sdcard_type, fs_type, mlstrustedobject;
-type debugfs, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type securityfs, fs_type;
-
-type pstorefs, fs_type;
-type functionfs, fs_type, mlstrustedobject;
-type oemfs, fs_type, contextmount_type;
-type usbfs, fs_type;
-type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
-
-# File types
-type unlabeled, file_type;
-
-# Default type for anything under /system.
-type system_file, system_file_type, file_type;
-# Default type for /system/asan.options
-type system_asan_options_file, system_file_type, file_type;
-# Type for /system/etc/event-log-tags (liblog implementation detail)
-type system_event_log_tags_file, system_file_type, file_type;
-# Default type for anything under /system/lib[64].
-type system_lib_file, system_file_type, file_type;
-# system libraries that are available only to bootstrap processes
-type system_bootstrap_lib_file, system_file_type, file_type;
-# Default type for the group file /system/etc/group.
-type system_group_file, system_file_type, file_type;
-# Default type for linker executable /system/bin/linker[64].
-type system_linker_exec, system_file_type, file_type;
-# Default type for linker config /system/etc/ld.config.*.
-type system_linker_config_file, system_file_type, file_type;
-# Default type for the passwd file /system/etc/passwd.
-type system_passwd_file, system_file_type, file_type;
-# Default type for linker config /system/etc/seccomp_policy/*.
-type system_seccomp_policy_file, system_file_type, file_type;
-# Default type for cacerts in /system/etc/security/cacerts/*.
-type system_security_cacerts_file, system_file_type, file_type;
-# Default type for /system/bin/tcpdump.
-type tcpdump_exec, system_file_type, exec_type, file_type;
-# Default type for zoneinfo files in /system/usr/share/zoneinfo/*.
-type system_zoneinfo_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/cgroups.json
-type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
-# Vendor cgroups description file under /vendor/etc/cgroups.json
-type vendor_cgroup_desc_file, vendor_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles.json
-type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
-# Vendor task profiles file under /vendor/etc/task_profiles.json
-type vendor_task_profiles_file, vendor_file_type, file_type;
-# Type for /system/apex/com.android.art
-type art_apex_dir, system_file_type, file_type;
-# /linkerconfig(/.*)?
-type linkerconfig_file, file_type;
-# Control files under /data/incremental
-type incremental_control_file, file_type, data_file_type, core_data_file_type;
-
-# Default type for directories search for
-# HAL implementations
-type vendor_hal_file, vendor_file_type, file_type;
-# Default type for under /vendor or /system/vendor
-type vendor_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/app
-type vendor_app_file, vendor_file_type, file_type;
-# Default type for everything under /vendor/etc/
-type vendor_configs_file, vendor_file_type, file_type;
-# Default type for all *same process* HALs and their lib/bin dependencies.
-# e.g. libEGL_xxx.so, android.hardware.graphics.mapper@2.0-impl.so
-type same_process_hal_file, vendor_file_type, file_type;
-# Default type for vndk-sp libs. /vendor/lib/vndk-sp
-type vndk_sp_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/framework
-type vendor_framework_file, vendor_file_type, file_type;
-# Default type for everything in /vendor/overlay
-type vendor_overlay_file, vendor_file_type, file_type;
-# Type for all vendor public libraries. These libs should only be exposed to
-# apps. ABI stability of these libs is vendor's responsibility.
-type vendor_public_lib_file, vendor_file_type, file_type;
-# Type for all vendor public libraries for system. These libs should only be exposed to
-# system. ABI stability of these libs is vendor's responsibility.
-type vendor_public_framework_file, vendor_file_type, file_type;
-
-# Input configuration
-type vendor_keylayout_file, vendor_file_type, file_type;
-type vendor_keychars_file, vendor_file_type, file_type;
-type vendor_idc_file, vendor_file_type, file_type;
-
-# /metadata partition itself
-type metadata_file, file_type;
-# Vold files within /metadata
-type vold_metadata_file, file_type;
-# GSI files within /metadata
-type gsi_metadata_file, gsi_metadata_file_type, file_type;
-# DSU (GSI) files within /metadata that are globally readable.
-type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
-# system_server shares Weaver slot information in /metadata
-type password_slot_metadata_file, file_type;
-# APEX files within /metadata
-type apex_metadata_file, file_type;
-# libsnapshot files within /metadata
-type ota_metadata_file, file_type;
-# property files within /metadata/bootstat
-type metadata_bootstat_file, file_type;
-# userspace reboot files within /metadata/userspacereboot
-type userspace_reboot_metadata_file, file_type;
-# Staged install files within /metadata/staged-install
-type staged_install_file, file_type;
-# Metadata information within /metadata/watchdog
-type watchdog_metadata_file, file_type;
-
-# Type for /dev/cpu_variant:.*.
-type dev_cpu_variant, file_type;
-# Speedup access for trusted applications to the runtime event tags
-type runtime_event_log_tags_file, file_type;
-# Type for /system/bin/logcat.
-type logcat_exec, system_file_type, exec_type, file_type;
-# Speedup access to cgroup map file
-type cgroup_rc_file, file_type;
-# /cores for coredumps on userdebug / eng builds
-type coredump_file, file_type;
-# Type of /data itself
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data.
-type system_data_file, file_type, data_file_type, core_data_file_type;
-# Type for /data/system/packages.list.
-# TODO(b/129332765): Narrow down permissions to this.
-# Find out users of system_data_file that should be granted only this.
-type packages_list_file, file_type, data_file_type, core_data_file_type;
-# Default type for anything under /data/vendor{_ce,_de}.
-type vendor_data_file, file_type, data_file_type;
-# Unencrypted data
-type unencrypted_data_file, file_type, data_file_type, core_data_file_type;
-# installd-create files in /data/misc/installd such as layout_version
-type install_data_file, file_type, data_file_type, core_data_file_type;
-# /data/drm - DRM plugin data
-type drm_data_file, file_type, data_file_type, core_data_file_type;
-# /data/adb - adb debugging files
-type adb_data_file, file_type, data_file_type, core_data_file_type;
-# /data/anr - ANR traces
-type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/tombstones - core dumps
-type tombstone_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/vendor/tombstones/wifi - vendor wifi dumps
-type tombstone_wifi_data_file, file_type, data_file_type;
-# /data/apex - APEX data files
-type apex_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app - user-installed apps
-type apk_data_file, file_type, data_file_type, core_data_file_type;
-type apk_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/app-private - forward-locked apps
-type apk_private_data_file, file_type, data_file_type, core_data_file_type;
-type apk_private_tmp_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/dalvik-cache
-type dalvikcache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota
-type ota_data_file, file_type, data_file_type, core_data_file_type;
-# /data/ota_package
-type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profiles
-type user_profile_root_file, file_type, data_file_type, core_data_file_type;
-type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/misc/profman
-type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/prereboot
-type prereboot_data_file, file_type, data_file_type, core_data_file_type;
-# /data/resource-cache
-type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# /data/property
-type property_data_file, file_type, data_file_type, core_data_file_type;
-# /data/bootchart
-type bootchart_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/dropbox
-type dropbox_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system/heapdump
-type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/nativetest
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local/tests
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-# /data/system_de/0/ringtones
-type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# /data/preloads
-type preloads_data_file, file_type, data_file_type, core_data_file_type;
-# /data/preloads/media
-type preloads_media_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/dhcp and /data/misc/dhcp-6.8.2
-type dhcp_data_file, file_type, data_file_type, core_data_file_type;
-# /data/server_configurable_flags
-type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
-# /data/app-staging
-type staging_data_file, file_type, data_file_type, core_data_file_type;
-# /vendor/apex
-type vendor_apex_file, vendor_file_type, file_type;
-
-# Mount locations managed by vold
-type mnt_media_rw_file, file_type;
-type mnt_user_file, file_type;
-type mnt_pass_through_file, file_type;
-type mnt_expand_file, file_type;
-type mnt_sdcard_file, file_type;
-type storage_file, file_type;
-
-# Label for storage dirs which are just mount stubs
-type mnt_media_rw_stub_file, file_type;
-type storage_stub_file, file_type;
-
-# Mount location for read-write vendor partitions.
-type mnt_vendor_file, file_type;
-
-# Mount location for read-write product partitions.
-type mnt_product_file, file_type;
-
-# Mount point used for APEX images
-type apex_mnt_dir, file_type;
-
-# /apex/apex-info-list.xml created by apexd
-type apex_info_file, file_type;
-
-# /postinstall: Mount point used by update_engine to run postinstall.
-type postinstall_mnt_dir, file_type;
-# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
-type postinstall_file, file_type;
-# /postinstall/apex: Mount point used for APEX images within /postinstall.
-type postinstall_apex_mnt_dir, file_type;
-
-# /data_mirror: Contains mirror directory for storing all apps data.
-type mirror_data_file, file_type, core_data_file_type;
-
-# /data/misc subdirectories
-type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
-type apex_module_data_file, file_type, data_file_type, core_data_file_type;
-type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
-type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
-type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
-type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
-type appcompat_data_file, file_type, data_file_type, core_data_file_type;
-type audio_data_file, file_type, data_file_type, core_data_file_type;
-type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
-type bootstat_data_file, file_type, data_file_type, core_data_file_type;
-type boottrace_data_file, file_type, data_file_type, core_data_file_type;
-type camera_data_file, file_type, data_file_type, core_data_file_type;
-type credstore_data_file, file_type, data_file_type, core_data_file_type;
-type gatekeeper_data_file, file_type, data_file_type, core_data_file_type;
-type incident_data_file, file_type, data_file_type, core_data_file_type;
-type keychain_data_file, file_type, data_file_type, core_data_file_type;
-type keystore_data_file, file_type, data_file_type, core_data_file_type;
-type media_data_file, file_type, data_file_type, core_data_file_type;
-type media_rw_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type misc_user_data_file, file_type, data_file_type, core_data_file_type;
-type net_data_file, file_type, data_file_type, core_data_file_type;
-type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
-type stats_data_file, file_type, data_file_type, core_data_file_type;
-type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
-type textclassifier_data_file, file_type, data_file_type, core_data_file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type vpn_data_file, file_type, data_file_type, core_data_file_type;
-type wifi_data_file, file_type, data_file_type, core_data_file_type;
-type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
-type vold_data_file, file_type, data_file_type, core_data_file_type;
-type iorapd_data_file, file_type, data_file_type, core_data_file_type;
-type tee_data_file, file_type, data_file_type;
-type update_engine_data_file, file_type, data_file_type, core_data_file_type;
-type update_engine_log_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/trace for method traces on userdebug / eng builds
-type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type gsi_data_file, file_type, data_file_type, core_data_file_type;
-type radio_core_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
-# Compatibility with type name used in Android 4.3 and 4.4.
-# Default type for anything under /cache
-type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for /cache/overlay /mnt/scratch/overlay
-type overlayfs_file, file_type, data_file_type, core_data_file_type;
-# Type for /cache/backup_stage/* (fd interchange with apps)
-type cache_backup_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# type for anything under /cache/backup (local transport storage)
-type cache_private_backup_file, file_type, data_file_type, core_data_file_type;
-# Type for anything under /cache/recovery
-type cache_recovery_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Default type for anything under /efs
-type efs_file, file_type;
-# Type for wallpaper file.
-type wallpaper_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for shortcut manager icon file.
-type shortcut_manager_icons, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for user icon file.
-type icon_file, file_type, data_file_type, core_data_file_type;
-# /mnt/asec
-type asec_apk_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Elements of asec files (/mnt/asec) that are world readable
-type asec_public_file, file_type, data_file_type, core_data_file_type;
-# /data/app-asec
-type asec_image_file, file_type, data_file_type, core_data_file_type;
-# /data/backup and /data/secure/backup
-type backup_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# All devices have bluetooth efs files. But they
-# vary per device, so this type is used in per
-# device policy
-type bluetooth_efs_file, file_type;
-# Type for fingerprint template file
-type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
-# Type for _new_ fingerprint template file
-type fingerprint_vendor_data_file, file_type, data_file_type;
-# Type for appfuse file.
-type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-# Type for face template file
-type face_vendor_data_file, file_type, data_file_type;
-# Type for iris template file
-type iris_vendor_data_file, file_type, data_file_type;
-
-# Socket types
-type adbd_socket, file_type, coredomain_socket;
-type bluetooth_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
-type dumpstate_socket, file_type, coredomain_socket;
-type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
-type lmkd_socket, file_type, coredomain_socket;
-type logd_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
-type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type mdns_socket, file_type, coredomain_socket;
-type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
-type misc_logd_file, coredomain_socket, file_type, data_file_type, core_data_file_type;
-type mtpd_socket, file_type, coredomain_socket;
-type property_socket, file_type, coredomain_socket, mlstrustedobject;
-type racoon_socket, file_type, coredomain_socket;
-type recovery_socket, file_type, coredomain_socket;
-type rild_socket, file_type;
-type rild_debug_socket, file_type;
-type snapuserd_socket, file_type, coredomain_socket;
-type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
-type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
-type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
-type tombstoned_java_trace_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type traced_consumer_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_perf_socket, file_type, coredomain_socket, mlstrustedobject;
-type traced_producer_socket, file_type, coredomain_socket, mlstrustedobject;
-type uncrypt_socket, file_type, coredomain_socket;
-type wpa_socket, file_type, data_file_type, core_data_file_type;
-type zygote_socket, file_type, coredomain_socket;
-type heapprofd_socket, file_type, coredomain_socket, mlstrustedobject;
-# UART (for GPS) control proc file
-type gps_control, file_type;
-
-# PDX endpoint types
-type pdx_display_dir, pdx_endpoint_dir_type, file_type;
-type pdx_performance_dir, pdx_endpoint_dir_type, file_type;
-type pdx_bufferhub_dir, pdx_endpoint_dir_type, file_type;
-
-pdx_service_socket_types(display_client, pdx_display_dir)
-pdx_service_socket_types(display_manager, pdx_display_dir)
-pdx_service_socket_types(display_screenshot, pdx_display_dir)
-pdx_service_socket_types(display_vsync, pdx_display_dir)
-pdx_service_socket_types(performance_client, pdx_performance_dir)
-pdx_service_socket_types(bufferhub_client, pdx_bufferhub_dir)
-
-# file_contexts files
-type file_contexts_file, system_file_type, file_type;
-
-# mac_permissions file
-type mac_perms_file, system_file_type, file_type;
-
-# property_contexts file
-type property_contexts_file, system_file_type, file_type;
-
-# seapp_contexts file
-type seapp_contexts_file, system_file_type, file_type;
-
-# sepolicy files binary and others
-type sepolicy_file, system_file_type, file_type;
-
-# service_contexts file
-type service_contexts_file, system_file_type, file_type;
-
-# keystore2_key_contexts_file
-type keystore2_key_contexts_file, system_file_type, file_type;
-
-# vendor service_contexts file
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# nonplat service_contexts file (only accessible on non full-treble devices)
-type nonplat_service_contexts_file, vendor_file_type, file_type;
-
-# hwservice_contexts file
-type hwservice_contexts_file, system_file_type, file_type;
-
-# vndservice_contexts file
-type vndservice_contexts_file, file_type;
-
-# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
-# Allow files to be created in their appropriate filesystems.
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow app_fuse_file app_fusefs:filesystem associate;
-allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
-
-# asanwrapper (run a sanitized app_process, to be used with wrap properties)
-with_asan(`type asanwrapper_exec, exec_type, file_type;')
-
-# Deprecated in SDK version 28
-type audiohal_data_file, file_type, data_file_type, core_data_file_type;
-
-# It's a bug to assign the file_type attribute and fs_type attribute
-# to any type. Do not allow it.
-#
-# For example, the following is a bug:
-# type apk_data_file, file_type, data_file_type, fs_type;
-# Should be:
-# type apk_data_file, file_type, data_file_type;
-neverallow fs_type file_type:filesystem associate;
diff --git a/prebuilts/api/31.0/public/fingerprintd.te b/prebuilts/api/31.0/public/fingerprintd.te
deleted file mode 100644
index 8cf2411..0000000
--- a/prebuilts/api/31.0/public/fingerprintd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type fingerprintd, domain;
-type fingerprintd_exec, system_file_type, exec_type, file_type;
-
-binder_use(fingerprintd)
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow fingerprintd system_file:dir r_dir_perms;
-
-# need to find KeyStore and add self
-add_service(fingerprintd, fingerprintd_service)
-
-# allow HAL module to read dir contents
-allow fingerprintd fingerprintd_data_file:file { create_file_perms };
-
-# allow HAL module to read/write/unlink contents of this dir
-allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
-
-# Need to add auth tokens to KeyStore
-use_keystore(fingerprintd)
-allow fingerprintd keystore:keystore_key { add_auth };
-allow fingerprintd keystore:keystore2 { add_auth };
-
-# For permissions checking
-binder_call(fingerprintd, system_server);
-allow fingerprintd permission_service:service_manager find;
-
-allow fingerprintd ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/31.0/public/flags_health_check.te b/prebuilts/api/31.0/public/flags_health_check.te
deleted file mode 100644
index 25a7768..0000000
--- a/prebuilts/api/31.0/public/flags_health_check.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# The flags_health_check command run by init.
-type flags_health_check, domain, coredomain;
-type flags_health_check_exec, system_file_type, exec_type, file_type;
-
-allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
-allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
-
-# server_configurable_flags_data_file is used for storing whether server configurable flags which
-# have been reset during current booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } server_configurable_flags_data_file:file no_w_file_perms;
diff --git a/prebuilts/api/31.0/public/fsck.te b/prebuilts/api/31.0/public/fsck.te
deleted file mode 100644
index 7a9fbee..0000000
--- a/prebuilts/api/31.0/public/fsck.te
+++ /dev/null
@@ -1,68 +0,0 @@
-# Any fsck program run by init
-type fsck, domain;
-type fsck_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow fsck tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck vold:fd use;
-allow fsck vold:fifo_file { read write getattr };
-
-# Run fsck on certain block devices
-allow fsck block_device:dir search;
-allow fsck userdata_block_device:blk_file rw_file_perms;
-allow fsck cache_block_device:blk_file rw_file_perms;
-allow fsck dm_device:blk_file rw_file_perms;
-userdebug_or_eng(`
-allow fsck system_block_device:blk_file rw_file_perms;
-')
-
-# For the block devices where we have ioctl access,
-# allow at a minimum the following common fsck ioctls.
-allowxperm fsck dev_type:blk_file ioctl {
- BLKDISCARDZEROES
- BLKROGET
-};
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck dev_type:blk_file getattr;
-
-allow fsck {
- proc_mounts
- proc_swaps
-}:file r_file_perms;
-allow fsck rootfs:dir r_dir_perms;
-
-###
-### neverallow rules
-###
-
-# fsck should never be run on these block devices
-neverallow fsck {
- boot_block_device
- frp_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdebug_or_eng(`-system_block_device')
- vold_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from init or vold via fsck binaries
-neverallow { domain -init -vold } fsck:process transition;
-neverallow * fsck:process dyntransition;
-neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/31.0/public/fsck_untrusted.te b/prebuilts/api/31.0/public/fsck_untrusted.te
deleted file mode 100644
index 8510c94..0000000
--- a/prebuilts/api/31.0/public/fsck_untrusted.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# Any fsck program run on untrusted block devices
-type fsck_untrusted, domain;
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow fsck_untrusted vold:fd use;
-allow fsck_untrusted vold:fifo_file { read write getattr };
-
-# Run fsck on vold block devices
-allow fsck_untrusted block_device:dir search;
-allow fsck_untrusted vold_device:blk_file rw_file_perms;
-
-allow fsck_untrusted proc_mounts:file r_file_perms;
-
-# To determine if it is safe to run fsck on a filesystem, e2fsck
-# must first determine if the filesystem is mounted. To do that,
-# e2fsck scans through /proc/mounts and collects all the mounted
-# block devices. With that information, it runs stat() on each block
-# device, comparing the major and minor numbers to the filesystem
-# passed in on the command line. If there is a match, then the filesystem
-# is currently mounted and running fsck is dangerous.
-# Allow stat access to all block devices so that fsck can compare
-# major/minor values.
-allow fsck_untrusted dev_type:blk_file getattr;
-
-###
-### neverallow rules
-###
-
-# Untrusted fsck should never be run on block devices holding sensitive data
-neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via fsck binaries
-neverallow { domain -vold } fsck_untrusted:process transition;
-neverallow * fsck_untrusted:process dyntransition;
-neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
diff --git a/prebuilts/api/31.0/public/fwk_bufferhub.te b/prebuilts/api/31.0/public/fwk_bufferhub.te
deleted file mode 100644
index 03486bd..0000000
--- a/prebuilts/api/31.0/public/fwk_bufferhub.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_bufferhub_client, hal_bufferhub_server)
-binder_call(hal_bufferhub_server, hal_bufferhub_client)
-
-hal_attribute_hwservice(hal_bufferhub, fwk_bufferhub_hwservice)
diff --git a/prebuilts/api/31.0/public/gatekeeperd.te b/prebuilts/api/31.0/public/gatekeeperd.te
deleted file mode 100644
index d48c5f8..0000000
--- a/prebuilts/api/31.0/public/gatekeeperd.te
+++ /dev/null
@@ -1,42 +0,0 @@
-type gatekeeperd, domain;
-type gatekeeperd_exec, system_file_type, exec_type, file_type;
-
-# gatekeeperd
-binder_service(gatekeeperd)
-binder_use(gatekeeperd)
-
-### Rules needed when Gatekeeper HAL runs inside gatekeeperd process.
-### These rules should eventually be granted only when needed.
-allow gatekeeperd ion_device:chr_file r_file_perms;
-# Load HAL implementation
-allow gatekeeperd system_file:dir r_dir_perms;
-###
-
-### Rules needed when Gatekeeper HAL runs outside of gatekeeperd process.
-### These rules should eventually be granted only when needed.
-hal_client_domain(gatekeeperd, hal_gatekeeper)
-###
-
-# need to find KeyStore and add self
-add_service(gatekeeperd, gatekeeper_service)
-
-# Need to add auth tokens to KeyStore
-use_keystore(gatekeeperd)
-allow gatekeeperd keystore:keystore_key { add_auth };
-allow gatekeeperd keystore:keystore2 { add_auth };
-allow gatekeeperd authorization_service:service_manager find;
-
-
-# For permissions checking
-allow gatekeeperd system_server:binder call;
-allow gatekeeperd permission_service:service_manager find;
-
-# for SID file access
-allow gatekeeperd gatekeeper_data_file:dir rw_dir_perms;
-allow gatekeeperd gatekeeper_data_file:file create_file_perms;
-
-# For hardware properties retrieval
-allow gatekeeperd hardware_properties_service:service_manager find;
-
-r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/prebuilts/api/31.0/public/global_macros b/prebuilts/api/31.0/public/global_macros
deleted file mode 100644
index 2c87fde..0000000
--- a/prebuilts/api/31.0/public/global_macros
+++ /dev/null
@@ -1,51 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
-define(`global_capability_class_set', `{ capability cap_userns }')
-define(`global_capability2_class_set', `{ capability2 cap2_userns }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
-define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
-define(`w_file_perms', `{ open append write lock map }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/prebuilts/api/31.0/public/gmscore_app.te b/prebuilts/api/31.0/public/gmscore_app.te
deleted file mode 100644
index b574bf3..0000000
--- a/prebuilts/api/31.0/public/gmscore_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing the PrebuiltGMSCore app.
-###
-
-type gmscore_app, domain;
diff --git a/prebuilts/api/31.0/public/gpuservice.te b/prebuilts/api/31.0/public/gpuservice.te
deleted file mode 100644
index c862d0b..0000000
--- a/prebuilts/api/31.0/public/gpuservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# gpuservice - server for gpu stats and other gpu related services
-type gpuservice, domain;
diff --git a/prebuilts/api/31.0/public/hal_allocator.te b/prebuilts/api/31.0/public/hal_allocator.te
deleted file mode 100644
index 6417b62..0000000
--- a/prebuilts/api/31.0/public/hal_allocator.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_allocator_client, hal_allocator_server)
-
-hal_attribute_hwservice(hal_allocator, hidl_allocator_hwservice)
-allow hal_allocator_client hidl_memory_hwservice:hwservice_manager find;
-allow hal_allocator_client same_process_hal_file:file { execute read open getattr map };
diff --git a/prebuilts/api/31.0/public/hal_atrace.te b/prebuilts/api/31.0/public/hal_atrace.te
deleted file mode 100644
index 51d9237..0000000
--- a/prebuilts/api/31.0/public/hal_atrace.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_atrace_client, hal_atrace_server)
-
-hal_attribute_hwservice(hal_atrace, hal_atrace_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_audio.te b/prebuilts/api/31.0/public/hal_audio.te
deleted file mode 100644
index d1970b9..0000000
--- a/prebuilts/api/31.0/public/hal_audio.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audio_client, hal_audio_server)
-binder_call(hal_audio_server, hal_audio_client)
-
-hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
-hal_attribute_service(hal_audio, hal_audio_service)
-
-allow hal_audio ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_audio, proc)
-r_dir_file(hal_audio, proc_asound)
-allow hal_audio_server audio_device:dir r_dir_perms;
-allow hal_audio_server audio_device:chr_file rw_file_perms;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_audio shell:fd use;
-allow hal_audio shell:fifo_file write;
-allow hal_audio dumpstate:fd use;
-allow hal_audio dumpstate:fifo_file write;
-
-# Needed to allow sound trigger hal to access shared memory from apps.
-allow hal_audio_server appdomain:fd use;
-
-# allow hal audio to use vnbinder
-vndbinder_use(hal_audio)
-
-###
-### neverallow rules
-###
-
-# Should never execute any executable without a domain transition
-neverallow hal_audio_server { file_type fs_type }:file execute_no_trans;
-
-# Only audio HAL may directly access the audio hardware
-neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
-
-get_prop(hal_audio, audio_config_prop)
-get_prop(hal_audio, bluetooth_a2dp_offload_prop)
-get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/prebuilts/api/31.0/public/hal_audiocontrol.te b/prebuilts/api/31.0/public/hal_audiocontrol.te
deleted file mode 100644
index 6f45b0e..0000000
--- a/prebuilts/api/31.0/public/hal_audiocontrol.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_audiocontrol_client, hal_audiocontrol_server)
-binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
-
-hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
-hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-
-binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_authsecret.te b/prebuilts/api/31.0/public/hal_authsecret.te
deleted file mode 100644
index bbcdb9a..0000000
--- a/prebuilts/api/31.0/public/hal_authsecret.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_authsecret_client, hal_authsecret_server)
-
-hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
-hal_attribute_service(hal_authsecret, hal_authsecret_service)
-
-binder_call(hal_authsecret_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_bluetooth.te b/prebuilts/api/31.0/public/hal_bluetooth.te
deleted file mode 100644
index 97177ba..0000000
--- a/prebuilts/api/31.0/public/hal_bluetooth.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_bluetooth_client, hal_bluetooth_server)
-binder_call(hal_bluetooth_server, hal_bluetooth_client)
-
-hal_attribute_hwservice(hal_bluetooth, hal_bluetooth_hwservice)
-
-wakelock_use(hal_bluetooth);
-
-# The HAL toggles rfkill to power the chip off/on.
-allow hal_bluetooth self:global_capability_class_set net_admin;
-
-# bluetooth factory file accesses.
-r_dir_file(hal_bluetooth, bluetooth_efs_file)
-
-allow hal_bluetooth { uhid_device hci_attach_dev }:chr_file rw_file_perms;
-
-# sysfs access.
-r_dir_file(hal_bluetooth, sysfs_type)
-allow hal_bluetooth sysfs_bluetooth_writable:file rw_file_perms;
-allow hal_bluetooth self:global_capability2_class_set wake_alarm;
-
-# Allow write access to bluetooth-specific properties
-set_prop(hal_bluetooth, bluetooth_a2dp_offload_prop)
-set_prop(hal_bluetooth, bluetooth_audio_hal_prop)
-set_prop(hal_bluetooth, bluetooth_prop)
-set_prop(hal_bluetooth, exported_bluetooth_prop)
-
-# /proc access (bluesleep etc.).
-allow hal_bluetooth proc_bluetooth_writable:file rw_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_bluetooth self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/31.0/public/hal_bootctl.te b/prebuilts/api/31.0/public/hal_bootctl.te
deleted file mode 100644
index a1f3d7f..0000000
--- a/prebuilts/api/31.0/public/hal_bootctl.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_bootctl_client, hal_bootctl_server)
-binder_call(hal_bootctl_server, hal_bootctl_client)
-
-hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_broadcastradio.te b/prebuilts/api/31.0/public/hal_broadcastradio.te
deleted file mode 100644
index 84a2597..0000000
--- a/prebuilts/api/31.0/public/hal_broadcastradio.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_broadcastradio_client, hal_broadcastradio_server)
-binder_call(hal_broadcastradio_server, hal_broadcastradio_client)
-
-hal_attribute_hwservice(hal_broadcastradio, hal_broadcastradio_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_camera.te b/prebuilts/api/31.0/public/hal_camera.te
deleted file mode 100644
index 45fad56..0000000
--- a/prebuilts/api/31.0/public/hal_camera.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from clients to server and callbacks
-binder_call(hal_camera_client, hal_camera_server)
-binder_call(hal_camera_server, hal_camera_client)
-
-hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
-
-allow hal_camera device:dir r_dir_perms;
-allow hal_camera video_device:dir r_dir_perms;
-allow hal_camera video_device:chr_file rw_file_perms;
-allow hal_camera camera_device:chr_file rw_file_perms;
-allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
-
-# Both the client and the server need to use the graphics allocator
-allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
-
-# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
-allow hal_camera { appdomain -isolated_app }:fd use;
-allow hal_camera surfaceflinger:fd use;
-allow hal_camera hal_allocator_server:fd use;
-
-# Needed to provide debug dump output via dumpsys' pipes.
-allow hal_camera shell:fd use;
-allow hal_camera shell:fifo_file write;
-
-###
-### neverallow rules
-###
-
-# hal_camera should never execute any executable without a
-# domain transition
-neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
-
-# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# Only camera HAL may directly access the camera hardware
-neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/prebuilts/api/31.0/public/hal_can.te b/prebuilts/api/31.0/public/hal_can.te
deleted file mode 100644
index 959d1d9..0000000
--- a/prebuilts/api/31.0/public/hal_can.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# CAN controller
-binder_call(hal_can_controller_client, hal_can_controller_server)
-binder_call(hal_can_controller_server, hal_can_controller_client)
-hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
-
-# CAN bus
-binder_call(hal_can_bus_client, hal_can_bus_server)
-binder_call(hal_can_bus_server, hal_can_bus_client)
-hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_cas.te b/prebuilts/api/31.0/public/hal_cas.te
deleted file mode 100644
index e699a6b..0000000
--- a/prebuilts/api/31.0/public/hal_cas.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_cas_client, hal_cas_server)
-binder_call(hal_cas_server, hal_cas_client)
-
-hal_attribute_hwservice(hal_cas, hal_cas_hwservice)
-allow hal_cas_server hidl_memory_hwservice:hwservice_manager find;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_cas_server, serialno_prop)
-
-# Read files already opened under /data
-allow hal_cas system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_cas, cgroup)
-allow hal_cas cgroup:dir { search write };
-allow hal_cas cgroup:file w_file_perms;
-
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_cas ion_device:chr_file rw_file_perms;
-allow hal_cas hal_graphics_allocator:fd use;
-
-allow hal_cas tee_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# hal_cas should never execute any executable without a
-# domain transition
-neverallow hal_cas_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_cas_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/31.0/public/hal_codec2.te b/prebuilts/api/31.0/public/hal_codec2.te
deleted file mode 100644
index a379bb3..0000000
--- a/prebuilts/api/31.0/public/hal_codec2.te
+++ /dev/null
@@ -1,27 +0,0 @@
-get_prop(hal_codec2_client, media_variant_prop)
-get_prop(hal_codec2_server, media_variant_prop)
-get_prop(hal_codec2_client, codec2_config_prop)
-get_prop(hal_codec2_server, codec2_config_prop)
-
-binder_call(hal_codec2_client, hal_codec2_server)
-binder_call(hal_codec2_server, hal_codec2_client)
-
-hal_attribute_hwservice(hal_codec2, hal_codec2_hwservice)
-
-# The following permissions are added to hal_codec2_server because vendor and
-# vndk libraries provided for Codec2 implementation need them.
-
-# Allow server access to composer sync fences
-allow hal_codec2_server hal_graphics_composer:fd use;
-
-# Allow both server and client access to ion
-allow hal_codec2_server ion_device:chr_file r_file_perms;
-
-# Allow server access to camera HAL's fences
-allow hal_codec2_server hal_camera:fd use;
-
-# Receive gralloc buffer FDs from bufferhubd.
-allow hal_codec2_server bufferhubd:fd use;
-
-allow hal_codec2_client ion_device:chr_file r_file_perms;
-
diff --git a/prebuilts/api/31.0/public/hal_configstore.te b/prebuilts/api/31.0/public/hal_configstore.te
deleted file mode 100644
index 069da47..0000000
--- a/prebuilts/api/31.0/public/hal_configstore.te
+++ /dev/null
@@ -1,69 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_configstore_client, hal_configstore_server)
-
-hal_attribute_hwservice(hal_configstore, hal_configstore_ISurfaceFlingerConfigs)
-
-# hal_configstore runs with a strict seccomp filter. Use crash_dump's
-# fallback path to collect crash data.
-crash_dump_fallback(hal_configstore_server)
-
-###
-### neverallow rules
-###
-
-# Should never execute an executable without a domain transition
-neverallow hal_configstore_server { file_type fs_type }:file execute_no_trans;
-
-# Should never need network access. Disallow sockets except for
-# for unix stream/dgram sockets used for logging/debugging.
-neverallow hal_configstore_server domain:{
- rawip_socket tcp_socket udp_socket
- netlink_route_socket netlink_selinux_socket
- socket netlink_socket packet_socket key_socket appletalk_socket
- netlink_tcpdiag_socket netlink_nflog_socket
- netlink_xfrm_socket netlink_audit_socket
- netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
- netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
- netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
- netlink_rdma_socket netlink_crypto_socket
-} *;
-neverallow hal_configstore_server {
- domain
- -hal_configstore_server
- -logd
- userdebug_or_eng(`-su')
- -tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
-}:{ unix_dgram_socket unix_stream_socket } *;
-
-# Should never need access to anything on /data
-neverallow hal_configstore_server {
- data_file_type
- -anr_data_file # for crash dump collection
- -tombstone_data_file # for crash dump collection
- -zoneinfo_data_file # granted to domain
- with_native_coverage(`-method_trace_data_file')
-}:{ file fifo_file sock_file } *;
-
-# Should never need sdcard access
-neverallow hal_configstore_server {
- sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
-}:dir ~getattr;
-neverallow hal_configstore_server {
- sdcard_type
- fuse sdcardfs vfat exfat # manual expansion for completeness
-}:file *;
-
-# Do not permit access to service_manager and vndservice_manager
-neverallow hal_configstore_server *:service_manager *;
-
-# No privileged capabilities
-neverallow hal_configstore_server self:capability_class_set *;
-
-# No ptracing other processes
-neverallow hal_configstore_server *:process ptrace;
-
-# no relabeling
-neverallow hal_configstore_server *:dir_file_class_set { relabelfrom relabelto };
diff --git a/prebuilts/api/31.0/public/hal_confirmationui.te b/prebuilts/api/31.0/public/hal_confirmationui.te
deleted file mode 100644
index 5d2e4b7..0000000
--- a/prebuilts/api/31.0/public/hal_confirmationui.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_confirmationui_client, hal_confirmationui_server)
-
-hal_attribute_hwservice(hal_confirmationui, hal_confirmationui_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_contexthub.te b/prebuilts/api/31.0/public/hal_contexthub.te
deleted file mode 100644
index 34acb38..0000000
--- a/prebuilts/api/31.0/public/hal_contexthub.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_contexthub_client, hal_contexthub_server)
-binder_call(hal_contexthub_server, hal_contexthub_client)
-
-hal_attribute_hwservice(hal_contexthub, hal_contexthub_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_drm.te b/prebuilts/api/31.0/public/hal_drm.te
deleted file mode 100644
index bb1bd91..0000000
--- a/prebuilts/api/31.0/public/hal_drm.te
+++ /dev/null
@@ -1,56 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_drm_client, hal_drm_server)
-binder_call(hal_drm_server, hal_drm_client)
-
-hal_attribute_hwservice(hal_drm, hal_drm_hwservice)
-
-allow hal_drm hidl_memory_hwservice:hwservice_manager find;
-
-# Required by Widevine DRM (b/22990512)
-allow hal_drm self:process execmem;
-
-# Permit reading device's serial number from system properties
-get_prop(hal_drm, serialno_prop)
-
-# Read files already opened under /data
-allow hal_drm system_data_file:file { getattr read };
-
-# Read access to pseudo filesystems
-r_dir_file(hal_drm, cgroup)
-allow hal_drm cgroup:dir { search write };
-allow hal_drm cgroup:file w_file_perms;
-
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
-# Allow access to ion memory allocation device
-allow hal_drm ion_device:chr_file rw_file_perms;
-allow hal_drm hal_graphics_allocator:fd use;
-
-# Allow access to hidl_memory allocation service
-allow hal_drm hal_allocator_server:fd use;
-
-# Allow access to fds allocated by mediaserver
-allow hal_drm mediaserver:fd use;
-
-allow hal_drm sysfs:file r_file_perms;
-
-allow hal_drm tee_device:chr_file rw_file_perms;
-
-allow hal_drm_server { appdomain -isolated_app }:fd use;
-
-# only allow unprivileged socket ioctl commands
-allowxperm hal_drm self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-###
-### neverallow rules
-###
-
-# hal_drm should never execute any executable without a
-# domain transition
-neverallow hal_drm_server { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm hal_drm_server domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/31.0/public/hal_dumpstate.te b/prebuilts/api/31.0/public/hal_dumpstate.te
deleted file mode 100644
index 9f854e3..0000000
--- a/prebuilts/api/31.0/public/hal_dumpstate.te
+++ /dev/null
@@ -1,12 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_dumpstate_client, hal_dumpstate_server)
-binder_call(hal_dumpstate_server, hal_dumpstate_client)
-
-set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
-
-hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
-
-# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
-allow hal_dumpstate shell_data_file:file write;
-# allow reading /proc/interrupts for all hal impls
-allow hal_dumpstate proc_interrupts:file r_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_evs.te b/prebuilts/api/31.0/public/hal_evs.te
deleted file mode 100644
index 789333a..0000000
--- a/prebuilts/api/31.0/public/hal_evs.te
+++ /dev/null
@@ -1,5 +0,0 @@
-hwbinder_use(hal_evs_client)
-hwbinder_use(hal_evs_server)
-binder_call(hal_evs_client, hal_evs_server)
-binder_call(hal_evs_server, hal_evs_client)
-hal_attribute_hwservice(hal_evs, hal_evs_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_face.te b/prebuilts/api/31.0/public/hal_face.te
deleted file mode 100644
index 0134576..0000000
--- a/prebuilts/api/31.0/public/hal_face.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allow HwBinder IPC from client to server, and vice versa for callbacks.
-binder_call(hal_face_client, hal_face_server)
-binder_call(hal_face_server, hal_face_client)
-
-hal_attribute_hwservice(hal_face, hal_face_hwservice)
-hal_attribute_service(hal_face, hal_face_service)
-
-binder_call(hal_face_server, servicemanager)
-
-# Allow access to the ion memory allocation device.
-allow hal_face ion_device:chr_file r_file_perms;
-
-# Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/prebuilts/api/31.0/public/hal_fingerprint.te b/prebuilts/api/31.0/public/hal_fingerprint.te
deleted file mode 100644
index 444cfda..0000000
--- a/prebuilts/api/31.0/public/hal_fingerprint.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_fingerprint_client, hal_fingerprint_server)
-binder_call(hal_fingerprint_server, hal_fingerprint_client)
-
-hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
-hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-
-binder_call(hal_fingerprint_server, servicemanager)
-
-# For memory allocation
-allow hal_fingerprint ion_device:chr_file r_file_perms;
-
-allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
-allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
-
-r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
-r_dir_file(hal_fingerprint, sysfs)
-
-
diff --git a/prebuilts/api/31.0/public/hal_gatekeeper.te b/prebuilts/api/31.0/public/hal_gatekeeper.te
deleted file mode 100644
index b918f88..0000000
--- a/prebuilts/api/31.0/public/hal_gatekeeper.te
+++ /dev/null
@@ -1,7 +0,0 @@
-binder_call(hal_gatekeeper_client, hal_gatekeeper_server)
-
-hal_attribute_hwservice(hal_gatekeeper, hal_gatekeeper_hwservice)
-
-# TEE access.
-allow hal_gatekeeper tee_device:chr_file rw_file_perms;
-allow hal_gatekeeper ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_gnss.te b/prebuilts/api/31.0/public/hal_gnss.te
deleted file mode 100644
index 832bc8d..0000000
--- a/prebuilts/api/31.0/public/hal_gnss.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_gnss_client, hal_gnss_server)
-binder_call(hal_gnss_server, hal_gnss_client)
-
-hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
-hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
-
diff --git a/prebuilts/api/31.0/public/hal_graphics_allocator.te b/prebuilts/api/31.0/public/hal_graphics_allocator.te
deleted file mode 100644
index 3ec6b96..0000000
--- a/prebuilts/api/31.0/public/hal_graphics_allocator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
-
-hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
-allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
-
-# GPU device access
-allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
-allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
-
-# allow to run with real-time scheduling policy
-allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/31.0/public/hal_graphics_composer.te b/prebuilts/api/31.0/public/hal_graphics_composer.te
deleted file mode 100644
index 1c69c99..0000000
--- a/prebuilts/api/31.0/public/hal_graphics_composer.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type hal_graphics_composer_server_tmpfs, file_type;
-attribute hal_graphics_composer_client_tmpfs;
-expandattribute hal_graphics_composer_client_tmpfs true;
-
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
-binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
-allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
-allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
-
-hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
-
-# Coordinate with hal_graphics_mapper
-allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
-
-# GPU device access
-allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
-allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_graphics_composer hal_graphics_allocator:fd use;
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:dir search;
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-
-# Fences
-allow hal_graphics_composer system_server:fd use;
-allow hal_graphics_composer bootanim:fd use;
-allow hal_graphics_composer appdomain:fd use;
-
-# allow self to set SCHED_FIFO
-allow hal_graphics_composer self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/31.0/public/hal_health.te b/prebuilts/api/31.0/public/hal_health.te
deleted file mode 100644
index dc7d083..0000000
--- a/prebuilts/api/31.0/public/hal_health.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_client, hal_health_server)
-binder_call(hal_health_server, hal_health_client)
-
-hal_attribute_hwservice(hal_health, hal_health_hwservice)
-
-# Common rules for a health service.
-
-# Allow to listen to uevents for updates
-allow hal_health_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Allow to read /sys/class/power_supply directory
-allow hal_health_server sysfs:dir r_dir_perms;
-
-# Allow to read files under /sys/class/power_supply. Implementations typically have symlinks
-# to vendor specific files. Vendors should mark sysfs_batteryinfo on all files read by health
-# HAL service.
-r_dir_file(hal_health_server, sysfs_batteryinfo)
-
-# Allow to wake up to send periodic events
-wakelock_use(hal_health_server)
-
-# Write to /dev/kmsg
-allow hal_health_server kmsg_device:chr_file { getattr w_file_perms };
-
-# Allow to use timerfd to wake itself up periodically to send health info.
-allow hal_health_server self:capability2 wake_alarm;
diff --git a/prebuilts/api/31.0/public/hal_health_storage.te b/prebuilts/api/31.0/public/hal_health_storage.te
deleted file mode 100644
index 4938a16..0000000
--- a/prebuilts/api/31.0/public/hal_health_storage.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_health_storage_client, hal_health_storage_server)
-binder_call(hal_health_storage_server, hal_health_storage_client)
-
-binder_use(hal_health_storage_server)
-
-hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
-hal_attribute_service(hal_health_storage, hal_health_storage_service)
-
-# Allow ReadDefaultFstab().
-read_fstab(hal_health_storage_server)
diff --git a/prebuilts/api/31.0/public/hal_identity.te b/prebuilts/api/31.0/public/hal_identity.te
deleted file mode 100644
index 8d558ad..0000000
--- a/prebuilts/api/31.0/public/hal_identity.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_identity_client, hal_identity_server)
-
-hal_attribute_service(hal_identity, hal_identity_service)
-
-binder_call(hal_identity_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_input_classifier.te b/prebuilts/api/31.0/public/hal_input_classifier.te
deleted file mode 100644
index 70a4b7d..0000000
--- a/prebuilts/api/31.0/public/hal_input_classifier.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_input_classifier_client, hal_input_classifier_server)
-
-hal_attribute_hwservice(hal_input_classifier, hal_input_classifier_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_ir.te b/prebuilts/api/31.0/public/hal_ir.te
deleted file mode 100644
index 29555f7..0000000
--- a/prebuilts/api/31.0/public/hal_ir.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_ir_client, hal_ir_server)
-binder_call(hal_ir_server, hal_ir_client)
-
-hal_attribute_hwservice(hal_ir, hal_ir_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_keymaster.te b/prebuilts/api/31.0/public/hal_keymaster.te
deleted file mode 100644
index 3e164ad..0000000
--- a/prebuilts/api/31.0/public/hal_keymaster.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_keymaster_client, hal_keymaster_server)
-
-hal_attribute_hwservice(hal_keymaster, hal_keymaster_hwservice)
-
-allow hal_keymaster tee_device:chr_file rw_file_perms;
-allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_keymint.te b/prebuilts/api/31.0/public/hal_keymint.te
deleted file mode 100644
index 9c65e22..0000000
--- a/prebuilts/api/31.0/public/hal_keymint.te
+++ /dev/null
@@ -1,8 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
-binder_call(hal_keymint_server, servicemanager)
-
-allow hal_keymint tee_device:chr_file rw_file_perms;
-allow hal_keymint ion_device:chr_file r_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_light.te b/prebuilts/api/31.0/public/hal_light.te
deleted file mode 100644
index 40829b6..0000000
--- a/prebuilts/api/31.0/public/hal_light.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_light_client, hal_light_server)
-binder_call(hal_light_server, hal_light_client)
-
-hal_attribute_hwservice(hal_light, hal_light_hwservice)
-hal_attribute_service(hal_light, hal_light_service)
-
-binder_call(hal_light_server, servicemanager)
-binder_use(hal_light_client)
-
-allow hal_light_server dumpstate:fifo_file write;
-
-allow hal_light sysfs_leds:lnk_file read;
-allow hal_light sysfs_leds:file rw_file_perms;
-allow hal_light sysfs_leds:dir r_dir_perms;
diff --git a/prebuilts/api/31.0/public/hal_lowpan.te b/prebuilts/api/31.0/public/hal_lowpan.te
deleted file mode 100644
index 6fb95e9..0000000
--- a/prebuilts/api/31.0/public/hal_lowpan.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_lowpan_client, hal_lowpan_server)
-binder_call(hal_lowpan_server, hal_lowpan_client)
-
-
-# Allow hal_lowpan_client to be able to find the hal_lowpan_server
-hal_attribute_hwservice(hal_lowpan, hal_lowpan_hwservice)
-
-# hal_lowpan domain can write/read to/from lowpan_prop
-set_prop(hal_lowpan_server, lowpan_prop)
-
-# Allow hal_lowpan_server to open lowpan_devices
-allow hal_lowpan_server lowpan_device:chr_file rw_file_perms;
-
-###
-### neverallow rules
-###
-
-# Only LoWPAN HAL may directly access LoWPAN hardware
-neverallow { domain -hal_lowpan_server -init -ueventd } lowpan_device:chr_file ~getattr;
diff --git a/prebuilts/api/31.0/public/hal_memtrack.te b/prebuilts/api/31.0/public/hal_memtrack.te
deleted file mode 100644
index 30a4480..0000000
--- a/prebuilts/api/31.0/public/hal_memtrack.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_memtrack_client, hal_memtrack_server)
-
-hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
-
-hal_attribute_service(hal_memtrack, hal_memtrack_service)
-binder_call(hal_memtrack_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_neuralnetworks.te b/prebuilts/api/31.0/public/hal_neuralnetworks.te
deleted file mode 100644
index 7497dec..0000000
--- a/prebuilts/api/31.0/public/hal_neuralnetworks.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
-binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
-
-hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
-allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_allocator:fd use;
-allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_neuralnetworks hal_graphics_allocator:fd use;
-
-# Allow NN HAL service to use a client-provided fd residing in /data/data/.
-allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
-allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
-
-# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
-allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
-
-# Allow NN HAL service to read a client-provided ION memory fd.
-allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
-
-# Allow NN HAL service to use a client-provided fd residing in /storage
-allow hal_neuralnetworks_server storage_file:file { getattr map read };
-
-# Allow NN HAL service to read a client-provided fd residing in /data/app/.
-allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
-
-# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
-# property to determine whether to deny NNAPI extensions use for apps
-# on product partition (apps in GSI are not allowed to use NNAPI extensions).
-get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
-# This property is only expected to be found in /product/build.prop,
-# allow to be set only by init.
-neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
-
-# Define sepolicy for NN AIDL HAL service
-hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
-binder_call(hal_neuralnetworks_server, servicemanager)
-
-binder_use(hal_neuralnetworks_server)
-
-allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
deleted file mode 100644
index 105689b..0000000
--- a/prebuilts/api/31.0/public/hal_neverallows.te
+++ /dev/null
@@ -1,71 +0,0 @@
-# only HALs responsible for network hardware should have privileged
-# network capabilities
-neverallow {
- halserverdomain
- -hal_bluetooth_server
- -hal_can_controller_server
- -hal_wifi_server
- -hal_wifi_hostapd_server
- -hal_wifi_supplicant_server
- -hal_telephony_server
- -hal_uwb_server
-} self:global_capability_class_set { net_admin net_raw };
-
-# Unless a HAL's job is to communicate over the network, or control network
-# hardware, it should not be using network sockets.
-# NOTE: HALs for automotive devices have an exemption from this rule because in
-# a car it is common to have external modules and HALs need to communicate to
-# those modules using network. Using this exemption for non-automotive builds
-# will result in CTS failure.
-neverallow {
- halserverdomain
- -hal_automotive_socket_exemption
- -hal_can_controller_server
- -hal_tetheroffload_server
- -hal_wifi_server
- -hal_wifi_hostapd_server
- -hal_wifi_supplicant_server
- -hal_telephony_server
- -hal_uwb_server
-} domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# The UWB HAL is not actually a networking HAL but may need to bring up and down
-# interfaces. Restrict it to only these networking operations.
-neverallow hal_uwb_server self:global_capability_class_set { net_raw };
-
-# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
-# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
-
-###
-# HALs are defined as an attribute and so a given domain could hypothetically
-# have multiple HALs in it (or even all of them) with the subsequent policy of
-# the domain comprised of the union of all the HALs.
-#
-# This is a problem because
-# 1) Security sensitive components should only be accessed by specific HALs.
-# 2) hwbinder_call and the restrictions it provides cannot be reasoned about in
-# the platform.
-# 3) The platform cannot reason about defense in depth if there are
-# monolithic domains etc.
-#
-# As an example, hal_keymaster and hal_gatekeeper can access the TEE and while
-# its OK for them to share a process its not OK with them to share processes
-# with other hals.
-#
-# The following neverallow rules, in conjuntion with CTS tests, assert that
-# these security principles are adhered to.
-#
-# Do not allow a hal to exec another process without a domain transition.
-# TODO remove exemptions.
-neverallow {
- halserverdomain
- -hal_dumpstate_server
- -hal_telephony_server
-} { file_type fs_type }:file execute_no_trans;
-# Do not allow a process other than init to transition into a HAL domain.
-neverallow { domain -init } halserverdomain:process transition;
-# Only allow transitioning to a domain by running its executable. Do not
-# allow transitioning into a HAL domain by use of seclabel in an
-# init.*.rc script.
-neverallow * halserverdomain:process dyntransition;
diff --git a/prebuilts/api/31.0/public/hal_nfc.te b/prebuilts/api/31.0/public/hal_nfc.te
deleted file mode 100644
index 7cef4a1..0000000
--- a/prebuilts/api/31.0/public/hal_nfc.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_nfc_client, hal_nfc_server)
-binder_call(hal_nfc_server, hal_nfc_client)
-
-hal_attribute_hwservice(hal_nfc, hal_nfc_hwservice)
-
-# Set NFC properties (used by bcm2079x HAL).
-set_prop(hal_nfc, nfc_prop)
-
-# NFC device access.
-allow hal_nfc nfc_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_oemlock.te b/prebuilts/api/31.0/public/hal_oemlock.te
deleted file mode 100644
index 9f38fa5..0000000
--- a/prebuilts/api/31.0/public/hal_oemlock.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_oemlock_client, hal_oemlock_server)
-
-hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
-hal_attribute_service(hal_oemlock, hal_oemlock_service)
-
-binder_call(hal_oemlock_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_omx.te b/prebuilts/api/31.0/public/hal_omx.te
deleted file mode 100644
index 8e74383..0000000
--- a/prebuilts/api/31.0/public/hal_omx.te
+++ /dev/null
@@ -1,49 +0,0 @@
-# applies all permissions to hal_omx NOT hal_omx_server
-# since OMX must always be in its own process.
-
-binder_call(hal_omx_server, binderservicedomain)
-binder_call(hal_omx_server, { appdomain -isolated_app })
-
-# Allow hal_omx_server access to composer sync fences
-allow hal_omx_server hal_graphics_composer:fd use;
-
-allow hal_omx_server ion_device:chr_file rw_file_perms;
-allow hal_omx_server hal_camera:fd use;
-
-crash_dump_fallback(hal_omx_server)
-
-# Recieve gralloc buffer FDs from bufferhubd. Note that hal_omx_server never
-# directly connects to bufferhubd via PDX. Instead, a VR app acts as a bridge
-# between those two: it talks to hal_omx_server via Binder and talks to bufferhubd
-# via PDX. Thus, there is no need to use pdx_client macro.
-allow hal_omx_server bufferhubd:fd use;
-
-hal_attribute_hwservice(hal_omx, hal_omx_hwservice)
-
-allow hal_omx_client hidl_token_hwservice:hwservice_manager find;
-
-get_prop(hal_omx_client, media_variant_prop)
-get_prop(hal_omx_server, media_variant_prop)
-
-binder_call(hal_omx_client, hal_omx_server)
-binder_call(hal_omx_server, hal_omx_client)
-
-###
-### neverallow rules
-###
-
-# hal_omx_server should never execute any executable without a
-# domain transition
-neverallow hal_omx_server { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow hal_omx_server domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/hal_power.te b/prebuilts/api/31.0/public/hal_power.te
deleted file mode 100644
index aae32a0..0000000
--- a/prebuilts/api/31.0/public/hal_power.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_client, hal_power_server)
-binder_call(hal_power_server, hal_power_client)
-
-hal_attribute_hwservice(hal_power, hal_power_hwservice)
-hal_attribute_service(hal_power, hal_power_service)
-
-binder_call(hal_power_server, servicemanager)
-binder_call(hal_power_client, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_power_stats.te b/prebuilts/api/31.0/public/hal_power_stats.te
deleted file mode 100644
index 4076eff..0000000
--- a/prebuilts/api/31.0/public/hal_power_stats.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_power_stats_client, hal_power_stats_server)
-binder_call(hal_power_stats_server, hal_power_stats_client)
-
-hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
-hal_attribute_service(hal_power_stats, hal_power_stats_service)
-
-binder_call(hal_power_stats_server, servicemanager)
-binder_call(hal_power_stats_client, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_rebootescrow.te b/prebuilts/api/31.0/public/hal_rebootescrow.te
deleted file mode 100644
index d16333b..0000000
--- a/prebuilts/api/31.0/public/hal_rebootescrow.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-
-hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-
-binder_use(hal_rebootescrow_server)
diff --git a/prebuilts/api/31.0/public/hal_secure_element.te b/prebuilts/api/31.0/public/hal_secure_element.te
deleted file mode 100644
index 3724d35..0000000
--- a/prebuilts/api/31.0/public/hal_secure_element.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_secure_element_client, hal_secure_element_server)
-binder_call(hal_secure_element_server, hal_secure_element_client)
-
-hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_sensors.te b/prebuilts/api/31.0/public/hal_sensors.te
deleted file mode 100644
index 06e76f1..0000000
--- a/prebuilts/api/31.0/public/hal_sensors.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_sensors_client, hal_sensors_server)
-
-hal_attribute_hwservice(hal_sensors, hal_sensors_hwservice)
-
-# Allow sensor hals to access ashmem memory allocated by apps
-allow hal_sensors { appdomain -isolated_app }:fd use;
-
-# Allow sensor hals to access ashmem memory allocated by android.hidl.allocator
-# fd is passed in from framework sensorservice HAL.
-allow hal_sensors hal_allocator:fd use;
-
-# allow to run with real-time scheduling policy
-allow hal_sensors self:global_capability_class_set sys_nice;
diff --git a/prebuilts/api/31.0/public/hal_telephony.te b/prebuilts/api/31.0/public/hal_telephony.te
deleted file mode 100644
index f0cf075..0000000
--- a/prebuilts/api/31.0/public/hal_telephony.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_telephony_client, hal_telephony_server)
-binder_call(hal_telephony_server, hal_telephony_client)
-
-hal_attribute_hwservice(hal_telephony, hal_telephony_hwservice)
-
-allowxperm hal_telephony_server self:udp_socket ioctl priv_sock_ioctls;
-
-allow hal_telephony_server self:netlink_route_socket nlmsg_write;
-allow hal_telephony_server kernel:system module_request;
-allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
-allow hal_telephony_server cgroup:dir create_dir_perms;
-allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
-allow hal_telephony_server radio_device:chr_file rw_file_perms;
-allow hal_telephony_server radio_device:blk_file r_file_perms;
-allow hal_telephony_server efs_file:dir create_dir_perms;
-allow hal_telephony_server efs_file:file create_file_perms;
-allow hal_telephony_server vendor_shell_exec:file rx_file_perms;
-allow hal_telephony_server bluetooth_efs_file:file r_file_perms;
-allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
-
-# property service
-get_prop(hal_telephony_server, telephony_config_prop)
-set_prop(hal_telephony_server, radio_control_prop)
-set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, telephony_status_prop)
-
-allow hal_telephony_server tty_device:chr_file rw_file_perms;
-
-# Allow hal_telephony_server to create and use netlink sockets.
-allow hal_telephony_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_telephony_server self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Access to wake locks
-wakelock_use(hal_telephony_server)
-
-r_dir_file(hal_telephony_server, proc_net_type)
-r_dir_file(hal_telephony_server, sysfs_type)
-
-# granting the ioctl permission for hal_telephony_server should be device specific
-allow hal_telephony_server self:socket create_socket_perms_no_ioctl;
diff --git a/prebuilts/api/31.0/public/hal_tetheroffload.te b/prebuilts/api/31.0/public/hal_tetheroffload.te
deleted file mode 100644
index cf51723..0000000
--- a/prebuilts/api/31.0/public/hal_tetheroffload.te
+++ /dev/null
@@ -1,8 +0,0 @@
-## HwBinder IPC from client to server, and callbacks
-binder_call(hal_tetheroffload_client, hal_tetheroffload_server)
-binder_call(hal_tetheroffload_server, hal_tetheroffload_client)
-
-hal_attribute_hwservice(hal_tetheroffload, hal_tetheroffload_hwservice)
-
-# allow the client to pass the server already open netlink sockets
-allow hal_tetheroffload_server hal_tetheroffload_client:netlink_netfilter_socket { getattr read setopt write };
diff --git a/prebuilts/api/31.0/public/hal_thermal.te b/prebuilts/api/31.0/public/hal_thermal.te
deleted file mode 100644
index 2115da1..0000000
--- a/prebuilts/api/31.0/public/hal_thermal.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_thermal_client, hal_thermal_server)
-binder_call(hal_thermal_server, hal_thermal_client)
-
-hal_attribute_hwservice(hal_thermal, hal_thermal_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_tv_cec.te b/prebuilts/api/31.0/public/hal_tv_cec.te
deleted file mode 100644
index 6584904..0000000
--- a/prebuilts/api/31.0/public/hal_tv_cec.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_cec_client, hal_tv_cec_server)
-binder_call(hal_tv_cec_server, hal_tv_cec_client)
-
-hal_attribute_hwservice(hal_tv_cec, hal_tv_cec_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_tv_input.te b/prebuilts/api/31.0/public/hal_tv_input.te
deleted file mode 100644
index 5a5bdda..0000000
--- a/prebuilts/api/31.0/public/hal_tv_input.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from clients into server, and callbacks
-binder_call(hal_tv_input_client, hal_tv_input_server)
-binder_call(hal_tv_input_server, hal_tv_input_client)
-
-hal_attribute_hwservice(hal_tv_input, hal_tv_input_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_tv_tuner.te b/prebuilts/api/31.0/public/hal_tv_tuner.te
deleted file mode 100644
index 0da4ec7..0000000
--- a/prebuilts/api/31.0/public/hal_tv_tuner.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_tv_tuner_client, hal_tv_tuner_server)
-binder_call(hal_tv_tuner_server, hal_tv_tuner_client)
-
-hal_attribute_hwservice(hal_tv_tuner, hal_tv_tuner_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_usb.te b/prebuilts/api/31.0/public/hal_usb.te
deleted file mode 100644
index 38bc49a..0000000
--- a/prebuilts/api/31.0/public/hal_usb.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_client, hal_usb_server)
-binder_call(hal_usb_server, hal_usb_client)
-
-hal_attribute_hwservice(hal_usb, hal_usb_hwservice)
-
-allow hal_usb self:netlink_kobject_uevent_socket create;
-allow hal_usb self:netlink_kobject_uevent_socket setopt;
-allow hal_usb self:netlink_kobject_uevent_socket getopt;
-allow hal_usb self:netlink_kobject_uevent_socket bind;
-allow hal_usb self:netlink_kobject_uevent_socket read;
-allow hal_usb sysfs:dir open;
-allow hal_usb sysfs:dir read;
-allow hal_usb sysfs:file read;
-allow hal_usb sysfs:file open;
-allow hal_usb sysfs:file write;
-allow hal_usb sysfs:file getattr;
-
diff --git a/prebuilts/api/31.0/public/hal_usb_gadget.te b/prebuilts/api/31.0/public/hal_usb_gadget.te
deleted file mode 100644
index a474652..0000000
--- a/prebuilts/api/31.0/public/hal_usb_gadget.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_usb_gadget_client, hal_usb_gadget_server)
-binder_call(hal_usb_gadget_server, hal_usb_gadget_client)
-
-hal_attribute_hwservice(hal_usb_gadget, hal_usb_gadget_hwservice)
-
-# Configuring usb gadget functions
-allow hal_usb_gadget_server configfs:lnk_file { read create unlink};
-allow hal_usb_gadget_server configfs:dir rw_dir_perms;
-allow hal_usb_gadget_server configfs:file create_file_perms;
-allow hal_usb_gadget_server functionfs:dir { read search };
-allow hal_usb_gadget_server functionfs:file read;
-
diff --git a/prebuilts/api/31.0/public/hal_vehicle.te b/prebuilts/api/31.0/public/hal_vehicle.te
deleted file mode 100644
index 6855d14..0000000
--- a/prebuilts/api/31.0/public/hal_vehicle.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vehicle_client, hal_vehicle_server)
-binder_call(hal_vehicle_server, hal_vehicle_client)
-
-
-hal_attribute_hwservice(hal_vehicle, hal_vehicle_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_vibrator.te b/prebuilts/api/31.0/public/hal_vibrator.te
deleted file mode 100644
index c902495..0000000
--- a/prebuilts/api/31.0/public/hal_vibrator.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# HwBinder IPC client/server
-binder_call(hal_vibrator_client, hal_vibrator_server)
-binder_call(hal_vibrator_server, hal_vibrator_client);
-
-hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
-hal_attribute_service(hal_vibrator, hal_vibrator_service)
-
-binder_call(hal_vibrator_server, servicemanager)
-
-allow hal_vibrator_server dumpstate:fifo_file write;
-
-# vibrator sysfs rw access
-allow hal_vibrator sysfs_vibrator:file rw_file_perms;
-allow hal_vibrator sysfs_vibrator:dir search;
diff --git a/prebuilts/api/31.0/public/hal_vr.te b/prebuilts/api/31.0/public/hal_vr.te
deleted file mode 100644
index e52c77f..0000000
--- a/prebuilts/api/31.0/public/hal_vr.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_vr_client, hal_vr_server)
-binder_call(hal_vr_server, hal_vr_client)
-
-hal_attribute_hwservice(hal_vr, hal_vr_hwservice)
diff --git a/prebuilts/api/31.0/public/hal_weaver.te b/prebuilts/api/31.0/public/hal_weaver.te
deleted file mode 100644
index 2b34989..0000000
--- a/prebuilts/api/31.0/public/hal_weaver.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_weaver_client, hal_weaver_server)
-
-hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
-hal_attribute_service(hal_weaver, hal_weaver_service)
-
-binder_call(hal_weaver_server, servicemanager)
diff --git a/prebuilts/api/31.0/public/hal_wifi.te b/prebuilts/api/31.0/public/hal_wifi.te
deleted file mode 100644
index 2e4fa78..0000000
--- a/prebuilts/api/31.0/public/hal_wifi.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# HwBinder IPC from client to server, and callbacks
-binder_call(hal_wifi_client, hal_wifi_server)
-binder_call(hal_wifi_server, hal_wifi_client)
-
-hal_attribute_hwservice(hal_wifi, hal_wifi_hwservice)
-
-r_dir_file(hal_wifi, proc_net_type)
-r_dir_file(hal_wifi, sysfs_type)
-
-set_prop(hal_wifi_server, wifi_hal_prop)
-set_prop(hal_wifi, wifi_prop)
-userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
-
-# allow hal wifi set interfaces up and down and get the factory MAC
-allow hal_wifi self:udp_socket create_socket_perms;
-allowxperm hal_wifi self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR SIOCETHTOOL };
-
-allow hal_wifi self:global_capability_class_set { net_admin net_raw };
-# allow hal_wifi to speak to nl80211 in the kernel
-allow hal_wifi self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow hal_wifi self:netlink_generic_socket create_socket_perms_no_ioctl;
-# hal_wifi writes firmware paths to this file.
-allow hal_wifi sysfs_wlan_fwpath:file { w_file_perms };
-# allow hal_wifi to access /proc/modules to check if Wi-Fi driver is loaded
-allow hal_wifi proc_modules:file { getattr open read };
-# Allow hal_wifi to send dump info to dumpstate
-allow hal_wifi dumpstate:fifo_file write;
-
-# allow hal_wifi to write into /data/vendor/tombstones/wifi
-allow hal_wifi_server tombstone_wifi_data_file:dir rw_dir_perms;
-allow hal_wifi_server tombstone_wifi_data_file:file create_file_perms;
diff --git a/prebuilts/api/31.0/public/hal_wifi_hostapd.te b/prebuilts/api/31.0/public/hal_wifi_hostapd.te
deleted file mode 100644
index 12d72b6..0000000
--- a/prebuilts/api/31.0/public/hal_wifi_hostapd.te
+++ /dev/null
@@ -1,27 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_hostapd_client, hal_wifi_hostapd_server)
-binder_call(hal_wifi_hostapd_server, hal_wifi_hostapd_client)
-
-hal_attribute_hwservice(hal_wifi_hostapd, hal_wifi_hostapd_hwservice)
-
-allow hal_wifi_hostapd_server self:global_capability_class_set { net_admin net_raw };
-
-allow hal_wifi_hostapd_server sysfs_net:dir search;
-
-# Allow hal_wifi_hostapd to access /proc/net/psched
-allow hal_wifi_hostapd_server proc_net_type:file { getattr open read };
-
-# Various socket permissions.
-allowxperm hal_wifi_hostapd_server self:udp_socket ioctl priv_sock_ioctls;
-allow hal_wifi_hostapd_server self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:packet_socket create_socket_perms_no_ioctl;
-allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
-
-###
-### neverallow rules
-###
-
-# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
diff --git a/prebuilts/api/31.0/public/hal_wifi_supplicant.te b/prebuilts/api/31.0/public/hal_wifi_supplicant.te
deleted file mode 100644
index 7361af1..0000000
--- a/prebuilts/api/31.0/public/hal_wifi_supplicant.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# HwBinder IPC from client to server
-binder_call(hal_wifi_supplicant_client, hal_wifi_supplicant_server)
-binder_call(hal_wifi_supplicant_server, hal_wifi_supplicant_client)
-
-hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
-allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(hal_wifi_supplicant, sysfs_type)
-r_dir_file(hal_wifi_supplicant, proc_net_type)
-
-allow hal_wifi_supplicant kernel:system module_request;
-allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
-allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
-allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
-allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow hal_wifi_supplicant self:packet_socket create_socket_perms;
-allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant_server)
-
-# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
-allow hal_wifi_supplicant wifi_key:keystore2_key {
- get_info
- use
-};
-
-###
-### neverallow rules
-###
-
-# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
diff --git a/prebuilts/api/31.0/public/healthd.te b/prebuilts/api/31.0/public/healthd.te
deleted file mode 100644
index 05acb84..0000000
--- a/prebuilts/api/31.0/public/healthd.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# healthd - battery/charger monitoring service daemon
-type healthd, domain;
-type healthd_exec, system_file_type, exec_type, file_type;
-
-# Write to /dev/kmsg
-allow healthd kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-allow healthd sysfs_type:dir search;
-# Allow to read /sys/class/power_supply directory.
-allow healthd sysfs:dir r_dir_perms;
-r_dir_file(healthd, rootfs)
-r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
-
-allow healthd self:global_capability_class_set { sys_tty_config };
-allow healthd self:global_capability_class_set sys_boot;
-dontaudit healthd self:global_capability_class_set sys_resource;
-
-allow healthd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(healthd)
-
-hal_client_domain(healthd, hal_health)
-
-# Read/write to /sys/power/state
-allow healthd sysfs_power:file rw_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow healthd sysfs_usb:file write;
-
-r_dir_file(healthd, sysfs_batteryinfo)
-
-###
-### healthd: charger mode
-###
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow healthd pstorefs:dir r_dir_perms;
-allow healthd pstorefs:file r_file_perms;
-
-allow healthd graphics_device:dir r_dir_perms;
-allow healthd graphics_device:chr_file rw_file_perms;
-allow healthd input_device:dir r_dir_perms;
-allow healthd input_device:chr_file r_file_perms;
-allow healthd tty_device:chr_file rw_file_perms;
-allow healthd ashmem_device:chr_file execute;
-allow healthd proc_sysrq:file rw_file_perms;
diff --git a/prebuilts/api/31.0/public/heapprofd.te b/prebuilts/api/31.0/public/heapprofd.te
deleted file mode 100644
index 7ceb23f..0000000
--- a/prebuilts/api/31.0/public/heapprofd.te
+++ /dev/null
@@ -1 +0,0 @@
-type heapprofd, domain, coredomain;
diff --git a/prebuilts/api/31.0/public/hwservice.te b/prebuilts/api/31.0/public/hwservice.te
deleted file mode 100644
index 11b77f0..0000000
--- a/prebuilts/api/31.0/public/hwservice.te
+++ /dev/null
@@ -1,101 +0,0 @@
-# hwservice types. By default most of the HALs are protected_hwservice, which means
-# access from untrusted apps is prohibited.
-type default_android_hwservice, hwservice_manager_type, protected_hwservice;
-type fwk_camera_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_scheduler_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_sensor_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_stats_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type fwk_automotive_display_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type hal_atrace_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_audiocontrol_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_authsecret_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bluetooth_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_bootctl_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_broadcastradio_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_camera_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_bus_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_can_controller_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_confirmationui_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_contexthub_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_dumpstate_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_evs_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_face_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_fingerprint_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gatekeeper_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_gnss_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_graphics_composer_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_health_storage_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_input_classifier_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_ir_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_keymaster_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_light_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_lowpan_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_memtrack_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_nfc_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_oemlock_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_power_stats_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_secure_element_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_sensors_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_telephony_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tetheroffload_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_thermal_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_cec_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_input_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_tv_tuner_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_gadget_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_usb_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vehicle_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vibrator_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_vr_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_weaver_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hostapd_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_hwservice, hwservice_manager_type, protected_hwservice;
-type hal_wifi_supplicant_hwservice, hwservice_manager_type, protected_hwservice;
-type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
-
-# Following is the hwservices that are explicitly not marked with protected_hwservice.
-# These are directly accessible from untrusted apps.
-# - same process services: because they by definition run in the process
-# of the client and thus have the same access as the client domain in which
-# the process runs
-# - coredomain_hwservice: are considered safer than ordinary hwservices which
-# are from vendor partition
-# - hal_configstore_ISurfaceFlingerConfigs: becuase it has specifically been
-# designed for use by any domain.
-# - hal_graphics_allocator_hwservice: because these operations are also offered
-# by surfaceflinger Binder service, which apps are permitted to access
-# - hal_omx_hwservice: because this is a HwBinder version of the mediacodec
-# Binder service which apps were permitted to access.
-# - hal_codec2_hwservice: because this is a newer version of hal_omx_hwservice.
-# - hal_drm_hwservice: versions > API 29 are designed specifically with
-# untrusted app access in mind.
-type fwk_bufferhub_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hal_cas_hwservice, hwservice_manager_type;
-type hal_codec2_hwservice, hwservice_manager_type;
-type hal_configstore_ISurfaceFlingerConfigs, hwservice_manager_type;
-type hal_drm_hwservice, hwservice_manager_type;
-type hal_graphics_allocator_hwservice, hwservice_manager_type;
-type hal_graphics_mapper_hwservice, hwservice_manager_type, same_process_hwservice;
-type hal_neuralnetworks_hwservice, hwservice_manager_type;
-type hal_omx_hwservice, hwservice_manager_type;
-type hal_renderscript_hwservice, hwservice_manager_type, same_process_hwservice;
-type hidl_allocator_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_base_hwservice, hwservice_manager_type;
-type hidl_manager_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_memory_hwservice, hwservice_manager_type, coredomain_hwservice;
-type hidl_token_hwservice, hwservice_manager_type, coredomain_hwservice;
-
-###
-### Neverallow rules
-###
-
-# hwservicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a
-# hwservice. Trigger a compile error if this occurs.
-neverallow domain ~hwservice_manager_type:hwservice_manager { add find };
diff --git a/prebuilts/api/31.0/public/hwservicemanager.te b/prebuilts/api/31.0/public/hwservicemanager.te
deleted file mode 100644
index 7ec1872..0000000
--- a/prebuilts/api/31.0/public/hwservicemanager.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# hwservicemanager - the Binder context manager for HAL services
-type hwservicemanager, domain, mlstrustedsubject;
-type hwservicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# hwservicemanager provides name service (aka context manager)
-# for hwbinder.
-# Additionally, it initiates binder IPC calls to
-# clients who request service notifications. The permission
-# to do this is granted in the hwbinder_use macro.
-allow hwservicemanager self:binder set_context_mgr;
-
-# Scan through /system/lib64/hw looking for installed HALs
-allow hwservicemanager system_file:dir r_dir_perms;
-
-# Read hwservice_contexts
-allow hwservicemanager hwservice_contexts_file:file r_file_perms;
-
-# Check SELinux permissions.
-selinux_check_access(hwservicemanager)
diff --git a/prebuilts/api/31.0/public/idmap.te b/prebuilts/api/31.0/public/idmap.te
deleted file mode 100644
index f41f573..0000000
--- a/prebuilts/api/31.0/public/idmap.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# idmap, when executed by installd
-type idmap, domain;
-type idmap_exec, system_file_type, exec_type, file_type;
-
-# TODO remove /system/bin/idmap and the link between idmap and installd (b/118711077)
-# Use open file to /data/resource-cache file inherited from installd.
-allow idmap installd:fd use;
-allow idmap resourcecache_data_file:file create_file_perms;
-allow idmap resourcecache_data_file:dir rw_dir_perms;
-
-# Ignore reading /proc/<pid>/maps after a fork.
-dontaudit idmap installd:file read;
-
-# Open and read from target and overlay apk files passed by argument.
-allow idmap apk_data_file:file r_file_perms;
-allow idmap apk_data_file:dir search;
-
-# Allow /data/app/vmdl*.tmp, /data/app-private/vmdl*.tmp files
-allow idmap { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
-allow idmap { apk_tmp_file apk_private_tmp_file }:dir search;
-
-# Allow apps access to /vendor/app
-r_dir_file(idmap, vendor_app_file)
-
-# Allow apps access to /vendor/overlay
-r_dir_file(idmap, vendor_overlay_file)
-
-# Allow the idmap2d binary to register as a service and communicate via AIDL
-binder_use(idmap)
-binder_service(idmap)
-add_service(idmap, idmap_service)
diff --git a/prebuilts/api/31.0/public/incident.te b/prebuilts/api/31.0/public/incident.te
deleted file mode 100644
index ce57bf6..0000000
--- a/prebuilts/api/31.0/public/incident.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# The incident command is used to call into the incidentd service to
-# take an incident report (binary, shared bugreport), download incident
-# reports that have already been taken, and monitor for new ones.
-# It doesn't do anything else.
-
-# incident
-type incident, domain;
-
diff --git a/prebuilts/api/31.0/public/incident_helper.te b/prebuilts/api/31.0/public/incident_helper.te
deleted file mode 100644
index bca1018..0000000
--- a/prebuilts/api/31.0/public/incident_helper.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# The incident_helper is called by incidentd and
-# can only read/write data from/to incidentd
-
-# incident_helper
-type incident_helper, domain;
diff --git a/prebuilts/api/31.0/public/incidentd.te b/prebuilts/api/31.0/public/incidentd.te
deleted file mode 100644
index b03249c..0000000
--- a/prebuilts/api/31.0/public/incidentd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# incidentd
-type incidentd, domain;
-
diff --git a/prebuilts/api/31.0/public/init.te b/prebuilts/api/31.0/public/init.te
deleted file mode 100644
index ea5a979..0000000
--- a/prebuilts/api/31.0/public/init.te
+++ /dev/null
@@ -1,659 +0,0 @@
-# init is its own domain.
-type init, domain, mlstrustedsubject;
-type init_exec, system_file_type, exec_type, file_type;
-type init_tmpfs, file_type;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-#
-# init direct restorecon calls.
-#
-# /dev/kmsg
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-# /dev/kmsg_debug
-userdebug_or_eng(`
- allow init kmsg_debug_device:chr_file { open write relabelto };
-')
-
-# allow init to mount and unmount debugfs in debug builds
-userdebug_or_eng(`
- allow init debugfs:dir mounton;
-')
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# allow init to establish connection and communicate with lmkd
-unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-allow init {
- metadata_block_device
- misc_block_device
- recovery_block_device
- system_block_device
- userdata_block_device
-}:{ blk_file lnk_file } relabelto;
-
-allow init super_block_device:lnk_file relabelto;
-
-# Create /mnt/sdcard -> /storage/self/primary symlink.
-allow init mnt_sdcard_file:lnk_file create;
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Create /dev/fscklogs files.
-allow init fscklogs:file create_file_perms;
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
- rootfs
- cache_file
- cgroup
- linkerconfig_file
- storage_file
- mnt_user_file
- system_data_file
- system_data_root_file
- system_file
- vendor_file
- postinstall_mnt_dir
- mirror_data_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Bind-mount on /system/apex/com.android.art
-allow init art_apex_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# /config
-allow init configfs:dir mounton;
-allow init configfs:dir create_dir_perms;
-allow init configfs:{ file lnk_file } create_file_perms;
-
-# /metadata
-allow init metadata_file:dir mounton;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-# Set system clock.
-allow init self:global_capability_class_set sys_time;
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
- fs_type
- enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
- userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -apex_info_file
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -runtime_event_log_tags_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-allow init {
- file_type
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -apex_mnt_dir
- -app_data_file
- -exec_type
- -gsi_data_file
- -iorapd_data_file
- -credstore_data_file
- -keystore_data_file
- -misc_logd_file
- -nativetest_data_file
- -privapp_data_file
- -shell_data_file
- -system_app_data_file
- -system_file_type
- -vendor_file_type
- -vold_data_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init cache_file:lnk_file r_file_perms;
-
-allow init {
- file_type
- -system_file_type
- -vendor_file_type
- -exec_type
- -app_data_file
- -privapp_data_file
-}:dir_file_class_set relabelto;
-
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow init debugfs_tracing:file w_file_perms;
-
-# Setup and control wifi event tracing (see wifi-events.rc)
-allow init debugfs_tracing_instances:dir create_dir_perms;
-allow init debugfs_tracing_instances:file w_file_perms;
-allow init debugfs_wifi_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow init {
- fs_type
- -contextmount_type
- -keychord_device
- -proc_type
- -sdcard_type
- -sysfs_type
- -rootfs
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
-
-allow init {
- binder_device
- console_device
- devpts
- dm_device
- hwbinder_device
- input_device
- kmsg_device
- null_device
- owntty_device
- pmsg_device
- ptmx_device
- random_device
- tty_device
- zero_device
-}:chr_file { read open };
-
-# Unlabeled file access for upgrades from 4.2.
-allow init unlabeled:dir { create_dir_perms relabelfrom };
-allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-userdebug_or_eng(`
- # Overlayfs workdir write access check during mount to permit remount,rw
- allow init overlayfs_file:dir { relabelfrom mounton write };
- allow init overlayfs_file:file { append };
- allow init system_block_device:blk_file { write };
-')
-
-allow init {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_diskstats
- proc_kmsg # Open /proc/kmsg for logd service.
- proc_meminfo
- proc_stat # Read /proc/stat for bootchart.
- proc_uptime
- proc_version
-}:file r_file_perms;
-
-allow init {
- proc_abi
- proc_dirty
- proc_hostname
- proc_hung_task
- proc_extra_free_kbytes
- proc_net_type
- proc_max_map_count
- proc_min_free_order_shift
- proc_overcommit_memory # /proc/sys/vm/overcommit_memory
- proc_panic
- proc_page_cluster
- proc_perf
- proc_sched
- proc_sysrq
-}:file w_file_perms;
-
-allow init {
- proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
- proc_cmdline
- proc_bootconfig
- proc_kmsg
- proc_net
- proc_pagetypeinfo
- proc_qtaguid_stat
- proc_slabinfo
- proc_sysrq
- proc_qtaguid_ctrl
- proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_dm_verity
- sysfs_leds
- sysfs_power
- sysfs_fs_f2fs
- sysfs_dm
-}:file w_file_perms;
-
-allow init {
- sysfs_dt_firmware_android
- sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
- sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
- LOOP_SET_FD
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_GET_STATUS
-};
-
-# Allow init to write to vibrator/trigger
-allow init sysfs_vibrator:file w_file_perms;
-
-# init chmod/chown access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_devices_system_cpu
- sysfs_ipv4
- sysfs_leds
- sysfs_lowmemorykiller
- sysfs_power
- sysfs_vibrator
- sysfs_wake_lock
- sysfs_zram
-}:file setattr;
-
-# Set usermodehelpers.
-allow init { usermodehelper sysfs_usermodehelper }:file rw_file_perms;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
-# Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { open create getattr setattr write };
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates credstore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init credstore_data_file:dir { open create read getattr setattr search };
-allow init credstore_data_file:file { getattr };
-
-# Init creates keystore's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init keystore_data_file:dir { open create read getattr setattr search };
-allow init keystore_data_file:file { getattr };
-
-# Init creates vold's directory on boot, and walks through
-# the directory as part of a recursive restorecon.
-allow init vold_data_file:dir { open create read getattr setattr search };
-allow init vold_data_file:file { getattr };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Create /data/property and files within it.
-allow init property_data_file:dir create_dir_perms;
-allow init property_data_file:file create_file_perms;
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# swapon() needs write access to swap device
-# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
-allow init swap_block_device:blk_file rw_file_perms;
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# keychord retrieval from /dev/input/ devices
-allow init input_device:dir r_dir_perms;
-allow init input_device:chr_file rw_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# Access dm-user for OTA boot
-allow init dm_user_device:chr_file rw_file_perms;
-
-# Access metadata block device for storing dm-verity state
-allow init metadata_block_device:blk_file rw_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops to detect restarts caused
-# by dm-verity detecting corrupted blocks
-allow init pstorefs:dir search;
-allow init pstorefs:file r_file_perms;
-allow init kernel:system syslog_read;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-# Allow init to create /data/unencrypted
-allow init unencrypted_data_file:dir create_dir_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm init { data_file_type unlabeled }:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-# Raw writes to misc block device
-allow init misc_block_device:blk_file w_file_perms;
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# For init to be able to run shell scripts from vendor
-allow init vendor_shell_exec:file execute;
-
-# Metadata setup
-allow init vold_metadata_file:dir create_dir_perms;
-allow init vold_metadata_file:file getattr;
-allow init metadata_bootstat_file:dir create_dir_perms;
-allow init metadata_bootstat_file:file w_file_perms;
-allow init userspace_reboot_metadata_file:file w_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-allow init system_bootstrap_lib_file:dir r_dir_perms;
-allow init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-# allow filesystem tuning
-allow init userdata_sysdev:file create_file_perms;
-
-###
-### neverallow rules
-###
-
-# The init domain is only entered via an exec based transition from the
-# kernel domain, never via setcon().
-neverallow domain init:process dyntransition;
-neverallow { domain -kernel } init:process transition;
-neverallow init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow init shell_data_file:lnk_file read;
-neverallow init { app_data_file privapp_data_file }:lnk_file read;
-
-# init should never execute a program without changing to another domain.
-neverallow init { file_type fs_type }:file execute_no_trans;
-
-# The use of sensitive environment variables, such as LD_PRELOAD, is disallowed
-# when init is executing other binaries. The use of LD_PRELOAD for init spawned
-# services is generally considered a no-no, as it injects libraries which the
-# binary was not expecting. This is especially problematic for APEXes. The use
-# of LD_PRELOAD via APEXes is a layering violation, and inappropriately loads
-# code into a process which wasn't expecting that code, with potentially
-# unexpected side effects. (b/140789528)
-neverallow init *:process noatsecure;
-
-# init can never add binder services
-neverallow init service_manager_type:service_manager { add find };
-# init can never list binder services
-neverallow init servicemanager:service_manager list;
-
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow init shell_data_file:dir { write add_name remove_name };
-
-# Init should not access sysfs node that are not explicitly labeled.
-neverallow init sysfs:file { open read write };
-
-# No domain should be allowed to ptrace init.
-neverallow * init:process ptrace;
-
-# init owns the root of /data
-# TODO(b/140259336) We want to remove vendor_init
-# TODO(b/141108496) We want to remove toolbox
-neverallow { domain -init -toolbox -vendor_init -vold } system_data_root_file:dir { write add_name remove_name };
diff --git a/prebuilts/api/31.0/public/inputflinger.te b/prebuilts/api/31.0/public/inputflinger.te
deleted file mode 100644
index b62c06d..0000000
--- a/prebuilts/api/31.0/public/inputflinger.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# inputflinger
-type inputflinger, domain;
-type inputflinger_exec, system_file_type, exec_type, file_type;
-
-binder_use(inputflinger)
-binder_service(inputflinger)
-
-binder_call(inputflinger, system_server)
-
-wakelock_use(inputflinger)
-
-allow inputflinger input_device:dir r_dir_perms;
-allow inputflinger input_device:chr_file rw_file_perms;
-
-r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/prebuilts/api/31.0/public/installd.te b/prebuilts/api/31.0/public/installd.te
deleted file mode 100644
index 08060e3..0000000
--- a/prebuilts/api/31.0/public/installd.te
+++ /dev/null
@@ -1,179 +0,0 @@
-# installer daemon
-type installd, domain;
-type installd_exec, system_file_type, exec_type, file_type;
-typeattribute installd mlstrustedsubject;
-allow installd self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid sys_admin };
-
-# Allow labeling of files under /data/app/com.example/oat/
-allow installd dalvikcache_data_file:dir relabelto;
-allow installd dalvikcache_data_file:file { relabelto link };
-
-# Allow movement of APK files between volumes
-allow installd apk_data_file:dir { create_dir_perms relabelfrom };
-allow installd apk_data_file:file { create_file_perms relabelfrom link };
-allow installd apk_data_file:lnk_file { create r_file_perms unlink };
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY (or in old implementation used in installd,
-# FS_IOC_SET_VERITY_MEASUREMENT) ioctls on APKs in /data/app, to support fsverity.
-# TODO(b/120629632): this path is deprecated, remove when possible.
-allowxperm installd apk_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
-};
-
-allow installd asec_apk_file:file r_file_perms;
-allow installd apk_tmp_file:file { r_file_perms unlink };
-allow installd apk_tmp_file:dir { relabelfrom create_dir_perms };
-allow installd oemfs:dir r_dir_perms;
-allow installd oemfs:file r_file_perms;
-allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
-allow installd mnt_expand_file:dir { search getattr };
-# Check validity of SELinux context before use.
-selinux_check_context(installd)
-
-r_dir_file(installd, rootfs)
-# Scan through APKs in /system/app and /system/priv-app
-r_dir_file(installd, system_file)
-# Scan through APKs in /vendor/app
-r_dir_file(installd, vendor_app_file)
-# Scan through JARs in /vendor/framework
-r_dir_file(installd, vendor_framework_file)
-# Scan through Runtime Resource Overlay APKs in /vendor/overlay
-r_dir_file(installd, vendor_overlay_file)
-# Get file context
-allow installd file_contexts_file:file r_file_perms;
-# Get seapp_context
-allow installd seapp_contexts_file:file r_file_perms;
-
-# Search /data/app-asec and stat files in it.
-allow installd asec_image_file:dir search;
-allow installd asec_image_file:file getattr;
-
-# Create /data/user and /data/user/0 if necessary.
-# Also required to initially create /data/data subdirectories
-# and lib symlinks before the setfilecon call. May want to
-# move symlink creation after setfilecon in installd.
-allow installd system_data_file:dir create_dir_perms;
-# Also, allow read for lnk_file so that we can process /data/user/0 links when
-# optimizing application code.
-allow installd system_data_file:lnk_file { create getattr read setattr unlink };
-
-# Manage lower filesystem via pass_through mounts
-allow installd mnt_pass_through_file:dir r_dir_perms;
-
-# Upgrade /data/media for multi-user if necessary.
-allow installd media_rw_data_file:dir create_dir_perms;
-allow installd media_rw_data_file:file { getattr unlink };
-# restorecon new /data/media directory.
-allow installd system_data_file:dir relabelfrom;
-allow installd media_rw_data_file:dir relabelto;
-
-# Delete /data/media files through sdcardfs, instead of going behind its back
-allow installd tmpfs:dir r_dir_perms;
-allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
-
-# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
-allow installd mirror_data_file:dir { create_dir_perms mounton };
-
-# Upgrade /data/misc/keychain for multi-user if necessary.
-allow installd misc_user_data_file:dir create_dir_perms;
-allow installd misc_user_data_file:file create_file_perms;
-allow installd keychain_data_file:dir create_dir_perms;
-allow installd keychain_data_file:file {r_file_perms unlink};
-
-# Create /data/misc/installd/layout_version.* file
-allow installd install_data_file:file create_file_perms;
-allow installd install_data_file:dir rw_dir_perms;
-
-# Create files under /data/dalvik-cache.
-allow installd dalvikcache_data_file:dir create_dir_perms;
-allow installd dalvikcache_data_file:file create_file_perms;
-allow installd dalvikcache_data_file:lnk_file getattr;
-
-# Create files under /data/resource-cache.
-allow installd resourcecache_data_file:dir rw_dir_perms;
-allow installd resourcecache_data_file:file create_file_perms;
-
-# Upgrade from unlabeled userdata.
-# Just need enough to remove and/or relabel it.
-allow installd unlabeled:dir { getattr search relabelfrom rw_dir_perms rmdir };
-allow installd unlabeled:notdevfile_class_set { getattr relabelfrom rename unlink setattr };
-# Read pkg.apk file for input during dexopt.
-allow installd unlabeled:file r_file_perms;
-
-# Upgrade from before system_app_data_file was used for system UID apps.
-# Just need enough to relabel it and to unlink removed package files.
-# Directory access covered by earlier rule above.
-allow installd system_data_file:notdevfile_class_set { getattr relabelfrom unlink };
-
-# Manage /data/data subdirectories, including initially labeling them
-# upon creation via setfilecon or running restorecon_recursive,
-# setting owner/mode, creating symlinks within them, and deleting them
-# upon package uninstall.
-allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
-allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
-allow installd user_profile_data_file:dir { create_dir_perms relabelto };
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:file unlink;
-
-# Allow zygote to unmount mirror directories
-allow installd labeledfs:filesystem unmount;
-
-# Files created/updated by profman dumps.
-allow installd profman_dump_data_file:dir { search add_name write };
-allow installd profman_dump_data_file:file { create setattr open write };
-
-# Create and use pty created by android_fork_execvp().
-allow installd devpts:chr_file rw_file_perms;
-
-# execute toybox for app relocation
-allow installd toolbox_exec:file rx_file_perms;
-
-# Allow installd to publish a binder service and make binder calls.
-binder_use(installd)
-add_service(installd, installd_service)
-allow installd dumpstate:fifo_file { getattr write };
-
-# Allow installd to call into the system server so it can check permissions.
-binder_call(installd, system_server)
-allow installd permission_service:service_manager find;
-
-# Allow installd to read and write quotas
-allow installd block_device:dir { search };
-allow installd labeledfs:filesystem { quotaget quotamod };
-
-# Allow installd to delete from /data/preloads when trimming data caches
-# TODO b/34690396 Remove when time-based purge policy for preloads is implemented in system_server
-allow installd preloads_data_file:file { r_file_perms unlink };
-allow installd preloads_data_file:dir { r_dir_perms write remove_name rmdir };
-allow installd preloads_media_file:file { r_file_perms unlink };
-allow installd preloads_media_file:dir { r_dir_perms write remove_name rmdir };
-
-# Allow installd to read /proc/filesystems
-allow installd proc_filesystems:file r_file_perms;
-
-#add for move app to sd card
-get_prop(installd, storage_config_prop)
-
-# Allow installd to access apps installed on the Incremental File System
-# Accessing files on the Incremental File System uses fds opened in the context of vold.
-allow installd vold:fd use;
-
-###
-### Neverallow rules
-###
-
-# only system_server, installd, dumpstate, and servicemanager may interact with installd over binder
-neverallow { domain -system_server -dumpstate -installd } installd_service:service_manager find;
-neverallow { domain -system_server -dumpstate -servicemanager } installd:binder call;
-neverallow installd {
- domain
- -system_server
- -servicemanager
- userdebug_or_eng(`-su')
-}:binder call;
diff --git a/prebuilts/api/31.0/public/ioctl_defines b/prebuilts/api/31.0/public/ioctl_defines
deleted file mode 100644
index 5ac4d94..0000000
--- a/prebuilts/api/31.0/public/ioctl_defines
+++ /dev/null
@@ -1,2751 +0,0 @@
-define(`ADD_NEW_DISK', `0x40140921')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`AGPIOC_INFO', `0x80084100')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`BC_ACQUIRE', `0x40046305')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`BC_DECREFS', `0x40046307')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_REPLY', `0x40406301')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
-define(`BINDER_FREEZE', `0x400c620e')
-define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
-define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
-define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BINDER_VERSION', `0xc0046209')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKBSZSET', `0x40081271')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKFRASET', `0x00001264')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKGETSIZE64', `0x80081272')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKPG', `0x00001269')
-define(`BLKRAGET', `0x00001263')
-define(`BLKRASET', `0x00001262')
-define(`BLKROGET', `0x0000125e')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKZEROOUT', `0x0000127f')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_DECREFS', `0x8010720a')
-define(`BR_ERROR', `0x80047200')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_OK', `0x00007201')
-define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_REPLY', `0x80407203')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`CA_GET_CAP', `0x80106f81')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CA_RESET', `0x00006f80')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`CA_SET_PID', `0x40086f87')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`CHIOGELEM', `0x406c6310')
-define(`CHIOGPARAMS', `0x80146306')
-define(`CHIOGPICKER', `0x80046304')
-define(`CHIOGSTATUS', `0x40106308')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`CHIOINITELEM', `0x00006311')
-define(`CHIOMOVE', `0x40146301')
-define(`CHIOPOSITION', `0x400c6303')
-define(`CHIOSPICKER', `0x40046305')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`CM_IOCSPTS', `0x40086302')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_VERSION', `0xc138fd00')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DVD_AUTH', `0x00005392')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`ECCGETSTATS', `0x80104d12')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`ENI_SETMULT', `0x40106167')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGVERSION', `0x80044501')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`EVIOCSFF', `0x40304580')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`EVIOCSREP', `0x40084503')
-define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
-define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
-define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
-define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
-define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
-define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
-define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
-define(`F2FS_IOC_DEFRAGMENT', `0xf508')
-define(`F2FS_IOC_MOVE_RANGE', `0xf509')
-define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
-define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
-define(`F2FS_IOC_GET_FEATURES', `0xf50c')
-define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
-define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
-define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
-define(`F2FS_IOC_RESIZE_FS', `0xf510')
-define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
-define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
-define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
-define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
-define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
-define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
-define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
-define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FDCLRPRM', `0x00000241')
-define(`FDDEFPRM', `0x40200243')
-define(`FDEJECT', `0x0000025a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDFMTTRK', `0x400c0248')
-define(`FDGETDRVPRM', `0x80800211')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`FDGETPRM', `0x80200204')
-define(`FDMSGOFF', `0x00000246')
-define(`FDMSGON', `0x00000245')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`FDRAWCMD', `0x00000258')
-define(`FDRESET', `0x00000254')
-define(`FDSETDRVPRM', `0x40800290')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`FDSETPRM', `0x40200242')
-define(`FDTWADDLE', `0x00000259')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDWERRORGET', `0x80280217')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FIBMAP', `0x00000001')
-define(`FIFREEZE', `0xc0045877')
-define(`FIGETBSZ', `0x00000002')
-define(`FIOASYNC', `0x00005452')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOGETOWN', `0x00008903')
-define(`FIONBIO', `0x00005421')
-define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`FIOQSIZE', `0x00005460')
-define(`FIOSETOWN', `0x00008901')
-define(`FITHAW', `0xc0045878')
-define(`FITRIM', `0xc0185879')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
-define(`FS_IOC_ENABLE_VERITY', `0x6685')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`FS_IOC_FSGETXATTR', `0x801c581f')
-define(`FS_IOC_FSSETXATTR', `0x401c5820')
-define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
-define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
-define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`FS_IOC_MEASURE_VERITY', `0x6686')
-define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
-define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`GET_DISK_INFO', `0x80140912')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`GIO_CMAP', `0x00004b70')
-define(`GIO_FONT', `0x00004b60')
-define(`GIO_FONTX', `0x00004b6b')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIINQUIRY', `0x800448f0')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HE_GET_REG', `0x40106160')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`HPET_DPI', `0x00006805')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_INFO', `0x80186803')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`HSC_GET_TX', `0x40106b16')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_SET_TX', `0x40106b15')
-define(`I2OEVTGET', `0x8068690b')
-define(`I2OEVTREG', `0x400c690a')
-define(`I2OGETIOPS', `0x80206900')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OHTML', `0xc0306909')
-define(`I2OLCTGET', `0xc0186902')
-define(`I2OPARMGET', `0xc0286904')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OVALIDATE', `0x80046908')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`IMADDTIMER', `0x80044940')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMGETVERSION', `0x80044942')
-define(`IMHOLD_L1', `0x80044948')
-define(`IMSETDEVNAME', `0x80184947')
-define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
-define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
-define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
-define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
-define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
-define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
-define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
-define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
-define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`IOW_GETINFO', `0x8028c003')
-define(`IOW_READ', `0x4008c002')
-define(`IOW_WRITE', `0x4008c001')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`JSIOCGCORR', `0x80246a22')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`JSIOCSCORR', `0x40246a21')
-define(`KCOV_DISABLE', `0x00006365')
-define(`KCOV_ENABLE', `0x00006364')
-define(`KCOV_INIT_TRACE', `0x80086301')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDDISABIO', `0x00004b37')
-define(`KDENABIO', `0x00004b36')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDGETLED', `0x00004b31')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDGKBENT', `0x00004b46')
-define(`KDGKBLED', `0x00004b64')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDKBDREP', `0x00004b52')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDMKTONE', `0x00004b30')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSETLED', `0x00004b32')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`KDSKBENT', `0x00004b47')
-define(`KDSKBLED', `0x00004b65')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_SET_DIRECT_IO', `0x00004c08')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`MEMERASE', `0x40084d02')
-define(`MEMERASE64', `0x40104d14')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMGETINFO', `0x80204d01')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`MEMISLOCKED', `0x80084d17')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMWRITE', `0xc0304d18')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MTDFILEMODE', `0x00004d13')
-define(`MTIOCGET', `0x80306d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MTIOCTOP', `0x40086d01')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`OTPLOCK', `0x800c4d10')
-define(`OTPSELECT', `0x80044d0d')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GETREG', `0xc0087005')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREGS', `0xc0287007')
-define(`PHN_NOT_OH', `0x00007004')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SETREG', `0x40087006')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREGS', `0x40287008')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`PHONE_RING_START', `0x40087187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PIO_CMAP', `0x00004b71')
-define(`PIO_FONT', `0x00004b61')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`PPCLAIM', `0x0000708b')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPDATADIR', `0x40047090')
-define(`PPEXCL', `0x0000708f')
-define(`PPFCONTROL', `0x4002708e')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETTIME', `0x80107095')
-define(`PPNEGOT', `0x40047091')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCGIFNAME', `0x7488')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`PPRELEASE', `0x0000708c')
-define(`PPRSTATUS', `0x80017081')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PPSETMODE', `0x40047080')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETTIME', `0x40107096')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PPWDATA', `0x40017086')
-define(`PPYIELD', `0x0000708d')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`RAID_AUTORUN', `0x00000914')
-define(`RAID_VERSION', `0x800c0910')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDADDENTROPY', `0x40085203')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`RNDGETENTCNT', `0x80045200')
-define(`RNDGETPOOL', `0x80085202')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PLL_GET', `0x80207011')
-define(`RTC_PLL_SET', `0x40207012')
-define(`RTC_RD_TIME', `0x80247009')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_UIE_ON', `0x00007003')
-define(`RTC_VL_CLR', `0x00007014')
-define(`RTC_VL_READ', `0x80047013')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`RUN_ARRAY', `0x400c0930')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`SET_DISK_INFO', `0x00000924')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_IO', `0x00002285')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`SIOCSPGRP', `0x00008902')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAIN', `0x00004336')
-define(`SNDRV_COMPRESS_PAUSE', `0x00004330')
-define(`SNDRV_COMPRESS_RESUME', `0x00004331')
-define(`SNDRV_COMPRESS_SET_METADATA', `0x40244314')
-define(`SNDRV_COMPRESS_SET_PARAMS', `0x40844312')
-define(`SNDRV_COMPRESS_START', `0x00004332')
-define(`SNDRV_COMPRESS_STOP', `0x00004333')
-define(`SNDRV_COMPRESS_TSTAMP', `0x80144320')
-define(`SNDRV_CTL_IOCTL_CARD_INFO', `0x81785501')
-define(`SNDRV_CTL_IOCTL_ELEM_ADD', `0xc1105517')
-define(`SNDRV_CTL_IOCTL_ELEM_INFO', `0xc1105511')
-define(`SNDRV_CTL_IOCTL_ELEM_LIST', `0xc0505510')
-define(`SNDRV_CTL_IOCTL_ELEM_LOCK', `0x40405514')
-define(`SNDRV_CTL_IOCTL_ELEM_READ', `0xc4c85512')
-define(`SNDRV_CTL_IOCTL_ELEM_REMOVE', `0xc0405519')
-define(`SNDRV_CTL_IOCTL_ELEM_REPLACE', `0xc1105518')
-define(`SNDRV_CTL_IOCTL_ELEM_UNLOCK', `0x40405515')
-define(`SNDRV_CTL_IOCTL_ELEM_WRITE', `0xc4c85513')
-define(`SNDRV_CTL_IOCTL_HWDEP_INFO', `0x80dc5521')
-define(`SNDRV_CTL_IOCTL_HWDEP_NEXT_DEVICE', `0xc0045520')
-define(`SNDRV_CTL_IOCTL_PCM_INFO', `0xc1205531')
-define(`SNDRV_CTL_IOCTL_PCM_NEXT_DEVICE', `0x80045530')
-define(`SNDRV_CTL_IOCTL_PCM_PREFER_SUBDEVICE', `0x40045532')
-define(`SNDRV_CTL_IOCTL_POWER', `0xc00455d0')
-define(`SNDRV_CTL_IOCTL_POWER_STATE', `0x800455d1')
-define(`SNDRV_CTL_IOCTL_PVERSION', `0x80045500')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_INFO', `0xc10c5541')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_NEXT_DEVICE', `0xc0045540')
-define(`SNDRV_CTL_IOCTL_RAWMIDI_PREFER_SUBDEVICE', `0x40045542')
-define(`SNDRV_CTL_IOCTL_SUBSCRIBE_EVENTS', `0xc0045516')
-define(`SNDRV_CTL_IOCTL_TLV_COMMAND', `0xc008551c')
-define(`SNDRV_CTL_IOCTL_TLV_READ', `0xc008551a')
-define(`SNDRV_CTL_IOCTL_TLV_WRITE', `0xc008551b')
-define(`SNDRV_DM_FM_IOCTL_CLEAR_PATCHES', `0x00004840')
-define(`SNDRV_DM_FM_IOCTL_INFO', `0x80024820')
-define(`SNDRV_DM_FM_IOCTL_PLAY_NOTE', `0x400c4822')
-define(`SNDRV_DM_FM_IOCTL_RESET', `0x00004821')
-define(`SNDRV_DM_FM_IOCTL_SET_CONNECTION', `0x40044826')
-define(`SNDRV_DM_FM_IOCTL_SET_MODE', `0x40044825')
-define(`SNDRV_DM_FM_IOCTL_SET_PARAMS', `0x40094824')
-define(`SNDRV_DM_FM_IOCTL_SET_VOICE', `0x40124823')
-define(`SNDRV_EMU10K1_IOCTL_CODE_PEEK', `0xc1b04812')
-define(`SNDRV_EMU10K1_IOCTL_CODE_POKE', `0x41b04811')
-define(`SNDRV_EMU10K1_IOCTL_CONTINUE', `0x00004881')
-define(`SNDRV_EMU10K1_IOCTL_DBG_READ', `0x80044884')
-define(`SNDRV_EMU10K1_IOCTL_INFO', `0x880c4810')
-define(`SNDRV_EMU10K1_IOCTL_PCM_PEEK', `0xc0484831')
-define(`SNDRV_EMU10K1_IOCTL_PCM_POKE', `0x40484830')
-define(`SNDRV_EMU10K1_IOCTL_PVERSION', `0x80044840')
-define(`SNDRV_EMU10K1_IOCTL_SINGLE_STEP', `0x40044883')
-define(`SNDRV_EMU10K1_IOCTL_STOP', `0x00004880')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_PEEK', `0xc0104822')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_POKE', `0x40104821')
-define(`SNDRV_EMU10K1_IOCTL_TRAM_SETUP', `0x40044820')
-define(`SNDRV_EMU10K1_IOCTL_ZERO_TRAM_COUNTER', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_LOAD_PATCH', `0xc0104881')
-define(`SNDRV_EMUX_IOCTL_MEM_AVAIL', `0x40044884')
-define(`SNDRV_EMUX_IOCTL_MISC_MODE', `0xc0104884')
-define(`SNDRV_EMUX_IOCTL_REMOVE_LAST_SAMPLES', `0x00004883')
-define(`SNDRV_EMUX_IOCTL_RESET_SAMPLES', `0x00004882')
-define(`SNDRV_EMUX_IOCTL_VERSION', `0x80044880')
-define(`SNDRV_FIREWIRE_IOCTL_GET_INFO', `0x802048f8')
-define(`SNDRV_FIREWIRE_IOCTL_LOCK', `0x000048f9')
-define(`SNDRV_FIREWIRE_IOCTL_UNLOCK', `0x000048fa')
-define(`SNDRV_HDSP_IOCTL_GET_9632_AEB', `0x80084845')
-define(`SNDRV_HDSP_IOCTL_GET_CONFIG_INFO', `0x80244841')
-define(`SNDRV_HDSP_IOCTL_GET_MIXER', `0x90004844')
-define(`SNDRV_HDSP_IOCTL_GET_PEAK_RMS', `0x83b04840')
-define(`SNDRV_HDSP_IOCTL_GET_VERSION', `0x80084843')
-define(`SNDRV_HDSP_IOCTL_UPLOAD_FIRMWARE', `0x40084842')
-define(`SNDRV_HDSPM_IOCTL_GET_CONFIG', `0x80184841')
-define(`SNDRV_HDSPM_IOCTL_GET_LTC', `0x80104846')
-define(`SNDRV_HDSPM_IOCTL_GET_MIXER', `0x80084844')
-define(`SNDRV_HDSPM_IOCTL_GET_PEAK_RMS', `0x89084842')
-define(`SNDRV_HDSPM_IOCTL_GET_STATUS', `0x80204847')
-define(`SNDRV_HDSPM_IOCTL_GET_VERSION', `0x80244848')
-define(`SNDRV_HWDEP_IOCTL_DSP_LOAD', `0x40604803')
-define(`SNDRV_HWDEP_IOCTL_DSP_STATUS', `0x80404802')
-define(`SNDRV_HWDEP_IOCTL_INFO', `0x80dc4801')
-define(`SNDRV_HWDEP_IOCTL_PVERSION', `0x80044800')
-define(`SNDRV_PCM_IOCTL_CHANNEL_INFO', `0x80184132')
-define(`SNDRV_PCM_IOCTL_DELAY', `0x80084121')
-define(`SNDRV_PCM_IOCTL_DRAIN', `0x00004144')
-define(`SNDRV_PCM_IOCTL_DROP', `0x00004143')
-define(`SNDRV_PCM_IOCTL_FORWARD', `0x40084149')
-define(`SNDRV_PCM_IOCTL_HW_FREE', `0x00004112')
-define(`SNDRV_PCM_IOCTL_HW_PARAMS', `0xc2604111')
-define(`SNDRV_PCM_IOCTL_HW_REFINE', `0xc2604110')
-define(`SNDRV_PCM_IOCTL_HWSYNC', `0x00004122')
-define(`SNDRV_PCM_IOCTL_INFO', `0x81204101')
-define(`SNDRV_PCM_IOCTL_LINK', `0x40044160')
-define(`SNDRV_PCM_IOCTL_PAUSE', `0x40044145')
-define(`SNDRV_PCM_IOCTL_PREPARE', `0x00004140')
-define(`SNDRV_PCM_IOCTL_PVERSION', `0x80044100')
-define(`SNDRV_PCM_IOCTL_READI_FRAMES', `0x80184151')
-define(`SNDRV_PCM_IOCTL_READN_FRAMES', `0x80184153')
-define(`SNDRV_PCM_IOCTL_RESET', `0x00004141')
-define(`SNDRV_PCM_IOCTL_RESUME', `0x00004147')
-define(`SNDRV_PCM_IOCTL_REWIND', `0x40084146')
-define(`SNDRV_PCM_IOCTL_START', `0x00004142')
-define(`SNDRV_PCM_IOCTL_STATUS', `0x80984120')
-define(`SNDRV_PCM_IOCTL_SW_PARAMS', `0xc0884113')
-define(`SNDRV_PCM_IOCTL_SYNC_PTR', `0xc0884123')
-define(`SNDRV_PCM_IOCTL_TSTAMP', `0x40044102')
-define(`SNDRV_PCM_IOCTL_TTSTAMP', `0x40044103')
-define(`SNDRV_PCM_IOCTL_UNLINK', `0x00004161')
-define(`SNDRV_PCM_IOCTL_WRITEI_FRAMES', `0x40184150')
-define(`SNDRV_PCM_IOCTL_WRITEN_FRAMES', `0x40184152')
-define(`SNDRV_PCM_IOCTL_XRUN', `0x00004148')
-define(`SNDRV_RAWMIDI_IOCTL_DRAIN', `0x40045731')
-define(`SNDRV_RAWMIDI_IOCTL_DROP', `0x40045730')
-define(`SNDRV_RAWMIDI_IOCTL_INFO', `0x810c5701')
-define(`SNDRV_RAWMIDI_IOCTL_PARAMS', `0xc0305710')
-define(`SNDRV_RAWMIDI_IOCTL_PVERSION', `0x80045700')
-define(`SNDRV_RAWMIDI_IOCTL_STATUS', `0xc0385720')
-define(`SNDRV_SB_CSP_IOCTL_INFO', `0x80284810')
-define(`SNDRV_SB_CSP_IOCTL_LOAD_CODE', `0x70124811')
-define(`SNDRV_SB_CSP_IOCTL_PAUSE', `0x00004815')
-define(`SNDRV_SB_CSP_IOCTL_RESTART', `0x00004816')
-define(`SNDRV_SB_CSP_IOCTL_START', `0x40084813')
-define(`SNDRV_SB_CSP_IOCTL_STOP', `0x00004814')
-define(`SNDRV_SB_CSP_IOCTL_UNLOAD_CODE', `0x00004812')
-define(`SNDRV_SEQ_IOCTL_CLIENT_ID', `0x80045301')
-define(`SNDRV_SEQ_IOCTL_CREATE_PORT', `0xc0a85320')
-define(`SNDRV_SEQ_IOCTL_CREATE_QUEUE', `0xc08c5332')
-define(`SNDRV_SEQ_IOCTL_DELETE_PORT', `0x40a85321')
-define(`SNDRV_SEQ_IOCTL_DELETE_QUEUE', `0x408c5333')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_INFO', `0xc0bc5310')
-define(`SNDRV_SEQ_IOCTL_GET_CLIENT_POOL', `0xc058534b')
-define(`SNDRV_SEQ_IOCTL_GET_NAMED_QUEUE', `0xc08c5336')
-define(`SNDRV_SEQ_IOCTL_GET_PORT_INFO', `0xc0a85322')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_CLIENT', `0xc04c5349')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_INFO', `0xc08c5334')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_OWNER', `0xc0005343')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_STATUS', `0xc05c5340')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TEMPO', `0xc02c5341')
-define(`SNDRV_SEQ_IOCTL_GET_QUEUE_TIMER', `0xc0605345')
-define(`SNDRV_SEQ_IOCTL_GET_SUBSCRIPTION', `0xc0505350')
-define(`SNDRV_SEQ_IOCTL_PVERSION', `0x80045300')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT', `0xc0bc5351')
-define(`SNDRV_SEQ_IOCTL_QUERY_NEXT_PORT', `0xc0a85352')
-define(`SNDRV_SEQ_IOCTL_QUERY_SUBS', `0xc058534f')
-define(`SNDRV_SEQ_IOCTL_REMOVE_EVENTS', `0x4040534e')
-define(`SNDRV_SEQ_IOCTL_RUNNING_MODE', `0xc0105303')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_INFO', `0x40bc5311')
-define(`SNDRV_SEQ_IOCTL_SET_CLIENT_POOL', `0x4058534c')
-define(`SNDRV_SEQ_IOCTL_SET_PORT_INFO', `0x40a85323')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_CLIENT', `0x404c534a')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_INFO', `0xc08c5335')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_OWNER', `0x40005344')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TEMPO', `0x402c5342')
-define(`SNDRV_SEQ_IOCTL_SET_QUEUE_TIMER', `0x40605346')
-define(`SNDRV_SEQ_IOCTL_SUBSCRIBE_PORT', `0x40505330')
-define(`SNDRV_SEQ_IOCTL_SYSTEM_INFO', `0xc0305302')
-define(`SNDRV_SEQ_IOCTL_UNSUBSCRIBE_PORT', `0x40505331')
-define(`SNDRV_TIMER_IOCTL_CONTINUE', `0x000054a2')
-define(`SNDRV_TIMER_IOCTL_GINFO', `0xc0f85403')
-define(`SNDRV_TIMER_IOCTL_GPARAMS', `0x40485404')
-define(`SNDRV_TIMER_IOCTL_GSTATUS', `0xc0505405')
-define(`SNDRV_TIMER_IOCTL_INFO', `0x80e85411')
-define(`SNDRV_TIMER_IOCTL_NEXT_DEVICE', `0xc0145401')
-define(`SNDRV_TIMER_IOCTL_PARAMS', `0x40505412')
-define(`SNDRV_TIMER_IOCTL_PAUSE', `0x000054a3')
-define(`SNDRV_TIMER_IOCTL_PVERSION', `0x80045400')
-define(`SNDRV_TIMER_IOCTL_SELECT', `0x40345410')
-define(`SNDRV_TIMER_IOCTL_START', `0x000054a0')
-define(`SNDRV_TIMER_IOCTL_STATUS', `0x80605414')
-define(`SNDRV_TIMER_IOCTL_STOP', `0x000054a1')
-define(`SNDRV_TIMER_IOCTL_TREAD', `0x40045402')
-define(`SONET_CLRDIAG', `0xc0046113')
-define(`SONET_GETDIAG', `0x80046114')
-define(`SONET_GETFRAMING', `0x80046116')
-define(`SONET_GETFRSENSE', `0x80066117')
-define(`SONET_GETSTAT', `0x80246110')
-define(`SONET_GETSTATZ', `0x80246111')
-define(`SONET_SETDIAG', `0xc0046112')
-define(`SONET_SETFRAMING', `0x40046115')
-define(`SONYPI_IOCGBAT1CAP', `0x80027602')
-define(`SONYPI_IOCGBAT1REM', `0x80027603')
-define(`SONYPI_IOCGBAT2CAP', `0x80027604')
-define(`SONYPI_IOCGBAT2REM', `0x80027605')
-define(`SONYPI_IOCGBATFLAGS', `0x80017607')
-define(`SONYPI_IOCGBLUE', `0x80017608')
-define(`SONYPI_IOCGBRT', `0x80017600')
-define(`SONYPI_IOCGFAN', `0x8001760a')
-define(`SONYPI_IOCGTEMP', `0x8001760c')
-define(`SONYPI_IOCSBLUE', `0x40017609')
-define(`SONYPI_IOCSBRT', `0x40017600')
-define(`SONYPI_IOCSFAN', `0x4001760b')
-define(`SOUND_MIXER_3DSE', `0xc0044d68')
-define(`SOUND_MIXER_ACCESS', `0xc0804d66')
-define(`SOUND_MIXER_AGC', `0xc0044d67')
-define(`SOUND_MIXER_GETLEVELS', `0xc0a44d74')
-define(`SOUND_MIXER_INFO', `0x805c4d65')
-define(`SOUND_MIXER_PRIVATE1', `0xc0044d6f')
-define(`SOUND_MIXER_PRIVATE2', `0xc0044d70')
-define(`SOUND_MIXER_PRIVATE3', `0xc0044d71')
-define(`SOUND_MIXER_PRIVATE4', `0xc0044d72')
-define(`SOUND_MIXER_PRIVATE5', `0xc0044d73')
-define(`SOUND_MIXER_SETLEVELS', `0xc0a44d75')
-define(`SOUND_OLD_MIXER_INFO', `0x80304d65')
-define(`SOUND_PCM_READ_BITS', `0x80045005')
-define(`SOUND_PCM_READ_CHANNELS', `0x80045006')
-define(`SOUND_PCM_READ_FILTER', `0x80045007')
-define(`SOUND_PCM_READ_RATE', `0x80045002')
-define(`SOUND_PCM_WRITE_FILTER', `0xc0045007')
-define(`SPI_IOC_RD_BITS_PER_WORD', `0x80016b03')
-define(`SPI_IOC_RD_LSB_FIRST', `0x80016b02')
-define(`SPI_IOC_RD_MAX_SPEED_HZ', `0x80046b04')
-define(`SPI_IOC_RD_MODE', `0x80016b01')
-define(`SPI_IOC_RD_MODE32', `0x80046b05')
-define(`SPI_IOC_WR_BITS_PER_WORD', `0x40016b03')
-define(`SPI_IOC_WR_LSB_FIRST', `0x40016b02')
-define(`SPI_IOC_WR_MAX_SPEED_HZ', `0x40046b04')
-define(`SPI_IOC_WR_MODE', `0x40016b01')
-define(`SPI_IOC_WR_MODE32', `0x40046b05')
-define(`SPIOCSTYPE', `0x40087101')
-define(`SSTFB_GET_VGAPASS', `0x800446dd')
-define(`SSTFB_SET_VGAPASS', `0x400446dd')
-define(`STOP_ARRAY', `0x00000932')
-define(`STOP_ARRAY_RO', `0x00000933')
-define(`SW_SYNC_IOC_CREATE_FENCE', `0xc0285700')
-define(`SW_SYNC_IOC_INC', `0x40045701')
-define(`SYNC_IOC_FENCE_INFO', `0xc0283e02')
-define(`SYNC_IOC_MERGE', `0xc0283e01')
-define(`SYNC_IOC_WAIT', `0x40043e00')
-define(`TCFLSH', `0x0000540b')
-define(`TCGETA', `0x00005405')
-define(`TCGETS2', `0x802c542a')
-define(`TCGETS', ifelse(target_arch, mips, 0x0000540d, 0x00005401))
-define(`TCGETX', `0x00005432')
-define(`TCSBRK', `0x00005409')
-define(`TCSBRKP', `0x00005425')
-define(`TCSETA', `0x00005406')
-define(`TCSETAF', `0x00005408')
-define(`TCSETAW', `0x00005407')
-define(`TCSETS', `0x00005402')
-define(`TCSETS2', `0x402c542b')
-define(`TCSETSF', `0x00005404')
-define(`TCSETSF2', `0x402c542d')
-define(`TCSETSW', `0x00005403')
-define(`TCSETSW2', `0x402c542c')
-define(`TCSETX', `0x00005433')
-define(`TCSETXF', `0x00005434')
-define(`TCSETXW', `0x00005435')
-define(`TCXONC', `0x0000540a')
-define(`TFD_IOC_SET_TICKS', `0x40085400')
-define(`TIOCCBRK', `0x00005428')
-define(`TIOCCONS', `0x0000541d')
-define(`TIOCEXCL', `0x0000540c')
-define(`TIOCGDEV', `0x80045432')
-define(`TIOCGETD', `0x00005424')
-define(`TIOCGEXCL', `0x80045440')
-define(`TIOCGICOUNT', `0x0000545d')
-define(`TIOCGLCKTRMIOS', `0x00005456')
-define(`TIOCGPGRP', `0x0000540f')
-define(`TIOCGPKT', `0x80045438')
-define(`TIOCGPTLCK', `0x80045439')
-define(`TIOCGPTN', `0x80045430')
-define(`TIOCGRS485', `0x0000542e')
-define(`TIOCGSERIAL', `0x0000541e')
-define(`TIOCGSID', `0x00005429')
-define(`TIOCGSOFTCAR', `0x00005419')
-define(`TIOCGWINSZ', ifelse(target_arch, mips, 0x80087468, 0x00005413))
-define(`TIOCLINUX', `0x0000541c')
-define(`TIOCMBIC', `0x00005417')
-define(`TIOCMBIS', `0x00005416')
-define(`TIOCMGET', `0x00005415')
-define(`TIOCMIWAIT', `0x0000545c')
-define(`TIOCMSET', `0x00005418')
-define(`TIOCNOTTY', `0x00005422')
-define(`TIOCNXCL', `0x0000540d')
-define(`TIOCOUTQ', ifelse(target_arch, mips, 0x00007472, 0x00005411))
-define(`TIOCPKT', `0x00005420')
-define(`TIOCSBRK', `0x00005427')
-define(`TIOCSCTTY', ifelse(target_arch, mips, 0x00005480, 0x0000540e))
-define(`TIOCSERCONFIG', `0x00005453')
-define(`TIOCSERGETLSR', `0x00005459')
-define(`TIOCSERGETMULTI', `0x0000545a')
-define(`TIOCSERGSTRUCT', `0x00005458')
-define(`TIOCSERGWILD', `0x00005454')
-define(`TIOCSERSETMULTI', `0x0000545b')
-define(`TIOCSERSWILD', `0x00005455')
-define(`TIOCSETD', `0x00005423')
-define(`TIOCSIG', `0x40045436')
-define(`TIOCSLCKTRMIOS', `0x00005457')
-define(`TIOCSPGRP', `0x00005410')
-define(`TIOCSPTLCK', `0x40045431')
-define(`TIOCSRS485', `0x0000542f')
-define(`TIOCSSERIAL', `0x0000541f')
-define(`TIOCSSOFTCAR', `0x0000541a')
-define(`TIOCSTI', `0x00005412')
-define(`TIOCSWINSZ', ifelse(target_arch, mips, 0x40087467, 0x00005414))
-define(`TIOCVHANGUP', `0x00005437')
-define(`TOSH_SMM', `0xc0047490')
-define(`TUNATTACHFILTER', `0x401054d5')
-define(`TUNDETACHFILTER', `0x401054d6')
-define(`TUNER_SET_CONFIG', `0x4010645c')
-define(`TUNGETFEATURES', `0x800454cf')
-define(`TUNGETFILTER', `0x801054db')
-define(`TUNGETIFF', `0x800454d2')
-define(`TUNGETSNDBUF', `0x800454d3')
-define(`TUNGETVNETHDRSZ', `0x800454d7')
-define(`TUNGETVNETLE', `0x800454dd')
-define(`TUNSETDEBUG', `0x400454c9')
-define(`TUNSETGROUP', `0x400454ce')
-define(`TUNSETIFF', `0x400454ca')
-define(`TUNSETIFINDEX', `0x400454da')
-define(`TUNSETLINK', `0x400454cd')
-define(`TUNSETNOCSUM', `0x400454c8')
-define(`TUNSETOFFLOAD', `0x400454d0')
-define(`TUNSETOWNER', `0x400454cc')
-define(`TUNSETPERSIST', `0x400454cb')
-define(`TUNSETQUEUE', `0x400454d9')
-define(`TUNSETSNDBUF', `0x400454d4')
-define(`TUNSETTXFILTER', `0x400454d1')
-define(`TUNSETVNETHDRSZ', `0x400454d8')
-define(`TUNSETVNETLE', `0x400454dc')
-define(`UBI_IOCATT', `0x40186f40')
-define(`UBI_IOCDET', `0x40046f41')
-define(`UBI_IOCEBCH', `0x40044f02')
-define(`UBI_IOCEBER', `0x40044f01')
-define(`UBI_IOCEBISMAP', `0x80044f05')
-define(`UBI_IOCEBMAP', `0x40084f03')
-define(`UBI_IOCEBUNMAP', `0x40044f04')
-define(`UBI_IOCMKVOL', `0x40986f00')
-define(`UBI_IOCRMVOL', `0x40046f01')
-define(`UBI_IOCRNVOL', `0x51106f03')
-define(`UBI_IOCRSVOL', `0x400c6f02')
-define(`UBI_IOCSETVOLPROP', `0x40104f06')
-define(`UBI_IOCVOLCRBLK', `0x40804f07')
-define(`UBI_IOCVOLRMBLK', `0x00004f08')
-define(`UBI_IOCVOLUP', `0x40084f00')
-define(`UDF_GETEABLOCK', `0x80086c41')
-define(`UDF_GETEASIZE', `0x80046c40')
-define(`UDF_GETVOLIDENT', `0x80086c42')
-define(`UDF_RELOCATE_BLOCKS', `0xc0086c43')
-define(`UI_BEGIN_FF_ERASE', `0xc00c55ca')
-define(`UI_BEGIN_FF_UPLOAD', `0xc06855c8')
-define(`UI_DEV_CREATE', `0x00005501')
-define(`UI_DEV_DESTROY', `0x00005502')
-define(`UI_END_FF_ERASE', `0x400c55cb')
-define(`UI_END_FF_UPLOAD', `0x406855c9')
-define(`UI_GET_VERSION', `0x8004552d')
-define(`UI_SET_ABSBIT', `0x40045567')
-define(`UI_SET_EVBIT', `0x40045564')
-define(`UI_SET_FFBIT', `0x4004556b')
-define(`UI_SET_KEYBIT', `0x40045565')
-define(`UI_SET_LEDBIT', `0x40045569')
-define(`UI_SET_MSCBIT', `0x40045568')
-define(`UI_SET_PHYS', `0x4008556c')
-define(`UI_SET_PROPBIT', `0x4004556e')
-define(`UI_SET_RELBIT', `0x40045566')
-define(`UI_SET_SNDBIT', `0x4004556a')
-define(`UI_SET_SWBIT', `0x4004556d')
-define(`UNPROTECT_ARRAY', `0x00000926')
-define(`USBDEVFS_ALLOC_STREAMS', `0x8008551c')
-define(`USBDEVFS_BULK', `0xc0185502')
-define(`USBDEVFS_BULK32', `0xc0105502')
-define(`USBDEVFS_CLAIMINTERFACE', `0x8004550f')
-define(`USBDEVFS_CLAIM_PORT', `0x80045518')
-define(`USBDEVFS_CLEAR_HALT', `0x80045515')
-define(`USBDEVFS_CONNECT', `0x00005517')
-define(`USBDEVFS_CONNECTINFO', `0x40085511')
-define(`USBDEVFS_CONTROL', `0xc0185500')
-define(`USBDEVFS_CONTROL32', `0xc0105500')
-define(`USBDEVFS_DISCARDURB', `0x0000550b')
-define(`USBDEVFS_DISCONNECT', `0x00005516')
-define(`USBDEVFS_DISCONNECT_CLAIM', `0x8108551b')
-define(`USBDEVFS_DISCSIGNAL', `0x8010550e')
-define(`USBDEVFS_DISCSIGNAL32', `0x8008550e')
-define(`USBDEVFS_FREE_STREAMS', `0x8008551d')
-define(`USBDEVFS_GET_CAPABILITIES', `0x8004551a')
-define(`USBDEVFS_GETDRIVER', `0x41045508')
-define(`USBDEVFS_HUB_PORTINFO', `0x80805513')
-define(`USBDEVFS_IOCTL', `0xc0105512')
-define(`USBDEVFS_IOCTL32', `0xc00c5512')
-define(`USBDEVFS_REAPURB', `0x4008550c')
-define(`USBDEVFS_REAPURB32', `0x4004550c')
-define(`USBDEVFS_REAPURBNDELAY', `0x4008550d')
-define(`USBDEVFS_REAPURBNDELAY32', `0x4004550d')
-define(`USBDEVFS_RELEASEINTERFACE', `0x80045510')
-define(`USBDEVFS_RELEASE_PORT', `0x80045519')
-define(`USBDEVFS_RESET', `0x00005514')
-define(`USBDEVFS_RESETEP', `0x80045503')
-define(`USBDEVFS_SETCONFIGURATION', `0x80045505')
-define(`USBDEVFS_SETINTERFACE', `0x80085504')
-define(`USBDEVFS_SUBMITURB', `0x8038550a')
-define(`USBDEVFS_SUBMITURB32', `0x802a550a')
-define(`USBTMC_IOCTL_ABORT_BULK_IN', `0x00005b04')
-define(`USBTMC_IOCTL_ABORT_BULK_OUT', `0x00005b03')
-define(`USBTMC_IOCTL_CLEAR', `0x00005b02')
-define(`USBTMC_IOCTL_CLEAR_IN_HALT', `0x00005b07')
-define(`USBTMC_IOCTL_CLEAR_OUT_HALT', `0x00005b06')
-define(`USBTMC_IOCTL_INDICATOR_PULSE', `0x00005b01')
-define(`UVCIOC_CTRL_MAP', `0xc0607520')
-define(`UVCIOC_CTRL_QUERY', `0xc0107521')
-define(`V4L2_SUBDEV_IR_RX_NOTIFY', `0x40047600')
-define(`V4L2_SUBDEV_IR_TX_NOTIFY', `0x40047601')
-define(`VFAT_IOCTL_READDIR_BOTH', `0x82307201')
-define(`VFAT_IOCTL_READDIR_SHORT', `0x82307202')
-define(`VFIO_CHECK_EXTENSION', `0x00003b65')
-define(`VFIO_DEVICE_GET_INFO', `0x00003b6b')
-define(`VFIO_DEVICE_GET_IRQ_INFO', `0x00003b6d')
-define(`VFIO_DEVICE_GET_PCI_HOT_RESET_INFO', `0x00003b70')
-define(`VFIO_DEVICE_GET_REGION_INFO', `0x00003b6c')
-define(`VFIO_DEVICE_PCI_HOT_RESET', `0x00003b71')
-define(`VFIO_DEVICE_RESET', `0x00003b6f')
-define(`VFIO_DEVICE_SET_IRQS', `0x00003b6e')
-define(`VFIO_EEH_PE_OP', `0x00003b79')
-define(`VFIO_GET_API_VERSION', `0x00003b64')
-define(`VFIO_GROUP_GET_DEVICE_FD', `0x00003b6a')
-define(`VFIO_GROUP_GET_STATUS', `0x00003b67')
-define(`VFIO_GROUP_SET_CONTAINER', `0x00003b68')
-define(`VFIO_GROUP_UNSET_CONTAINER', `0x00003b69')
-define(`VFIO_IOMMU_DISABLE', `0x00003b74')
-define(`VFIO_IOMMU_ENABLE', `0x00003b73')
-define(`VFIO_IOMMU_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_MAP_DMA', `0x00003b71')
-define(`VFIO_IOMMU_SPAPR_TCE_GET_INFO', `0x00003b70')
-define(`VFIO_IOMMU_UNMAP_DMA', `0x00003b72')
-define(`VFIO_SET_IOMMU', `0x00003b66')
-define(`VHOST_GET_FEATURES', `0x8008af00')
-define(`VHOST_GET_VRING_BASE', `0xc008af12')
-define(`VHOST_NET_SET_BACKEND', `0x4008af30')
-define(`VHOST_RESET_OWNER', `0x0000af02')
-define(`VHOST_SCSI_CLEAR_ENDPOINT', `0x40e8af41')
-define(`VHOST_SCSI_GET_ABI_VERSION', `0x4004af42')
-define(`VHOST_SCSI_GET_EVENTS_MISSED', `0x4004af44')
-define(`VHOST_SCSI_SET_ENDPOINT', `0x40e8af40')
-define(`VHOST_SCSI_SET_EVENTS_MISSED', `0x4004af43')
-define(`VHOST_SET_FEATURES', `0x4008af00')
-define(`VHOST_SET_LOG_BASE', `0x4008af04')
-define(`VHOST_SET_LOG_FD', `0x4004af07')
-define(`VHOST_SET_MEM_TABLE', `0x4008af03')
-define(`VHOST_SET_OWNER', `0x0000af01')
-define(`VHOST_SET_VRING_ADDR', `0x4028af11')
-define(`VHOST_SET_VRING_BASE', `0x4008af12')
-define(`VHOST_SET_VRING_CALL', `0x4008af21')
-define(`VHOST_SET_VRING_ERR', `0x4008af22')
-define(`VHOST_SET_VRING_KICK', `0x4008af20')
-define(`VHOST_SET_VRING_NUM', `0x4008af10')
-define(`VIDEO_CLEAR_BUFFER', `0x00006f22')
-define(`VIDEO_COMMAND', `0xc0486f3b')
-define(`VIDEO_CONTINUE', `0x00006f18')
-define(`VIDEO_FAST_FORWARD', `0x00006f1f')
-define(`VIDEO_FREEZE', `0x00006f17')
-define(`VIDEO_GET_CAPABILITIES', `0x80046f21')
-define(`VIDEO_GET_EVENT', `0x80206f1c')
-define(`VIDEO_GET_FRAME_COUNT', `0x80086f3a')
-define(`VIDEO_GET_FRAME_RATE', `0x80046f38')
-define(`VIDEO_GET_NAVI', `0x84046f34')
-define(`VIDEO_GET_PTS', `0x80086f39')
-define(`VIDEO_GET_SIZE', `0x800c6f37')
-define(`VIDEO_GET_STATUS', `0x80146f1b')
-define(`VIDEO_PLAY', `0x00006f16')
-define(`VIDEO_SELECT_SOURCE', `0x00006f19')
-define(`VIDEO_SET_ATTRIBUTES', `0x00006f35')
-define(`VIDEO_SET_BLANK', `0x00006f1a')
-define(`VIDEO_SET_DISPLAY_FORMAT', `0x00006f1d')
-define(`VIDEO_SET_FORMAT', `0x00006f25')
-define(`VIDEO_SET_HIGHLIGHT', `0x40106f27')
-define(`VIDEO_SET_ID', `0x00006f23')
-define(`VIDEO_SET_SPU', `0x40086f32')
-define(`VIDEO_SET_SPU_PALETTE', `0x40106f33')
-define(`VIDEO_SET_STREAMTYPE', `0x00006f24')
-define(`VIDEO_SET_SYSTEM', `0x00006f26')
-define(`VIDEO_SLOWMOTION', `0x00006f20')
-define(`VIDEO_STILLPICTURE', `0x40106f1e')
-define(`VIDEO_STOP', `0x00006f15')
-define(`VIDEO_TRY_COMMAND', `0xc0486f3c')
-define(`VIDIOC_CREATE_BUFS', `0xc100565c')
-define(`VIDIOC_CROPCAP', `0xc02c563a')
-define(`VIDIOC_DBG_G_CHIP_INFO', `0xc0c85666')
-define(`VIDIOC_DBG_G_REGISTER', `0xc0385650')
-define(`VIDIOC_DBG_S_REGISTER', `0x4038564f')
-define(`VIDIOC_DECODER_CMD', `0xc0485660')
-define(`VIDIOC_DQBUF', `0xc0585611')
-define(`VIDIOC_DQEVENT', `0x80885659')
-define(`VIDIOC_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_ENCODER_CMD', `0xc028564d')
-define(`VIDIOC_ENUMAUDIO', `0xc0345641')
-define(`VIDIOC_ENUMAUDOUT', `0xc0345642')
-define(`VIDIOC_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_ENUM_FMT', `0xc0405602')
-define(`VIDIOC_ENUM_FRAMEINTERVALS', `0xc034564b')
-define(`VIDIOC_ENUM_FRAMESIZES', `0xc02c564a')
-define(`VIDIOC_ENUM_FREQ_BANDS', `0xc0405665')
-define(`VIDIOC_ENUMINPUT', `0xc050561a')
-define(`VIDIOC_ENUMOUTPUT', `0xc0485630')
-define(`VIDIOC_ENUMSTD', `0xc0485619')
-define(`VIDIOC_EXPBUF', `0xc0405610')
-define(`VIDIOC_G_AUDIO', `0x80345621')
-define(`VIDIOC_G_AUDOUT', `0x80345631')
-define(`VIDIOC_G_CROP', `0xc014563b')
-define(`VIDIOC_G_CTRL', `0xc008561b')
-define(`VIDIOC_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_G_EDID', `0xc0285628')
-define(`VIDIOC_G_ENC_INDEX', `0x8818564c')
-define(`VIDIOC_G_EXT_CTRLS', `0xc0205647')
-define(`VIDIOC_G_FBUF', `0x8030560a')
-define(`VIDIOC_G_FMT', `0xc0d05604')
-define(`VIDIOC_G_FREQUENCY', `0xc02c5638')
-define(`VIDIOC_G_INPUT', `0x80045626')
-define(`VIDIOC_G_JPEGCOMP', `0x808c563d')
-define(`VIDIOC_G_MODULATOR', `0xc0445636')
-define(`VIDIOC_G_OUTPUT', `0x8004562e')
-define(`VIDIOC_G_PARM', `0xc0cc5615')
-define(`VIDIOC_G_PRIORITY', `0x80045643')
-define(`VIDIOC_G_SELECTION', `0xc040565e')
-define(`VIDIOC_G_SLICED_VBI_CAP', `0xc0745645')
-define(`VIDIOC_G_STD', `0x80085617')
-define(`VIDIOC_G_TUNER', `0xc054561d')
-define(`VIDIOC_INT_RESET', `0x40046466')
-define(`VIDIOC_LOG_STATUS', `0x00005646')
-define(`VIDIOC_OMAP3ISP_AEWB_CFG', `0xc02056c3')
-define(`VIDIOC_OMAP3ISP_AF_CFG', `0xc04c56c5')
-define(`VIDIOC_OMAP3ISP_CCDC_CFG', `0xc03856c1')
-define(`VIDIOC_OMAP3ISP_HIST_CFG', `0xc03056c4')
-define(`VIDIOC_OMAP3ISP_PRV_CFG', `0xc07056c2')
-define(`VIDIOC_OMAP3ISP_STAT_EN', `0xc00856c7')
-define(`VIDIOC_OMAP3ISP_STAT_REQ', `0xc02856c6')
-define(`VIDIOC_OVERLAY', `0x4004560e')
-define(`VIDIOC_PREPARE_BUF', `0xc058565d')
-define(`VIDIOC_QBUF', `0xc058560f')
-define(`VIDIOC_QUERYBUF', `0xc0585609')
-define(`VIDIOC_QUERYCAP', `0x80685600')
-define(`VIDIOC_QUERYCTRL', `0xc0445624')
-define(`VIDIOC_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_QUERY_EXT_CTRL', `0xc0e85667')
-define(`VIDIOC_QUERYMENU', `0xc02c5625')
-define(`VIDIOC_QUERYSTD', `0x8008563f')
-define(`VIDIOC_REQBUFS', `0xc0145608')
-define(`VIDIOC_RESERVED', `0x00005601')
-define(`VIDIOC_S_AUDIO', `0x40345622')
-define(`VIDIOC_S_AUDOUT', `0x40345632')
-define(`VIDIOC_S_CROP', `0x4014563c')
-define(`VIDIOC_S_CTRL', `0xc008561c')
-define(`VIDIOC_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_S_EDID', `0xc0285629')
-define(`VIDIOC_S_EXT_CTRLS', `0xc0205648')
-define(`VIDIOC_S_FBUF', `0x4030560b')
-define(`VIDIOC_S_FMT', `0xc0d05605')
-define(`VIDIOC_S_FREQUENCY', `0x402c5639')
-define(`VIDIOC_S_HW_FREQ_SEEK', `0x40305652')
-define(`VIDIOC_S_INPUT', `0xc0045627')
-define(`VIDIOC_S_JPEGCOMP', `0x408c563e')
-define(`VIDIOC_S_MODULATOR', `0x40445637')
-define(`VIDIOC_S_OUTPUT', `0xc004562f')
-define(`VIDIOC_S_PARM', `0xc0cc5616')
-define(`VIDIOC_S_PRIORITY', `0x40045644')
-define(`VIDIOC_S_SELECTION', `0xc040565f')
-define(`VIDIOC_S_STD', `0x40085618')
-define(`VIDIOC_STREAMOFF', `0x40045613')
-define(`VIDIOC_STREAMON', `0x40045612')
-define(`VIDIOC_S_TUNER', `0x4054561e')
-define(`VIDIOC_SUBDEV_DV_TIMINGS_CAP', `0xc0905664')
-define(`VIDIOC_SUBDEV_ENUM_DV_TIMINGS', `0xc0945662')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_INTERVAL', `0xc040564b')
-define(`VIDIOC_SUBDEV_ENUM_FRAME_SIZE', `0xc040564a')
-define(`VIDIOC_SUBDEV_ENUM_MBUS_CODE', `0xc0305602')
-define(`VIDIOC_SUBDEV_G_CROP', `0xc038563b')
-define(`VIDIOC_SUBDEV_G_DV_TIMINGS', `0xc0845658')
-define(`VIDIOC_SUBDEV_G_EDID', `0xc0285628')
-define(`VIDIOC_SUBDEV_G_FMT', `0xc0585604')
-define(`VIDIOC_SUBDEV_G_FRAME_INTERVAL', `0xc0305615')
-define(`VIDIOC_SUBDEV_G_SELECTION', `0xc040563d')
-define(`VIDIOC_SUBDEV_QUERY_DV_TIMINGS', `0x80845663')
-define(`VIDIOC_SUBDEV_S_CROP', `0xc038563c')
-define(`VIDIOC_SUBDEV_S_DV_TIMINGS', `0xc0845657')
-define(`VIDIOC_SUBDEV_S_EDID', `0xc0285629')
-define(`VIDIOC_SUBDEV_S_FMT', `0xc0585605')
-define(`VIDIOC_SUBDEV_S_FRAME_INTERVAL', `0xc0305616')
-define(`VIDIOC_SUBDEV_S_SELECTION', `0xc040563e')
-define(`VIDIOC_SUBSCRIBE_EVENT', `0x4020565a')
-define(`VIDIOC_TRY_DECODER_CMD', `0xc0485661')
-define(`VIDIOC_TRY_ENCODER_CMD', `0xc028564e')
-define(`VIDIOC_TRY_EXT_CTRLS', `0xc0205649')
-define(`VIDIOC_TRY_FMT', `0xc0d05640')
-define(`VIDIOC_UNSUBSCRIBE_EVENT', `0x4020565b')
-define(`VIDIOC_VSP1_LUT_CONFIG', `0xc40056c1')
-define(`VPFE_CMD_S_CCDC_RAW_PARAMS', `0x400856c1')
-define(`VT_ACTIVATE', `0x00005606')
-define(`VT_DISALLOCATE', `0x00005608')
-define(`VT_GETHIFONTMASK', `0x0000560d')
-define(`VT_GETMODE', `0x00005601')
-define(`VT_GETSTATE', `0x00005603')
-define(`VT_LOCKSWITCH', `0x0000560b')
-define(`VT_OPENQRY', `0x00005600')
-define(`VT_RELDISP', `0x00005605')
-define(`VT_RESIZE', `0x00005609')
-define(`VT_RESIZEX', `0x0000560a')
-define(`VT_SENDSIG', `0x00005604')
-define(`VT_SETACTIVATE', `0x0000560f')
-define(`VT_SETMODE', `0x00005602')
-define(`VT_UNLOCKSWITCH', `0x0000560c')
-define(`VT_WAITACTIVE', `0x00005607')
-define(`VT_WAITEVENT', `0x0000560e')
-define(`WAN_IOC_ADD_FLT_INDEX', `0x00006902')
-define(`WAN_IOC_ADD_FLT_RULE', `0x00006900')
-define(`WDIOC_GETBOOTSTATUS', `0x80045702')
-define(`WDIOC_GETPRETIMEOUT', `0x80045709')
-define(`WDIOC_GETSTATUS', `0x80045701')
-define(`WDIOC_GETSUPPORT', `0x80285700')
-define(`WDIOC_GETTEMP', `0x80045703')
-define(`WDIOC_GETTIMELEFT', `0x8004570a')
-define(`WDIOC_GETTIMEOUT', `0x80045707')
-define(`WDIOC_KEEPALIVE', `0x80045705')
-define(`WDIOC_SETOPTIONS', `0x80045704')
-define(`WDIOC_SETPRETIMEOUT', `0xc0045708')
-define(`WDIOC_SETTIMEOUT', `0xc0045706')
-define(`WRITE_RAID_INFO', `0x00000925')
-define(`X86_IOC_RDMSR_REGS', `0xc02063a0')
-define(`X86_IOC_WRMSR_REGS', `0xc02063a1')
-define(`ZATM_GETPOOL', `0x40106161')
-define(`ZATM_GETPOOLZ', `0x40106162')
-define(`ZATM_SETPOOL', `0x40106163')
diff --git a/prebuilts/api/31.0/public/ioctl_macros b/prebuilts/api/31.0/public/ioctl_macros
deleted file mode 100644
index 47a5157..0000000
--- a/prebuilts/api/31.0/public/ioctl_macros
+++ /dev/null
@@ -1,76 +0,0 @@
-# socket ioctls allowed to unprivileged apps
-define(`unpriv_sock_ioctls', `
-{
-# Socket ioctls for gathering information about the interface
-SIOCGSTAMP SIOCGSTAMPNS
-SIOCGIFNAME SIOCGIFCONF SIOCGIFFLAGS SIOCGIFADDR SIOCGIFDSTADDR SIOCGIFBRDADDR
-SIOCGIFNETMASK SIOCGIFMTU SIOCGIFINDEX SIOCGIFCOUNT SIOCGIFTXQLEN
-# Wireless extension ioctls. Primarily get functions.
-SIOCGIWNAME SIOCGIWFREQ SIOCGIWMODE SIOCGIWSENS SIOCGIWRANGE SIOCGIWPRIV
-SIOCGIWSTATS SIOCGIWSPY SIOCSIWTHRSPY SIOCGIWTHRSPY SIOCGIWRATE SIOCGIWRTS
-SIOCGIWFRAG SIOCGIWTXPOW SIOCGIWRETRY SIOCGIWPOWER
-}')
-
-# socket ioctls never allowed to unprivileged apps
-define(`priv_sock_ioctls', `
-{
-# qualcomm rmnet ioctls
-WAN_IOC_ADD_FLT_RULE WAN_IOC_ADD_FLT_INDEX
-# socket ioctls
-SIOCADDRT SIOCDELRT SIOCRTMSG SIOCSIFLINK SIOCSIFFLAGS SIOCSIFADDR
-SIOCSIFDSTADDR SIOCSIFBRDADDR SIOCSIFNETMASK SIOCGIFMETRIC SIOCSIFMETRIC SIOCGIFMEM
-SIOCSIFMEM SIOCSIFMTU SIOCSIFNAME SIOCSIFHWADDR SIOCGIFENCAP SIOCSIFENCAP
-SIOCGIFHWADDR SIOCGIFSLAVE SIOCSIFSLAVE SIOCADDMULTI SIOCDELMULTI
-SIOCSIFPFLAGS SIOCGIFPFLAGS SIOCDIFADDR SIOCSIFHWBROADCAST SIOCKILLADDR SIOCGIFBR SIOCSIFBR
-SIOCSIFTXQLEN SIOCETHTOOL SIOCGMIIPHY SIOCGMIIREG SIOCSMIIREG SIOCWANDEV
-SIOCOUTQNSD SIOCDARP SIOCGARP SIOCSARP SIOCDRARP SIOCGRARP SIOCSRARP SIOCGIFMAP
-SIOCSIFMAP SIOCADDDLCI SIOCDELDLCI SIOCGIFVLAN SIOCSIFVLAN SIOCBONDENSLAVE
-SIOCBONDRELEASE SIOCBONDSETHWADDR SIOCBONDSLAVEINFOQUERY SIOCBONDINFOQUERY
-SIOCBONDCHANGEACTIVE SIOCBRADDBR SIOCBRDELBR SIOCBRADDIF SIOCBRDELIF SIOCSHWTSTAMP
-# device and protocol specific ioctls
-SIOCDEVPRIVATE-SIOCDEVPRIVLAST
-SIOCPROTOPRIVATE-SIOCPROTOPRIVLAST
-# Wireless extension ioctls
-SIOCSIWCOMMIT SIOCSIWNWID SIOCSIWFREQ SIOCSIWMODE SIOCSIWSENS SIOCSIWRANGE
-SIOCSIWPRIV SIOCSIWSTATS SIOCSIWSPY SIOCSIWAP SIOCGIWAP SIOCSIWMLME SIOCGIWAPLIST
-SIOCSIWSCAN SIOCGIWSCAN SIOCSIWESSID SIOCGIWESSID SIOCSIWNICKN SIOCGIWNICKN
-SIOCSIWRATE SIOCSIWRTS SIOCSIWFRAG SIOCSIWTXPOW SIOCSIWRETRY SIOCSIWENCODE
-SIOCGIWENCODE SIOCSIWPOWER SIOCSIWGENIE SIOCGIWGENIE SIOCSIWAUTH SIOCGIWAUTH
-SIOCSIWENCODEEXT SIOCGIWENCODEEXT SIOCSIWPMKSA
-# Dev private ioctl i.e. hardware specific ioctls
-SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
-}')
-
-# commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
-}')
-
-# commonly used TTY ioctls
-# merge with unpriv_unix_sock_ioctls?
-define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
- TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
-}')
-
-# point to point ioctls
-define(`ppp_ioctls', `{
-PPPIOCGL2TPSTATS PPPIOCGCHAN PPPIOCATTCHAN PPPIOCDISCONN
-PPPIOCCONNECT PPPIOCSMRRU PPPIOCDETACH PPPIOCATTACH
-PPPIOCNEWUNIT PPPIOCGIDLE PPPIOCSDEBUG PPPIOCGDEBUG
-PPPIOCSACTIVE PPPIOCSPASS PPPIOCSNPMODE PPPIOCGNPMODE
-PPPIOCSCOMPRESS PPPIOCXFERUNIT PPPIOCSXASYNCMAP
-PPPIOCGXASYNCMAP PPPIOCSMAXCID PPPIOCSMRU PPPIOCGMRU
-PPPIOCSRASYNCMAP PPPIOCGRASYNCMAP PPPIOCGUNIT PPPIOCSASYNCMAP
-PPPIOCGASYNCMAP PPPIOCSFLAGS PPPIOCGFLAGS PPPIOCGCALLINFO
-PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
-PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
-}')
-
-# unprivileged binder ioctls
-define(`unpriv_binder_ioctls', `{
-BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
-BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
-BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
-}')
diff --git a/prebuilts/api/31.0/public/iorap_inode2filename.te b/prebuilts/api/31.0/public/iorap_inode2filename.te
deleted file mode 100644
index 6f119ee..0000000
--- a/prebuilts/api/31.0/public/iorap_inode2filename.te
+++ /dev/null
@@ -1,70 +0,0 @@
-# iorap.inode2filename -> look up file paths from an inode
-type iorap_inode2filename, domain;
-type iorap_inode2filename_exec, exec_type, file_type, system_file_type;
-type iorap_inode2filename_tmpfs, file_type;
-
-r_dir_file(iorap_inode2filename, rootfs)
-
-# Allow usage of pipes (child stdout -> parent pipe).
-allow iorap_inode2filename iorapd:fd use;
-allow iorap_inode2filename iorapd:fifo_file { read write getattr };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_inode2filename self:capability dac_read_search;
-
-typeattribute iorap_inode2filename mlstrustedsubject;
-
-# Grant access to open most of the files under /
-allow iorap_inode2filename apex_data_file:dir { getattr open read search };
-allow iorap_inode2filename apex_data_file:file { getattr };
-allow iorap_inode2filename apex_mnt_dir:dir { getattr open read search };
-allow iorap_inode2filename apex_mnt_dir:file { getattr };
-allow iorap_inode2filename apk_data_file:dir { getattr open read search };
-allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
-allow iorap_inode2filename backup_data_file:dir { getattr open read search };
-allow iorap_inode2filename backup_data_file:file { getattr };
-allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
-allow iorap_inode2filename bootchart_data_file:file { getattr };
-allow iorap_inode2filename metadata_file:dir { getattr open read search search };
-allow iorap_inode2filename metadata_file:file { getattr };
-allow iorap_inode2filename packages_list_file:dir { getattr open read search };
-allow iorap_inode2filename packages_list_file:file { getattr };
-allow iorap_inode2filename property_data_file:dir { getattr open read search };
-allow iorap_inode2filename property_data_file:file { getattr };
-allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
-allow iorap_inode2filename resourcecache_data_file:file { getattr };
-allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:dir { getattr open read search };
-allow iorap_inode2filename ringtone_file:file { getattr };
-allow iorap_inode2filename same_process_hal_file:dir { getattr open read search };
-allow iorap_inode2filename same_process_hal_file:file { getattr };
-allow iorap_inode2filename sepolicy_file:file { getattr };
-allow iorap_inode2filename staging_data_file:dir { getattr open read search };
-allow iorap_inode2filename staging_data_file:file { getattr };
-allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
-allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
-allow iorap_inode2filename system_data_file:dir { getattr open read search };
-allow iorap_inode2filename system_data_file:file { getattr };
-allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
-allow iorap_inode2filename system_data_root_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
-allow iorap_inode2filename textclassifier_data_file:file { getattr };
-allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
-allow iorap_inode2filename user_profile_data_file:file { getattr };
-allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
-allow iorap_inode2filename unlabeled:file { getattr };
-allow iorap_inode2filename vendor_file:dir { getattr open read search };
-allow iorap_inode2filename vendor_file:file { getattr };
-allow iorap_inode2filename vendor_overlay_file:file { getattr };
-allow iorap_inode2filename zygote_exec:file { getattr };
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_inode2filename:process { transition dyntransition };
-neverallow iorap_inode2filename domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/iorap_prefetcherd.te b/prebuilts/api/31.0/public/iorap_prefetcherd.te
deleted file mode 100644
index 4b218fb..0000000
--- a/prebuilts/api/31.0/public/iorap_prefetcherd.te
+++ /dev/null
@@ -1,55 +0,0 @@
-# volume manager
-type iorap_prefetcherd, domain;
-type iorap_prefetcherd_exec, exec_type, file_type, system_file_type;
-type iorap_prefetcherd_tmpfs, file_type;
-
-r_dir_file(iorap_prefetcherd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorap_prefetcherd proc_drop_caches:file rw_file_perms;
-
-# iorap_prefetcherd temporarily changes its priority when running benchmarks
-allow iorap_prefetcherd self:global_capability_class_set sys_nice;
-
-# Allow usage of pipes (--input-fd=# and --output-fd=# command line parameters).
-allow iorap_prefetcherd iorapd:fd use;
-allow iorap_prefetcherd iorapd:fifo_file { read write };
-
-# Allow reading most files under / ignoring usual access controls.
-allow iorap_prefetcherd self:capability dac_read_search;
-
-typeattribute iorap_prefetcherd mlstrustedsubject;
-
-# Grant logcat access
-allow iorap_prefetcherd logcat_exec:file { open read };
-
-# Grant access to open most of the files under /
-allow iorap_prefetcherd apk_data_file:dir { open read search };
-allow iorap_prefetcherd apk_data_file:file { open read };
-allow iorap_prefetcherd app_data_file:dir { open read search };
-allow iorap_prefetcherd app_data_file:file { open read };
-allow iorap_prefetcherd dalvikcache_data_file:dir { open read search };
-allow iorap_prefetcherd dalvikcache_data_file:file{ open read };
-allow iorap_prefetcherd packages_list_file:dir { open read search };
-allow iorap_prefetcherd packages_list_file:file { open read };
-allow iorap_prefetcherd privapp_data_file:dir { open read search };
-allow iorap_prefetcherd privapp_data_file:file { open read };
-allow iorap_prefetcherd same_process_hal_file:dir{ open read search };
-allow iorap_prefetcherd same_process_hal_file:file { open read };
-allow iorap_prefetcherd system_data_file:dir { open read search };
-allow iorap_prefetcherd system_data_file:file { open read };
-allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:dir { open read search };
-allow iorap_prefetcherd user_profile_data_file:file { open read };
-allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
-allow iorap_prefetcherd vendor_overlay_file:file { open read };
-# Note: Do not add any /vendor labels because they can be customized
-# by the vendor and we won't know about them beforehand.
-
-###
-### neverallow rules
-###
-
-neverallow { domain -init -iorapd } iorap_prefetcherd:process { transition dyntransition };
-neverallow iorap_prefetcherd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/iorapd.te b/prebuilts/api/31.0/public/iorapd.te
deleted file mode 100644
index b970699..0000000
--- a/prebuilts/api/31.0/public/iorapd.te
+++ /dev/null
@@ -1,97 +0,0 @@
-# volume manager
-type iorapd, domain;
-type iorapd_exec, exec_type, file_type, system_file_type;
-type iorapd_tmpfs, file_type;
-
-r_dir_file(iorapd, rootfs)
-
-# Allow read/write /proc/sys/vm/drop/caches
-allow iorapd proc_drop_caches:file rw_file_perms;
-
-# Give iorapd a place where only iorapd can store files; everyone else is off limits
-allow iorapd iorapd_data_file:dir create_dir_perms;
-allow iorapd iorapd_data_file:file create_file_perms;
-
-# Allow iorapd to publish a binder service and make binder calls.
-binder_use(iorapd)
-add_service(iorapd, iorapd_service)
-
-# Allow iorapd to call into the system server so it can check permissions.
-binder_call(iorapd, system_server)
-allow iorapd permission_service:service_manager find;
-# IUserManager
-allow iorapd user_service:service_manager find;
-# IPackageManagerNative
-allow iorapd package_native_service:service_manager find;
-# Allow dumpstate (bugreport) to call into iorapd.
-allow iorapd dumpstate:fd use;
-allow iorapd dumpstate:fifo_file write;
-
-# talk to batteryservice
-binder_call(iorapd, healthd)
-
-# TODO: does each of the service_manager allow finds above need the binder_call?
-
-# iorapd temporarily changes its priority when running benchmarks
-allow iorapd self:global_capability_class_set sys_nice;
-
-# Allow to access Perfetto traced's privileged consumer socket to start/stop
-# tracing sessions and read trace data.
-unix_socket_connect(iorapd, traced_consumer, traced)
-
-# Allow iorapd to execute compilation (iorap.cmd.compiler) in idle time.
-allow iorapd system_file:file rx_file_perms;
-
-# Allow iorapd to send signull to iorap_inode2filename and iorap_prefetcherd.
-allow iorapd iorap_inode2filename:process signull;
-allow iorapd iorap_prefetcherd:process signull;
-
-# Allowing system_server to check for the existence and size of files under iorapd
-# dir without collecting any sensitive app data.
-# This is used to predict if iorapd is doing prefetching or not.
-allow system_server iorapd_data_file:dir { getattr open read search };
-allow system_server iorapd_data_file:file getattr;
-
-###
-### neverallow rules
-###
-
-neverallow {
- domain
- -iorapd
-} iorapd_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-
-neverallow {
- domain
- -init
- -iorapd
- -system_server
-} iorapd_data_file:dir *;
-
-neverallow {
- domain
- -kernel
- -iorapd
-} iorapd_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vendor_init
- -iorapd
- -system_server
-} { iorapd_data_file }:notdevfile_class_set *;
-
-# Only system_server and shell (for dumpsys) can interact with iorapd over binder
-neverallow { domain -dumpstate -system_server -iorapd } iorapd_service:service_manager find;
-neverallow iorapd {
- domain
- -healthd
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow { domain -init } iorapd:process { transition dyntransition };
-neverallow iorapd domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/isolated_app.te b/prebuilts/api/31.0/public/isolated_app.te
deleted file mode 100644
index a907dac..0000000
--- a/prebuilts/api/31.0/public/isolated_app.te
+++ /dev/null
@@ -1,9 +0,0 @@
-###
-### Services with isolatedProcess=true in their manifest.
-###
-### This file defines the rules for isolated apps. An "isolated
-### app" is an APP with UID between AID_ISOLATED_START (99000)
-### and AID_ISOLATED_END (99999).
-###
-
-type isolated_app, domain;
diff --git a/prebuilts/api/31.0/public/kernel.te b/prebuilts/api/31.0/public/kernel.te
deleted file mode 100644
index 9aa40cc..0000000
--- a/prebuilts/api/31.0/public/kernel.te
+++ /dev/null
@@ -1,141 +0,0 @@
-# Life begins with the kernel.
-type kernel, domain, mlstrustedsubject;
-
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
- proc_bootconfig
- proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Mount usbfs.
-allow kernel usbfs:filesystem mount;
-allow kernel usbfs:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Write to /proc/1/oom_adj prior to switching to init domain.
-allow kernel self:global_capability_class_set sys_resource;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
-
-# f_mtp driver accesses files from kernel context.
-allow kernel mediaprovider:fd use;
-
-# Allow the kernel to read OBB files from app directories. (b/17428116)
-# Kernel thread "loop0" reads a vold supplied file descriptor.
-# Fixes CTS tests:
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountObbNormal
-# * android.os.storage.cts.StorageManagerTest#testMountAndUnmountTwoObbs
-allow kernel vold:fd use;
-allow kernel { app_data_file privapp_data_file }:file read;
-allow kernel asec_image_file:file read;
-
-# Allow mounting loop device in update_engine_unittests. (b/28319454)
-# and for LTP kernel tests (b/73220071)
-userdebug_or_eng(`
- allow kernel update_engine_data_file:file { read write };
- allow kernel nativetest_data_file:file { read write };
-')
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow kernel media_rw_data_file:dir create_dir_perms;
-allow kernel media_rw_data_file:file create_file_perms;
-
-# Access to /data/misc/vold/virtual_disk.
-allow kernel vold_data_file:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-allow kernel {
- apex_data_file
- staging_data_file
- vendor_apex_file
-}:file read;
-
-# Allow the first-stage init (which is running in the kernel domain) to execute the
-# dynamic linker when it re-executes /init to switch into the second stage.
-# Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
-# before the domain is switched to the target domain. So, we need to allow the kernel
-# domain (the source domain) to execute the dynamic linker (system_file type).
-# TODO(b/110147943) remove these allow rules when we no longer need to support Linux
-# kernel older than 4.8.
-allow kernel system_file:file execute;
-# The label for the dynamic linker is rootfs in the recovery partition. This is because
-# the recovery partition which is rootfs does not support xattr and thus labeling can't be
-# done at build-time. All files are by default labeled as rootfs upon booting.
-recovery_only(`
- allow kernel rootfs:file execute;
-')
-
-# required by VTS lidbm unit test
-allow kernel appdomain_tmpfs:file { read write };
-
-###
-### neverallow rules
-###
-
-# The initial task starts in the kernel domain (assigned via
-# initial_sid_contexts), but nothing ever transitions to it.
-neverallow * kernel:process { transition dyntransition };
-
-# The kernel domain is never entered via an exec, nor should it
-# ever execute a program outside the rootfs without changing to another domain.
-# If you encounter an execute_no_trans denial on the kernel domain, then
-# possible causes include:
-# - The program is a kernel usermodehelper. In this case, define a domain
-# for the program and domain_auto_trans() to it.
-# - You are running an exploit which switched to the init task credentials
-# and is then trying to exec a shell or other program. You lose!
-neverallow kernel *:file { entrypoint execute_no_trans };
-
-# the kernel should not be accessing files owned by other users.
-# Instead of adding dac_{read_search,override}, fix the unix permissions
-# on files being accessed.
-neverallow kernel self:global_capability_class_set { dac_override dac_read_search };
-
-# Nobody should be ptracing kernel threads
-neverallow * kernel:process ptrace;
diff --git a/prebuilts/api/31.0/public/keystore.te b/prebuilts/api/31.0/public/keystore.te
deleted file mode 100644
index b7d5090..0000000
--- a/prebuilts/api/31.0/public/keystore.te
+++ /dev/null
@@ -1,45 +0,0 @@
-type keystore, domain, keystore2_key_type;
-type keystore_exec, system_file_type, exec_type, file_type;
-
-# keystore daemon
-typeattribute keystore mlstrustedsubject;
-binder_use(keystore)
-binder_service(keystore)
-binder_call(keystore, system_server)
-binder_call(keystore, wificond)
-
-allow keystore keystore_data_file:dir create_dir_perms;
-allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
-allow keystore keystore_exec:file { getattr };
-
-add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
-allow keystore sec_key_att_app_id_provider_service:service_manager find;
-allow keystore dropbox_service:service_manager find;
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
-
-# Check SELinux permissions.
-selinux_check_access(keystore)
-
-r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
-
-###
-### Neverallow rules
-###
-### Protect ourself from others
-###
-
-neverallow { domain -keystore } keystore_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
-neverallow { domain -keystore } keystore_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow { domain -keystore -init } keystore_data_file:dir *;
-neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
diff --git a/prebuilts/api/31.0/public/keystore_keys.te b/prebuilts/api/31.0/public/keystore_keys.te
deleted file mode 100644
index 3c35984..0000000
--- a/prebuilts/api/31.0/public/keystore_keys.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# A keystore2 namespace for WI-FI.
-type wifi_key, keystore2_key_type;
diff --git a/prebuilts/api/31.0/public/llkd.te b/prebuilts/api/31.0/public/llkd.te
deleted file mode 100644
index 1faa429..0000000
--- a/prebuilts/api/31.0/public/llkd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# llkd Live LocK Daemon
-type llkd, domain, mlstrustedsubject;
-type llkd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/31.0/public/lmkd.te b/prebuilts/api/31.0/public/lmkd.te
deleted file mode 100644
index de6052d..0000000
--- a/prebuilts/api/31.0/public/lmkd.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# lmkd low memory killer daemon
-type lmkd, domain, mlstrustedsubject;
-type lmkd_exec, system_file_type, exec_type, file_type;
-
-allow lmkd self:global_capability_class_set { dac_override dac_read_search sys_resource kill };
-
-# lmkd locks itself in memory, to prevent it from being
-# swapped out and unable to kill other memory hogs.
-# system/core commit b28ff9131363f7b4a698990da5748b2a88c3ed35
-# b/16236289
-allow lmkd self:global_capability_class_set ipc_lock;
-
-## Open and write to /proc/PID/oom_score_adj and /proc/PID/timerslack_ns
-## TODO: maybe scope this down?
-r_dir_file(lmkd, domain)
-allow lmkd domain:file write;
-
-## Writes to /sys/module/lowmemorykiller/parameters/minfree
-r_dir_file(lmkd, sysfs_lowmemorykiller)
-allow lmkd sysfs_lowmemorykiller:file w_file_perms;
-
-# setsched and send kill signals to any registered process
-allow lmkd domain:process { setsched sigkill };
-# TODO: delete this line b/131761776
-allow lmkd kernel:process { setsched };
-
-# Clean up old cgroups
-allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
-
-# Allow to read memcg stats
-allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
-
-# Set self to SCHED_FIFO
-allow lmkd self:global_capability_class_set sys_nice;
-
-allow lmkd proc_zoneinfo:file r_file_perms;
-allow lmkd proc_vmstat:file r_file_perms;
-
-# live lock watchdog process allowed to look through /proc/
-allow lmkd domain:dir { search open read };
-allow lmkd domain:file { open read };
-
-# live lock watchdog process allowed to dump process trace and
-# reboot because orderly shutdown may not be possible.
-allow lmkd proc_sysrq:file rw_file_perms;
-
-# Read /proc/lowmemorykiller
-allow lmkd proc_lowmemorykiller:file r_file_perms;
-
-# Read /proc/meminfo
-allow lmkd proc_meminfo:file r_file_perms;
-
-# Read /proc/pressure/cpu and /proc/pressure/io
-allow lmkd proc_pressure_cpu:file r_file_perms;
-allow lmkd proc_pressure_io:file r_file_perms;
-
-# Read/Write /proc/pressure/memory
-allow lmkd proc_pressure_mem:file rw_file_perms;
-
-# Allow lmkd to connect during reinit.
-allow lmkd lmkd_socket:sock_file write;
-
-# Allow lmkd to write to statsd.
-unix_socket_send(lmkd, statsdw, statsd)
-
-### neverallow rules
-
-# never honor LD_PRELOAD
-neverallow * lmkd:process noatsecure;
-neverallow lmkd self:global_capability_class_set sys_ptrace;
diff --git a/prebuilts/api/31.0/public/logd.te b/prebuilts/api/31.0/public/logd.te
deleted file mode 100644
index 8187179..0000000
--- a/prebuilts/api/31.0/public/logd.te
+++ /dev/null
@@ -1,74 +0,0 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, system_file_type, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd packages_list_file:file r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
- # Access to /data/misc/logd/event-log-tags
- allow logd misc_logd_file:dir r_dir_perms;
- allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { map open read };
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
- domain
- -init
- -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
diff --git a/prebuilts/api/31.0/public/logpersist.te b/prebuilts/api/31.0/public/logpersist.te
deleted file mode 100644
index c8e6af4..0000000
--- a/prebuilts/api/31.0/public/logpersist.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# android debug logging, logpersist domains
-type logpersist, domain;
-
-# logcatd is a shell script that execs logcat with various parameters.
-allow logpersist shell_exec:file rx_file_perms;
-allow logpersist logcat_exec:file rx_file_perms;
-
-###
-### Neverallow rules
-###
-### logpersist should NEVER do any of this
-
-# Block device access.
-neverallow logpersist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logpersist domain:process ptrace;
-
-# Write to files in /data/data or system files on /data except misc_logd_file
-neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
-# Only init should be allowed to enter the logpersist domain via exec()
-# Following is a list of debug domains we know that transition to logpersist
-# neverallow_with_undefined_domains {
-# domain
-# -init # goldfish, logcatd, raft
-# -mmi # bat, mtp8996, msmcobalt
-# -system_app # Smith.apk
-# } logpersist:process transition;
-neverallow * logpersist:process dyntransition;
diff --git a/prebuilts/api/31.0/public/mdnsd.te b/prebuilts/api/31.0/public/mdnsd.te
deleted file mode 100644
index ef7b065..0000000
--- a/prebuilts/api/31.0/public/mdnsd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# mdns daemon
-type mdnsd, domain;
diff --git a/prebuilts/api/31.0/public/mediadrmserver.te b/prebuilts/api/31.0/public/mediadrmserver.te
deleted file mode 100644
index a52295e..0000000
--- a/prebuilts/api/31.0/public/mediadrmserver.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# mediadrmserver - mediadrm daemon
-type mediadrmserver, domain;
-type mediadrmserver_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediadrmserver mlstrustedsubject;
-
-net_domain(mediadrmserver)
-binder_use(mediadrmserver)
-binder_call(mediadrmserver, binderservicedomain)
-binder_call(mediadrmserver, appdomain)
-binder_service(mediadrmserver)
-hal_client_domain(mediadrmserver, hal_drm)
-
-add_service(mediadrmserver, mediadrmserver_service)
-allow mediadrmserver mediaserver_service:service_manager find;
-allow mediadrmserver mediametrics_service:service_manager find;
-allow mediadrmserver processinfo_service:service_manager find;
-allow mediadrmserver surfaceflinger_service:service_manager find;
-allow mediadrmserver system_file:dir r_dir_perms;
-
-# TODO(b/80317992): remove
-binder_call(mediadrmserver, hal_omx_server)
-
-###
-### neverallow rules
-###
-
-# mediadrmserver should never execute any executable without a
-# domain transition
-neverallow mediadrmserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediadrmserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/31.0/public/mediaextractor.te b/prebuilts/api/31.0/public/mediaextractor.te
deleted file mode 100644
index 06f7928..0000000
--- a/prebuilts/api/31.0/public/mediaextractor.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# mediaextractor - multimedia daemon
-type mediaextractor, domain;
-type mediaextractor_exec, system_file_type, exec_type, file_type;
-type mediaextractor_tmpfs, file_type;
-
-typeattribute mediaextractor mlstrustedsubject;
-
-binder_use(mediaextractor)
-binder_call(mediaextractor, binderservicedomain)
-binder_call(mediaextractor, appdomain)
-binder_service(mediaextractor)
-
-add_service(mediaextractor, mediaextractor_service)
-allow mediaextractor mediametrics_service:service_manager find;
-allow mediaextractor hidl_token_hwservice:hwservice_manager find;
-
-allow mediaextractor system_server:fd use;
-
-hal_client_domain(mediaextractor, hal_cas)
-hal_client_domain(mediaextractor, hal_allocator)
-
-r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
-allow mediaextractor proc_meminfo:file r_file_perms;
-
-crash_dump_fallback(mediaextractor)
-
-# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
-allow mediaextractor media_rw_data_file:file { getattr read };
-allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
-
-# Read resources from open apk files passed over Binder
-allow mediaextractor apk_data_file:file { read getattr };
-allow mediaextractor asec_apk_file:file { read getattr };
-allow mediaextractor ringtone_file:file { read getattr };
-
-# overlay package access
-allow mediaextractor vendor_overlay_file:file { read map };
-
-# scan extractor library directory to dynamically load extractors
-allow mediaextractor system_file:dir { read open };
-
-###
-### neverallow rules
-###
-
-# mediaextractor should never execute any executable without a
-# domain transition
-neverallow mediaextractor { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaextractor domain:{ tcp_socket udp_socket rawip_socket } *;
-
-# mediaextractor should not be opening /data files directly. Any files
-# it touches (with a few exceptions) need to be passed to it via a file
-# descriptor opened outside the process.
-neverallow mediaextractor {
- data_file_type
- -zoneinfo_data_file # time zone data from /data/misc/zoneinfo
- userdebug_or_eng(`-apk_data_file') # for loading media extractor plugins
- with_native_coverage(`-method_trace_data_file')
-}:file open;
diff --git a/prebuilts/api/31.0/public/mediametrics.te b/prebuilts/api/31.0/public/mediametrics.te
deleted file mode 100644
index 468c0d0..0000000
--- a/prebuilts/api/31.0/public/mediametrics.te
+++ /dev/null
@@ -1,45 +0,0 @@
-# mediametrics - daemon for collecting media.metrics data
-type mediametrics, domain;
-type mediametrics_exec, system_file_type, exec_type, file_type;
-
-
-binder_use(mediametrics)
-binder_call(mediametrics, binderservicedomain)
-binder_service(mediametrics)
-
-add_service(mediametrics, mediametrics_service)
-
-allow mediametrics system_server:fd use;
-
-r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
-allow mediametrics proc_meminfo:file r_file_perms;
-
-# allows interactions with dumpsys to GMScore
-allow mediametrics { app_data_file privapp_data_file }:file write;
-
-# allow access to package manager for uid->apk mapping
-allow mediametrics package_native_service:service_manager find;
-
-# Allow metrics service to send information to statsd socket.
-unix_socket_send(mediametrics, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# mediametrics should never execute any executable without a
-# domain transition
-neverallow mediametrics { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediametrics domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/prebuilts/api/31.0/public/mediaprovider.te b/prebuilts/api/31.0/public/mediaprovider.te
deleted file mode 100644
index 24170a5..0000000
--- a/prebuilts/api/31.0/public/mediaprovider.te
+++ /dev/null
@@ -1,6 +0,0 @@
-###
-### A domain for android.process.media, which contains both
-### MediaProvider and DownloadProvider and associated services.
-###
-
-type mediaprovider, domain;
diff --git a/prebuilts/api/31.0/public/mediaserver.te b/prebuilts/api/31.0/public/mediaserver.te
deleted file mode 100644
index ad460e1..0000000
--- a/prebuilts/api/31.0/public/mediaserver.te
+++ /dev/null
@@ -1,149 +0,0 @@
-# mediaserver - multimedia daemon
-type mediaserver, domain;
-type mediaserver_exec, system_file_type, exec_type, file_type;
-type mediaserver_tmpfs, file_type;
-
-typeattribute mediaserver mlstrustedsubject;
-
-net_domain(mediaserver)
-
-r_dir_file(mediaserver, sdcard_type)
-r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
-
-# stat /proc/self
-allow mediaserver proc:lnk_file getattr;
-
-# open /vendor/lib/mediadrm
-allow mediaserver system_file:dir r_dir_perms;
-
-userdebug_or_eng(`
- # ptrace to processes in the same domain for memory leak detection
- allow mediaserver self:process ptrace;
-')
-
-binder_use(mediaserver)
-binder_call(mediaserver, binderservicedomain)
-binder_call(mediaserver, appdomain)
-binder_service(mediaserver)
-
-allow mediaserver media_data_file:dir create_dir_perms;
-allow mediaserver media_data_file:file create_file_perms;
-allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
-allow mediaserver gpu_device:chr_file rw_file_perms;
-allow mediaserver video_device:dir r_dir_perms;
-allow mediaserver video_device:chr_file rw_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow mediaserver apk_data_file:file { read getattr };
-allow mediaserver asec_apk_file:file { read getattr };
-allow mediaserver ringtone_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow mediaserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow mediaserver appdomain:fifo_file { getattr read write };
-
-allow mediaserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow mediaserver system_server:fifo_file r_file_perms;
-
-r_dir_file(mediaserver, media_rw_data_file)
-
-# Grant access to read files on appfuse.
-allow mediaserver app_fuse_file:file { read getattr };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(mediaserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(mediaserver, bluetooth, bluetooth)
-
-add_service(mediaserver, mediaserver_service)
-allow mediaserver activity_service:service_manager find;
-allow mediaserver appops_service:service_manager find;
-allow mediaserver audio_service:service_manager find;
-allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
-allow mediaserver batterystats_service:service_manager find;
-allow mediaserver drmserver_service:service_manager find;
-allow mediaserver mediaextractor_service:service_manager find;
-allow mediaserver mediametrics_service:service_manager find;
-allow mediaserver media_session_service:service_manager find;
-allow mediaserver permission_service:service_manager find;
-allow mediaserver permission_checker_service:service_manager find;
-allow mediaserver power_service:service_manager find;
-allow mediaserver processinfo_service:service_manager find;
-allow mediaserver scheduling_policy_service:service_manager find;
-allow mediaserver surfaceflinger_service:service_manager find;
-
-# for ModDrm/MediaPlayer
-allow mediaserver mediadrmserver_service:service_manager find;
-
-# For hybrid interfaces
-allow mediaserver hidl_token_hwservice:hwservice_manager find;
-
-# /oem access
-allow mediaserver oemfs:dir search;
-allow mediaserver oemfs:file r_file_perms;
-
-# /vendor apk access
-allow mediaserver vendor_app_file:file { read map getattr };
-
-use_drmservice(mediaserver)
-allow mediaserver drmserver:drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-};
-
-# only allow unprivileged socket ioctl commands
-allowxperm mediaserver self:{ rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-
-# Access to /data/media.
-# This should be removed if sdcardfs is modified to alter the secontext for its
-# accesses to the underlying FS.
-allow mediaserver media_rw_data_file:dir create_dir_perms;
-allow mediaserver media_rw_data_file:file create_file_perms;
-
-# Access to media in /data/preloads
-allow mediaserver preloads_media_file:file { getattr read ioctl };
-
-allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
-allow mediaserver hal_graphics_allocator:fd use;
-allow mediaserver hal_graphics_composer:fd use;
-allow mediaserver hal_camera:fd use;
-
-allow mediaserver system_server:fd use;
-
-# b/120491318 allow mediaserver to access void:fd
-allow mediaserver vold:fd use;
-
-# overlay package access
-allow mediaserver vendor_overlay_file:file { read getattr map };
-
-hal_client_domain(mediaserver, hal_allocator)
-
-###
-### neverallow rules
-###
-
-# mediaserver should never execute any executable without a
-# domain transition
-neverallow mediaserver { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediaserver domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
diff --git a/prebuilts/api/31.0/public/mediaswcodec.te b/prebuilts/api/31.0/public/mediaswcodec.te
deleted file mode 100644
index 5726842..0000000
--- a/prebuilts/api/31.0/public/mediaswcodec.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type mediaswcodec, domain;
-type mediaswcodec_exec, system_file_type, exec_type, file_type;
-
-hal_server_domain(mediaswcodec, hal_codec2)
-
-# mediaswcodec may use an input surface from a different Codec2 service or an
-# OMX service
-hal_client_domain(mediaswcodec, hal_codec2)
-hal_client_domain(mediaswcodec, hal_omx)
-
-hal_client_domain(mediaswcodec, hal_allocator)
-hal_client_domain(mediaswcodec, hal_graphics_allocator)
-
-crash_dump_fallback(mediaswcodec)
-
-# mediaswcodec_server should never execute any executable without a
-# domain transition
-neverallow mediaswcodec { file_type fs_type }:file execute_no_trans;
-
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
-
-allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/prebuilts/api/31.0/public/modprobe.te b/prebuilts/api/31.0/public/modprobe.te
deleted file mode 100644
index 2c7d64b..0000000
--- a/prebuilts/api/31.0/public/modprobe.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type modprobe, domain;
-
-allow modprobe proc_modules:file r_file_perms;
-allow modprobe proc_cmdline:file r_file_perms;
-allow modprobe self:global_capability_class_set sys_module;
-allow modprobe kernel:key search;
-recovery_only(`
- allow modprobe rootfs:system module_load;
- allow modprobe rootfs:file r_file_perms;
-')
diff --git a/prebuilts/api/31.0/public/mtp.te b/prebuilts/api/31.0/public/mtp.te
deleted file mode 100644
index add63c0..0000000
--- a/prebuilts/api/31.0/public/mtp.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# vpn tunneling protocol manager
-type mtp, domain;
-type mtp_exec, system_file_type, exec_type, file_type;
-
-net_domain(mtp)
-
-# pptp policy
-allow mtp self:{ socket pppox_socket } create_socket_perms_no_ioctl;
-allow mtp self:global_capability_class_set net_raw;
-allow mtp ppp:process signal;
-allow mtp vpn_data_file:dir search;
diff --git a/prebuilts/api/31.0/public/net.te b/prebuilts/api/31.0/public/net.te
deleted file mode 100644
index e90715e..0000000
--- a/prebuilts/api/31.0/public/net.te
+++ /dev/null
@@ -1,39 +0,0 @@
-## Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-###
-### Domain with network access
-###
-
-# Use network sockets.
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-# Connect to ports.
-allow netdomain port_type:tcp_socket name_connect;
-# Bind to ports.
-allow {netdomain -ephemeral_app} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow {netdomain -ephemeral_app} port_type:udp_socket name_bind;
-allow {netdomain -ephemeral_app} port_type:tcp_socket name_bind;
-# See changes to the routing table.
-allow netdomain self:netlink_route_socket { create read getattr write setattr lock append connect getopt setopt shutdown nlmsg_read };
-# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
-# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-29) are granted access elsewhere
-# to avoid app-compat breakage.
-allow {
- netdomain
- -ephemeral_app
- -mediaprovider
- -untrusted_app_all
-} self:netlink_route_socket { bind nlmsg_readpriv };
-
-# Talks to netd via dnsproxyd socket.
-unix_socket_connect(netdomain, dnsproxyd, netd)
-
-# Talks to netd via fwmarkd socket.
-unix_socket_connect(netdomain, fwmarkd, netd)
-
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(netdomain, mdnsd, mdnsd)
diff --git a/prebuilts/api/31.0/public/netd.te b/prebuilts/api/31.0/public/netd.te
deleted file mode 100644
index ff0bff6..0000000
--- a/prebuilts/api/31.0/public/netd.te
+++ /dev/null
@@ -1,176 +0,0 @@
-# network manager
-type netd, domain, mlstrustedsubject;
-type netd_exec, system_file_type, exec_type, file_type;
-
-net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
-allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
-
-r_dir_file(netd, cgroup)
-
-allow netd system_server:fd use;
-
-allow netd self:global_capability_class_set { net_admin net_raw kill };
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for netd to operate.
-dontaudit netd self:global_capability_class_set fsetid;
-
-# Allow netd to open /dev/tun, set it up and pass it to clatd
-allow netd tun_device:chr_file rw_file_perms;
-allowxperm netd tun_device:chr_file ioctl { TUNGETIFF TUNSETIFF };
-allow netd self:tun_socket create;
-
-allow netd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_route_socket nlmsg_write;
-allow netd self:netlink_nflog_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-allow netd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netd self:netlink_netfilter_socket create_socket_perms_no_ioctl;
-allow netd shell_exec:file rx_file_perms;
-allow netd system_file:file x_file_perms;
-not_full_treble(`allow netd vendor_file:file x_file_perms;')
-allow netd devpts:chr_file rw_file_perms;
-
-# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
-# exist, suppress the denial.
-allow netd system_file:file lock;
-dontaudit netd system_file:dir write;
-
-# Allow netd to write to qtaguid ctrl file.
-# TODO: Add proper rules to prevent other process to access qtaguid_proc file
-# after migration complete
-allow netd proc_qtaguid_ctrl:file rw_file_perms;
-# Allow netd to read /dev/qtaguid. This is the same privilege level that normal apps have.
-allow netd qtaguid_device:chr_file r_file_perms;
-
-r_dir_file(netd, proc_net_type)
-# For /proc/sys/net/ipv[46]/route/flush.
-allow netd proc_net_type:file rw_file_perms;
-
-# Enables PppController and interface enumeration (among others)
-allow netd sysfs:dir r_dir_perms;
-r_dir_file(netd, sysfs_net)
-
-# Allows setting interface MTU
-allow netd sysfs_net:file w_file_perms;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow netd sysfs_usb:file write;
-
-r_dir_file(netd, cgroup_v2)
-
-allow netd fs_bpf:dir search;
-allow netd fs_bpf:file { read write };
-
-# TODO: netd previously thought it needed these permissions to do WiFi related
-# work. However, after all the WiFi stuff is gone, we still need them.
-# Why?
-allow netd self:global_capability_class_set { dac_override dac_read_search chown };
-
-# Needed to update /data/misc/net/rt_tables
-allow netd net_data_file:file create_file_perms;
-allow netd net_data_file:dir rw_dir_perms;
-allow netd self:global_capability_class_set fowner;
-
-# Needed to lock the iptables lock.
-allow netd system_file:file lock;
-
-# Allow netd to spawn dnsmasq in it's own domain
-allow netd dnsmasq:process signal;
-
-# Allow netd to publish a binder service and make binder calls.
-binder_use(netd)
-add_service(netd, netd_service)
-add_service(netd, dnsresolver_service)
-allow netd dumpstate:fifo_file { getattr write };
-
-# Allow netd to call into the system server so it can check permissions.
-allow netd system_server:binder call;
-allow netd permission_service:service_manager find;
-
-# Allow netd to talk to the framework service which collects netd events.
-allow netd netd_listener_service:service_manager find;
-
-# Allow netd to operate on sockets that are passed to it.
-allow netd netdomain:{
- icmp_socket
- tcp_socket
- udp_socket
- rawip_socket
- tun_socket
-} { read write getattr setattr getopt setopt };
-allow netd netdomain:fd use;
-
-# give netd permission to read and write netlink xfrm
-allow netd self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-
-# Allow netd to register as hal server.
-add_hwservice(netd, system_net_netd_hwservice)
-hwbinder_use(netd)
-
-###
-### Neverallow rules
-###
-### netd should NEVER do any of this
-
-# Block device access.
-neverallow netd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow netd { domain }:process ptrace;
-
-# Write to /system.
-neverallow netd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
-
-# only system_server, dumpstate and network stack app may find netd service
-neverallow {
- domain
- -system_server
- -dumpstate
- -network_stack
- -netd
- -netutils_wrapper
-} netd_service:service_manager find;
-
-# only system_server, dumpstate and network stack app may find dnsresolver service
-neverallow {
- domain
- -system_server
- -dumpstate
- -network_stack
- -netd
- -netutils_wrapper
-} dnsresolver_service:service_manager find;
-
-# apps may not interact with netd over binder.
-neverallow { appdomain -network_stack } netd:binder call;
-neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
-
-# If an already existing file is opened with O_CREATE, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-neverallow netd proc_net:dir no_w_dir_perms;
-dontaudit netd proc_net:dir write;
-
-neverallow netd sysfs_net:dir no_w_dir_perms;
-dontaudit netd sysfs_net:dir write;
-
-# Netd should not have SYS_ADMIN privs.
-neverallow netd self:capability sys_admin;
-dontaudit netd self:capability sys_admin;
-
-# Netd should not have SYS_MODULE privs, nor should it be requesting module loads
-# (things it requires should be built directly into the kernel)
-dontaudit netd self:capability sys_module;
-
-dontaudit netd kernel:system module_request;
-
-dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/prebuilts/api/31.0/public/netutils_wrapper.te b/prebuilts/api/31.0/public/netutils_wrapper.te
deleted file mode 100644
index 27aa749..0000000
--- a/prebuilts/api/31.0/public/netutils_wrapper.te
+++ /dev/null
@@ -1,4 +0,0 @@
-type netutils_wrapper, domain;
-type netutils_wrapper_exec, system_file_type, exec_type, file_type;
-
-neverallow domain netutils_wrapper_exec:file execute_no_trans;
diff --git a/prebuilts/api/31.0/public/network_stack.te b/prebuilts/api/31.0/public/network_stack.te
deleted file mode 100644
index feff664..0000000
--- a/prebuilts/api/31.0/public/network_stack.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Network stack service app
-type network_stack, domain;
diff --git a/prebuilts/api/31.0/public/neverallow_macros b/prebuilts/api/31.0/public/neverallow_macros
deleted file mode 100644
index 59fa441..0000000
--- a/prebuilts/api/31.0/public/neverallow_macros
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# Common neverallow permissions
-define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setattr write }')
-define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock watch watch_mount watch_sb watch_with_perm watch_reads }')
-define(`no_x_file_perms', `{ execute execute_no_trans }')
-define(`no_w_dir_perms', `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
-
-#####################################
-# neverallow_establish_socket_comms(src, dst)
-# neverallow src domain establishing socket connections to dst domain.
-#
-define(`neverallow_establish_socket_comms', `
- neverallow $1 $2:socket_class_set { connect sendto };
- neverallow $1 $2:unix_stream_socket connectto;
-')
diff --git a/prebuilts/api/31.0/public/nfc.te b/prebuilts/api/31.0/public/nfc.te
deleted file mode 100644
index e3a03e7..0000000
--- a/prebuilts/api/31.0/public/nfc.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# nfc subsystem
-type nfc, domain;
diff --git a/prebuilts/api/31.0/public/otapreopt_chroot.te b/prebuilts/api/31.0/public/otapreopt_chroot.te
deleted file mode 100644
index db8dd1a..0000000
--- a/prebuilts/api/31.0/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# otapreopt_chroot seclabel
-
-# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
diff --git a/prebuilts/api/31.0/public/perfetto.te b/prebuilts/api/31.0/public/perfetto.te
deleted file mode 100644
index cec0e6f..0000000
--- a/prebuilts/api/31.0/public/perfetto.te
+++ /dev/null
@@ -1 +0,0 @@
-type perfetto, domain, coredomain;
diff --git a/prebuilts/api/31.0/public/performanced.te b/prebuilts/api/31.0/public/performanced.te
deleted file mode 100644
index d694fda..0000000
--- a/prebuilts/api/31.0/public/performanced.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# performanced
-type performanced, domain, mlstrustedsubject;
-type performanced_exec, system_file_type, exec_type, file_type;
-
-# Needed to check for app permissions.
-binder_use(performanced)
-binder_call(performanced, system_server)
-allow performanced permission_service:service_manager find;
-
-pdx_server(performanced, performance_client)
-
-# TODO: use file caps to obtain sys_nice instead of setuid / setgid.
-allow performanced self:global_capability_class_set { setuid setgid sys_nice };
-
-# Access /proc to validate we're only affecting threads in the same thread group.
-# Performanced also shields unbound kernel threads. It scans every task in the
-# root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel surfaceflinger })
-dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel surfaceflinger }:process setsched;
-
-# These /proc accesses only show up in permissive mode but they
-# generate a lot of noise in the log.
-userdebug_or_eng(`
- dontaudit performanced domain:dir open;
- dontaudit performanced domain:file { open read getattr };
-')
-
-# Access /dev/cpuset/cpuset.cpus
-r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/prebuilts/api/31.0/public/platform_app.te b/prebuilts/api/31.0/public/platform_app.te
deleted file mode 100644
index 9b1faf0..0000000
--- a/prebuilts/api/31.0/public/platform_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### Apps signed with the platform key.
-###
-
-type platform_app, domain;
diff --git a/prebuilts/api/31.0/public/postinstall.te b/prebuilts/api/31.0/public/postinstall.te
deleted file mode 100644
index bcea2dc..0000000
--- a/prebuilts/api/31.0/public/postinstall.te
+++ /dev/null
@@ -1,45 +0,0 @@
-# Domain where the postinstall program runs during the update.
-# Extend the permissions in this domain to allow this program to access other
-# files needed by the specific device on your device's sepolicy directory.
-type postinstall, domain;
-
-# Allow postinstall to write to its stdout/stderr when redirected via pipes to
-# update_engine.
-allow postinstall update_engine_common:fd use;
-allow postinstall update_engine_common:fifo_file rw_file_perms;
-
-# Allow postinstall to read and execute directories and files in the same
-# mounted location.
-allow postinstall postinstall_file:file rx_file_perms;
-allow postinstall postinstall_file:lnk_file r_file_perms;
-allow postinstall postinstall_file:dir r_dir_perms;
-
-# Allow postinstall to execute the shell or other system executables.
-allow postinstall shell_exec:file rx_file_perms;
-allow postinstall system_file:file rx_file_perms;
-allow postinstall toolbox_exec:file rx_file_perms;
-
-# Allow postinstall to execute shell in recovery.
-recovery_only(`
- allow postinstall rootfs:file rx_file_perms;
-')
-
-#
-# For OTA dexopt.
-#
-
-# Allow postinstall scripts to talk to the system server.
-binder_use(postinstall)
-binder_call(postinstall, system_server)
-
-# Need to talk to the otadexopt service.
-allow postinstall otadexopt_service:service_manager find;
-
-# Allow postinstall scripts to trigger f2fs garbage collection
-allow postinstall sysfs_fs_f2fs:file rw_file_perms;
-allow postinstall sysfs_fs_f2fs:dir r_dir_perms;
-
-# No domain other than update_engine and recovery (via update_engine_sideload)
-# should transition to postinstall, as it is only meant to run during the
-# update.
-neverallow { domain -update_engine -recovery } postinstall:process { transition dyntransition };
diff --git a/prebuilts/api/31.0/public/ppp.te b/prebuilts/api/31.0/public/ppp.te
deleted file mode 100644
index b736def..0000000
--- a/prebuilts/api/31.0/public/ppp.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# Point to Point Protocol daemon
-type ppp, domain;
-type ppp_device, dev_type;
-type ppp_exec, system_file_type, exec_type, file_type;
-
-net_domain(ppp)
-
-r_dir_file(ppp, proc_net_type)
-
-allow ppp mtp:{ socket pppox_socket } rw_socket_perms;
-
-# ioctls needed for VPN.
-allowxperm ppp self:udp_socket ioctl priv_sock_ioctls;
-allowxperm ppp mtp:{ socket pppox_socket } ioctl ppp_ioctls;
-
-allow ppp mtp:unix_dgram_socket rw_socket_perms;
-allow ppp ppp_device:chr_file rw_file_perms;
-allow ppp self:global_capability_class_set net_admin;
-allow ppp system_file:file rx_file_perms;
-not_full_treble(`allow ppp vendor_file:file rx_file_perms;')
-allow ppp vpn_data_file:dir w_dir_perms;
-allow ppp vpn_data_file:file create_file_perms;
-allow ppp mtp:fd use;
diff --git a/prebuilts/api/31.0/public/priv_app.te b/prebuilts/api/31.0/public/priv_app.te
deleted file mode 100644
index 0761fc3..0000000
--- a/prebuilts/api/31.0/public/priv_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-###
-### A domain for further sandboxing privileged apps.
-###
-
-type priv_app, domain;
diff --git a/prebuilts/api/31.0/public/profman.te b/prebuilts/api/31.0/public/profman.te
deleted file mode 100644
index c014d79..0000000
--- a/prebuilts/api/31.0/public/profman.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# profman
-type profman, domain;
-type profman_exec, system_file_type, exec_type, file_type;
-
-allow profman user_profile_data_file:file { getattr read write lock map };
-
-# Dumping profile info opens the application APK file for pretty printing.
-allow profman asec_apk_file:file { read map };
-allow profman apk_data_file:file { getattr read map };
-allow profman apk_data_file:dir { getattr read search };
-
-allow profman oemfs:file { read map };
-# Reading an APK opens a ZipArchive, which unpack to tmpfs.
-allow profman tmpfs:file { read map };
-allow profman profman_dump_data_file:file { write map };
-
-allow profman installd:fd use;
-
-# Allow profman to analyze profiles for the secondary dex files. These
-# are application dex files reported back to the framework when using
-# BaseDexClassLoader.
-allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
-allow profman { privapp_data_file app_data_file }:dir { getattr read search };
-
-# Allow query ART device config properties
-get_prop(profman, device_config_runtime_native_prop)
-get_prop(profman, device_config_runtime_native_boot_prop)
-
-###
-### neverallow rules
-###
-
-neverallow profman { privapp_data_file app_data_file }:notdevfile_class_set open;
diff --git a/prebuilts/api/31.0/public/property.te b/prebuilts/api/31.0/public/property.te
deleted file mode 100644
index 1d3f358..0000000
--- a/prebuilts/api/31.0/public/property.te
+++ /dev/null
@@ -1,330 +0,0 @@
-# Properties used only in /system
-#
-# DO NOT ADD system_internal_prop here.
-# Instead, add to private/property.te.
-# TODO(b/150331497): move these to private/property.te
-system_internal_prop(apexd_prop)
-system_internal_prop(bootloader_boot_reason_prop)
-system_internal_prop(device_config_activity_manager_native_boot_prop)
-system_internal_prop(device_config_boot_count_prop)
-system_internal_prop(device_config_input_native_boot_prop)
-system_internal_prop(device_config_media_native_prop)
-system_internal_prop(device_config_netd_native_prop)
-system_internal_prop(device_config_reset_performed_prop)
-system_internal_prop(firstboot_prop)
-
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_internal_prop(boottime_prop)
- system_internal_prop(bpf_progs_loaded_prop)
- system_internal_prop(charger_prop)
- system_internal_prop(cold_boot_done_prop)
- system_internal_prop(ctl_adbd_prop)
- system_internal_prop(ctl_apexd_prop)
- system_internal_prop(ctl_bootanim_prop)
- system_internal_prop(ctl_bugreport_prop)
- system_internal_prop(ctl_console_prop)
- system_internal_prop(ctl_dumpstate_prop)
- system_internal_prop(ctl_fuse_prop)
- system_internal_prop(ctl_gsid_prop)
- system_internal_prop(ctl_interface_restart_prop)
- system_internal_prop(ctl_interface_stop_prop)
- system_internal_prop(ctl_mdnsd_prop)
- system_internal_prop(ctl_restart_prop)
- system_internal_prop(ctl_rildaemon_prop)
- system_internal_prop(ctl_sigstop_prop)
- system_internal_prop(dynamic_system_prop)
- system_internal_prop(heapprofd_enabled_prop)
- system_internal_prop(llkd_prop)
- system_internal_prop(lpdumpd_prop)
- system_internal_prop(mmc_prop)
- system_internal_prop(mock_ota_prop)
- system_internal_prop(net_dns_prop)
- system_internal_prop(overlay_prop)
- system_internal_prop(persistent_properties_ready_prop)
- system_internal_prop(safemode_prop)
- system_internal_prop(system_lmk_prop)
- system_internal_prop(system_trace_prop)
- system_internal_prop(test_boot_reason_prop)
- system_internal_prop(time_prop)
- system_internal_prop(traced_enabled_prop)
- system_internal_prop(traced_lazy_prop)
-')
-
-# Properties which can't be written outside system
-system_restricted_prop(aac_drc_prop)
-system_restricted_prop(arm64_memtag_prop)
-system_restricted_prop(binder_cache_bluetooth_server_prop)
-system_restricted_prop(binder_cache_system_server_prop)
-system_restricted_prop(binder_cache_telephony_server_prop)
-system_restricted_prop(boot_status_prop)
-system_restricted_prop(bootanim_system_prop)
-system_restricted_prop(bootloader_prop)
-system_restricted_prop(boottime_public_prop)
-system_restricted_prop(bq_config_prop)
-system_restricted_prop(build_bootimage_prop)
-system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_runtime_native_boot_prop)
-system_restricted_prop(device_config_runtime_native_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(init_service_status_prop)
-system_restricted_prop(libc_debug_prop)
-system_restricted_prop(module_sdkextensions_prop)
-system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(power_debug_prop)
-system_restricted_prop(property_service_version_prop)
-system_restricted_prop(provisioned_prop)
-system_restricted_prop(restorecon_prop)
-system_restricted_prop(retaildemo_prop)
-system_restricted_prop(socket_hook_prop)
-system_restricted_prop(sqlite_log_prop)
-system_restricted_prop(surfaceflinger_display_prop)
-system_restricted_prop(system_boot_reason_prop)
-system_restricted_prop(system_jvmti_agent_prop)
-system_restricted_prop(ab_update_gki_prop)
-system_restricted_prop(usb_prop)
-system_restricted_prop(userspace_reboot_exported_prop)
-system_restricted_prop(vold_status_prop)
-system_restricted_prop(vts_status_prop)
-
-compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_restricted_prop(config_prop)
- system_restricted_prop(cppreopt_prop)
- system_restricted_prop(dalvik_prop)
- system_restricted_prop(debuggerd_prop)
- system_restricted_prop(device_logging_prop)
- system_restricted_prop(dhcp_prop)
- system_restricted_prop(dumpstate_prop)
- system_restricted_prop(exported3_system_prop)
- system_restricted_prop(exported_dumpstate_prop)
- system_restricted_prop(exported_secure_prop)
- system_restricted_prop(heapprofd_prop)
- system_restricted_prop(net_radio_prop)
- system_restricted_prop(pan_result_prop)
- system_restricted_prop(persist_debug_prop)
- system_restricted_prop(shell_prop)
- system_restricted_prop(test_harness_prop)
- system_restricted_prop(theme_prop)
- system_restricted_prop(use_memfd_prop)
- system_restricted_prop(vold_prop)
-')
-
-# Properties which can be written only by vendor_init
-system_vendor_config_prop(apexd_config_prop)
-system_vendor_config_prop(aaudio_config_prop)
-system_vendor_config_prop(apk_verity_prop)
-system_vendor_config_prop(audio_config_prop)
-system_vendor_config_prop(bootanim_config_prop)
-system_vendor_config_prop(build_config_prop)
-system_vendor_config_prop(build_odm_prop)
-system_vendor_config_prop(build_vendor_prop)
-system_vendor_config_prop(camera_calibration_prop)
-system_vendor_config_prop(camera_config_prop)
-system_vendor_config_prop(camera2_extensions_prop)
-system_vendor_config_prop(camerax_extensions_prop)
-system_vendor_config_prop(charger_config_prop)
-system_vendor_config_prop(codec2_config_prop)
-system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
-system_vendor_config_prop(debugfs_restriction_prop)
-system_vendor_config_prop(drm_service_config_prop)
-system_vendor_config_prop(exported_camera_prop)
-system_vendor_config_prop(exported_config_prop)
-system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(ffs_config_prop)
-system_vendor_config_prop(framework_watchdog_config_prop)
-system_vendor_config_prop(graphics_config_prop)
-system_vendor_config_prop(hdmi_config_prop)
-system_vendor_config_prop(hw_timeout_multiplier_prop)
-system_vendor_config_prop(incremental_prop)
-system_vendor_config_prop(keyguard_config_prop)
-system_vendor_config_prop(lmkd_config_prop)
-system_vendor_config_prop(media_config_prop)
-system_vendor_config_prop(media_variant_prop)
-system_vendor_config_prop(mediadrm_config_prop)
-system_vendor_config_prop(mm_events_config_prop)
-system_vendor_config_prop(oem_unlock_prop)
-system_vendor_config_prop(packagemanager_config_prop)
-system_vendor_config_prop(recovery_config_prop)
-system_vendor_config_prop(sendbug_config_prop)
-system_vendor_config_prop(soc_prop)
-system_vendor_config_prop(storage_config_prop)
-system_vendor_config_prop(storagemanager_config_prop)
-system_vendor_config_prop(surfaceflinger_prop)
-system_vendor_config_prop(suspend_prop)
-system_vendor_config_prop(systemsound_config_prop)
-system_vendor_config_prop(telephony_config_prop)
-system_vendor_config_prop(tombstone_config_prop)
-system_vendor_config_prop(usb_config_prop)
-system_vendor_config_prop(userspace_reboot_config_prop)
-system_vendor_config_prop(vehicle_hal_prop)
-system_vendor_config_prop(vendor_security_patch_level_prop)
-system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(virtual_ab_prop)
-system_vendor_config_prop(vndk_prop)
-system_vendor_config_prop(vts_config_prop)
-system_vendor_config_prop(vold_config_prop)
-system_vendor_config_prop(wifi_config_prop)
-system_vendor_config_prop(zram_config_prop)
-system_vendor_config_prop(zygote_config_prop)
-system_vendor_config_prop(dck_prop)
-
-# Properties with no restrictions
-system_public_prop(adbd_config_prop)
-system_public_prop(audio_prop)
-system_public_prop(bluetooth_a2dp_offload_prop)
-system_public_prop(bluetooth_audio_hal_prop)
-system_public_prop(bluetooth_prop)
-system_public_prop(ctl_default_prop)
-system_public_prop(ctl_interface_start_prop)
-system_public_prop(ctl_start_prop)
-system_public_prop(ctl_stop_prop)
-system_public_prop(dalvik_runtime_prop)
-system_public_prop(debug_prop)
-system_public_prop(dumpstate_options_prop)
-system_public_prop(exported_system_prop)
-system_public_prop(exported_bluetooth_prop)
-system_public_prop(exported_overlay_prop)
-system_public_prop(exported_pm_prop)
-system_public_prop(ffs_control_prop)
-system_public_prop(hal_dumpstate_config_prop)
-system_public_prop(sota_prop)
-system_public_prop(hwservicemanager_prop)
-system_public_prop(lmkd_prop)
-system_public_prop(logd_prop)
-system_public_prop(logpersistd_logging_prop)
-system_public_prop(log_prop)
-system_public_prop(log_tag_prop)
-system_public_prop(lowpan_prop)
-system_public_prop(nfc_prop)
-system_public_prop(ota_prop)
-system_public_prop(powerctl_prop)
-system_public_prop(qemu_hw_prop)
-system_public_prop(qemu_sf_lcd_density_prop)
-system_public_prop(radio_control_prop)
-system_public_prop(radio_prop)
-system_public_prop(serialno_prop)
-system_public_prop(surfaceflinger_color_prop)
-system_public_prop(system_prop)
-system_public_prop(telephony_status_prop)
-system_public_prop(usb_control_prop)
-system_public_prop(vold_post_fs_data_prop)
-system_public_prop(wifi_hal_prop)
-system_public_prop(wifi_log_prop)
-system_public_prop(wifi_prop)
-system_public_prop(zram_control_prop)
-
-# Properties which don't have entries on property_contexts
-system_internal_prop(default_prop)
-
-# Properties used in default HAL implementations
-vendor_internal_prop(rebootescrow_hal_prop)
-
-vendor_public_prop(persist_vendor_debug_wifi_prop)
-
-# Properties which are public for devices launching with Android O or earlier
-# This should not be used for any new properties.
-not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
- system_public_prop(boottime_prop)
- system_public_prop(bpf_progs_loaded_prop)
- system_public_prop(charger_prop)
- system_public_prop(cold_boot_done_prop)
- system_public_prop(ctl_adbd_prop)
- system_public_prop(ctl_apexd_prop)
- system_public_prop(ctl_bootanim_prop)
- system_public_prop(ctl_bugreport_prop)
- system_public_prop(ctl_console_prop)
- system_public_prop(ctl_dumpstate_prop)
- system_public_prop(ctl_fuse_prop)
- system_public_prop(ctl_gsid_prop)
- system_public_prop(ctl_interface_restart_prop)
- system_public_prop(ctl_interface_stop_prop)
- system_public_prop(ctl_mdnsd_prop)
- system_public_prop(ctl_restart_prop)
- system_public_prop(ctl_rildaemon_prop)
- system_public_prop(ctl_sigstop_prop)
- system_public_prop(dynamic_system_prop)
- system_public_prop(heapprofd_enabled_prop)
- system_public_prop(llkd_prop)
- system_public_prop(lpdumpd_prop)
- system_public_prop(mmc_prop)
- system_public_prop(mock_ota_prop)
- system_public_prop(net_dns_prop)
- system_public_prop(overlay_prop)
- system_public_prop(persistent_properties_ready_prop)
- system_public_prop(safemode_prop)
- system_public_prop(system_lmk_prop)
- system_public_prop(system_trace_prop)
- system_public_prop(test_boot_reason_prop)
- system_public_prop(time_prop)
- system_public_prop(traced_enabled_prop)
- system_public_prop(traced_lazy_prop)
-
- system_public_prop(config_prop)
- system_public_prop(cppreopt_prop)
- system_public_prop(dalvik_prop)
- system_public_prop(debuggerd_prop)
- system_public_prop(device_logging_prop)
- system_public_prop(dhcp_prop)
- system_public_prop(dumpstate_prop)
- system_public_prop(exported3_system_prop)
- system_public_prop(exported_dumpstate_prop)
- system_public_prop(exported_secure_prop)
- system_public_prop(heapprofd_prop)
- system_public_prop(net_radio_prop)
- system_public_prop(pan_result_prop)
- system_public_prop(persist_debug_prop)
- system_public_prop(shell_prop)
- system_public_prop(test_harness_prop)
- system_public_prop(theme_prop)
- system_public_prop(use_memfd_prop)
- system_public_prop(vold_prop)
-')
-
-not_compatible_property(`
- vendor_public_prop(vendor_default_prop)
-')
-
-compatible_property_only(`
- vendor_internal_prop(vendor_default_prop)
-')
-
-typeattribute log_prop log_property_type;
-typeattribute log_tag_prop log_property_type;
-typeattribute wifi_log_prop log_property_type;
-
-allow property_type tmpfs:filesystem associate;
-
-# core_property_type should not be used for new properties or
-# device specific properties. Properties with this attribute
-# are readable to everyone, which is overly broad and should
-# be avoided.
-# New properties should have appropriate read / write access
-# control rules written.
-
-typeattribute audio_prop core_property_type;
-typeattribute config_prop core_property_type;
-typeattribute cppreopt_prop core_property_type;
-typeattribute dalvik_prop core_property_type;
-typeattribute debuggerd_prop core_property_type;
-typeattribute debug_prop core_property_type;
-typeattribute dhcp_prop core_property_type;
-typeattribute dumpstate_prop core_property_type;
-typeattribute logd_prop core_property_type;
-typeattribute net_radio_prop core_property_type;
-typeattribute nfc_prop core_property_type;
-typeattribute ota_prop core_property_type;
-typeattribute pan_result_prop core_property_type;
-typeattribute persist_debug_prop core_property_type;
-typeattribute powerctl_prop core_property_type;
-typeattribute radio_prop core_property_type;
-typeattribute restorecon_prop core_property_type;
-typeattribute shell_prop core_property_type;
-typeattribute system_prop core_property_type;
-typeattribute usb_prop core_property_type;
-typeattribute vold_prop core_property_type;
-
diff --git a/prebuilts/api/31.0/public/racoon.te b/prebuilts/api/31.0/public/racoon.te
deleted file mode 100644
index e4b299e..0000000
--- a/prebuilts/api/31.0/public/racoon.te
+++ /dev/null
@@ -1,35 +0,0 @@
-# IKE key management daemon
-type racoon, domain;
-type racoon_exec, system_file_type, exec_type, file_type;
-
-typeattribute racoon mlstrustedsubject;
-
-net_domain(racoon)
-allowxperm racoon self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFADDR SIOCSIFNETMASK };
-
-binder_use(racoon)
-
-allow racoon tun_device:chr_file r_file_perms;
-allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
-allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
-allow racoon kernel:system module_request;
-
-allow racoon self:key_socket create_socket_perms_no_ioctl;
-allow racoon self:tun_socket create_socket_perms_no_ioctl;
-allow racoon self:global_capability_class_set { net_admin net_bind_service net_raw };
-
-# XXX: should we give ip-up-vpn its own label (currently racoon domain)
-allow racoon system_file:file rx_file_perms;
-not_full_treble(`allow racoon vendor_file:file rx_file_perms;')
-allow racoon vpn_data_file:file create_file_perms;
-allow racoon vpn_data_file:dir w_dir_perms;
-
-use_keystore(racoon)
-
-# Racoon (VPN) has a restricted set of permissions from the default.
-allow racoon keystore:keystore_key {
- get
- sign
- verify
-};
diff --git a/prebuilts/api/31.0/public/radio.te b/prebuilts/api/31.0/public/radio.te
deleted file mode 100644
index e03b706..0000000
--- a/prebuilts/api/31.0/public/radio.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# phone subsystem
-type radio, domain, mlstrustedsubject;
-
-net_domain(radio)
-bluetooth_domain(radio)
-binder_service(radio)
-
-# Talks to hal_telephony_server via the rild socket only for devices without full treble
-not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
-
-# Data file accesses.
-allow radio radio_data_file:dir create_dir_perms;
-allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio radio_core_data_file:dir r_dir_perms;
-allow radio radio_core_data_file:file r_file_perms;
-
-allow radio net_data_file:dir search;
-allow radio net_data_file:file r_file_perms;
-
-add_service(radio, radio_service)
-allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
-allow radio drmserver_service:service_manager find;
-allow radio mediaserver_service:service_manager find;
-allow radio nfc_service:service_manager find;
-allow radio app_api_service:service_manager find;
-allow radio system_api_service:service_manager find;
-allow radio timedetector_service:service_manager find;
-allow radio timezonedetector_service:service_manager find;
-
-# Perform HwBinder IPC.
-hwbinder_use(radio)
-hal_client_domain(radio, hal_telephony)
-
-# Used by TelephonyManager
-allow radio proc_cmdline:file r_file_perms;
diff --git a/prebuilts/api/31.0/public/recovery.te b/prebuilts/api/31.0/public/recovery.te
deleted file mode 100644
index 3649888..0000000
--- a/prebuilts/api/31.0/public/recovery.te
+++ /dev/null
@@ -1,163 +0,0 @@
-# recovery console (used in recovery init.rc for /sbin/recovery)
-
-# Declare the domain unconditionally so we can always reference it
-# in neverallow rules.
-type recovery, domain;
-
-# But the allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Allow recovery to perform an update as update_engine would do.
- typeattribute recovery update_engine_common;
- # Recovery can only use HALs in passthrough mode
- passthrough_hal_client_domain(recovery, hal_bootctl)
-
- allow recovery self:global_capability_class_set {
- chown
- dac_override
- dac_read_search
- fowner
- setuid
- setgid
- sys_admin
- sys_tty_config
- };
-
- # Run helpers from / or /system without changing domain.
- r_dir_file(recovery, rootfs)
- allow recovery rootfs:file execute_no_trans;
- allow recovery system_file:file execute_no_trans;
- allow recovery toolbox_exec:file rx_file_perms;
-
- # Mount filesystems.
- allow recovery rootfs:dir mounton;
- allow recovery tmpfs:dir mounton;
- allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
- allow recovery unlabeled:filesystem ~relabelto;
- allow recovery contextmount_type:filesystem relabelto;
-
- # We may be asked to set an SELinux label for a type not known to the
- # currently loaded policy. Allow it.
- allow recovery unlabeled:{ file lnk_file } { create_file_perms relabelfrom relabelto };
- allow recovery unlabeled:dir { create_dir_perms relabelfrom relabelto };
-
- # Get file contexts
- allow recovery file_contexts_file:file r_file_perms;
-
- # Write to /proc/sys/vm/drop_caches
- allow recovery proc_drop_caches:file w_file_perms;
-
- # Read /proc/swaps
- allow recovery proc_swaps:file r_file_perms;
-
- # Read kernel config through libvintf for OTA matching
- allow recovery config_gz:file { open read getattr };
-
- # Write to /sys/class/android_usb/android0/enable.
- r_dir_file(recovery, sysfs_android_usb)
- allow recovery sysfs_android_usb:file w_file_perms;
-
- # Write to /sys/devices/system/cpu/cpu0/cpufreq/scaling_max_freq.
- allow recovery sysfs_devices_system_cpu:file w_file_perms;
-
- allow recovery sysfs_batteryinfo:file r_file_perms;
-
- # Read /sysfs/fs/ext4/features
- r_dir_file(recovery, sysfs_fs_ext4_features)
-
- # Read from /sys/class/leds/lcd-backlight/max_brightness and write to /s/c/l/l/brightness to
- # control backlight brightness.
- allow recovery sysfs_leds:dir r_dir_perms;
- allow recovery sysfs_leds:file rw_file_perms;
- allow recovery sysfs_leds:lnk_file read;
-
- allow recovery kernel:system syslog_read;
-
- # Access /dev/usb-ffs/adb/ep0
- allow recovery functionfs:dir search;
- allow recovery functionfs:file rw_file_perms;
- allowxperm recovery functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
-
- # Access to /sys/fs/selinux/policyvers for compatibility check
- allow recovery selinuxfs:file r_file_perms;
-
- # Required to e.g. wipe userdata/cache.
- allow recovery device:dir r_dir_perms;
- allow recovery block_device:dir r_dir_perms;
- allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
-
- # GUI
- allow recovery graphics_device:chr_file rw_file_perms;
- allow recovery graphics_device:dir r_dir_perms;
- allow recovery input_device:dir r_dir_perms;
- allow recovery input_device:chr_file r_file_perms;
- allow recovery tty_device:chr_file rw_file_perms;
-
- # Create /tmp/recovery.log and execute /tmp/update_binary.
- allow recovery tmpfs:file { create_file_perms x_file_perms };
- allow recovery tmpfs:dir create_dir_perms;
-
- # Manage files on /cache and /cache/recovery
- allow recovery { cache_file cache_recovery_file }:dir create_dir_perms;
- allow recovery { cache_file cache_recovery_file }:file create_file_perms;
-
- # Read /sys/class/thermal/*/temp for thermal info.
- r_dir_file(recovery, sysfs_thermal)
-
- # Read files on /oem.
- r_dir_file(recovery, oemfs);
-
- # Use setfscreatecon() to label files for OTA updates.
- allow recovery self:process setfscreate;
-
- # Allow recovery to create a fuse filesystem, and read files from it.
- allow recovery fuse_device:chr_file rw_file_perms;
- allow recovery fuse:dir r_dir_perms;
- allow recovery fuse:file r_file_perms;
-
- wakelock_use(recovery)
-
- # This line seems suspect, as it should not really need to
- # set scheduling parameters for a kernel domain task.
- allow recovery kernel:process setsched;
-
- # These are needed to update dynamic partitions in recovery.
- r_dir_file(recovery, sysfs_dm)
- allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
- # Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file_type:dir search;
- allow recovery ota_metadata_file:dir rw_dir_perms;
- allow recovery ota_metadata_file:file create_file_perms;
-
- # Allow mounting /metadata for writing update states
- allow recovery metadata_file:dir { getattr mounton };
-')
-
-###
-### neverallow rules
-###
-
-# Recovery should never touch /data.
-#
-# In particular, if /data is encrypted, it is not accessible
-# to recovery anyway.
-#
-# For now, we only enforce write/execute restrictions, as domain.te
-# contains a number of read-only rules that apply to all
-# domains, including recovery.
-#
-# TODO: tighten this up further.
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
- with_native_coverage(`-method_trace_data_file')
-}:file { no_w_file_perms no_x_file_perms };
-neverallow recovery {
- data_file_type
- -cache_file
- -cache_recovery_file
- with_native_coverage(`-method_trace_data_file')
-}:dir no_w_dir_perms;
diff --git a/prebuilts/api/31.0/public/recovery_persist.te b/prebuilts/api/31.0/public/recovery_persist.te
deleted file mode 100644
index d4b4562..0000000
--- a/prebuilts/api/31.0/public/recovery_persist.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# android recovery persistent log manager
-type recovery_persist, domain;
-type recovery_persist_exec, system_file_type, exec_type, file_type;
-
-allow recovery_persist pstorefs:dir search;
-allow recovery_persist pstorefs:file r_file_perms;
-
-allow recovery_persist recovery_data_file:file create_file_perms;
-allow recovery_persist recovery_data_file:dir create_dir_perms;
-
-allow recovery_persist cache_file:dir search;
-allow recovery_persist cache_file:lnk_file read;
-allow recovery_persist cache_recovery_file:dir rw_dir_perms;
-allow recovery_persist cache_recovery_file:file { r_file_perms unlink };
-
-###
-### Neverallow rules
-###
-### recovery_persist should NEVER do any of this
-
-# Block device access.
-neverallow recovery_persist dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_persist domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_persist system_file:dir_file_class_set write;
-
-# Write to files in /data/data
-neverallow recovery_persist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write;
-
diff --git a/prebuilts/api/31.0/public/recovery_refresh.te b/prebuilts/api/31.0/public/recovery_refresh.te
deleted file mode 100644
index d6870dc..0000000
--- a/prebuilts/api/31.0/public/recovery_refresh.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# android recovery refresh log manager
-type recovery_refresh, domain;
-type recovery_refresh_exec, system_file_type, exec_type, file_type;
-
-allow recovery_refresh pstorefs:dir search;
-allow recovery_refresh pstorefs:file r_file_perms;
-# NB: domain inherits write_logd which hands us write to pmsg_device
-
-###
-### Neverallow rules
-###
-### recovery_refresh should NEVER do any of this
-
-# Block device access.
-neverallow recovery_refresh dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow recovery_refresh domain:process ptrace;
-
-# Write to /system.
-neverallow recovery_refresh system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow recovery_refresh { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
diff --git a/prebuilts/api/31.0/public/roles b/prebuilts/api/31.0/public/roles
deleted file mode 100644
index ca92934..0000000
--- a/prebuilts/api/31.0/public/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types domain;
diff --git a/prebuilts/api/31.0/public/rs.te b/prebuilts/api/31.0/public/rs.te
deleted file mode 100644
index 16b6e96..0000000
--- a/prebuilts/api/31.0/public/rs.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type rs, domain, coredomain;
-type rs_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/31.0/public/rss_hwm_reset.te b/prebuilts/api/31.0/public/rss_hwm_reset.te
deleted file mode 100644
index 163e1ac..0000000
--- a/prebuilts/api/31.0/public/rss_hwm_reset.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# rss_hwm_reset resets RSS high-water mark counters for all procesess.
-type rss_hwm_reset, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/31.0/public/runas.te b/prebuilts/api/31.0/public/runas.te
deleted file mode 100644
index 356a019..0000000
--- a/prebuilts/api/31.0/public/runas.te
+++ /dev/null
@@ -1,43 +0,0 @@
-type runas, domain, mlstrustedsubject;
-type runas_exec, system_file_type, exec_type, file_type;
-
-allow runas adbd:fd use;
-allow runas adbd:process sigchld;
-allow runas adbd:unix_stream_socket { read write };
-allow runas shell:fd use;
-allow runas shell:fifo_file { read write };
-allow runas shell:unix_stream_socket { read write };
-allow runas devpts:chr_file { read write ioctl };
-allow runas shell_data_file:file { read write };
-
-# run-as reads package information.
-allow runas system_data_file:file r_file_perms;
-allow runas system_data_file:lnk_file getattr;
-allow runas packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow runas system_data_file:lnk_file read;
-
-# run-as checks and changes to the app data dir.
-dontaudit runas self:global_capability_class_set { dac_override dac_read_search };
-allow runas app_data_file:dir { getattr search };
-
-# run-as switches to the app UID/GID.
-allow runas self:global_capability_class_set { setuid setgid };
-
-# run-as switches to the app security context.
-selinux_check_context(runas) # validate context
-allow runas self:process setcurrent;
-allow runas non_system_app_set:process dyntransition; # setcon
-
-# runas/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow runas seapp_contexts_file:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# run-as cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow runas self:global_capability_class_set ~{ setuid setgid };
-neverallow runas self:global_capability2_class_set *;
diff --git a/prebuilts/api/31.0/public/runas_app.te b/prebuilts/api/31.0/public/runas_app.te
deleted file mode 100644
index cdaa799..0000000
--- a/prebuilts/api/31.0/public/runas_app.te
+++ /dev/null
@@ -1 +0,0 @@
-type runas_app, domain;
diff --git a/prebuilts/api/31.0/public/scheduler_service_server.te b/prebuilts/api/31.0/public/scheduler_service_server.te
deleted file mode 100644
index b3cede1..0000000
--- a/prebuilts/api/31.0/public/scheduler_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(scheduler_service_server, fwk_scheduler_hwservice)
diff --git a/prebuilts/api/31.0/public/sdcardd.te b/prebuilts/api/31.0/public/sdcardd.te
deleted file mode 100644
index bb1c919..0000000
--- a/prebuilts/api/31.0/public/sdcardd.te
+++ /dev/null
@@ -1,46 +0,0 @@
-type sdcardd, domain;
-type sdcardd_exec, system_file_type, exec_type, file_type;
-
-allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
-allow sdcardd fuse_device:chr_file rw_file_perms;
-allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
-allow sdcardd sdcardfs:filesystem remount;
-allow sdcardd tmpfs:dir r_dir_perms;
-allow sdcardd mnt_media_rw_file:dir r_dir_perms;
-allow sdcardd storage_file:dir search;
-allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
-allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
-
-allow sdcardd media_rw_data_file:dir create_dir_perms;
-allow sdcardd media_rw_data_file:file create_file_perms;
-
-# Read /data/system/packages.list.
-allow sdcardd system_data_file:file r_file_perms;
-allow sdcardd packages_list_file:file r_file_perms;
-
-# Read /data/misc/installd/layout_version
-allow sdcardd install_data_file:file r_file_perms;
-allow sdcardd install_data_file:dir search;
-
-# Allow stdin/out back to vold
-allow sdcardd vold:fd use;
-allow sdcardd vold:fifo_file { read write getattr };
-
-# Allow running on top of expanded storage
-allow sdcardd mnt_expand_file:dir search;
-
-# access /proc/filesystems
-allow sdcardd proc_filesystems:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# The sdcard daemon should no longer be started from init
-neverallow init sdcardd_exec:file execute;
-neverallow init sdcardd:process { transition dyntransition };
diff --git a/prebuilts/api/31.0/public/secure_element.te b/prebuilts/api/31.0/public/secure_element.te
deleted file mode 100644
index 4ce6714..0000000
--- a/prebuilts/api/31.0/public/secure_element.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# secure_element subsystem
-type secure_element, domain;
diff --git a/prebuilts/api/31.0/public/sensor_service_server.te b/prebuilts/api/31.0/public/sensor_service_server.te
deleted file mode 100644
index 7c526a5..0000000
--- a/prebuilts/api/31.0/public/sensor_service_server.te
+++ /dev/null
@@ -1 +0,0 @@
-add_hwservice(sensor_service_server, fwk_sensor_hwservice)
diff --git a/prebuilts/api/31.0/public/service.te b/prebuilts/api/31.0/public/service.te
deleted file mode 100644
index ba7837d..0000000
--- a/prebuilts/api/31.0/public/service.te
+++ /dev/null
@@ -1,279 +0,0 @@
-type aidl_lazy_test_service, service_manager_type;
-type apc_service, service_manager_type;
-type apex_service, service_manager_type;
-type audioserver_service, service_manager_type;
-type authorization_service, service_manager_type;
-type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type bluetooth_service, service_manager_type;
-type cameraserver_service, service_manager_type;
-type default_android_service, service_manager_type;
-type dnsresolver_service, service_manager_type;
-type drmserver_service, service_manager_type;
-type dumpstate_service, service_manager_type;
-type fingerprintd_service, service_manager_type;
-type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type idmap_service, service_manager_type;
-type iorapd_service, service_manager_type;
-type incident_service, service_manager_type;
-type installd_service, service_manager_type;
-type credstore_service, app_api_service, service_manager_type;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
-type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
-type lpdump_service, service_manager_type;
-type mediaserver_service, service_manager_type;
-type mediametrics_service, service_manager_type;
-type mediaextractor_service, service_manager_type;
-type mediadrmserver_service, service_manager_type;
-type mediatranscoding_service, app_api_service, service_manager_type;
-type netd_service, service_manager_type;
-type nfc_service, service_manager_type;
-type radio_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
-type secure_element_service, service_manager_type;
-type service_manager_service, service_manager_type;
-type storaged_service, service_manager_type;
-type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
-type system_app_service, service_manager_type;
-type system_suspend_control_internal_service, service_manager_type;
-type system_suspend_control_service, service_manager_type;
-type update_engine_service, service_manager_type;
-type update_engine_stable_service, service_manager_type;
-type virtualization_service, service_manager_type;
-type virtual_touchpad_service, service_manager_type;
-type vold_service, service_manager_type;
-type vr_hwc_service, service_manager_type;
-type vrflinger_vsync_service, service_manager_type;
-
-# system_server_services broken down
-type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type account_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type activity_task_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type adb_service, system_api_service, system_server_service, service_manager_type;
-type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
-type app_integrity_service, system_api_service, system_server_service, service_manager_type;
-type app_prediction_service, app_api_service, system_server_service, service_manager_type;
-type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appops_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type appwidget_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type assetatlas_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type audio_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type auth_service, app_api_service, system_server_service, service_manager_type;
-type autofill_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type backup_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type batterystats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type battery_service, system_server_service, service_manager_type;
-type binder_calls_stats_service, system_server_service, service_manager_type;
-type blob_store_service, app_api_service, system_server_service, service_manager_type;
-type bluetooth_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type broadcastradio_service, system_server_service, service_manager_type;
-type cacheinfo_service, system_api_service, system_server_service, service_manager_type;
-type cameraproxy_service, system_server_service, service_manager_type;
-type clipboard_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type contexthub_service, app_api_service, system_server_service, service_manager_type;
-type crossprofileapps_service, app_api_service, system_server_service, service_manager_type;
-type IProxyService_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type companion_device_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connectivity_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type connmetrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type consumer_ir_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_capture_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_suggestions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type content_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type country_detector_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-# Note: The coverage_service should only be enabled for userdebug / eng builds that were compiled
-# with EMMA_INSTRUMENT=true. We should consider locking this down in the future.
-type coverage_service, system_server_service, service_manager_type;
-type cpuinfo_service, system_api_service, system_server_service, service_manager_type;
-type dataloader_manager_service, system_server_service, service_manager_type;
-type dbinfo_service, system_api_service, system_server_service, service_manager_type;
-type device_config_service, system_server_service, service_manager_type;
-type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type devicestoragemonitor_service, system_server_service, service_manager_type;
-type diskstats_service, system_api_service, system_server_service, service_manager_type;
-type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type domain_verification_service, app_api_service, system_server_service, service_manager_type;
-type color_display_service, system_api_service, system_server_service, service_manager_type;
-type external_vibrator_service, system_server_service, service_manager_type;
-type file_integrity_service, app_api_service, system_server_service, service_manager_type;
-type font_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netd_listener_service, system_server_service, service_manager_type;
-type network_watchlist_service, system_server_service, service_manager_type;
-type DockObserver_service, system_server_service, service_manager_type;
-type dreams_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type dropbox_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type lowpan_service, system_api_service, system_server_service, service_manager_type;
-type ethernet_service, app_api_service, system_server_service, service_manager_type;
-type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, app_api_service, system_server_service, service_manager_type;
-type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type face_service, app_api_service, system_server_service, service_manager_type;
-type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
-type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type gnss_time_update_service, system_server_service, service_manager_type;
-type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hardware_service, system_server_service, service_manager_type;
-type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
-type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type incremental_service, system_server_service, service_manager_type;
-type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type ipsec_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type iris_service, app_api_service, system_server_service, service_manager_type;
-type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_time_zone_manager_service, system_server_service, service_manager_type;
-type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
-type looper_stats_service, system_server_service, service_manager_type;
-type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type network_score_service, system_api_service, system_server_service, service_manager_type;
-type network_stack_service, system_server_service, service_manager_type;
-type network_time_update_service, system_server_service, service_manager_type;
-type notification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type oem_lock_service, system_api_service, system_server_service, service_manager_type;
-type otadexopt_service, system_server_service, service_manager_type;
-type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
-type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, app_api_service, system_server_service, service_manager_type;
-type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
-type pinner_service, system_server_service, service_manager_type;
-type powerstats_service, app_api_service, system_server_service, service_manager_type;
-type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type processinfo_service, system_server_service, service_manager_type;
-type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
-type recovery_service, system_server_service, service_manager_type;
-type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type role_service, app_api_service, system_server_service, service_manager_type;
-type rollback_service, app_api_service, system_server_service, service_manager_type;
-type runtime_service, system_server_service, service_manager_type;
-type rttmanager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type samplingprofiler_service, system_server_service, service_manager_type;
-type scheduling_policy_service, system_server_service, service_manager_type;
-type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type search_ui_service, app_api_service, system_server_service, service_manager_type;
-type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
-type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type serial_service, system_api_service, system_server_service, service_manager_type;
-type servicediscovery_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type shortcut_service, app_api_service, system_server_service, service_manager_type;
-type slice_service, app_api_service, system_server_service, service_manager_type;
-type smartspace_service, app_api_service, system_server_service, service_manager_type;
-type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type system_config_service, system_api_service, system_server_service, service_manager_type;
-type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
-type system_update_service, system_server_service, service_manager_type;
-type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type task_service, system_server_service, service_manager_type;
-type testharness_service, system_server_service, service_manager_type;
-type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
-type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
-type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type trust_service, app_api_service, system_server_service, service_manager_type;
-type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
-type uimode_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type updatelock_service, system_api_service, system_server_service, service_manager_type;
-type uri_grants_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type usb_service, app_api_service, system_server_service, service_manager_type;
-type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uwb_service, app_api_service, system_server_service, service_manager_type;
-type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vpn_management_service, app_api_service, system_server_service, service_manager_type;
-type vr_manager_service, system_server_service, service_manager_type;
-type wallpaper_service, app_api_service, system_server_service, service_manager_type;
-type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type wifip2p_service, app_api_service, system_server_service, service_manager_type;
-type wifiscanner_service, system_api_service, system_server_service, service_manager_type;
-type wifi_service, app_api_service, system_server_service, service_manager_type;
-type wifinl80211_service, service_manager_type;
-type wifiaware_service, app_api_service, system_server_service, service_manager_type;
-type window_service, system_api_service, system_server_service, service_manager_type;
-type inputflinger_service, system_api_service, system_server_service, service_manager_type;
-type wpantund_service, system_api_service, service_manager_type;
-type tethering_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type emergency_affordance_service, system_server_service, service_manager_type;
-
-###
-### HAL Services
-###
-
-type hal_audio_service, vendor_service, protected_service, service_manager_type;
-type hal_audiocontrol_service, vendor_service, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_face_service, vendor_service, protected_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, service_manager_type;
-type hal_light_service, vendor_service, protected_service, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
-type hal_power_service, vendor_service, protected_service, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, service_manager_type;
-
-###
-### Neverallow rules
-###
-
-# servicemanager handles registering or looking up named services.
-# It does not make sense to register or lookup something which is not a service.
-# Trigger a compile error if this occurs.
-neverallow domain ~{ service_manager_type vndservice_manager_type }:service_manager { add find };
diff --git a/prebuilts/api/31.0/public/servicemanager.te b/prebuilts/api/31.0/public/servicemanager.te
deleted file mode 100644
index 63fc227..0000000
--- a/prebuilts/api/31.0/public/servicemanager.te
+++ /dev/null
@@ -1,32 +0,0 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -vendor_init
- -hwservicemanager
- -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
-
-add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
diff --git a/prebuilts/api/31.0/public/sgdisk.te b/prebuilts/api/31.0/public/sgdisk.te
deleted file mode 100644
index e5a9152..0000000
--- a/prebuilts/api/31.0/public/sgdisk.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# sgdisk called from vold
-type sgdisk, domain;
-type sgdisk_exec, system_file_type, exec_type, file_type;
-
-# Allowed to read/write low-level partition tables
-allow sgdisk block_device:dir search;
-allow sgdisk vold_device:blk_file rw_file_perms;
-# HDIO_GETGEO needed to get the number of disk heads
-# on vold_device. How quaint.
-allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
-# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
-# is granted to all block device users in domain.te, so
-# no need to mention it here. sgdisk should not be
-# using the BLKGETSIZE ioctl as it is useless for devices over
-# 2T in size, but we allow it for now and hope that sgdisk
-# will fix their bug.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
-# Force a re-read of the partition table.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
-# Allow reading of the physical block size.
-allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
-
-# Inherit and use pty created by android_fork_execvp()
-allow sgdisk devpts:chr_file { read write ioctl getattr };
-
-# Allow stdin/out back to vold
-allow sgdisk vold:fd use;
-allow sgdisk vold:fifo_file { read write getattr };
-
-# Used to probe kernel to reload partition tables
-allow sgdisk self:global_capability_class_set sys_admin;
-
-# Only allow entry from vold
-neverallow { domain -vold } sgdisk:process transition;
-neverallow * sgdisk:process dyntransition;
-neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
diff --git a/prebuilts/api/31.0/public/shared_relro.te b/prebuilts/api/31.0/public/shared_relro.te
deleted file mode 100644
index 6dd5bd7..0000000
--- a/prebuilts/api/31.0/public/shared_relro.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Process which creates/updates shared RELRO files to be used by other apps.
-type shared_relro, domain;
diff --git a/prebuilts/api/31.0/public/shell.te b/prebuilts/api/31.0/public/shell.te
deleted file mode 100644
index 70a7fb4..0000000
--- a/prebuilts/api/31.0/public/shell.te
+++ /dev/null
@@ -1,232 +0,0 @@
-# Domain for shell processes spawned by ADB or console service.
-type shell, domain, mlstrustedsubject;
-type shell_exec, system_file_type, exec_type, file_type;
-
-# Create and use network sockets.
-net_domain(shell)
-
-# logcat
-read_logd(shell)
-control_logd(shell)
-# logcat -L (directly, or via dumpstate)
-allow shell pstorefs:dir search;
-allow shell pstorefs:file r_file_perms;
-
-# Root fs.
-allow shell rootfs:dir r_dir_perms;
-
-# read files in /data/anr
-allow shell anr_data_file:dir r_dir_perms;
-allow shell anr_data_file:file r_file_perms;
-
-# Access /data/local/tmp.
-allow shell shell_data_file:dir create_dir_perms;
-allow shell shell_data_file:file create_file_perms;
-allow shell shell_data_file:file rx_file_perms;
-allow shell shell_data_file:lnk_file create_file_perms;
-
-# Access /data/local/tests.
-allow shell shell_test_data_file:dir create_dir_perms;
-allow shell shell_test_data_file:file create_file_perms;
-allow shell shell_test_data_file:file rx_file_perms;
-allow shell shell_test_data_file:lnk_file create_file_perms;
-allow shell shell_test_data_file:sock_file create_file_perms;
-
-# Read and delete from /data/local/traces.
-allow shell trace_data_file:file { r_file_perms unlink };
-allow shell trace_data_file:dir { r_dir_perms remove_name write };
-
-# Access /data/misc/profman.
-allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
-allow shell profman_dump_data_file:file { unlink r_file_perms };
-
-# Read/execute files in /data/nativetest
-userdebug_or_eng(`
- allow shell nativetest_data_file:dir r_dir_perms;
- allow shell nativetest_data_file:file rx_file_perms;
-')
-
-# adb bugreport
-unix_socket_connect(shell, dumpstate, dumpstate)
-
-allow shell devpts:chr_file rw_file_perms;
-allow shell tty_device:chr_file rw_file_perms;
-allow shell console_device:chr_file rw_file_perms;
-
-allow shell input_device:dir r_dir_perms;
-allow shell input_device:chr_file r_file_perms;
-
-r_dir_file(shell, system_file)
-allow shell system_file:file x_file_perms;
-allow shell toolbox_exec:file rx_file_perms;
-allow shell tzdatacheck_exec:file rx_file_perms;
-allow shell shell_exec:file rx_file_perms;
-allow shell zygote_exec:file rx_file_perms;
-
-r_dir_file(shell, apk_data_file)
-
-userdebug_or_eng(`
- # "systrace --boot" support - allow boottrace service to run
- allow shell boottrace_data_file:dir rw_dir_perms;
- allow shell boottrace_data_file:file create_file_perms;
-')
-
-# allow shell access to services
-allow shell servicemanager:service_manager list;
-# don't allow shell to access GateKeeper service
-# TODO: why is this so broad? Tightening candidate? It needs at list:
-# - dumpstate_service (so it can receive dumpstate progress updates)
-allow shell {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -gatekeeper_service
- -incident_service
- -installd_service
- -iorapd_service
- -netd_service
- -system_suspend_control_internal_service
- -system_suspend_control_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-allow shell dumpstate:binder call;
-
-# allow shell to get information from hwservicemanager
-# for instance, listing hardware services with lshal
-hwbinder_use(shell)
-allow shell hwservicemanager:hwservice_manager list;
-
-# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
-r_dir_file(shell, proc_net_type)
-
-allow shell {
- proc_asound
- proc_filesystems
- proc_interrupts
- proc_loadavg # b/124024827
- proc_meminfo
- proc_modules
- proc_pid_max
- proc_slabinfo
- proc_stat
- proc_timer
- proc_uptime
- proc_version
- proc_vmstat
- proc_zoneinfo
-}:file r_file_perms;
-
-# allow listing network interfaces under /sys/class/net.
-allow shell sysfs_net:dir r_dir_perms;
-
-r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-allow shell vendor_cgroup_desc_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
-allow shell domain:dir { search open read getattr };
-allow shell domain:{ file lnk_file } { open read getattr };
-
-# statvfs() of /proc and other labeled filesystems
-# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
-allow shell { proc labeledfs }:filesystem getattr;
-
-# stat() of /dev
-allow shell device:dir getattr;
-
-# allow shell to read /proc/pid/attr/current for ps -Z
-allow shell domain:process getattr;
-
-# Allow pulling the SELinux policy for CTS purposes
-allow shell selinuxfs:dir r_dir_perms;
-allow shell selinuxfs:file r_file_perms;
-
-# enable shell domain to read/write files/dirs for bootchart data
-# User will creates the start and stop file via adb shell
-# and read other files created by init process under /data/bootchart
-allow shell bootchart_data_file:dir rw_dir_perms;
-allow shell bootchart_data_file:file create_file_perms;
-
-# Make sure strace works for the non-privileged shell user
-allow shell self:process ptrace;
-
-# allow shell to get battery info
-allow shell sysfs:dir r_dir_perms;
-allow shell sysfs_batteryinfo:dir r_dir_perms;
-allow shell sysfs_batteryinfo:file r_file_perms;
-
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
-# Allow access to ion memory allocation device.
-allow shell ion_device:chr_file rw_file_perms;
-
-#
-# filesystem test for insecure chr_file's is done
-# via a host side test
-#
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# /dev/fd is a symlink
-allow shell proc:lnk_file getattr;
-
-#
-# filesystem test for insucre blk_file's is done
-# via hostside test
-#
-allow shell dev_type:blk_file getattr;
-
-# read selinux policy files
-allow shell file_contexts_file:file r_file_perms;
-allow shell property_contexts_file:file r_file_perms;
-allow shell seapp_contexts_file:file r_file_perms;
-allow shell service_contexts_file:file r_file_perms;
-allow shell sepolicy_file:file r_file_perms;
-
-# Allow shell to start up vendor shell
-allow shell vendor_shell_exec:file rx_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Allow shell to
-# execute them.
-recovery_only(`
- allow shell rootfs:file rx_file_perms;
-')
-
-###
-### Neverallow rules
-###
-
-# Do not allow shell to hard link to any files.
-# In particular, if shell hard links to app data
-# files, installd will not be able to guarantee the deletion
-# of the linked to file. Hard links also contribute to security
-# bugs, so we want to ensure the shell user never has this
-# capability.
-neverallow shell file_type:file link;
-
-# Do not allow privileged socket ioctl commands
-neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
-# limit shell access to sensitive char drivers to
-# only getattr required for host side test.
-neverallow shell {
- fuse_device
- hw_random_device
- port_device
-}:chr_file ~getattr;
-
-# Limit shell to only getattr on blk devices for host side tests.
-neverallow shell dev_type:blk_file ~getattr;
-
-# b/30861057: Shell access to existing input devices is an abuse
-# vector. The shell user can inject events that look like they
-# originate from the touchscreen etc.
-# Everyone should have already moved to UiAutomation#injectInputEvent
-# if they are running instrumentation tests (i.e. CTS), Monkey for
-# their stress tests, and the input command (adb shell input ...) for
-# injecting swipes and things.
-neverallow shell input_device:chr_file no_w_file_perms;
diff --git a/prebuilts/api/31.0/public/simpleperf.te b/prebuilts/api/31.0/public/simpleperf.te
deleted file mode 100644
index 218fee7..0000000
--- a/prebuilts/api/31.0/public/simpleperf.te
+++ /dev/null
@@ -1 +0,0 @@
-type simpleperf, domain;
diff --git a/prebuilts/api/31.0/public/simpleperf_app_runner.te b/prebuilts/api/31.0/public/simpleperf_app_runner.te
deleted file mode 100644
index 2ed007e..0000000
--- a/prebuilts/api/31.0/public/simpleperf_app_runner.te
+++ /dev/null
@@ -1,44 +0,0 @@
-type simpleperf_app_runner, domain, mlstrustedsubject;
-type simpleperf_app_runner_exec, system_file_type, exec_type, file_type;
-
-# run simpleperf_app_runner in adb shell.
-allow simpleperf_app_runner adbd:fd use;
-allow simpleperf_app_runner shell:fd use;
-allow simpleperf_app_runner devpts:chr_file { read write ioctl };
-
-# simpleperf_app_runner reads package information.
-allow simpleperf_app_runner system_data_file:file r_file_perms;
-allow simpleperf_app_runner system_data_file:lnk_file getattr;
-allow simpleperf_app_runner packages_list_file:file r_file_perms;
-
-# The app's data dir may be accessed through a symlink.
-allow simpleperf_app_runner system_data_file:lnk_file read;
-
-# simpleperf_app_runner switches to the app UID/GID.
-allow simpleperf_app_runner self:global_capability_class_set { setuid setgid };
-
-# simpleperf_app_runner switches to the app security context.
-selinux_check_context(simpleperf_app_runner) # validate context
-allow simpleperf_app_runner self:process setcurrent;
-allow simpleperf_app_runner untrusted_app_all:process dyntransition; # setcon
-
-# simpleperf_app_runner/libselinux needs access to seapp_contexts_file to
-# determine which domain to transition to.
-allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
-
-# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
-
-# simpleperf_app_runner checks shell data paths.
-# simpleperf_app_runner passes shell data fds.
-allow simpleperf_app_runner shell_data_file:dir { getattr search };
-allow simpleperf_app_runner shell_data_file:file { getattr write };
-
-###
-### neverallow rules
-###
-
-# simpleperf_app_runner cannot have capabilities other than CAP_SETUID and CAP_SETGID
-neverallow simpleperf_app_runner self:global_capability_class_set ~{ setuid setgid };
-neverallow simpleperf_app_runner self:global_capability2_class_set *;
diff --git a/prebuilts/api/31.0/public/slideshow.te b/prebuilts/api/31.0/public/slideshow.te
deleted file mode 100644
index 10fbbb8..0000000
--- a/prebuilts/api/31.0/public/slideshow.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# slideshow seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type slideshow, domain;
-
-allow slideshow kmsg_device:chr_file rw_file_perms;
-wakelock_use(slideshow)
-allow slideshow device:dir r_dir_perms;
-allow slideshow self:global_capability_class_set sys_tty_config;
-allow slideshow graphics_device:dir r_dir_perms;
-allow slideshow graphics_device:chr_file rw_file_perms;
-allow slideshow input_device:dir r_dir_perms;
-allow slideshow input_device:chr_file r_file_perms;
-allow slideshow tty_device:chr_file rw_file_perms;
-
diff --git a/prebuilts/api/31.0/public/stats_service_server.te b/prebuilts/api/31.0/public/stats_service_server.te
deleted file mode 100644
index ab8e58a..0000000
--- a/prebuilts/api/31.0/public/stats_service_server.te
+++ /dev/null
@@ -1,4 +0,0 @@
-add_hwservice(stats_service_server, fwk_stats_hwservice)
-add_service(stats_service_server, fwk_stats_service)
-
-binder_use(stats_service_server)
diff --git a/prebuilts/api/31.0/public/statsd.te b/prebuilts/api/31.0/public/statsd.te
deleted file mode 100644
index 670f4c7..0000000
--- a/prebuilts/api/31.0/public/statsd.te
+++ /dev/null
@@ -1,86 +0,0 @@
-type statsd, domain, mlstrustedsubject;
-
-type statsd_exec, system_file_type, exec_type, file_type;
-binder_use(statsd)
-
-# Allow statsd to scan through /proc/pid for all processes.
-r_dir_file(statsd, domain)
-
-# Allow executing files on system, such as running a shell or running:
-# /system/bin/toolbox
-# /system/bin/logcat
-# /system/bin/dumpsys
-allow statsd devpts:chr_file { getattr ioctl read write };
-allow statsd shell_exec:file rx_file_perms;
-allow statsd system_file:file execute_no_trans;
-allow statsd toolbox_exec:file rx_file_perms;
-
-userdebug_or_eng(`
- allow statsd su:fifo_file read;
-')
-
-# Create, read, and write into /data/misc/stats-data, /data/misc/stats-system.
-allow statsd stats_data_file:dir create_dir_perms;
-allow statsd stats_data_file:file create_file_perms;
-
-# Allow statsd to make binder calls to any binder service.
-binder_call(statsd, appdomain)
-binder_call(statsd, healthd)
-binder_call(statsd, incidentd)
-binder_call(statsd, system_server)
-
-# Allow statsd to interact with gpuservice
-allow statsd gpu_service:service_manager find;
-binder_call(statsd, gpuservice)
-
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
-# Allow statsd to interact with mediametrics
-allow statsd mediametrics_service:service_manager find;
-binder_call(statsd, mediametrics)
-
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
-# Grant statsd with permissions to register the services.
-allow statsd {
- app_api_service
- incident_service
- system_api_service
-}:service_manager find;
-
-# Grant statsd to access health hal to access battery metrics.
-allow statsd hal_health_hwservice:hwservice_manager find;
-
-# Allow statsd to send dump info to dumpstate
-allow statsd dumpstate:fd use;
-allow statsd dumpstate:fifo_file { getattr write };
-
-# Allow access to with hardware layer and process stats.
-allow statsd proc_uid_cputime_showstat:file { getattr open read };
-hal_client_domain(statsd, hal_health)
-hal_client_domain(statsd, hal_power)
-hal_client_domain(statsd, hal_power_stats)
-hal_client_domain(statsd, hal_thermal)
-
-# Allow 'adb shell cmd' to upload configs and download output.
-allow statsd adbd:fd use;
-allow statsd adbd:unix_stream_socket { getattr read write };
-allow statsd shell:fifo_file { getattr read write };
-
-unix_socket_send(statsd, statsdw, statsd)
-
-###
-### neverallow rules
-###
-
-# Only statsd and the other root services in limited circumstances.
-# can get to the files in /data/misc/stats-data, /data/misc/stats-service.
-# Other services are prohibitted from accessing the file.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:file *;
-
-# Limited access to the directory itself.
-neverallow { domain -statsd -system_server -init -vold } stats_data_file:dir *;
diff --git a/prebuilts/api/31.0/public/su.te b/prebuilts/api/31.0/public/su.te
deleted file mode 100644
index 074ff2e..0000000
--- a/prebuilts/api/31.0/public/su.te
+++ /dev/null
@@ -1,108 +0,0 @@
-# All types must be defined regardless of build variant to ensure
-# policy compilation succeeds with userdebug/user combination at boot
-type su, domain;
-
-# File types must be defined for file_contexts.
-type su_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- typeattribute su mlstrustedsubject;
-
- # Add su to various domains
- net_domain(su)
-
- # grant su access to vndbinder
- vndbinder_use(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
- dontaudit su kernel:security *;
- dontaudit su { kernel file_type }:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:{ process process2 } *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su hwservice_manager_type:hwservice_manager *;
- dontaudit su vndservice_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su hwservicemanager:hwservice_manager list;
- dontaudit su vndservicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
- dontaudit su domain:bpf *;
- dontaudit su unlabeled:vsock_socket *;
- dontaudit su self:perf_event *;
-
- # VTS tests run in the permissive su domain on debug builds, but the HALs
- # being tested run in enforcing mode. Because hal_foo_server is enforcing
- # su needs to be declared as hal_foo_client to grant hal_foo_server
- # permission to interact with it.
- typeattribute su halclientdomain;
- typeattribute su hal_allocator_client;
- typeattribute su hal_atrace_client;
- typeattribute su hal_audio_client;
- typeattribute su hal_authsecret_client;
- typeattribute su hal_bluetooth_client;
- typeattribute su hal_bootctl_client;
- typeattribute su hal_camera_client;
- typeattribute su hal_configstore_client;
- typeattribute su hal_confirmationui_client;
- typeattribute su hal_contexthub_client;
- typeattribute su hal_drm_client;
- typeattribute su hal_cas_client;
- typeattribute su hal_dumpstate_client;
- typeattribute su hal_fingerprint_client;
- typeattribute su hal_gatekeeper_client;
- typeattribute su hal_gnss_client;
- typeattribute su hal_graphics_allocator_client;
- typeattribute su hal_graphics_composer_client;
- typeattribute su hal_health_client;
- typeattribute su hal_input_classifier_client;
- typeattribute su hal_ir_client;
- typeattribute su hal_keymaster_client;
- typeattribute su hal_light_client;
- typeattribute su hal_memtrack_client;
- typeattribute su hal_neuralnetworks_client;
- typeattribute su hal_nfc_client;
- typeattribute su hal_oemlock_client;
- typeattribute su hal_power_client;
- typeattribute su hal_rebootescrow_client;
- typeattribute su hal_secure_element_client;
- typeattribute su hal_sensors_client;
- typeattribute su hal_telephony_client;
- typeattribute su hal_tetheroffload_client;
- typeattribute su hal_thermal_client;
- typeattribute su hal_tv_cec_client;
- typeattribute su hal_tv_input_client;
- typeattribute su hal_tv_tuner_client;
- typeattribute su hal_usb_client;
- typeattribute su hal_vibrator_client;
- typeattribute su hal_vr_client;
- typeattribute su hal_weaver_client;
- typeattribute su hal_wifi_client;
- typeattribute su hal_wifi_hostapd_client;
- typeattribute su hal_wifi_supplicant_client;
-')
diff --git a/prebuilts/api/31.0/public/surfaceflinger.te b/prebuilts/api/31.0/public/surfaceflinger.te
deleted file mode 100644
index c1e4844..0000000
--- a/prebuilts/api/31.0/public/surfaceflinger.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# surfaceflinger - display compositor service
-type surfaceflinger, domain;
-type surfaceflinger_tmpfs, file_type;
diff --git a/prebuilts/api/31.0/public/system_app.te b/prebuilts/api/31.0/public/system_app.te
deleted file mode 100644
index 023058e..0000000
--- a/prebuilts/api/31.0/public/system_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-###
-### Apps that run with the system UID, e.g. com.android.system.ui,
-### com.android.settings. These are not as privileged as the system
-### server.
-###
-
-type system_app, domain;
diff --git a/prebuilts/api/31.0/public/system_server.te b/prebuilts/api/31.0/public/system_server.te
deleted file mode 100644
index edefadf..0000000
--- a/prebuilts/api/31.0/public/system_server.te
+++ /dev/null
@@ -1,17 +0,0 @@
-#
-# System Server aka system_server spawned by zygote.
-# Most of the framework services run in this process.
-#
-type system_server, domain;
-type system_server_tmpfs, file_type, mlstrustedobject;
-
-# Power controls for debugging/diagnostics
-get_prop(system_server, power_debug_prop)
-set_prop(system_server, power_debug_prop)
-
-neverallow {
- domain
- -init
- -vendor_init
- -system_server
-} power_debug_prop:property_service set;
diff --git a/prebuilts/api/31.0/public/system_suspend_internal_server.te b/prebuilts/api/31.0/public/system_suspend_internal_server.te
deleted file mode 100644
index 67bff77..0000000
--- a/prebuilts/api/31.0/public/system_suspend_internal_server.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# To serve ISuspendControlServiceInternal.
-add_service(system_suspend_internal_server, system_suspend_control_internal_service)
-
-neverallow {
- domain
- -atrace # tracing
- -dumpstate # bug reports
- -system_suspend_internal_server # implements system_suspend_control_internal_service
- -system_server # configures system_suspend via ISuspendControlServiceInternal
- -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/system_suspend_server.te b/prebuilts/api/31.0/public/system_suspend_server.te
deleted file mode 100644
index 8e8310d..0000000
--- a/prebuilts/api/31.0/public/system_suspend_server.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# Required to export a HIDL interface.
-hwbinder_use(system_suspend_server)
-get_prop(system_suspend_server, hwservicemanager_prop)
-
-# To serve ISystemSuspend.hal.
-add_hwservice(system_suspend_server, system_suspend_hwservice)
diff --git a/prebuilts/api/31.0/public/te_macros b/prebuilts/api/31.0/public/te_macros
deleted file mode 100644
index 7dc5062..0000000
--- a/prebuilts/api/31.0/public/te_macros
+++ /dev/null
@@ -1,993 +0,0 @@
-#####################################
-# domain_trans(olddomain, type, newdomain)
-# Allow a transition from olddomain to newdomain
-# upon executing a file labeled with type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use domain_auto_trans
-# if that is what you want.
-#
-define(`domain_trans', `
-# Old domain may exec the file and transition to the new domain.
-allow $1 $2:file { getattr open read execute map };
-allow $1 $3:process transition;
-# New domain is entered by executing the file.
-allow $3 $2:file { entrypoint open read execute getattr map };
-# New domain can send SIGCHLD to its caller.
-ifelse($1, `init', `', `allow $3 $1:process sigchld;')
-# Enable AT_SECURE, i.e. libc secure mode.
-dontaudit $1 $3:process noatsecure;
-# XXX dontaudit candidate but requires further study.
-allow $1 $3:process { siginh rlimitinh };
-')
-
-#####################################
-# domain_auto_trans(olddomain, type, newdomain)
-# Automatically transition from olddomain to newdomain
-# upon executing a file labeled with type.
-#
-define(`domain_auto_trans', `
-# Allow the necessary permissions.
-domain_trans($1,$2,$3)
-# Make the transition occur by default.
-type_transition $1 $2:process $3;
-')
-
-#####################################
-# file_type_trans(domain, dir_type, file_type)
-# Allow domain to create a file labeled file_type in a
-# directory labeled dir_type.
-# This only allows the transition; it does not
-# cause it to occur automatically - use file_type_auto_trans
-# if that is what you want.
-#
-define(`file_type_trans', `
-# Allow the domain to add entries to the directory.
-allow $1 $2:dir ra_dir_perms;
-# Allow the domain to create the file.
-allow $1 $3:notdevfile_class_set create_file_perms;
-allow $1 $3:dir create_dir_perms;
-')
-
-#####################################
-# file_type_auto_trans(domain, dir_type, file_type)
-# Automatically label new files with file_type when
-# they are created by domain in directories labeled dir_type.
-#
-define(`file_type_auto_trans', `
-# Allow the necessary permissions.
-file_type_trans($1, $2, $3)
-# Make the transition occur by default.
-type_transition $1 $2:dir $3;
-type_transition $1 $2:notdevfile_class_set $3;
-')
-
-#####################################
-# r_dir_file(domain, type)
-# Allow the specified domain to read directories, files
-# and symbolic links of the specified type.
-define(`r_dir_file', `
-allow $1 $2:dir r_dir_perms;
-allow $1 $2:{ file lnk_file } r_file_perms;
-')
-
-#####################################
-# tmpfs_domain(domain)
-# Allow access to a unique type for this domain when creating tmpfs / ashmem files.
-define(`tmpfs_domain', `
-type_transition $1 tmpfs:file $1_tmpfs;
-allow $1 $1_tmpfs:file { read write getattr map };
-')
-
-# pdx macros for IPC. pdx is a high-level name which contains transport-specific
-# rules from underlying transport (e.g. UDS-based implementation).
-
-#####################################
-# pdx_service_attributes(service)
-# Defines type attribute used to identify various service-related types.
-define(`pdx_service_attributes', `
-attribute pdx_$1_endpoint_dir_type;
-attribute pdx_$1_endpoint_socket_type;
-attribute pdx_$1_channel_socket_type;
-attribute pdx_$1_server_type;
-')
-
-#####################################
-# pdx_service_socket_types(service, endpoint_dir_t)
-# Define types for endpoint and channel sockets.
-define(`pdx_service_socket_types', `
-typeattribute $2 pdx_$1_endpoint_dir_type;
-type pdx_$1_endpoint_socket, pdx_$1_endpoint_socket_type, pdx_endpoint_socket_type, file_type, coredomain_socket, mlstrustedobject, mlstrustedsubject;
-type pdx_$1_channel_socket, pdx_$1_channel_socket_type, pdx_channel_socket_type, coredomain_socket;
-userdebug_or_eng(`
-dontaudit su pdx_$1_endpoint_socket:unix_stream_socket *;
-dontaudit su pdx_$1_channel_socket:unix_stream_socket *;
-')
-')
-
-#####################################
-# pdx_server(server_domain, service)
-define(`pdx_server', `
-# Mark the server domain as a PDX server.
-typeattribute $1 pdx_$2_server_type;
-# Allow the init process to create the initial endpoint socket.
-allow init pdx_$2_endpoint_socket_type:unix_stream_socket { create bind };
-# Allow the server domain to use the endpoint socket and accept connections on it.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown listen accept };
-# Allow the server domain to apply security context label to the channel socket pair (allow process to use setsockcreatecon_raw()).
-allow $1 self:process setsockcreate;
-# Allow the server domain to create a client channel socket.
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket create_stream_socket_perms;
-# Prevent other processes from claiming to be a server for the same service.
-neverallow {domain -$1} pdx_$2_endpoint_socket_type:unix_stream_socket { listen accept };
-')
-
-#####################################
-# pdx_connect(client, service)
-define(`pdx_connect', `
-# Allow client to open the service endpoint file.
-allow $1 pdx_$2_endpoint_dir_type:dir r_dir_perms;
-allow $1 pdx_$2_endpoint_socket_type:sock_file rw_file_perms;
-# Allow the client to connect to endpoint socket.
-allow $1 pdx_$2_endpoint_socket_type:unix_stream_socket { connectto read write shutdown };
-')
-
-#####################################
-# pdx_use(client, service)
-define(`pdx_use', `
-# Allow the client to use the PDX channel socket.
-# Not using macro like "rw_socket_perms_no_ioctl" because it provides more rights
-# than we need (e.g. we don"t need "bind" or "connect").
-allow $1 pdx_$2_channel_socket_type:unix_stream_socket { read getattr write setattr lock append getopt setopt shutdown };
-# Client needs to use an channel event fd from the server.
-allow $1 pdx_$2_server_type:fd use;
-# Servers may receive sync fences, gralloc buffers, etc, from clients.
-# This could be tightened on a per-server basis, but keeping track of service
-# clients is error prone.
-allow pdx_$2_server_type $1:fd use;
-')
-
-#####################################
-# pdx_client(client, service)
-define(`pdx_client', `
-pdx_connect($1, $2)
-pdx_use($1, $2)
-')
-
-#####################################
-# init_daemon_domain(domain)
-# Set up a transition from init to the daemon domain
-# upon executing its binary.
-define(`init_daemon_domain', `
-domain_auto_trans(init, $1_exec, $1)
-')
-
-####################################
-# userfaultfd_use(domain)
-# Allow domain to create/use userfaultfd.
-define(`userfaultfd_use', `
-# Set up a type_transition to "userfaultfd" named anonymous inode object.
-type $1_userfaultfd;
-type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
-# Allow domain to create/use userfaultfd anon_inode.
-allow $1 $1_userfaultfd:anon_inode { create ioctl read };
-# Other domains may not use userfaultfd anon_inodes created by this domain.
-neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
-')
-
-#####################################
-# app_domain(domain)
-# Allow a base set of permissions required for all apps.
-define(`app_domain', `
-typeattribute $1 appdomain;
-# Label tmpfs objects for all apps.
-type_transition $1 tmpfs:file appdomain_tmpfs;
-userfaultfd_use($1)
-allow $1 appdomain_tmpfs:file { execute getattr map read write };
-neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
-neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
-# The Android security model guarantees the confidentiality and integrity
-# of application data and execution state. Ptrace bypasses those
-# confidentiality guarantees. Disallow ptrace access from system components to
-# apps. crash_dump is excluded, as it needs ptrace access to produce stack
-# traces. runas_app is excluded, as it operates only on debuggable apps.
-# simpleperf is excluded, as it operates only on debuggable or profileable
-# apps. llkd is excluded, as it needs ptrace access to inspect stack traces for
-# live lock conditions.
-neverallow { domain -$1 -crash_dump userdebug_or_eng(`-llkd') -runas_app -simpleperf } $1:process ptrace;
-')
-
-#####################################
-# untrusted_app_domain(domain)
-# Allow a base set of permissions required for all untrusted apps.
-define(`untrusted_app_domain', `
-typeattribute $1 untrusted_app_all;
-')
-
-#####################################
-# net_domain(domain)
-# Allow a base set of permissions required for network access.
-define(`net_domain', `
-typeattribute $1 netdomain;
-')
-
-#####################################
-# bluetooth_domain(domain)
-# Allow a base set of permissions required for bluetooth access.
-define(`bluetooth_domain', `
-typeattribute $1 bluetoothdomain;
-')
-
-#####################################
-# hal_attribute(hal_name)
-# Add an attribute for hal implementations along with necessary
-# restrictions.
-define(`hal_attribute', `
-attribute hal_$1;
-expandattribute hal_$1 true;
-attribute hal_$1_client;
-expandattribute hal_$1_client true;
-attribute hal_$1_server;
-expandattribute hal_$1_server false;
-
-neverallow { hal_$1_server -halserverdomain } domain:process fork;
-# hal_*_client and halclientdomain attributes are always expanded for
-# performance reasons. Neverallow rules targeting expanded attributes can not be
-# verified by CTS since these attributes are already expanded by that time.
-build_test_only(`
-neverallow { hal_$1_server -hal_$1 } domain:process fork;
-neverallow { hal_$1_client -halclientdomain } domain:process fork;
-')
-')
-
-#####################################
-# hal_server_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to offer a
-# HAL implementation of the specified type over HwBinder.
-#
-# For example, default implementation of Foo HAL:
-# type hal_foo_default, domain;
-# hal_server_domain(hal_foo_default, hal_foo)
-#
-define(`hal_server_domain', `
-typeattribute $1 halserverdomain;
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')
-
-#####################################
-# hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a HAL of the specified type.
-#
-# For example, make some_domain a client of Foo HAL:
-# hal_client_domain(some_domain, hal_foo)
-#
-define(`hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-
-# TODO(b/34170079): Make the inclusion of the rules below conditional also on
-# non-Treble devices. For now, on non-Treble device, always grant clients of a
-# HAL sufficient access to run the HAL in passthrough mode (i.e., in-process).
-not_full_treble(`
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-')
-
-#####################################
-# passthrough_hal_client_domain(domain, hal_type)
-# Allow a base set of permissions required for a domain to be a
-# client of a passthrough HAL of the specified type.
-#
-# For example, make some_domain a client of passthrough Foo HAL:
-# passthrough_hal_client_domain(some_domain, hal_foo)
-#
-define(`passthrough_hal_client_domain', `
-typeattribute $1 halclientdomain;
-typeattribute $1 $2_client;
-typeattribute $1 $2;
-# Find passthrough HAL implementations
-allow $2 system_file:dir r_dir_perms;
-allow $2 vendor_file:dir r_dir_perms;
-allow $2 vendor_file:file { read open getattr execute map };
-')
-
-#####################################
-# unix_socket_connect(clientdomain, socket, serverdomain)
-# Allow a local socket connection from clientdomain via
-# socket to serverdomain.
-#
-# Note: If you see denial records that distill to the
-# following allow rules:
-# allow clientdomain property_socket:sock_file write;
-# allow clientdomain init:unix_stream_socket connectto;
-# allow clientdomain something_prop:property_service set;
-#
-# This sequence is indicative of attempting to set a property.
-# use set_prop(sourcedomain, targetproperty)
-#
-define(`unix_socket_connect', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_stream_socket connectto;
-')
-
-#####################################
-# set_prop(sourcedomain, targetproperty)
-# Allows source domain to set the
-# targetproperty.
-#
-define(`set_prop', `
-unix_socket_connect($1, property, init)
-allow $1 $2:property_service set;
-get_prop($1, $2)
-')
-
-#####################################
-# get_prop(sourcedomain, targetproperty)
-# Allows source domain to read the
-# targetproperty.
-#
-define(`get_prop', `
-allow $1 $2:file { getattr open read map };
-')
-
-#####################################
-# unix_socket_send(clientdomain, socket, serverdomain)
-# Allow a local socket send from clientdomain via
-# socket to serverdomain.
-define(`unix_socket_send', `
-allow $1 $2_socket:sock_file write;
-allow $1 $3:unix_dgram_socket sendto;
-')
-
-#####################################
-# binder_use(domain)
-# Allow domain to use Binder IPC.
-define(`binder_use', `
-# Call the servicemanager and transfer references to it.
-allow $1 servicemanager:binder { call transfer };
-# Allow servicemanager to send out callbacks
-allow servicemanager $1:binder { call transfer };
-# servicemanager performs getpidcon on clients.
-allow servicemanager $1:dir search;
-allow servicemanager $1:file { read open };
-allow servicemanager $1:process getattr;
-# rw access to /dev/binder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# hwbinder_use(domain)
-# Allow domain to use HwBinder IPC.
-define(`hwbinder_use', `
-# Call the hwservicemanager and transfer references to it.
-allow $1 hwservicemanager:binder { call transfer };
-# Allow hwservicemanager to send out callbacks
-allow hwservicemanager $1:binder { call transfer };
-# hwservicemanager performs getpidcon on clients.
-allow hwservicemanager $1:dir search;
-allow hwservicemanager $1:file { read open map };
-allow hwservicemanager $1:process getattr;
-# rw access to /dev/hwbinder and /dev/ashmem is presently granted to
-# all domains in domain.te.
-')
-
-#####################################
-# vndbinder_use(domain)
-# Allow domain to use Binder IPC.
-define(`vndbinder_use', `
-# Talk to the vndbinder device node
-allow $1 vndbinder_device:chr_file rw_file_perms;
-# Call the vndservicemanager and transfer references to it.
-allow $1 vndservicemanager:binder { call transfer };
-# vndservicemanager performs getpidcon on clients.
-allow vndservicemanager $1:dir search;
-allow vndservicemanager $1:file { read open map };
-allow vndservicemanager $1:process getattr;
-')
-
-#####################################
-# binder_call(clientdomain, serverdomain)
-# Allow clientdomain to perform binder IPC to serverdomain.
-define(`binder_call', `
-# Call the server domain and optionally transfer references to it.
-allow $1 $2:binder { call transfer };
-# Allow the serverdomain to transfer references to the client on the reply.
-allow $2 $1:binder transfer;
-# Receive and use open files from the server.
-allow $1 $2:fd use;
-')
-
-#####################################
-# binder_service(domain)
-# Mark a domain as being a Binder service domain.
-# Used to allow binder IPC to the various system services.
-define(`binder_service', `
-typeattribute $1 binderservicedomain;
-')
-
-#####################################
-# wakelock_use(domain)
-# Allow domain to manage wake locks
-define(`wakelock_use', `
-# TODO(b/115946999): Remove /sys/power/* permissions once CONFIG_PM_WAKELOCKS is
-# deprecated.
-# Access /sys/power/wake_lock and /sys/power/wake_unlock
-allow $1 sysfs_wake_lock:file rw_file_perms;
-# Accessing these files requires CAP_BLOCK_SUSPEND
-allow $1 self:global_capability2_class_set block_suspend;
-# system_suspend permissions
-binder_call($1, system_suspend_server)
-allow $1 system_suspend_hwservice:hwservice_manager find;
-# halclientdomain permissions
-hwbinder_use($1)
-get_prop($1, hwservicemanager_prop)
-allow $1 hidl_manager_hwservice:hwservice_manager find;
-')
-
-#####################################
-# selinux_check_access(domain)
-# Allow domain to check SELinux permissions via selinuxfs.
-define(`selinux_check_access', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security compute_av;
-allow $1 self:netlink_selinux_socket { read write create getattr setattr lock relabelfrom relabelto append bind connect listen accept getopt setopt shutdown recvfrom sendto name_bind };
-')
-
-#####################################
-# selinux_check_context(domain)
-# Allow domain to check SELinux contexts via selinuxfs.
-define(`selinux_check_context', `
-r_dir_file($1, selinuxfs)
-allow $1 selinuxfs:file w_file_perms;
-allow $1 kernel:security check_context;
-')
-
-#####################################
-# create_pty(domain)
-# Allow domain to create and use a pty, isolated from any other domain ptys.
-define(`create_pty', `
-# Each domain gets a unique devpts type.
-type $1_devpts, fs_type;
-# Label the pty with the unique type when created.
-type_transition $1 devpts:chr_file $1_devpts;
-# Allow use of the pty after creation.
-allow $1 $1_devpts:chr_file { open getattr read write ioctl };
-allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
-# Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
-# allowed to everyone via domain.te.
-')
-
-#####################################
-# Non system_app application set
-#
-define(`non_system_app_set', `{ appdomain -system_app }')
-
-#####################################
-# Recovery only
-# SELinux rules which apply only to recovery mode
-#
-define(`recovery_only', ifelse(target_recovery, `true', $1, ))
-
-#####################################
-# Not recovery
-# SELinux rules which apply only to non-recovery (normal) mode
-#
-define(`not_recovery', ifelse(target_recovery, `true', , $1))
-
-#####################################
-# Full TREBLE only
-# SELinux rules which apply only to full TREBLE devices
-#
-define(`full_treble_only', ifelse(target_full_treble, `true', $1,
-ifelse(target_full_treble, `cts',
-# BEGIN_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_TREBLE_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not full TREBLE
-# SELinux rules which apply only to devices which are not full TREBLE devices
-#
-define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
-
-#####################################
-# enforce_debugfs_restriction
-# SELinux rules which apply to devices that enable debugfs restrictions.
-# The keyword "cts" is used to insert markers to only CTS test the neverallows
-# added by the macro for S-launch devices and newer.
-define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
-ifelse(target_enforce_debugfs_restriction, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# no_debugfs_restriction
-# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
-define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
-
-#####################################
-# Compatible property only
-# SELinux rules which apply only to devices with compatible property
-#
-define(`compatible_property_only', ifelse(target_compatible_property, `true', $1,
-ifelse(target_compatible_property, `cts',
-# BEGIN_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_COMPATIBLE_PROPERTY_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# Not compatible property
-# SELinux rules which apply only to devices without compatible property
-#
-define(`not_compatible_property', ifelse(target_compatible_property, `true', , $1))
-
-#####################################
-# Userdebug or eng builds
-# SELinux rules which apply only to userdebug or eng builds
-#
-define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-
-#####################################
-# asan builds
-# SELinux rules which apply only to asan builds
-#
-define(`with_asan', ifelse(target_with_asan, `true', userdebug_or_eng(`$1'), ))
-
-#####################################
-# native coverage builds
-# SELinux rules which apply only to builds with native coverage
-#
-define(`with_native_coverage', ifelse(target_with_native_coverage, `true', userdebug_or_eng(`$1'), ))
-
-#####################################
-# Build-time-only test
-# SELinux rules which are verified during build, but not as part of *TS testing.
-#
-define(`build_test_only', ifelse(target_exclude_build_test, `true', , $1))
-
-####################################
-# Fallback crash handling for processes that can't exec crash_dump (e.g. because of seccomp).
-#
-define(`crash_dump_fallback', `
-userdebug_or_eng(`
- allow $1 su:fifo_file append;
-')
-allow $1 anr_data_file:file append;
-allow $1 dumpstate:fd use;
-allow $1 incidentd:fd use;
-# TODO: Figure out why write is needed.
-allow $1 dumpstate:fifo_file { append write };
-allow $1 incidentd:fifo_file { append write };
-allow $1 system_server:fifo_file { append write };
-allow $1 tombstoned:unix_stream_socket connectto;
-allow $1 tombstoned:fd use;
-allow $1 tombstoned_crash_socket:sock_file write;
-allow $1 tombstone_data_file:file append;
-')
-
-#####################################
-# WITH_DEXPREOPT builds
-# SELinux rules which apply only when pre-opting.
-#
-define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
-
-#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
-# use_keystore(domain)
-# Ability to use keystore.
-# Keystore is requires the following permissions
-# to call getpidcon.
-define(`use_keystore', `
- allow keystore $1:dir search;
- allow keystore $1:file { read open };
- allow keystore $1:process getattr;
- allow $1 apc_service:service_manager find;
- allow $1 keystore_service:service_manager find;
- allow $1 legacykeystore_service:service_manager find;
- binder_call($1, keystore)
- binder_call(keystore, $1)
-')
-
-#####################################
-# use_credstore(domain)
-# Ability to use credstore.
-define(`use_credstore', `
- allow credstore $1:dir search;
- allow credstore $1:file { read open };
- allow credstore $1:process getattr;
- allow $1 credstore_service:service_manager find;
- binder_call($1, credstore)
- binder_call(credstore, $1)
-')
-
-###########################################
-# use_drmservice(domain)
-# Ability to use DrmService which requires
-# DrmService to call getpidcon.
-define(`use_drmservice', `
- allow drmserver $1:dir search;
- allow drmserver $1:file { read open };
- allow drmserver $1:process getattr;
-')
-
-###########################################
-# add_service(domain, service)
-# Ability for domain to add a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_service', `
- allow $1 $2:service_manager { add find };
- neverallow { domain -$1 } $2:service_manager add;
-')
-
-###########################################
-# add_hwservice(domain, service)
-# Ability for domain to add a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-define(`add_hwservice', `
- allow $1 $2:hwservice_manager { add find };
- allow $1 hidl_base_hwservice:hwservice_manager add;
- neverallow { domain -$1 } $2:hwservice_manager add;
-')
-
-###########################################
-# hal_attribute_hwservice(attribute, service)
-# Ability for domain to get a service to hwservice_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-#
-# Used to pair hal_foo_client with hal_foo_hwservice
-define(`hal_attribute_hwservice', `
- allow $1_client $2:hwservice_manager find;
- add_hwservice($1_server, $2)
-
- build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
- neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
- ')
-')
-
-###########################################
-# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-#
-# Used to pair hal_foo_client with hal_foo_service
-define(`hal_attribute_service', `
- allow $1_client $2:service_manager find;
- add_service($1_server, $2)
-
- build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
- neverallow {
- domain
- -$1_client
- -$1_server
- # some services are allowed to find all services
- -atrace
- -dumpstate
- -shell
- -system_app
- -traceur_app
- } $2:service_manager find;
- ')
-')
-
-###################################
-# can_profile_heap(domain)
-# Allow processes within the domain to have their heap profiled by central
-# heapprofd.
-define(`can_profile_heap', `
- # Allow central daemon to send signal for client initialization.
- allow heapprofd $1:process signal;
- # Allow connecting to the daemon.
- unix_socket_connect($1, heapprofd, heapprofd)
- # Allow daemon to use the passed fds.
- allow heapprofd $1:fd use;
- # Allow to read and write to heapprofd shmem.
- # The client needs to read the read and write pointers in order to write.
- allow $1 heapprofd_tmpfs:file { read write getattr map };
- # Use shared memory received over the unix socket.
- allow $1 heapprofd:fd use;
-
- # To read and write from the received file descriptors.
- # /proc/[pid]/maps and /proc/[pid]/mem have the same SELinux label as the
- # process they relate to.
- # We need to write to /proc/$PID/page_idle to find idle allocations.
- # The client only opens /proc/self/page_idle with RDWR, everything else
- # with RDONLY.
- # heapprofd cannot open /proc/$PID/mem itself, as it does not have
- # sys_ptrace.
- allow heapprofd $1:file rw_file_perms;
- # Allow searching the /proc/[pid] directory for cmdline.
- allow heapprofd $1:dir r_dir_perms;
-')
-
-###################################
-# never_profile_heap(domain)
-# Opt out of heap profiling by heapprofd.
-define(`never_profile_heap', `
- neverallow heapprofd $1:file read;
- neverallow heapprofd $1:process signal;
-')
-
-###################################
-# can_profile_perf(domain)
-# Allow processes within the domain to be profiled, and have their stacks
-# sampled, by traced_perf.
-define(`can_profile_perf', `
- # Allow directory & file read to traced_perf, as it stat(2)s /proc/[pid], and
- # reads /proc/[pid]/cmdline.
- allow traced_perf $1:file r_file_perms;
- allow traced_perf $1:dir r_dir_perms;
-
- # Allow central daemon to send signal to request /proc/[pid]/maps and
- # /proc/[pid]/mem fds from this process.
- allow traced_perf $1:process signal;
-
- # Allow connecting to the daemon.
- unix_socket_connect($1, traced_perf, traced_perf)
- # Allow daemon to use the passed fds.
- allow traced_perf $1:fd use;
-')
-
-###################################
-# never_profile_perf(domain)
-# Opt out of profiling by traced_perf.
-define(`never_profile_perf', `
- neverallow traced_perf $1:file read;
- neverallow traced_perf $1:process signal;
-')
-
-###################################
-# perfetto_producer(domain)
-# Allow processes within the domain to write data to Perfetto.
-# When applying this macro, you might need to also allow traced to use the
-# producer tmpfs domain, if the producer will be the one creating the shared
-# memory.
-define(`perfetto_producer', `
- allow $1 traced:fd use;
- allow $1 traced_tmpfs:file { read write getattr map };
- unix_socket_connect($1, traced_producer, traced)
-
- # Also allow the service to use the producer file descriptors. This is
- # necessary when the producer is creating the shared memory, as it will be
- # passed to the service as a file descriptor (obtained from memfd_create).
- allow traced $1:fd use;
-')
-
-###########################################
-# dump_hal(hal_type)
-# Ability to dump the hal debug info
-#
-define(`dump_hal', `
- hal_client_domain(dumpstate, $1);
- allow $1_server dumpstate:fifo_file write;
- allow $1_server dumpstate:fd use;
-')
-
-#####################################
-# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the accessibility of each property
-# outside the owner.
-#
-# For devices launching with R or later, exported properties must be explicitly marked as
-# "restricted" or "public", depending on the accessibility outside the owner.
-# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
-# See {partition}_{accessibility}_prop macros below.
-#
-# CTS uses these rules only for devices launching with R or later.
-#
-# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
-#
-define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
-ifelse(target_treble_sysprop_neverallow, `cts',
-# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# enforce_sysprop_owner(rules)
-# SELinux neverallow rules which enforces the owner of each property.
-#
-# For devices launching with S or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
-# See {partition}_{accessibility}_prop macros below.
-#
-# CTS uses these ules only for devices launching with S or later.
-#
-define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
-ifelse(target_enforce_sysprop_owner, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-###########################################
-# define_prop(name, owner, scope)
-# Define a property with given owner and scope
-#
-define(`define_prop', `
- type $1, property_type, $2_property_type, $2_$3_property_type;
-')
-
-###########################################
-# system_internal_prop(name)
-# Define a /system-owned property used only in /system
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`system_internal_prop', `
- define_prop($1, system, internal)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# system_restricted_prop(name)
-# Define a /system-owned property which can't be written outside /system
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`system_restricted_prop', `
- define_prop($1, system, restricted)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:property_service set;
- ')
-')
-
-###########################################
-# system_public_prop(name)
-# Define a /system-owned property with no restrictions
-#
-define(`system_public_prop', `define_prop($1, system, public)')
-
-###########################################
-# system_vendor_config_prop(name)
-# Define a /system-owned property which can only be written by vendor_init
-# This is a macro for vendor-specific configuration properties which is meant
-# to be set once from vendor_init.
-#
-define(`system_vendor_config_prop', `
- system_public_prop($1)
- set_prop(vendor_init, $1)
- neverallow { domain -init -vendor_init } $1:property_service set;
-')
-
-###########################################
-# product_internal_prop(name)
-# Define a /product-owned property used only in /product
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`product_internal_prop', `
- define_prop($1, product, internal)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# product_restricted_prop(name)
-# Define a /product-owned property which can't be written outside /product
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`product_restricted_prop', `
- define_prop($1, product, restricted)
- treble_sysprop_neverallow(`
- neverallow { domain -coredomain } $1:property_service set;
- ')
-')
-
-###########################################
-# product_public_prop(name)
-# Define a /product-owned property with no restrictions
-#
-define(`product_public_prop', `define_prop($1, product, public)')
-
-###########################################
-# vendor_internal_prop(name)
-# Define a /vendor-owned property used only in /vendor
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`vendor_internal_prop', `
- define_prop($1, vendor, internal)
- treble_sysprop_neverallow(`
-# init and dumpstate are in coredomain, but should be able to read all props.
- neverallow { coredomain -init -dumpstate } $1:file no_rw_file_perms;
- ')
-')
-
-###########################################
-# vendor_restricted_prop(name)
-# Define a /vendor-owned property which can't be written outside /vendor
-# For devices launching with Q or eariler, this restriction can be relaxed with
-# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true
-#
-define(`vendor_restricted_prop', `
- define_prop($1, vendor, restricted)
- treble_sysprop_neverallow(`
-# init is in coredomain, but should be able to write all props.
- neverallow { coredomain -init } $1:property_service set;
- ')
-')
-
-###########################################
-# vendor_public_prop(name)
-# Define a /vendor-owned property with no restrictions
-#
-define(`vendor_public_prop', `define_prop($1, vendor, public)')
-
-#####################################
-# read_fstab(domain)
-# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
-#
-define(`read_fstab', `
- allow $1 { metadata_file gsi_metadata_file_type }:dir search;
- allow $1 gsi_public_metadata_file:file r_file_perms;
-')
diff --git a/prebuilts/api/31.0/public/tee.te b/prebuilts/api/31.0/public/tee.te
deleted file mode 100644
index 0f9b32d..0000000
--- a/prebuilts/api/31.0/public/tee.te
+++ /dev/null
@@ -1,11 +0,0 @@
-##
-# trusted execution environment (tee) daemon
-#
-type tee, domain;
-
-# Device(s) for communicating with the TEE
-type tee_device, dev_type;
-
-allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
-allow tee fingerprint_vendor_data_file:file create_file_perms;
-
diff --git a/prebuilts/api/31.0/public/tombstoned.te b/prebuilts/api/31.0/public/tombstoned.te
deleted file mode 100644
index ea2abbb..0000000
--- a/prebuilts/api/31.0/public/tombstoned.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# debugger interface
-type tombstoned, domain, mlstrustedsubject;
-type tombstoned_exec, system_file_type, exec_type, file_type;
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
-
-# Changes for the new stack dumping mechanism. Each trace goes into a
-# separate file, and these files are managed by tombstoned.
-allow tombstoned anr_data_file:dir rw_dir_perms;
-allow tombstoned anr_data_file:file { append create getattr open link unlink };
diff --git a/prebuilts/api/31.0/public/toolbox.te b/prebuilts/api/31.0/public/toolbox.te
deleted file mode 100644
index 4c2cc3e..0000000
--- a/prebuilts/api/31.0/public/toolbox.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# Any toolbox command run by init.
-# At present, the only known usage is for running mkswap via fs_mgr.
-# Do NOT use this domain for toolbox when run by any other domain.
-type toolbox, domain;
-type toolbox_exec, system_file_type, exec_type, file_type;
-
-# /dev/__null__ created by init prior to policy load,
-# open fd inherited by fsck.
-allow toolbox tmpfs:chr_file { read write ioctl };
-
-# Inherit and use pty created by android_fork_execvp_ext().
-allow toolbox devpts:chr_file { read write getattr ioctl };
-
-# mkswap-specific.
-# Read/write block devices used for swap partitions.
-# Assign swap_block_device type any such partition in your
-# device/<vendor>/<product>/sepolicy/file_contexts file.
-allow toolbox block_device:dir search;
-allow toolbox swap_block_device:blk_file rw_file_perms;
-
-# Only allow entry from init via the toolbox binary.
-neverallow { domain -init } toolbox:process transition;
-neverallow * toolbox:process dyntransition;
-neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
-
-# rm -rf directories in /data
-allow toolbox system_data_root_file:dir { remove_name write };
-allow toolbox system_data_file:dir { rmdir rw_dir_perms };
-allow toolbox system_data_file:file { getattr unlink };
-
-# chattr +F and chattr +P /data/media in init
-allow toolbox media_rw_data_file:dir { r_dir_perms setattr };
-allowxperm toolbox media_rw_data_file:dir ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
diff --git a/prebuilts/api/31.0/public/traced.te b/prebuilts/api/31.0/public/traced.te
deleted file mode 100644
index 922d46e..0000000
--- a/prebuilts/api/31.0/public/traced.te
+++ /dev/null
@@ -1,3 +0,0 @@
-type traced, domain, coredomain, mlstrustedsubject;
-type traced_tmpfs, file_type;
-
diff --git a/prebuilts/api/31.0/public/traced_perf.te b/prebuilts/api/31.0/public/traced_perf.te
deleted file mode 100644
index f9a0324..0000000
--- a/prebuilts/api/31.0/public/traced_perf.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_perf, domain;
diff --git a/prebuilts/api/31.0/public/traced_probes.te b/prebuilts/api/31.0/public/traced_probes.te
deleted file mode 100644
index 3e587c8..0000000
--- a/prebuilts/api/31.0/public/traced_probes.te
+++ /dev/null
@@ -1 +0,0 @@
-type traced_probes, domain, coredomain, mlstrustedsubject;
diff --git a/prebuilts/api/31.0/public/traceur_app.te b/prebuilts/api/31.0/public/traceur_app.te
deleted file mode 100644
index ce9b844..0000000
--- a/prebuilts/api/31.0/public/traceur_app.te
+++ /dev/null
@@ -1,27 +0,0 @@
-type traceur_app, domain;
-
-allow traceur_app servicemanager:service_manager list;
-allow traceur_app hwservicemanager:hwservice_manager list;
-
-allow traceur_app {
- service_manager_type
- -apex_service
- -dnsresolver_service
- -gatekeeper_service
- -incident_service
- -installd_service
- -iorapd_service
- -lpdump_service
- -netd_service
- -virtual_touchpad_service
- -vold_service
- -vr_hwc_service
- -default_android_service
-}:service_manager find;
-
-# Allow traceur_app to use atrace HAL
-hal_client_domain(traceur_app, hal_atrace)
-
-dontaudit traceur_app service_manager_type:service_manager find;
-dontaudit traceur_app hwservice_manager_type:hwservice_manager find;
-dontaudit traceur_app domain:binder call;
diff --git a/prebuilts/api/31.0/public/tzdatacheck.te b/prebuilts/api/31.0/public/tzdatacheck.te
deleted file mode 100644
index cf9b95d..0000000
--- a/prebuilts/api/31.0/public/tzdatacheck.te
+++ /dev/null
@@ -1,18 +0,0 @@
-# The tzdatacheck command run by init.
-type tzdatacheck, domain;
-type tzdatacheck_exec, system_file_type, exec_type, file_type;
-
-allow tzdatacheck zoneinfo_data_file:dir create_dir_perms;
-allow tzdatacheck zoneinfo_data_file:file unlink;
-
-# Below are strong assertion that only init, system_server and tzdatacheck
-# can modify the /data time zone rules directories. This is to make it very
-# clear that only these domains should modify the actual time zone rules data.
-# The tzdatacheck binary itself may be executed by shell for tests but it must
-# not be able to modify the real rules.
-# If other users / binaries could modify time zone rules on device this might
-# have negative implications for users (who may get incorrect local times)
-# or break assumptions made / invalidate data held by the components actually
-# responsible for updating time zone rules.
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:file no_w_file_perms;
-neverallow { domain -system_server -init -tzdatacheck } zoneinfo_data_file:dir no_w_dir_perms;
diff --git a/prebuilts/api/31.0/public/ueventd.te b/prebuilts/api/31.0/public/ueventd.te
deleted file mode 100644
index d5d4301..0000000
--- a/prebuilts/api/31.0/public/ueventd.te
+++ /dev/null
@@ -1,83 +0,0 @@
-# ueventd seclabel is specified in init.rc since
-# it lives in the rootfs and has no unique file type.
-type ueventd, domain;
-type ueventd_tmpfs, file_type;
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow ueventd efs_file:dir search;
-allow ueventd efs_file:file r_file_perms;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. ueventd has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
- allow ueventd rootfs:file { r_file_perms execute };
-')
-
-# Suppress denials for ueventd to getattr /postinstall. This occurs when the
-# linker tries to resolve paths in ld.config.txt.
-dontaudit ueventd postinstall_mnt_dir:dir getattr;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
-allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
-
-# Allow ueventd to run shell scripts from vendor
-allow ueventd vendor_shell_exec:file execute;
-
-#####
-##### neverallow rules
-#####
-
-# Restrict ueventd access on block devices to maintenence operations.
-neverallow ueventd dev_type:blk_file ~{ getattr relabelfrom relabelto create setattr unlink };
-
-# Only relabelto as we would never want to relabelfrom port_device
-neverallow ueventd port_device:chr_file ~{ getattr create setattr unlink relabelto };
-
-# Nobody should be able to ptrace ueventd
-neverallow * ueventd:process ptrace;
-
-# ueventd should never execute a program without changing to another domain.
-neverallow ueventd { file_type fs_type }:file execute_no_trans;
diff --git a/prebuilts/api/31.0/public/uncrypt.te b/prebuilts/api/31.0/public/uncrypt.te
deleted file mode 100644
index 3b04671..0000000
--- a/prebuilts/api/31.0/public/uncrypt.te
+++ /dev/null
@@ -1,46 +0,0 @@
-# uncrypt
-type uncrypt, domain, mlstrustedsubject;
-type uncrypt_exec, system_file_type, exec_type, file_type;
-
-allow uncrypt self:global_capability_class_set { dac_override dac_read_search };
-
-userdebug_or_eng(`
- # For debugging, allow /data/local/tmp access
- r_dir_file(uncrypt, shell_data_file)
-')
-
-# Read /cache/recovery/command
-# Read /cache/recovery/uncrypt_file
-allow uncrypt cache_file:dir search;
-allow uncrypt cache_recovery_file:dir rw_dir_perms;
-allow uncrypt cache_recovery_file:file create_file_perms;
-
-# Read and write(for f2fs_pin_file) on OTA zip file at /data/ota_package/.
-allow uncrypt ota_package_file:dir r_dir_perms;
-allow uncrypt ota_package_file:file rw_file_perms;
-
-# Write to /dev/socket/uncrypt
-unix_socket_connect(uncrypt, uncrypt, uncrypt)
-
-# Raw writes to block device
-allow uncrypt self:global_capability_class_set sys_rawio;
-allow uncrypt misc_block_device:blk_file w_file_perms;
-allow uncrypt block_device:dir r_dir_perms;
-
-# Access userdata block device.
-allow uncrypt userdata_block_device:blk_file w_file_perms;
-
-r_dir_file(uncrypt, rootfs)
-
-# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt {
- proc_bootconfig
- proc_cmdline
-
-}:file r_file_perms;
-
-# Read files in /sys
-r_dir_file(uncrypt, sysfs_dt_firmware_android)
-
-# Allow ReadDefaultFstab().
-read_fstab(uncrypt)
diff --git a/prebuilts/api/31.0/public/untrusted_app.te b/prebuilts/api/31.0/public/untrusted_app.te
deleted file mode 100644
index 43fe19a..0000000
--- a/prebuilts/api/31.0/public/untrusted_app.te
+++ /dev/null
@@ -1,30 +0,0 @@
-###
-### Untrusted apps.
-###
-### Apps are labeled based on mac_permissions.xml (maps signer and
-### optionally package name to seinfo value) and seapp_contexts (maps UID
-### and optionally seinfo value to domain for process and type for data
-### directory). The untrusted_app domain is the default assignment in
-### seapp_contexts for any app with UID between APP_AID (10000)
-### and AID_ISOLATED_START (99000) if the app has no specific seinfo
-### value as determined from mac_permissions.xml. In current AOSP, this
-### domain is assigned to all non-system apps as well as to any system apps
-### that are not signed by the platform key. To move
-### a system app into a specific domain, add a signer entry for it to
-### mac_permissions.xml and assign it one of the pre-existing seinfo values
-### or define and use a new seinfo value in both mac_permissions.xml and
-### seapp_contexts.
-###
-
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion >= 30.
-type untrusted_app, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion = 29.
-type untrusted_app_29, domain;
-# This file defines the rules for untrusted apps running with
-# 25 < targetSdkVersion <= 28.
-type untrusted_app_27, domain;
-# This file defines the rules for untrusted apps running with
-# targetSdkVersion <= 25.
-type untrusted_app_25, domain;
diff --git a/prebuilts/api/31.0/public/update_engine.te b/prebuilts/api/31.0/public/update_engine.te
deleted file mode 100644
index ab7090b..0000000
--- a/prebuilts/api/31.0/public/update_engine.te
+++ /dev/null
@@ -1,78 +0,0 @@
-# Domain for update_engine daemon.
-type update_engine, domain, update_engine_common;
-type update_engine_exec, system_file_type, exec_type, file_type;
-
-net_domain(update_engine);
-
-# Following permissions are needed for update_engine.
-allow update_engine self:process { setsched };
-allow update_engine self:global_capability_class_set { fowner sys_admin };
-# Note: fsetid checks are triggered when creating a file in a directory with
-# the setgid bit set to determine if the file should inherit setgid. In this
-# case, setgid on the file is undesirable so we should just suppress the
-# denial.
-dontaudit update_engine self:global_capability_class_set fsetid;
-
-allow update_engine kmsg_device:chr_file { getattr w_file_perms };
-allow update_engine update_engine_exec:file rx_file_perms;
-wakelock_use(update_engine);
-
-# Ignore these denials.
-dontaudit update_engine kernel:process setsched;
-dontaudit update_engine self:global_capability_class_set sys_rawio;
-
-# Allow using persistent storage in /data/misc/update_engine.
-allow update_engine update_engine_data_file:dir create_dir_perms;
-allow update_engine update_engine_data_file:file create_file_perms;
-
-# Allow using persistent storage in /data/misc/update_engine_log.
-allow update_engine update_engine_log_data_file:dir create_dir_perms;
-allow update_engine update_engine_log_data_file:file create_file_perms;
-
-# Don't allow kernel module loading, just silence the logs.
-dontaudit update_engine kernel:system module_request;
-
-# Register the service to perform Binder IPC.
-binder_use(update_engine)
-add_service(update_engine, update_engine_service)
-add_service(update_engine, update_engine_stable_service)
-
-# Allow update_engine to call the callback function provided by priv_app/GMS core.
-binder_call(update_engine, priv_app)
-# b/142672293: No other priv-app should need this rule now that GMS core runs in its own domain.
-userdebug_or_eng(`
- auditallow update_engine priv_app:binder { call transfer };
- auditallow priv_app update_engine:binder transfer;
- auditallow update_engine priv_app:fd use;
-')
-
-binder_call(update_engine, gmscore_app)
-
-# Allow update_engine to call the callback function provided by system_server.
-binder_call(update_engine, system_server)
-
-# Read OTA zip file at /data/ota_package/.
-allow update_engine ota_package_file:file r_file_perms;
-allow update_engine ota_package_file:dir r_dir_perms;
-
-# Use Boot Control HAL
-hal_client_domain(update_engine, hal_bootctl)
-
-# access /proc/misc
-allow update_engine proc_misc:file r_file_perms;
-
-# read directories on /system and /vendor
-allow update_engine system_file:dir r_dir_perms;
-
-# Allow ReadDefaultFstab().
-# update_engine tries to determine the parent path for all devices (e.g.
-# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device.
-read_fstab(update_engine)
-
-# Allow to write to snapshotctl_log logs.
-# TODO(b/148818798) revert when parent bug is fixed.
-userdebug_or_eng(`
-allow update_engine snapshotctl_log_data_file:dir rw_dir_perms;
-allow update_engine snapshotctl_log_data_file:file create_file_perms;
-')
diff --git a/prebuilts/api/31.0/public/update_engine_common.te b/prebuilts/api/31.0/public/update_engine_common.te
deleted file mode 100644
index e8fd29e..0000000
--- a/prebuilts/api/31.0/public/update_engine_common.te
+++ /dev/null
@@ -1,98 +0,0 @@
-# update_engine payload application permissions. These are shared between the
-# background daemon and the recovery tool to sideload an update.
-
-# Allow update_engine to reach block devices in /dev/block.
-allow update_engine_common block_device:dir search;
-
-# Allow read/write on system and boot partitions.
-allow update_engine_common boot_block_device:blk_file rw_file_perms;
-allow update_engine_common system_block_device:blk_file rw_file_perms;
-
-# Where ioctls are granted via standard allow rules to block devices,
-# automatically allow common ioctls that are generally needed by
-# update_engine.
-allowxperm update_engine_common dev_type:blk_file ioctl {
- BLKDISCARD
- BLKDISCARDZEROES
- BLKROGET
- BLKROSET
- BLKSECDISCARD
- BLKZEROOUT
-};
-
-# Allow to set recovery options in the BCB. Used to trigger factory reset when
-# the update to an older version (channel change) or incompatible version
-# requires it.
-allow update_engine_common misc_block_device:blk_file rw_file_perms;
-
-# read fstab
-allow update_engine_common rootfs:dir getattr;
-allow update_engine_common rootfs:file r_file_perms;
-
-# Allow update_engine_common to mount on the /postinstall directory and reset the
-# labels on the mounted filesystem to postinstall_file.
-allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
-allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
-
-# Allow update_engine_common to read and execute postinstall_file.
-allow update_engine_common postinstall_file:file rx_file_perms;
-allow update_engine_common postinstall_file:lnk_file r_file_perms;
-allow update_engine_common postinstall_file:dir r_dir_perms;
-
-# install update.zip from cache
-r_dir_file(update_engine_common, cache_file)
-
-# A postinstall program is typically a shell script (with a #!), so we allow
-# to execute those.
-allow update_engine_common shell_exec:file rx_file_perms;
-
-# Allow update_engine_common to suspend, resume and kill the postinstall program.
-allow update_engine_common postinstall:process { signal sigstop sigkill };
-
-# access /proc/cmdline
-allow update_engine_common proc_cmdline:file r_file_perms;
-
-# Read files in /sys/firmware/devicetree/base/firmware/android/
-r_dir_file(update_engine_common, sysfs_dt_firmware_android)
-
-# Needed because libdm reads sysfs to validate when a dm path is ready.
-r_dir_file(update_engine_common, sysfs_dm)
-
-# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
-allow update_engine_common sysfs:dir r_dir_perms;
-allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
-
-# read / write on /dev/device-mapper to map / unmap devices
-allow update_engine_common dm_device:chr_file rw_file_perms;
-
-# apply / verify updates on devices mapped via device mapper
-allow update_engine_common dm_device:blk_file rw_file_perms;
-
-# read /dev/dm-user, so that we can inotify wait for control devices to be
-# asynchronously created by ueventd.
-allow update_engine dm_user_device:dir r_dir_perms;
-
-# read / write metadata on super device to resize partitions
-allow update_engine_common super_block_device_type:blk_file rw_file_perms;
-
-# ioctl on super device to get block device alignment and alignment offset
-allowxperm update_engine_common super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
-
-# get physical block device to map logical partitions on device mapper
-allow update_engine_common block_device:dir r_dir_perms;
-
-# Allow update_engine_common to write to statsd socket.
-unix_socket_send(update_engine_common, statsdw, statsd)
-
-# Allow to read Virtual A/B feature flags.
-get_prop(update_engine_common, virtual_ab_prop)
-
-# Allow to read GKI related flags.
-get_prop(update_engine_common, ab_update_gki_prop)
-get_prop(update_engine_common, build_bootimage_prop)
-
-# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
-allow update_engine_common metadata_file:dir search;
-allow update_engine_common ota_metadata_file:dir rw_dir_perms;
-allow update_engine_common ota_metadata_file:file create_file_perms;
diff --git a/prebuilts/api/31.0/public/update_verifier.te b/prebuilts/api/31.0/public/update_verifier.te
deleted file mode 100644
index 68b43f0..0000000
--- a/prebuilts/api/31.0/public/update_verifier.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# update_verifier
-type update_verifier, domain;
-type update_verifier_exec, system_file_type, exec_type, file_type;
-
-# Allow update_verifier to reach block devices in /dev/block.
-allow update_verifier block_device:dir search;
-
-# Read care map in /data/ota_package/.
-allow update_verifier ota_package_file:dir r_dir_perms;
-allow update_verifier ota_package_file:file r_file_perms;
-
-# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
-allow update_verifier sysfs:dir r_dir_perms;
-
-# Read /sys/block/dm-X/dm/name (which is a symlink to
-# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
-# dm-X and system/vendor partitions.
-allow update_verifier sysfs_dm:dir r_dir_perms;
-allow update_verifier sysfs_dm:file r_file_perms;
-
-# Read all blocks in DM wrapped system partition.
-allow update_verifier dm_device:blk_file r_file_perms;
-
-# Write to kernel message.
-allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
-
-# Use Boot Control HAL
-hal_client_domain(update_verifier, hal_bootctl)
-
-# Access Checkpoint commands over binder
-allow update_verifier vold_service:service_manager find;
-binder_call(update_verifier, servicemanager)
-binder_call(update_verifier, vold)
diff --git a/prebuilts/api/31.0/public/usbd.te b/prebuilts/api/31.0/public/usbd.te
deleted file mode 100644
index 6f34954..0000000
--- a/prebuilts/api/31.0/public/usbd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type usbd, domain;
-type usbd_exec, system_file_type, exec_type, file_type;
diff --git a/prebuilts/api/31.0/public/userdata_sysdev.te b/prebuilts/api/31.0/public/userdata_sysdev.te
deleted file mode 100644
index 9974f36..0000000
--- a/prebuilts/api/31.0/public/userdata_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow userdata_sysdev sysfs:filesystem associate;
diff --git a/prebuilts/api/31.0/public/vdc.te b/prebuilts/api/31.0/public/vdc.te
deleted file mode 100644
index e638e50..0000000
--- a/prebuilts/api/31.0/public/vdc.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# vdc spawned from init for the following services:
-# defaultcrypto
-# encrypt
-#
-# We also transition into this domain from dumpstate, when
-# collecting bug reports.
-
-type vdc, domain;
-type vdc_exec, system_file_type, exec_type, file_type;
-
-# vdc can be invoked with logwrapper, so let it write to pty
-allow vdc devpts:chr_file rw_file_perms;
-
-# vdc writes directly to kmsg during the boot process
-allow vdc kmsg_device:chr_file { getattr w_file_perms };
-
-# vdc talks to vold over Binder
-binder_use(vdc)
-binder_call(vdc, vold)
-allow vdc vold_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/vendor_init.te b/prebuilts/api/31.0/public/vendor_init.te
deleted file mode 100644
index 0999f48..0000000
--- a/prebuilts/api/31.0/public/vendor_init.te
+++ /dev/null
@@ -1,296 +0,0 @@
-# vendor_init is its own domain.
-type vendor_init, domain, mlstrustedsubject;
-
-# Communication to the main init process
-allow vendor_init init:unix_stream_socket { read write };
-
-# Logging to kmsg
-allow vendor_init kmsg_device:chr_file { open getattr write };
-
-# Mount on /dev/usb-ffs/adb.
-allow vendor_init device:dir mounton;
-
-# Create and remove symlinks in /.
-allow vendor_init rootfs:lnk_file { create unlink };
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow vendor_init cgroup:dir create_dir_perms;
-allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
-
-# /config
-allow vendor_init configfs:dir mounton;
-allow vendor_init configfs:dir create_dir_perms;
-allow vendor_init configfs:{ file lnk_file } create_file_perms;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow vendor_init self:global_capability_class_set { dac_override dac_read_search };
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow vendor_init self:global_capability_class_set { chown fowner fsetid };
-
-# mkdir with FBE requires reading /data/unencrypted/{ref,mode}.
-allow vendor_init unencrypted_data_file:dir search;
-allow vendor_init unencrypted_data_file:file r_file_perms;
-
-# Set encryption policy on dirs in /data
-allowxperm vendor_init data_file_type:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
-};
-
-allow vendor_init system_data_file:dir getattr;
-
-allow vendor_init {
- file_type
- -core_data_file_type
- -exec_type
- -system_file_type
- -mnt_product_file
- -password_slot_metadata_file
- -ota_metadata_file
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
-}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
-
-allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
-
-allow vendor_init {
- file_type
- -core_data_file_type
- -exec_type
- -password_slot_metadata_file
- -ota_metadata_file
- -runtime_event_log_tags_file
- -system_file_type
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -apex_info_file
- -userspace_reboot_metadata_file
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow vendor_init {
- file_type
- -core_data_file_type
- -exec_type
- -password_slot_metadata_file
- -ota_metadata_file
- -system_file_type
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -apex_mnt_dir
- -core_data_file_type
- -exec_type
- -password_slot_metadata_file
- -ota_metadata_file
- -system_file_type
- -unlabeled
- -vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow vendor_init {
- file_type
- -core_data_file_type
- -exec_type
- -mnt_product_file
- -password_slot_metadata_file
- -ota_metadata_file
- -system_file_type
- -vendor_file_type
- -vold_metadata_file
- -gsi_metadata_file_type
- -apex_metadata_file
- -userspace_reboot_metadata_file
-}:dir_file_class_set relabelto;
-
-allow vendor_init dev_type:dir create_dir_perms;
-allow vendor_init dev_type:lnk_file create;
-
-# Disable tracing by writing to /sys/kernel/debug/tracing/tracing_on
-allow vendor_init debugfs_tracing:file w_file_perms;
-
-# chown/chmod on pseudo files.
-allow vendor_init {
- fs_type
- -contextmount_type
- -keychord_device
- -sdcard_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
-}:file { open read setattr map };
-
-allow vendor_init tracefs_type:file { open read setattr map };
-
-allow vendor_init {
- fs_type
- -contextmount_type
- -sdcard_type
- -rootfs
- -proc_uid_time_in_state
- -proc_uid_concurrent_active_time
- -proc_uid_concurrent_policy_time
-}:dir { open read setattr search };
-
-allow vendor_init dev_type:blk_file getattr;
-
-# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
-r_dir_file(vendor_init, proc_net_type)
-allow vendor_init proc_net_type:file w_file_perms;
-allow vendor_init self:global_capability_class_set net_admin;
-
-# Write to /proc/sys/vm/page-cluster
-allow vendor_init proc_page_cluster:file w_file_perms;
-
-# Write to sysfs nodes.
-allow vendor_init sysfs_type:dir r_dir_perms;
-allow vendor_init sysfs_type:lnk_file read;
-allow vendor_init { sysfs_type -sysfs_usermodehelper }:file rw_file_perms;
-
-# setfscreatecon() for labeling directories and socket files.
-allow vendor_init self:process { setfscreate };
-
-r_dir_file(vendor_init, vendor_file_type)
-
-# Vendor init can read properties
-allow vendor_init serialno_prop:file { getattr open read map };
-
-# Vendor init can perform operations on trusted and security Extended Attributes
-allow vendor_init self:global_capability_class_set sys_admin;
-
-# Raw writes to misc block device
-allow vendor_init misc_block_device:blk_file w_file_perms;
-
-# vendor_init is using bootstrap bionic
-allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
-allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
-
-# allow filesystem tuning
-allow vendor_init userdata_sysdev:file create_file_perms;
-
-# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
-# the dynamic linker and shared libraries.
-recovery_only(`
- allow vendor_init rootfs:file { r_file_perms execute };
-')
-
-not_compatible_property(`
- set_prop(vendor_init, {
- property_type
- -system_internal_property_type
- -system_restricted_property_type
- })
-')
-
-# Get file context
-allow vendor_init file_contexts_file:file r_file_perms;
-
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
-set_prop(vendor_init, apk_verity_prop)
-set_prop(vendor_init, bluetooth_a2dp_offload_prop)
-set_prop(vendor_init, bluetooth_audio_hal_prop)
-set_prop(vendor_init, camera2_extensions_prop)
-set_prop(vendor_init, camerax_extensions_prop)
-set_prop(vendor_init, cpu_variant_prop)
-set_prop(vendor_init, dalvik_runtime_prop)
-set_prop(vendor_init, debug_prop)
-set_prop(vendor_init, exported_bluetooth_prop)
-set_prop(vendor_init, exported_camera_prop)
-set_prop(vendor_init, exported_config_prop)
-set_prop(vendor_init, exported_default_prop)
-set_prop(vendor_init, exported_overlay_prop)
-set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, ffs_control_prop)
-set_prop(vendor_init, hw_timeout_multiplier_prop)
-set_prop(vendor_init, incremental_prop)
-set_prop(vendor_init, lmkd_prop)
-set_prop(vendor_init, logd_prop)
-set_prop(vendor_init, log_tag_prop)
-set_prop(vendor_init, log_prop)
-set_prop(vendor_init, qemu_hw_prop)
-set_prop(vendor_init, radio_control_prop)
-set_prop(vendor_init, rebootescrow_hal_prop)
-set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, soc_prop)
-set_prop(vendor_init, surfaceflinger_color_prop)
-set_prop(vendor_init, usb_control_prop)
-set_prop(vendor_init, userspace_reboot_config_prop)
-set_prop(vendor_init, vehicle_hal_prop)
-set_prop(vendor_init, vendor_default_prop)
-set_prop(vendor_init, vendor_security_patch_level_prop)
-set_prop(vendor_init, vndk_prop)
-set_prop(vendor_init, virtual_ab_prop)
-set_prop(vendor_init, vold_post_fs_data_prop)
-set_prop(vendor_init, wifi_hal_prop)
-set_prop(vendor_init, wifi_log_prop)
-set_prop(vendor_init, zram_control_prop)
-
-get_prop(vendor_init, boot_status_prop)
-get_prop(vendor_init, exported3_system_prop)
-get_prop(vendor_init, ota_prop)
-get_prop(vendor_init, power_debug_prop)
-get_prop(vendor_init, provisioned_prop)
-get_prop(vendor_init, retaildemo_prop)
-get_prop(vendor_init, surfaceflinger_display_prop)
-get_prop(vendor_init, test_harness_prop)
-get_prop(vendor_init, theme_prop)
-set_prop(vendor_init, dck_prop)
-
-
-###
-### neverallow rules
-###
-
-# Vendor init shouldn't communicate with any vendor process, nor most system processes.
-neverallow_establish_socket_comms(vendor_init, { domain -init -logd -su -vendor_init });
-
-# The vendor_init domain is only entered via an exec based transition from the
-# init domain, never via setcon().
-neverallow domain vendor_init:process dyntransition;
-neverallow { domain -init } vendor_init:process transition;
-neverallow vendor_init { file_type fs_type -init_exec }:file entrypoint;
-
-# Never read/follow symlinks created by shell or untrusted apps.
-neverallow vendor_init { app_data_file privapp_data_file }:lnk_file read;
-neverallow vendor_init shell_data_file:lnk_file read;
-# Init should not be creating subdirectories in /data/local/tmp
-neverallow vendor_init shell_data_file:dir { write add_name remove_name };
-
-# init should never execute a program without changing to another domain.
-neverallow vendor_init { file_type fs_type }:file execute_no_trans;
-
-# Init never adds or uses services via service_manager.
-neverallow vendor_init service_manager_type:service_manager { add find };
-neverallow vendor_init servicemanager:service_manager list;
-
-# vendor_init should never be ptraced
-neverallow * vendor_init:process ptrace;
diff --git a/prebuilts/api/31.0/public/vendor_misc_writer.te b/prebuilts/api/31.0/public/vendor_misc_writer.te
deleted file mode 100644
index 3bc3a9f..0000000
--- a/prebuilts/api/31.0/public/vendor_misc_writer.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# vendor_misc_writer
-type vendor_misc_writer, domain;
-type vendor_misc_writer_exec, vendor_file_type, exec_type, file_type;
-
-# Raw writes to misc_block_device
-allow vendor_misc_writer misc_block_device:blk_file w_file_perms;
-allow vendor_misc_writer block_device:dir r_dir_perms;
-
-# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
-# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
-dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
-dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
-
-# Allow ReadDefaultFstab().
-read_fstab(vendor_misc_writer)
diff --git a/prebuilts/api/31.0/public/vendor_modprobe.te b/prebuilts/api/31.0/public/vendor_modprobe.te
deleted file mode 100644
index 529c4aa..0000000
--- a/prebuilts/api/31.0/public/vendor_modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_modprobe, domain;
diff --git a/prebuilts/api/31.0/public/vendor_shell.te b/prebuilts/api/31.0/public/vendor_shell.te
deleted file mode 100644
index 5d7cb31..0000000
--- a/prebuilts/api/31.0/public/vendor_shell.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type vendor_shell, domain;
-type vendor_shell_exec, exec_type, vendor_file_type, file_type;
-
-allow vendor_shell vendor_shell_exec:file rx_file_perms;
-allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
-
-# Use fd from shell when vendor_shell is started from shell
-allow vendor_shell shell:fd use;
-
-# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
-allow vendor_shell adbd:fd use;
-allow vendor_shell adbd:process sigchld;
-allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
-
-allow vendor_shell devpts:chr_file rw_file_perms;
-allow vendor_shell tty_device:chr_file rw_file_perms;
-allow vendor_shell console_device:chr_file rw_file_perms;
-allow vendor_shell input_device:dir r_dir_perms;
-allow vendor_shell input_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/prebuilts/api/31.0/public/vendor_toolbox.te b/prebuilts/api/31.0/public/vendor_toolbox.te
deleted file mode 100644
index 63f938d..0000000
--- a/prebuilts/api/31.0/public/vendor_toolbox.te
+++ /dev/null
@@ -1,16 +0,0 @@
-# Toolbox installation for vendor binaries / scripts
-# Non-vendor processes are not allowed to execute the binary
-# and is always executed without transition.
-type vendor_toolbox_exec, exec_type, vendor_file_type, file_type;
-
-# Do not allow domains to transition to vendor toolbox
-# or read, execute the vendor_toolbox file.
-full_treble_only(`
- # Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
- neverallow {
- coredomain
- -init
- -modprobe
- } vendor_toolbox_exec:file { entrypoint execute execute_no_trans };
-')
diff --git a/prebuilts/api/31.0/public/virtual_touchpad.te b/prebuilts/api/31.0/public/virtual_touchpad.te
deleted file mode 100644
index 49c8704..0000000
--- a/prebuilts/api/31.0/public/virtual_touchpad.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type virtual_touchpad, domain;
-type virtual_touchpad_exec, system_file_type, exec_type, file_type;
-
-binder_use(virtual_touchpad)
-binder_service(virtual_touchpad)
-add_service(virtual_touchpad, virtual_touchpad_service)
-
-# Needed to check app permissions.
-binder_call(virtual_touchpad, system_server)
-
-# Requires access to /dev/uinput to create and feed the virtual device.
-allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow virtual_touchpad permission_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/vndservice.te b/prebuilts/api/31.0/public/vndservice.te
deleted file mode 100644
index efd9adf..0000000
--- a/prebuilts/api/31.0/public/vndservice.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type service_manager_vndservice, vndservice_manager_type;
-type default_android_vndservice, vndservice_manager_type;
diff --git a/prebuilts/api/31.0/public/vndservicemanager.te b/prebuilts/api/31.0/public/vndservicemanager.te
deleted file mode 100644
index 6b9f73d..0000000
--- a/prebuilts/api/31.0/public/vndservicemanager.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# vndservicemanager - the Binder context manager for vendor processes
-type vndservicemanager, domain;
diff --git a/prebuilts/api/31.0/public/vold.te b/prebuilts/api/31.0/public/vold.te
deleted file mode 100644
index 7796ba8..0000000
--- a/prebuilts/api/31.0/public/vold.te
+++ /dev/null
@@ -1,361 +0,0 @@
-# volume manager
-type vold, domain;
-type vold_exec, exec_type, file_type, system_file_type;
-
-# Read already opened /cache files.
-allow vold cache_file:dir r_dir_perms;
-allow vold cache_file:file { getattr read };
-allow vold cache_file:lnk_file r_file_perms;
-
-r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
-# XXX Label sysfs files with a specific type?
-allow vold {
- sysfs # writing to /sys/*/uevent during coldboot.
- sysfs_devices_block
- sysfs_dm
- sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
- sysfs_usb
- sysfs_zram_uevent
- sysfs_fs_f2fs
-}:file w_file_perms;
-
-r_dir_file(vold, rootfs)
-r_dir_file(vold, metadata_file)
-allow vold {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_drop_caches
- proc_filesystems
- proc_meminfo
- proc_mounts
-}:file r_file_perms;
-
-#Get file contexts
-allow vold file_contexts_file:file r_file_perms;
-
-# Allow us to jump into execution domains of above tools
-allow vold self:process setexec;
-
-# For formatting adoptable storage devices
-allow vold e2fs_exec:file rx_file_perms;
-
-# Run fstrim on mounted partitions
-# allowxperm still requires the ioctl permission for the individual type
-allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
-
-# Get/set file-based encryption policies on dirs in /data and adoptable storage,
-# and add/remove file-based encryption keys.
-allowxperm vold data_file_type:dir ioctl {
- FS_IOC_GET_ENCRYPTION_POLICY
- FS_IOC_SET_ENCRYPTION_POLICY
- FS_IOC_ADD_ENCRYPTION_KEY
- FS_IOC_REMOVE_ENCRYPTION_KEY
-};
-
-# Only vold and init should ever set file-based encryption policies.
-neverallowxperm {
- domain
- -vold
- -init
- -vendor_init
-} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
-
-# Only vold should ever add/remove file-based encryption keys.
-neverallowxperm {
- domain
- -vold
-} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-
-# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
-# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
-# location of the file's blocks on the raw block device to erase.
-allowxperm vold {
- vold_data_file
- vold_metadata_file
-}:file ioctl {
- F2FS_IOC_SEC_TRIM_FILE
- FS_IOC_FIEMAP
-};
-
-typeattribute vold mlstrustedsubject;
-allow vold self:process setfscreate;
-allow vold system_file:file x_file_perms;
-not_full_treble(`allow vold vendor_file:file x_file_perms;')
-allow vold block_device:dir create_dir_perms;
-allow vold device:dir write;
-allow vold devpts:chr_file rw_file_perms;
-allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
-
-# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
-
-# Access to storage that backs emulated FUSE daemons for migration optimization
-allow vold media_rw_data_file:dir create_dir_perms;
-allow vold media_rw_data_file:file create_file_perms;
-# Allow mounting (lower filesystem) on parts of media for performance
-allow vold media_rw_data_file:dir mounton;
-
-# Allow setting extended attributes (for project quota IDs) on files and dirs
-# and to enable project ID inheritance through FS_IOC_SETFLAGS
-allowxperm vold media_rw_data_file:{ dir file } ioctl {
- FS_IOC_FSGETXATTR
- FS_IOC_FSSETXATTR
- FS_IOC_GETFLAGS
- FS_IOC_SETFLAGS
-};
-
-# Allow mounting of storage devices
-allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
-
-# Manage per-user primary symlinks
-allow vold mnt_user_file:dir { create_dir_perms mounton };
-allow vold mnt_user_file:lnk_file create_file_perms;
-allow vold mnt_user_file:file create_file_perms;
-
-# Manage per-user pass_through primary symlinks
-allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
-allow vold mnt_pass_through_file:lnk_file create_file_perms;
-
-# Allow to create and mount expanded storage
-allow vold mnt_expand_file:dir { create_dir_perms mounton };
-allow vold apk_data_file:dir { create getattr setattr };
-allow vold shell_data_file:dir { create getattr setattr };
-
-# Allow to mount incremental file system on /data/incremental and create files
-allow vold apk_data_file:dir { mounton rw_dir_perms };
-# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file { rw_file_perms unlink };
-# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
-allow vold apk_tmp_file:dir { mounton r_dir_perms };
-# Allow to read incremental control file and call selinux restorecon on it
-allow vold incremental_control_file:file { r_file_perms relabelto };
-
-allow vold tmpfs:filesystem { mount unmount };
-allow vold tmpfs:dir create_dir_perms;
-allow vold tmpfs:dir mounton;
-allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
-allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow vold loop_control_device:chr_file rw_file_perms;
-allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold loop_device:blk_file ioctl {
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_GET_STATUS64
- LOOP_SET_FD
- LOOP_SET_STATUS64
-};
-allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
-allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
-allow vold dm_device:chr_file rw_file_perms;
-allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
-# For vold Process::killProcessesWithOpenFiles function.
-allow vold domain:dir r_dir_perms;
-allow vold domain:{ file lnk_file } r_file_perms;
-allow vold domain:process { signal sigkill };
-allow vold self:global_capability_class_set { sys_ptrace kill };
-
-allow vold kmsg_device:chr_file rw_file_perms;
-
-# Run fsck in the fsck domain.
-allow vold fsck_exec:file { r_file_perms execute };
-
-# Log fsck results
-allow vold fscklogs:dir rw_dir_perms;
-allow vold fscklogs:file create_file_perms;
-
-#
-# Rules to support encrypted fs support.
-#
-
-# Unmount and mount the fs.
-allow vold labeledfs:filesystem { mount unmount remount };
-
-# Access /efs/userdata_footer.
-# XXX Split into a separate type?
-allow vold efs_file:file rw_file_perms;
-
-# Create and mount on /data/tmp_mnt and management of expansion mounts
-allow vold {
- system_data_file
- system_data_root_file
-}:dir { create rw_dir_perms mounton setattr rmdir };
-allow vold system_data_file:lnk_file getattr;
-
-# Vold create users in /data/vendor_{ce,de}/[0-9]+
-allow vold vendor_data_file:dir create_dir_perms;
-
-# for secdiscard
-allow vold system_data_file:file read;
-
-# Set scheduling policy of kernel processes
-allow vold kernel:process setsched;
-
-# ASEC
-allow vold asec_image_file:file create_file_perms;
-allow vold asec_image_file:dir rw_dir_perms;
-allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
-allow vold asec_public_file:dir { relabelto setattr };
-allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
-allow vold asec_public_file:file { relabelto setattr };
-# restorecon files in asec containers created on 4.2 or earlier.
-allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
-allow vold unlabeled:file { r_file_perms setattr relabelfrom };
-
-# Access to FUSE control filesystem to hard-abort FUSE mounts
-allow vold fusectlfs:file rw_file_perms;
-allow vold fusectlfs:dir rw_dir_perms;
-
-# Handle wake locks (used for device encryption)
-wakelock_use(vold)
-
-# Allow vold to publish a binder service and make binder calls.
-binder_use(vold)
-add_service(vold, vold_service)
-
-# Allow vold to call into the system server so it can check permissions.
-binder_call(vold, system_server)
-allow vold permission_service:service_manager find;
-
-# talk to batteryservice
-binder_call(vold, healthd)
-
-# talk to keymaster
-hal_client_domain(vold, hal_keymaster)
-
-# talk to health storage HAL
-hal_client_domain(vold, hal_health_storage)
-
-# talk to bootloader HAL
-full_treble_only(`hal_client_domain(vold, hal_bootctl)')
-
-# Access userdata block device.
-allow vold userdata_block_device:blk_file rw_file_perms;
-allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Access metadata block device used for encryption meta-data.
-allow vold metadata_block_device:blk_file rw_file_perms;
-allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
-
-# Allow vold to manipulate /data/unencrypted
-allow vold unencrypted_data_file:{ file } create_file_perms;
-allow vold unencrypted_data_file:dir create_dir_perms;
-
-# Write to /proc/sys/vm/drop_caches
-allow vold proc_drop_caches:file w_file_perms;
-
-# Give vold a place where only vold can store files; everyone else is off limits
-allow vold vold_data_file:dir create_dir_perms;
-allow vold vold_data_file:file create_file_perms;
-
-# And a similar place in the metadata partition
-allow vold vold_metadata_file:dir create_dir_perms;
-allow vold vold_metadata_file:file create_file_perms;
-
-# linux keyring configuration
-allow vold init:key { write search setattr };
-allow vold vold:key { write search setattr };
-
-# vold temporarily changes its priority when running benchmarks
-allow vold self:global_capability_class_set sys_nice;
-
-# vold needs to chroot into app namespaces to remount when runtime permissions change
-allow vold self:global_capability_class_set sys_chroot;
-allow vold storage_file:dir mounton;
-
-# For AppFuse.
-allow vold fuse_device:chr_file rw_file_perms;
-allow vold fuse:filesystem { relabelfrom };
-allow vold app_fusefs:filesystem { relabelfrom relabelto };
-allow vold app_fusefs:filesystem { mount unmount };
-allow vold app_fuse_file:dir rw_dir_perms;
-allow vold app_fuse_file:file { read write open getattr append };
-
-# MoveTask.cpp executes cp and rm
-allow vold toolbox_exec:file rx_file_perms;
-
-# Prepare profile dir for users.
-allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
-
-# Raw writes to misc block device
-allow vold misc_block_device:blk_file w_file_perms;
-
-# vold might need to search or mount /mnt/vendor/*
-allow vold mnt_vendor_file:dir search;
-
-dontaudit vold self:global_capability_class_set sys_resource;
-
-# Allow ReadDefaultFstab().
-read_fstab(vold)
-
-# vold might need to search loopback apex files
-allow vold vendor_apex_file:file r_file_perms;
-
-neverallow {
- domain
- -vold
- -vold_prepare_subdirs
-} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
-
-neverallow {
- domain
- -init
- -vold
- -vold_prepare_subdirs
-} vold_data_file:dir *;
-
-neverallow {
- domain
- -init
- -vold
-} vold_metadata_file:dir *;
-
-neverallow {
- domain
- -kernel
- -vold
- -vold_prepare_subdirs
-} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -vold
- -vold_prepare_subdirs
-} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
-
-neverallow {
- domain
- -init
- -kernel
- -vold
- -vold_prepare_subdirs
-} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
-
-neverallow { domain -vold -init } restorecon_prop:property_service set;
-
-neverallow vold {
- domain
- -hal_health_storage_server
- -hal_keymaster_server
- -system_suspend_server
- -hal_bootctl_server
- -healthd
- -hwservicemanager
- -iorapd_service
- -keystore
- -servicemanager
- -system_server
- userdebug_or_eng(`-su')
-}:binder call;
-
-neverallow vold fsck_exec:file execute_no_trans;
-neverallow { domain -init } vold:process { transition dyntransition };
-neverallow vold *:process ptrace;
-neverallow vold *:rawip_socket *;
diff --git a/prebuilts/api/31.0/public/vold_prepare_subdirs.te b/prebuilts/api/31.0/public/vold_prepare_subdirs.te
deleted file mode 100644
index 3087fa8..0000000
--- a/prebuilts/api/31.0/public/vold_prepare_subdirs.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# SELinux directory creation and labelling for vold-managed directories
-
-type vold_prepare_subdirs, domain;
-type vold_prepare_subdirs_exec, system_file_type, exec_type, file_type;
-
-typeattribute vold_prepare_subdirs coredomain;
diff --git a/prebuilts/api/31.0/public/vr_hwc.te b/prebuilts/api/31.0/public/vr_hwc.te
deleted file mode 100644
index c146887..0000000
--- a/prebuilts/api/31.0/public/vr_hwc.te
+++ /dev/null
@@ -1,33 +0,0 @@
-type vr_hwc, domain;
-type vr_hwc_exec, system_file_type, exec_type, file_type;
-
-# Get buffer metadata.
-hal_client_domain(vr_hwc, hal_graphics_allocator)
-
-binder_use(vr_hwc)
-binder_service(vr_hwc)
-
-binder_call(vr_hwc, surfaceflinger)
-# Needed to check for app permissions.
-binder_call(vr_hwc, system_server)
-
-add_service(vr_hwc, vr_hwc_service)
-
-# Hosts the VR HWC implementation and provides a simple Binder interface for VR
-# Window Manager to receive the layers/buffers.
-hwbinder_use(vr_hwc)
-
-# Load vendor libraries.
-allow vr_hwc system_file:dir r_dir_perms;
-
-allow vr_hwc ion_device:chr_file r_file_perms;
-
-# Allow connection to VR DisplayClient to get the primary display metadata
-# (ie: size).
-pdx_client(vr_hwc, display_client)
-
-# Requires access to the permission service to validate that clients have the
-# appropriate VR permissions.
-allow vr_hwc permission_service:service_manager find;
-
-allow vr_hwc vrflinger_vsync_service:service_manager find;
diff --git a/prebuilts/api/31.0/public/watchdogd.te b/prebuilts/api/31.0/public/watchdogd.te
deleted file mode 100644
index 72e3685..0000000
--- a/prebuilts/api/31.0/public/watchdogd.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# watchdogd seclabel is specified in init.<board>.rc
-type watchdogd, domain;
-type watchdogd_exec, system_file_type, exec_type, file_type;
-
-allow watchdogd watchdog_device:chr_file rw_file_perms;
-allow watchdogd kmsg_device:chr_file rw_file_perms;
diff --git a/prebuilts/api/31.0/public/webview_zygote.te b/prebuilts/api/31.0/public/webview_zygote.te
deleted file mode 100644
index ace3a01..0000000
--- a/prebuilts/api/31.0/public/webview_zygote.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# webview_zygote is an auxiliary zygote process that is used to spawn
-# isolated_app processes for rendering untrusted web content.
-
-type webview_zygote, domain;
-type webview_zygote_exec, exec_type, file_type;
-type webview_zygote_tmpfs, file_type;
diff --git a/prebuilts/api/31.0/public/wificond.te b/prebuilts/api/31.0/public/wificond.te
deleted file mode 100644
index 254fcbc..0000000
--- a/prebuilts/api/31.0/public/wificond.te
+++ /dev/null
@@ -1,43 +0,0 @@
-# wificond
-type wificond, domain;
-type wificond_exec, system_file_type, exec_type, file_type;
-
-binder_use(wificond)
-binder_call(wificond, system_server)
-binder_call(wificond, keystore)
-
-add_service(wificond, wifinl80211_service)
-
-# create sockets to set interfaces up and down
-allow wificond self:udp_socket create_socket_perms;
-# setting interface state up/down is a privileged ioctl
-allowxperm wificond self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFHWADDR };
-allow wificond self:global_capability_class_set { net_admin net_raw };
-# allow wificond to speak to nl80211 in the kernel
-allow wificond self:netlink_socket create_socket_perms_no_ioctl;
-# newer kernels (e.g. 4.4 but not 4.1) have a new class for sockets
-allow wificond self:netlink_generic_socket create_socket_perms_no_ioctl;
-
-r_dir_file(wificond, proc_net_type)
-
-# allow wificond to check permission for dumping logs
-allow wificond permission_service:service_manager find;
-
-# dumpstate support
-allow wificond dumpstate:fd use;
-allow wificond dumpstate:fifo_file write;
-
-#### Offer the Wifi Keystore HwBinder service ###
-hwbinder_use(wificond)
-typeattribute wificond wifi_keystore_service_server;
-add_hwservice(wificond, system_wifi_keystore_hwservice)
-
-# Allow keystore binder access to serve the HwBinder service.
-allow wificond keystore_service:service_manager find;
-allow wificond keystore:keystore_key get;
-
-# Allow keystore2 binder access to serve the HwBinder service.
-allow wificond wifi_key:keystore2_key {
- get_info
- use
-};
diff --git a/prebuilts/api/31.0/public/wpantund.te b/prebuilts/api/31.0/public/wpantund.te
deleted file mode 100644
index 8ddd693..0000000
--- a/prebuilts/api/31.0/public/wpantund.te
+++ /dev/null
@@ -1,29 +0,0 @@
-type wpantund, domain;
-type wpantund_exec, system_file_type, exec_type, file_type;
-
-hal_client_domain(wpantund, hal_lowpan)
-net_domain(wpantund)
-
-binder_use(wpantund)
-binder_call(wpantund, system_server)
-
-# wpantund needs to be able to check in with the lowpan_service
-allow wpantund lowpan_service:service_manager find;
-
-# Allow wpantund to call any callbacks that have been registered with it.
-# Generally, only privileged apps are able to register callbacks with
-# wpantund, so we are limiting the scope for callbacks to only privileged
-# apps. We also add shell to allow the command-line utility `lowpanctl`
-# to work properly from `adb shell`.
-allow wpantund {priv_app shell}:binder call;
-
-# create sockets to set interfaces up and down, add multicast groups, etc.
-allow wpantund self:udp_socket create_socket_perms;
-
-# setting interface state up/down and changing MTU are privileged ioctls
-allowxperm wpantund self:udp_socket ioctl { SIOCSIFFLAGS SIOCSIFMTU };
-
-# Allow us to bring up a TUN network interface.
-allow wpantund tun_device:chr_file rw_file_perms;
-allow wpantund self:global_capability_class_set { net_admin net_raw };
-allow wpantund self:tun_socket create;
diff --git a/prebuilts/api/31.0/public/zygote.te b/prebuilts/api/31.0/public/zygote.te
deleted file mode 100644
index 071354e..0000000
--- a/prebuilts/api/31.0/public/zygote.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# zygote
-type zygote, domain;
-type zygote_tmpfs, file_type;
-type zygote_exec, system_file_type, exec_type, file_type;
diff --git a/private/access_vectors b/private/access_vectors
index 7496c65..4144be8 100644
--- a/private/access_vectors
+++ b/private/access_vectors
@@ -138,7 +138,6 @@
wake_alarm
block_suspend
audit_read
- perfmon
}
#
@@ -182,9 +181,6 @@
entrypoint
}
-class anon_inode
-inherits file
-
class lnk_file
inherits file
@@ -714,40 +710,6 @@
gen_unique_id
}
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- pull_metrics
- report_off_body
- reset
- unlock
- delete_all_keys
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
class drmservice {
consumeRights
setPlaybackStatus
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164..e81aac7 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -44,9 +44,6 @@
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
# Create and use network sockets.
net_domain(adbd)
@@ -84,22 +81,14 @@
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
-# adb pull /vendor/framework/*
-allow adbd vendor_framework_file:dir r_dir_perms;
-allow adbd vendor_framework_file:file r_file_perms;
-
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
-get_prop(adbd, ffs_config_prop)
-set_prop(adbd, ffs_control_prop)
+set_prop(adbd, ffs_prop)
+set_prop(adbd, exported_ffs_prop)
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+# Set service.adb.tls.port, persist.adb.wifi. properties
set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
-# Allow adbd start/stop mdnsd via ctl.start
-set_prop(adbd, ctl_mdnsd_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
@@ -169,6 +158,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
@@ -200,26 +192,11 @@
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
-# Allow to push and manage configs in /data/misc/perfetto-configs.
-allow adbd perfetto_configs_data_file:dir rw_dir_perms;
-allow adbd perfetto_configs_data_file:file create_file_perms;
-
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
-# Allow pull /vendor/apex files for CTS tests
-allow adbd vendor_apex_file:dir search;
-allow adbd vendor_apex_file:file r_file_perms;
-
-# Allow adb pull of updated apex files in /data/apex/active.
-allow adbd apex_data_file:dir search;
-allow adbd staging_data_file:file r_file_perms;
-
-# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
-allow adbd apex_info_file:file r_file_perms;
-
###
### Neverallow rules
###
diff --git a/private/apexd.te b/private/apexd.te
index 09799bd..9e702dd 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -5,31 +5,19 @@
# Allow creating, reading and writing of APEX files/dirs in the APEX data dir
allow apexd apex_data_file:dir create_dir_perms;
allow apexd apex_data_file:file create_file_perms;
-# Allow relabeling file created in /data/apex/decompressed
-allow apexd apex_data_file:file relabelfrom;
# Allow creating, reading and writing of APEX files/dirs in the APEX metadata dir
allow apexd metadata_file:dir search;
allow apexd apex_metadata_file:dir create_dir_perms;
allow apexd apex_metadata_file:file create_file_perms;
-# Allow reserving space on /data/apex/ota_reserved for apex decompression
-allow apexd apex_ota_reserved_file:dir create_dir_perms;
-allow apexd apex_ota_reserved_file:file create_file_perms;
-
# Allow apexd to create files and directories for snapshots of apex data
-allow apexd apex_appsearch_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_appsearch_data_file:file { create_file_perms relabelto };
-allow apexd apex_art_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_art_data_file:file { create_file_perms relabelto };
allow apexd apex_permission_data_file:dir { create_dir_perms relabelto };
allow apexd apex_permission_data_file:file { create_file_perms relabelto };
allow apexd apex_module_data_file:dir { create_dir_perms relabelfrom };
allow apexd apex_module_data_file:file { create_file_perms relabelfrom };
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
-allow apexd apex_scheduling_data_file:dir { create_dir_perms relabelto };
-allow apexd apex_scheduling_data_file:file { create_file_perms relabelto };
allow apexd apex_wifi_data_file:dir { create_dir_perms relabelto };
allow apexd apex_wifi_data_file:file { create_file_perms relabelto };
@@ -49,14 +37,9 @@
LOOP_SET_DIRECT_IO
LOOP_CLR_FD
BLKFLSBUF
- LOOP_CONFIGURE
};
-# Allow apexd to access /dev/block
-allow apexd bdev_type:dir r_dir_perms;
-allow apexd bdev_type:blk_file getattr;
-
-#allow apexd to access virtual disks
-allow apexd vd_device:blk_file r_file_perms;
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
# allow apexd to access /dev/block/dm-* (device-mapper entries)
allow apexd dm_device:chr_file rw_file_perms;
@@ -81,12 +64,6 @@
allow apexd apex_mnt_dir:dir mounton;
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
-# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
-allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
-allow apexd apex_info_file:file relabelto;
-# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
-allow apexd apex_info_file:file rw_file_perms;
-
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
# because it doesn't have write permission for staging_data_file object.
@@ -95,8 +72,6 @@
# allow apexd to read files from /data/app-staging and hardlink them to /data/apex.
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
-# # Allow relabeling file created in /data/apex/decompressed
-allow apexd staging_data_file:file relabelto;
# allow apexd to read files from /vendor/apex
allow apexd vendor_apex_file:dir r_dir_perms;
@@ -107,8 +82,6 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
-allow apexd sysfs_block_type:dir r_dir_perms;
-allow apexd sysfs_block_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;
@@ -148,14 +121,16 @@
allow apexd system_bootstrap_lib_file:dir r_dir_perms;
allow apexd system_bootstrap_lib_file:file { execute read open getattr map };
+# Allow transition to ART APEX preinstall domain.
+domain_auto_trans(apexd, art_apex_preinstall_exec, art_apex_preinstall)
+# Allow transition to ART APEX postinstall domain.
+domain_auto_trans(apexd, art_apex_postinstall_exec, art_apex_postinstall)
+
# Allow transition to test APEX preinstall domain.
userdebug_or_eng(`
domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
')
-# Allow transition to GKI update pre/post install domain
-domain_auto_trans(apexd, gki_apex_prepostinstall_exec, gki_apex_prepostinstall)
-
# Allow apexd to be invoked with logwrapper from init during userspace reboot.
allow apexd devpts:chr_file { read write };
@@ -169,19 +144,6 @@
# Allow apexd to execute toybox for snapshot & restore
allow apexd toolbox_exec:file rx_file_perms;
-# Allow apexd to release compressed blocks in case /data is f2fs-compressed fs.
-allowxperm apexd staging_data_file:file ioctl {
- FS_IOC_GETFLAGS
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
-};
-
-# Allow apexd to read ro.cold_boot_done prop.
-# apexd uses it to decide whether it needs to keep retrying polling for loop device.
-get_prop(apexd, cold_boot_done_prop)
-
-# Allow apexd to read per-device configuration properties.
-get_prop(apexd, apexd_config_prop)
-
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
@@ -193,24 +155,3 @@
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -vold_prepare_subdirs } apex_rollback_data_file:file no_w_file_perms;
-
-# only apexd can set apexd sysprop
-set_prop(apexd, apexd_prop)
-neverallow { domain -apexd -init } apexd_prop:property_service set;
-
-# only apexd can write apex-info-list.xml
-neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
-
-# Only apexd and init should be allowed to manage /apex mounts
-# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
-# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
-# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
-neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
-
-# Allow for use in postinstall
-allow apexd otapreopt_chroot:fd use;
-allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
-allow apexd postinstall_apex_mnt_dir:file { create_file_perms relabelfrom };
-allow apexd postinstall_apex_mnt_dir:lnk_file create;
-allow apexd proc_filesystems:file r_file_perms;
diff --git a/private/app.te b/private/app.te
index 2b3554f..9882d8f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -2,23 +2,6 @@
# the implementation of ActivityManager.isDeviceInTestHarnessMode()
get_prop(appdomain, test_harness_prop)
-get_prop(appdomain, boot_status_prop)
-get_prop(appdomain, dalvik_config_prop)
-get_prop(appdomain, media_config_prop)
-get_prop(appdomain, packagemanager_config_prop)
-get_prop(appdomain, radio_control_prop)
-get_prop(appdomain, surfaceflinger_color_prop)
-get_prop(appdomain, systemsound_config_prop)
-get_prop(appdomain, telephony_config_prop)
-get_prop(appdomain, userspace_reboot_config_prop)
-get_prop(appdomain, vold_config_prop)
-get_prop(appdomain, adbd_config_prop)
-
-# Allow ART to be configurable via device_config properties
-# (ART "runs" inside the app process)
-get_prop(appdomain, device_config_runtime_native_prop)
-get_prop(appdomain, device_config_runtime_native_boot_prop)
-
userdebug_or_eng(`perfetto_producer({ appdomain })')
# Prevent apps from causing presubmit failures.
@@ -39,9 +22,6 @@
# Apps should not be reading vendor-defined properties.
dontaudit appdomain vendor_default_prop:file read;
-# Access to /mnt/media_rw/<vol> (limited by DAC to apps with external_storage gid)
-allow appdomain mnt_media_rw_file:dir search;
-
neverallow appdomain system_server:udp_socket {
accept append bind create ioctl listen lock name_bind
relabelfrom relabelto setattr shutdown };
@@ -59,47 +39,5 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
-# Allow to read sendbug.preferred.domain
-get_prop(appdomain, sendbug_config_prop)
-
# Allow to read graphics related properties.
get_prop(appdomain, graphics_config_prop)
-
-# Allow to read persist.config.calibration_fac
-get_prop(appdomain, camera_calibration_prop)
-
-# Allow to read db.log.detailed, db.log.slow_query_threshold*
-get_prop(appdomain, sqlite_log_prop)
-
-# Allow font file read by apps.
-allow appdomain font_data_file:file r_file_perms;
-allow appdomain font_data_file:dir r_dir_perms;
-
-# Enter /data/misc/apexdata/
-allow appdomain apex_module_data_file:dir search;
-# Read /data/misc/apexdata/com.android.art, execute signed AOT artifacts.
-allow appdomain apex_art_data_file:dir r_dir_perms;
-allow appdomain apex_art_data_file:file rx_file_perms;
-
-# Allow access to tombstones if an fd to one is given to you.
-# This is restricted by unix permissions, so an app must go through system_server to get one.
-allow appdomain tombstone_data_file:file { getattr read };
-neverallow appdomain tombstone_data_file:file ~{ getattr read };
-
-# Sensitive app domains are not allowed to execute from /data
-# to prevent persistence attacks and ensure all code is executed
-# from read-only locations.
-neverallow {
- bluetooth
- isolated_app
- nfc
- radio
- shared_relro
- system_app
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c7fa4e8..1157187 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -19,9 +19,6 @@
# Receive or send generic netlink messages
neverallow all_untrusted_apps domain:netlink_socket *;
-# Read or write kernel printk buffer
-neverallow all_untrusted_apps kmsg_device:chr_file no_rw_file_perms;
-
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow all_untrusted_apps { debugfs_type -debugfs_kcov }:file read;
@@ -45,9 +42,6 @@
# net.dns properties are not a public API. Disallow untrusted apps from reading this property.
neverallow { all_untrusted_apps } net_dns_prop:file read;
-# radio_cdma_ecm_prop properties are not a public API. Disallow untrusted apps from reading this property.
-neverallow { all_untrusted_apps } radio_cdma_ecm_prop:file read;
-
# Shared libraries created by trusted components within an app home
# directory can be dlopen()ed. To maintain the W^X property, these files
# must never be writable to the app.
@@ -160,7 +154,28 @@
# The tun_device ioctls below are not allowed, to prove equivalence
# to the kernel patch at
# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
-neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ FIOCLEX FIONCLEX TUNGETIFF };
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
+ SIOCGIFHWADDR
+ SIOCSIFHWADDR
+ TUNATTACHFILTER
+ TUNDETACHFILTER
+ TUNGETFEATURES
+ TUNGETFILTER
+ TUNGETSNDBUF
+ TUNGETVNETHDRSZ
+ TUNSETDEBUG
+ TUNSETGROUP
+ TUNSETIFF
+ TUNSETLINK
+ TUNSETNOCSUM
+ TUNSETOFFLOAD
+ TUNSETOWNER
+ TUNSETPERSIST
+ TUNSETQUEUE
+ TUNSETSNDBUF
+ TUNSETTXFILTER
+ TUNSETVNETHDRSZ
+};
# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
neverallow all_untrusted_apps anr_data_file:file ~{ open append };
@@ -202,21 +217,24 @@
# other than find actions for services listed below
neverallow all_untrusted_apps *:hwservice_manager ~find;
-# Do not permit access from apps which host arbitrary code to the protected services
+# Do not permit access from apps which host arbitrary code to the protected HwBinder
+# services.
# The two main reasons for this are:
-# 1. Protected HwBinder servers do not perform client authentication because
-# vendor code does not have a way to understand apps or their relation to
-# caller UID information and, even if it did, those services either operate
-# at a level below that of apps (e.g., HALs) or must not rely on app identity
-# for authorization. Thus, to be safe, the default assumption for all added
-# vendor services is that they treat all their clients as equally authorized
-# to perform operations offered by the service.
-# 2. HAL servers contain code with higher incidence rate of security issues
-# than system/core components and have access to lower layes of the stack
-# (all the way down to hardware) thus increasing opportunities for bypassing
-# the Android security model.
+# 1. Protected HwBinder servers do not perform client authentication because HIDL
+# currently does not expose caller UID information and, even if it did, those
+# HwBinder services either operate at a level below that of apps (e.g., HALs)
+# or must not rely on app identity for authorization. Thus, to be safe, the
+# default assumption is that every HwBinder service treats all its clients as
+# equally authorized to perform operations offered by the service.
+# 2. HAL servers (a subset of HwBinder services) contain code with higher
+# incidence rate of security issues than system/core components and have
+# access to lower layes of the stack (all the way down to hardware) thus
+# increasing opportunities for bypassing the Android security model.
neverallow all_untrusted_apps protected_hwservice:hwservice_manager find;
-neverallow all_untrusted_apps protected_service:service_manager find;
+
+neverallow all_untrusted_apps {
+ vendor_service
+}:service_manager find;
# SELinux is not an API for untrusted apps to use
neverallow all_untrusted_apps selinuxfs:file no_rw_file_perms;
@@ -231,7 +249,6 @@
# Untrusted apps are not allowed to use cgroups.
neverallow all_untrusted_apps cgroup:file *;
-neverallow all_untrusted_apps cgroup_v2:file *;
# /mnt/sdcard symlink was supposed to have been removed in Gingerbread. Apps
# must not use it.
diff --git a/private/app_zygote.te b/private/app_zygote.te
index 004c108..9285323 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -41,9 +41,6 @@
# Check SELinux permissions.
selinux_check_access(app_zygote)
-# Read and inspect temporary files managed by zygote.
-allow app_zygote zygote_tmpfs:file { read getattr };
-
######
###### Policy below is shared with regular zygote-spawned apps
######
@@ -56,11 +53,6 @@
r_dir_file(app_zygote, dalvikcache_data_file);
allow app_zygote dalvikcache_data_file:file execute;
-# Read /data/misc/apexdata/ to (get to com.android.art/dalvik-cache).
-allow app_zygote apex_module_data_file:dir search;
-# For ART APEX (read /data/misc/apexdata/com.android.art/dalvik-cache).
-r_dir_file(app_zygote, apex_art_data_file)
-
# Allow reading/executing installed binaries to enable preloading
# application data
allow app_zygote apk_data_file:dir r_dir_perms;
@@ -78,13 +70,6 @@
# Send unsolicited message to system_server
unix_socket_send(app_zygote, system_unsolzygote, system_server)
-# Allow the app_zygote to access the runtime feature flag properties.
-get_prop(app_zygote, device_config_runtime_native_prop)
-get_prop(app_zygote, device_config_runtime_native_boot_prop)
-
-# Allow app_zygote to access odsign verification status
-get_prop(app_zygote, odsign_prop)
-
#####
##### Neverallow
#####
@@ -108,7 +93,14 @@
neverallow app_zygote property_type:property_service set;
# Should not have any access to data files.
-neverallow app_zygote app_data_file_type:file { rwx_file_perms };
+neverallow app_zygote {
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { rwx_file_perms };
neverallow app_zygote {
service_manager_type
diff --git a/private/art_apex_boot_integrity.te b/private/art_apex_boot_integrity.te
new file mode 100644
index 0000000..ba02083
--- /dev/null
+++ b/private/art_apex_boot_integrity.te
@@ -0,0 +1,28 @@
+# This command set checks the integrity of boot classpath ART
+# artifacts in /data, potentially removing them.
+
+type art_apex_boot_integrity, domain, coredomain;
+type art_apex_boot_integrity_exec, system_file_type, exec_type, file_type;
+
+# Technically not a daemon but we do want the transition from init domain to
+# art_apex_boot_integrity to occur.
+init_daemon_domain(art_apex_boot_integrity)
+
+# Read dalvik cache directories, remove entries.
+allow art_apex_boot_integrity dalvikcache_data_file:dir { r_dir_perms write remove_name };
+# Read and possibly delete dalvik cache files.
+allow art_apex_boot_integrity dalvikcache_data_file:file { r_file_perms unlink };
+
+# Allow art_apex_boot_integrity to execute itself using #!/system/bin/sh
+allow art_apex_boot_integrity shell_exec:file rx_file_perms;
+
+# Allow running the mv and rm/rmdir commands using art_apex_boot_integrity
+# permissions.
+allow art_apex_boot_integrity toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_boot_integrity system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_boot_integrity dalvikcache_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
diff --git a/private/art_apex_postinstall.te b/private/art_apex_postinstall.te
new file mode 100644
index 0000000..576ed20
--- /dev/null
+++ b/private/art_apex_postinstall.te
@@ -0,0 +1,31 @@
+# ART APEX postinstall.
+#
+
+type art_apex_postinstall, domain, coredomain;
+type art_apex_postinstall_exec, system_file_type, exec_type, file_type;
+
+# /system/bin/sh (see b/126787589).
+allow art_apex_postinstall apexd:fd use;
+
+# Read temp dirs and files. Move directories.
+allow art_apex_postinstall ota_data_file:dir { r_dir_perms write rename remove_name relabelfrom reparent };
+allow art_apex_postinstall ota_data_file:file { r_file_perms relabelfrom };
+# We're deleting the old /data/dalvik-cache/* and move the new ones
+# over.
+allow art_apex_postinstall dalvikcache_data_file:dir { create_dir_perms relabelto };
+allow art_apex_postinstall dalvikcache_data_file:file { r_file_perms unlink relabelto };
+
+# Required for relabel.
+allow art_apex_postinstall file_contexts_file:file r_file_perms;
+allow art_apex_postinstall self:global_capability_class_set sys_admin;
+
+# Script helpers.
+allow art_apex_postinstall shell_exec:file rx_file_perms;
+allow art_apex_postinstall toolbox_exec:file rx_file_perms;
+
+# Fsverity in the same domain.
+allow art_apex_postinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_postinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
diff --git a/private/art_apex_preinstall.te b/private/art_apex_preinstall.te
new file mode 100644
index 0000000..12b1020
--- /dev/null
+++ b/private/art_apex_preinstall.te
@@ -0,0 +1,33 @@
+# ART APEX preinstall.
+#
+
+type art_apex_preinstall, domain, coredomain;
+type art_apex_preinstall_exec, system_file_type, exec_type, file_type;
+
+# /system/bin/sh (see b/126787589).
+allow art_apex_preinstall apexd:fd use;
+
+# Create temp dirs and files under /data/ota.
+allow art_apex_preinstall ota_data_file:dir create_dir_perms;
+allow art_apex_preinstall ota_data_file:file create_file_perms;
+# We mount /data/ota/dalvik-cache over /data/dalvik-cache in our
+# mount namespace.
+allow art_apex_preinstall dalvikcache_data_file:dir { r_dir_perms mounton };
+allow art_apex_preinstall self:capability sys_admin;
+
+# Script helpers.
+allow art_apex_preinstall shell_exec:file rx_file_perms;
+allow art_apex_preinstall toolbox_exec:file rx_file_perms;
+
+# Execute subscripts in the same domain.
+allow art_apex_preinstall art_apex_preinstall_exec:file execute_no_trans;
+
+# Run dex2oat.
+domain_auto_trans(art_apex_preinstall, dex2oat_exec, dex2oat)
+
+# Fsverity in the same domain.
+allow art_apex_preinstall system_file:file execute_no_trans;
+# Fsverity work.
+allowxperm art_apex_preinstall ota_data_file:file ioctl {
+ FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY
+};
diff --git a/private/asan_extract.te b/private/asan_extract.te
index 69bcd50..1c20d78 100644
--- a/private/asan_extract.te
+++ b/private/asan_extract.te
@@ -3,9 +3,6 @@
# Technically not a daemon but we do want the transition from init domain to
# asan_extract to occur.
with_asan(`
- typeattribute asan_extract coredomain;
- init_daemon_domain(asan_extract)
-
- # We need to signal a reboot when done.
- set_prop(asan_extract, powerctl_prop)
+typeattribute asan_extract coredomain;
+init_daemon_domain(asan_extract)
')
diff --git a/private/atrace.te b/private/atrace.te
index d9e351c..ad7d177 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -1,6 +1,7 @@
# Domain for atrace process.
# It is spawned either by traced_probes or by init for the boottrace service.
+type atrace, domain, coredomain;
type atrace_exec, exec_type, file_type, system_file_type;
# boottrace services uses /data/misc/boottrace/categories
@@ -27,16 +28,15 @@
allow atrace {
service_manager_type
-apex_service
- -dnsresolver_service
- -dumpstate_service
-incident_service
- -installd_service
-iorapd_service
- -lpdump_service
-netd_service
+ -dnsresolver_service
-stats_service
- -tracingproxy_service
+ -dumpstate_service
+ -installd_service
-vold_service
+ -lpdump_service
-default_android_service
}:service_manager { find };
allow atrace servicemanager:service_manager list;
@@ -59,7 +59,7 @@
hal_client_domain(atrace, hal_vibrator)
')
-# Remove logspam from notification attempts to non-allowlisted services.
+# Remove logspam from notification attempts to non-whitelisted services.
dontaudit atrace hwservice_manager_type:hwservice_manager find;
dontaudit atrace service_manager_type:service_manager find;
dontaudit atrace domain:binder call;
diff --git a/private/attributes b/private/attributes
index 991bac1..e01b212 100644
--- a/private/attributes
+++ b/private/attributes
@@ -1,12 +1 @@
hal_attribute(lazy_test);
-
-# This is applied to apps on vendor images with SDK <=30 only,
-# to exempt them from recent mls changes. It must not be applied
-# to any domain on newer system or vendor image.
-attribute mlsvendorcompat;
-
-# Attributes for property types having both system_property_type
-# and vendor_property_type. Such types are ill-formed because
-# property owner attributes must be exclusive.
-attribute system_and_vendor_property_type;
-expandattribute system_and_vendor_property_type false;
diff --git a/private/audioserver.te b/private/audioserver.te
index 2d0b46d..067152f 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -36,7 +36,6 @@
allow audioserver external_vibrator_service:service_manager find;
allow audioserver package_native_service:service_manager find;
allow audioserver permission_service:service_manager find;
-allow audioserver permission_checker_service:service_manager find;
allow audioserver power_service:service_manager find;
allow audioserver scheduling_policy_service:service_manager find;
allow audioserver mediametrics_service:service_manager find;
@@ -99,6 +98,3 @@
# Allow using wake locks
wakelock_use(audioserver)
-
-# Allow reading audio config props, e.g. af.fast_track_multiplier
-get_prop(audioserver, audio_config_prop)
diff --git a/private/automotive_display_service.te b/private/automotive_display_service.te
index da933a9..fa11ca4 100644
--- a/private/automotive_display_service.te
+++ b/private/automotive_display_service.te
@@ -16,7 +16,6 @@
# Allow to use HwBinder IPC for HAL implementations.
hwbinder_use(automotive_display_service)
hal_client_domain(automotive_display_service, hal_graphics_composer)
-hal_client_domain(automotive_display_service, hal_graphics_allocator)
# Allow to read the target property.
get_prop(automotive_display_service, hwservicemanager_prop)
diff --git a/private/binder_in_vendor_violators.te b/private/binder_in_vendor_violators.te
new file mode 100644
index 0000000..4a1218e
--- /dev/null
+++ b/private/binder_in_vendor_violators.te
@@ -0,0 +1 @@
+allow binder_in_vendor_violators binder_device:chr_file rw_file_perms;
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..0891ee5 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -18,7 +18,5 @@
allow binderservicedomain permission_service:service_manager find;
allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow binderservicedomain keystore:keystore2 { get_state };
-allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
diff --git a/private/blank_screen.te b/private/blank_screen.te
index 20d50cc..51310d1 100644
--- a/private/blank_screen.te
+++ b/private/blank_screen.te
@@ -3,5 +3,4 @@
init_daemon_domain(blank_screen)
-# hal_light_client has access to hal_light_server
hal_client_domain(blank_screen, hal_light)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 8fc6d20..1680361 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -1,6 +1,6 @@
# bluetooth app
-typeattribute bluetooth coredomain, mlstrustedsubject;
+typeattribute bluetooth coredomain;
app_domain(bluetooth)
net_domain(bluetooth)
@@ -57,7 +57,6 @@
allow bluetooth app_api_service:service_manager find;
allow bluetooth system_api_service:service_manager find;
allow bluetooth network_stack_service:service_manager find;
-allow bluetooth system_suspend_control_service:service_manager find;
# already open bugreport file descriptors may be shared with
# the bluetooth process, from a file in
diff --git a/private/bootanim.te b/private/bootanim.te
index 855bc3d..4740560 100644
--- a/private/bootanim.te
+++ b/private/bootanim.te
@@ -7,11 +7,3 @@
# Bootanim should not be reading default vendor-defined properties.
dontaudit bootanim vendor_default_prop:file read;
-
-# Read ro.boot.bootreason b/30654343
-get_prop(bootanim, bootloader_boot_reason_prop)
-
-get_prop(bootanim, bootanim_config_prop)
-
-# Allow updating boot animation status.
-set_prop(bootanim, bootanim_system_prop)
diff --git a/private/bootstat.te b/private/bootstat.te
index 016292e..806144c 100644
--- a/private/bootstat.te
+++ b/private/bootstat.te
@@ -1,34 +1,3 @@
typeattribute bootstat coredomain;
init_daemon_domain(bootstat)
-
-# Collect metrics on boot time created by init
-get_prop(bootstat, boottime_prop)
-
-# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
-set_prop(bootstat, bootloader_boot_reason_prop)
-set_prop(bootstat, system_boot_reason_prop)
-set_prop(bootstat, last_boot_reason_prop)
-
-neverallow {
- domain
- -bootanim
- -bootstat
- -dumpstate
- userdebug_or_eng(`-incidentd')
- -init
- -recovery
- -shell
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
-# ... and refine, as these components should not set the last boot reason
-neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
-
-neverallow {
- domain
- -bootstat
- -init
- -system_server
-} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
-# ... and refine ... for a ro propertly no less ... keep this _tight_
-neverallow system_server bootloader_boot_reason_prop:property_service set;
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 343ec7a..74a8e25 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -4,40 +4,37 @@
typeattribute bpfloader coredomain;
# These permissions are required to pin ebpf maps & programs.
-allow bpfloader { fs_bpf fs_bpf_tethering }:dir { add_name create search write };
-allow bpfloader { fs_bpf fs_bpf_tethering }:file { create read setattr };
-allow fs_bpf_tethering fs_bpf:filesystem associate;
+allow bpfloader fs_bpf:dir { search write add_name };
+allow bpfloader fs_bpf:file { create setattr read };
# Allow bpfloader to create bpf maps and programs.
allow bpfloader self:bpf { map_create map_read map_write prog_load prog_run };
-allow bpfloader self:capability { chown sys_admin net_admin };
-
-set_prop(bpfloader, bpf_progs_loaded_prop)
+allow bpfloader self:capability { chown sys_admin };
###
### Neverallow rules
###
-# TODO: get rid of init & vendor_init; Note: we don't care about getattr/mounton/search
-neverallow { domain -init -vendor_init } { fs_bpf fs_bpf_tethering }:dir { open read setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:dir { add_name create write };
-neverallow domain { fs_bpf fs_bpf_tethering }:dir ~{ add_name create getattr mounton open read search setattr write };
+# TODO: get rid of init & vendor_init
+neverallow { domain -init -vendor_init } fs_bpf:dir setattr;
+neverallow { domain -bpfloader } fs_bpf:dir { write add_name };
+neverallow domain fs_bpf:dir { reparent rename rmdir };
# TODO: get rid of init & vendor_init
-neverallow { domain -bpfloader -init -vendor_init } { fs_bpf fs_bpf_tethering }:file { map open setattr };
-neverallow { domain -bpfloader } { fs_bpf fs_bpf_tethering }:file create;
-neverallow { domain -bpfloader -gpuservice -init -lmkd -netd -netutils_wrapper -network_stack -system_server -vendor_init } { fs_bpf fs_bpf_tethering }:file read;
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } { fs_bpf fs_bpf_tethering }:file write;
-neverallow domain { fs_bpf fs_bpf_tethering }:file ~{ create map open read setattr write };
+neverallow { domain -bpfloader -init -vendor_init } fs_bpf:file setattr;
+neverallow { domain -bpfloader } fs_bpf:file create;
+neverallow domain fs_bpf:file { rename unlink };
neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -lmkd -netd -network_stack -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
+neverallow bpfloader domain:{ tcp_socket udp_socket rawip_socket } *;
# No domain should be allowed to ptrace bpfloader
neverallow { domain userdebug_or_eng(`-llkd') } bpfloader:process ptrace;
+
+set_prop(bpfloader, bpf_progs_loaded_prop)
diff --git a/private/bug_map b/private/bug_map
index 5b042ae..eaa1593 100644
--- a/private/bug_map
+++ b/private/bug_map
@@ -28,8 +28,8 @@
system_server crash_dump process b/73128755
system_server overlayfs_file file b/142390309
system_server sdcardfs file b/77856826
+system_server storage_stub_file dir b/145267097
system_server zygote process b/77856826
untrusted_app untrusted_app netlink_route_socket b/155595000
vold system_data_file file b/124108085
zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/private/canhalconfigurator.te b/private/canhalconfigurator.te
deleted file mode 100644
index 9ba60ac..0000000
--- a/private/canhalconfigurator.te
+++ /dev/null
@@ -1,7 +0,0 @@
-type canhalconfigurator, domain, coredomain;
-type canhalconfigurator_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(canhalconfigurator)
-
-# This allows the configurator to look up the CAN HAL controller via
-# hwservice_manager and communicate with it.
-hal_client_domain(canhalconfigurator, hal_can_controller)
diff --git a/private/charger.te b/private/charger.te
index 8be113f..65109de 100644
--- a/private/charger.te
+++ b/private/charger.te
@@ -1,31 +1 @@
typeattribute charger coredomain;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charger, system_prop)
-set_prop(charger, exported_system_prop)
-set_prop(charger, exported3_system_prop)
-set_prop(charger, charger_status_prop)
-
-get_prop(charger, charger_prop)
-get_prop(charger, charger_config_prop)
-
-# get minui properties
-get_prop(charger, recovery_config_prop)
-
-compatible_property_only(`
- neverallow {
- domain
- -init
- -dumpstate
- -charger
- } charger_prop:file no_rw_file_perms;
-')
-
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
- -charger
-} { charger_config_prop charger_status_prop }:file no_rw_file_perms;
diff --git a/private/compat/26.0/26.0.compat.cil b/private/compat/26.0/26.0.compat.cil
index 2e85b23..30af58c 100644
--- a/private/compat/26.0/26.0.compat.cil
+++ b/private/compat/26.0/26.0.compat.cil
@@ -3,9 +3,3 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 98d5840..b395855 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -18,11 +18,9 @@
apexd_prop
apexd_tmpfs
app_zygote
- audio_config_prop
atrace
binder_calls_stats_service
biometric_service
- boot_status_prop
bootloader_boot_reason_prop
blank_screen
blank_screen_exec
@@ -41,7 +39,6 @@
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
- dalvik_config_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
@@ -70,6 +67,7 @@
exported2_radio_prop
exported2_system_prop
exported2_vold_prop
+ exported3_default_prop
exported3_radio_prop
exported3_system_prop
fastbootd
@@ -111,7 +109,6 @@
llkd_exec
llkd_prop
llkd_tmpfs
- lmkd_config_prop
looper_stats_service
lowpan_device
lowpan_prop
@@ -164,15 +161,12 @@
statscompanion_service
storaged_data_file
super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
sysfs_fs_ext4_features
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_net_netd_hwservice
system_update_service
- systemsound_config_prop
test_boot_reason_prop
thermal_service
thermalcallback_hwservice
@@ -209,13 +203,10 @@
vendor_shell
vendor_socket_hook_prop
vndk_prop
- vold_config_prop
vold_metadata_file
- vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
- vold_status_prop
vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
diff --git a/private/compat/27.0/27.0.compat.cil b/private/compat/27.0/27.0.compat.cil
index 2e85b23..30af58c 100644
--- a/private/compat/27.0/27.0.compat.cil
+++ b/private/compat/27.0/27.0.compat.cil
@@ -3,9 +3,3 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 427f4d4..cb500c9 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -5,8 +5,6 @@
(typeattribute new_objects)
(typeattributeset new_objects
( new_objects
- aac_drc_prop
- aaudio_config_prop
activity_task_service
adb_service
app_binding_service
@@ -19,31 +17,18 @@
apexd_prop
apexd_tmpfs
app_zygote
- art_apex_dir
atrace
- audio_config_prop
binder_calls_stats_service
biometric_service
blank_screen
blank_screen_exec
blank_screen_tmpfs
- boot_status_prop
- bootanim_system_prop
bootloader_boot_reason_prop
- bootloader_prop
bluetooth_a2dp_offload_prop
bpfloader
bpfloader_exec
- build_bootimage_prop
- build_odm_prop
- build_prop
- build_vendor_prop
- camera_calibration_prop
- camera_config_prop
cgroup_bpf
- charger_config_prop
charger_exec
- charger_status_prop
color_display_service
content_capture_service
crossprofileapps_service
@@ -52,13 +37,10 @@
ctl_interface_start_prop
ctl_interface_stop_prop
ctl_sigstop_prop
- dalvik_config_prop
- dalvik_runtime_prop
device_config_boot_count_prop
device_config_reset_performed_prop
device_config_netd_native_prop
dnsresolver_service
- drm_service_config_prop
exfat
exported2_config_prop
exported2_default_prop
@@ -85,8 +67,6 @@
exported_vold_prop
exported_wifi_prop
fastbootd
- ffs_config_prop
- ffs_control_prop
flags_health_check
flags_health_check_exec
fingerprint_vendor_data_file
@@ -99,39 +79,30 @@
hal_confirmationui_hwservice
hal_evs_hwservice
hal_health_storage_hwservice
- hal_instrumentation_prop
hal_lowpan_hwservice
hal_secure_element_hwservice
hal_usb_gadget_hwservice
hal_vehicle_hwservice
hal_wifi_hostapd_hwservice
- hdmi_config_prop
heapprofd
heapprofd_exec
heapprofd_socket
incident_helper
incident_helper_exec
- init_service_status_private_prop
- init_service_status_prop
iorapd
iorapd_data_file
iorapd_exec
iorapd_service
iorapd_tmpfs
- keyguard_config_prop
last_boot_reason_prop
- libc_debug_prop
llkd
llkd_exec
llkd_prop
llkd_tmpfs
- lmkd_config_prop
looper_stats_service
lowpan_device
lowpan_prop
lowpan_service
- media_config_prop
- mediadrm_config_prop
mediaextractor_update_service
mediaswcodec
mediaswcodec_exec
@@ -144,28 +115,21 @@
network_stack_service
network_watchlist_data_file
network_watchlist_service
- oem_unlock_prop
overlayfs_file
- packagemanager_config_prop
perfetto
perfetto_exec
perfetto_tmpfs
perfetto_traces_data_file
property_info
- property_service_version_prop
- provisioned_prop
- radio_control_prop
- recovery_config_prop
recovery_socket
- retaildemo_prop
role_service
runas_app
+ art_apex_dir
runtime_service
secure_element
secure_element_device
secure_element_service
secure_element_tmpfs
- sendbug_config_prop
server_configurable_flags_data_file
simpleperf_app_runner
simpleperf_app_runner_exec
@@ -183,21 +147,14 @@
statsdw_socket
storaged_data_file
super_block_device
- surfaceflinger_color_prop
- surfaceflinger_prop
staging_data_file
- storagemanager_config_prop
system_boot_reason_prop
system_bootstrap_lib_file
system_lmk_prop
system_update_service
- systemsound_config_prop
- telephony_config_prop
- telephony_status_prop
test_boot_reason_prop
time_prop
timedetector_service
- tombstone_config_prop
tombstone_wifi_data_file
trace_data_file
traced
@@ -214,8 +171,6 @@
untrusted_app_all_devpts
update_engine_log_data_file
uri_grants_service
- usb_config_prop
- usb_control_prop
usbd
usbd_exec
usbd_tmpfs
@@ -226,29 +181,20 @@
vendor_shell
vendor_socket_hook_prop
vndk_prop
- vold_config_prop
vold_metadata_file
- vold_post_fs_data_prop
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
- vold_status_prop
vrflinger_vsync_service
- vts_config_prop
- vts_status_prop
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
watchdogd_tmpfs
- wifi_config_prop
- wifi_hal_prop
wm_trace_data_file
wpantund
wpantund_exec
wpantund_service
- wpantund_tmpfs
- zram_config_prop
- zram_control_prop))
+ wpantund_tmpfs))
;; private_objects - a collection of types that were labeled differently in
;; older policy, but that should not remain accessible to vendor policy.
diff --git a/private/compat/28.0/28.0.compat.cil b/private/compat/28.0/28.0.compat.cil
index 2e85b23..30af58c 100644
--- a/private/compat/28.0/28.0.compat.cil
+++ b/private/compat/28.0/28.0.compat.cil
@@ -3,9 +3,3 @@
(allowx vendordomain dev_type (ioctl blk_file ((range 0x0000 0xffff))))
(allowx vendordomain file_type (ioctl file ((range 0x0000 0xffff))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index e7ddf48..d24d12d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -61,7 +61,6 @@
gpuservice
gsi_data_file
gsi_metadata_file
- gsi_public_metadata_file
gsi_service
gsid
gsid_exec
diff --git a/private/compat/29.0/29.0.cil b/private/compat/29.0/29.0.cil
index 0fb0a1c..5231498 100644
--- a/private/compat/29.0/29.0.cil
+++ b/private/compat/29.0/29.0.cil
@@ -1,10 +1,5 @@
;; types removed from current policy
(type ashmemd)
-(type exported_audio_prop)
-(type exported_dalvik_prop)
-(type exported_vold_prop)
-(type exported2_config_prop)
-(type exported2_vold_prop)
(type hal_wifi_offload_hwservice)
(type install_recovery)
(type install_recovery_exec)
@@ -1200,26 +1195,20 @@
(typeattributeset ephemeral_app_29_0 (ephemeral_app))
(typeattributeset ethernet_service_29_0 (ethernet_service))
(typeattributeset exfat_29_0 (exfat))
-(typeattributeset exported2_config_prop_29_0 (exported2_config_prop systemsound_config_prop))
+(typeattributeset exported2_config_prop_29_0 (exported2_config_prop))
(typeattributeset exported2_default_prop_29_0 (exported2_default_prop))
(typeattributeset exported2_radio_prop_29_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_29_0
- ( exported2_system_prop
- surfaceflinger_color_prop))
-(typeattributeset exported2_vold_prop_29_0
- ( exported2_vold_prop
- vold_config_prop
- vold_post_fs_data_prop))
-(typeattributeset exported3_default_prop_29_0 (exported3_default_prop lmkd_config_prop))
+(typeattributeset exported2_system_prop_29_0 (exported2_system_prop))
+(typeattributeset exported2_vold_prop_29_0 (exported2_vold_prop))
+(typeattributeset exported3_default_prop_29_0 (exported3_default_prop))
(typeattributeset exported3_radio_prop_29_0 (exported3_radio_prop))
-(typeattributeset exported3_system_prop_29_0 (exported3_system_prop boot_status_prop))
-(typeattributeset exported_audio_prop_29_0 (exported_audio_prop audio_config_prop))
+(typeattributeset exported3_system_prop_29_0 (exported3_system_prop))
+(typeattributeset exported_audio_prop_29_0 (exported_audio_prop))
(typeattributeset exported_bluetooth_prop_29_0 (exported_bluetooth_prop))
(typeattributeset exported_config_prop_29_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop dalvik_config_prop))
+(typeattributeset exported_dalvik_prop_29_0 (exported_dalvik_prop))
(typeattributeset exported_default_prop_29_0
( exported_default_prop
- surfaceflinger_prop
vndk_prop))
(typeattributeset exported_dumpstate_prop_29_0 (exported_dumpstate_prop))
(typeattributeset exported_ffs_prop_29_0 (exported_ffs_prop))
@@ -1230,7 +1219,7 @@
(typeattributeset exported_secure_prop_29_0 (exported_secure_prop))
(typeattributeset exported_system_prop_29_0 (exported_system_prop))
(typeattributeset exported_system_radio_prop_29_0 (exported_system_radio_prop))
-(typeattributeset exported_vold_prop_29_0 (exported_vold_prop vold_status_prop))
+(typeattributeset exported_vold_prop_29_0 (exported_vold_prop))
(typeattributeset exported_wifi_prop_29_0 (exported_wifi_prop))
(typeattributeset external_vibrator_service_29_0 (external_vibrator_service))
(typeattributeset face_service_29_0 (face_service))
@@ -1917,9 +1906,7 @@
(typeattributeset vendor_keychars_file_29_0 (vendor_keychars_file))
(typeattributeset vendor_keylayout_file_29_0 (vendor_keylayout_file))
(typeattributeset vendor_overlay_file_29_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_29_0
- ( vendor_public_framework_file
- vendor_public_lib_file))
+(typeattributeset vendor_public_lib_file_29_0 (vendor_public_lib_file))
(typeattributeset vendor_security_patch_level_prop_29_0 (vendor_security_patch_level_prop))
(typeattributeset vendor_shell_29_0 (vendor_shell))
(typeattributeset vendor_shell_exec_29_0 (vendor_shell_exec))
diff --git a/private/compat/29.0/29.0.compat.cil b/private/compat/29.0/29.0.compat.cil
index ccd9d1a..af4da8a 100644
--- a/private/compat/29.0/29.0.compat.cil
+++ b/private/compat/29.0/29.0.compat.cil
@@ -1,9 +1,3 @@
(typeattribute vendordomain)
(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
(allow vendordomain self (netlink_route_socket (nlmsg_readpriv)))
-
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 1079046..fdea691 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -38,6 +38,7 @@
platform_compat_service
ctl_apexd_prop
dataloader_manager_service
+ debugfs_kprobes
device_config_storage_native_boot_prop
device_config_sys_traced_prop
device_config_window_manager_native_boot_prop
@@ -49,7 +50,6 @@
fwk_automotive_display_hwservice
fusectlfs
gmscore_app
- gnss_device
graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
diff --git a/private/compat/30.0/30.0.cil b/private/compat/30.0/30.0.cil
deleted file mode 100644
index 9f40876..0000000
--- a/private/compat/30.0/30.0.cil
+++ /dev/null
@@ -1,2266 +0,0 @@
-;; types removed from current policy
-(type cgroup_bpf)
-(type exported_audio_prop)
-(type exported_dalvik_prop)
-(type exported_ffs_prop)
-(type exported_fingerprint_prop)
-(type exported_system_radio_prop)
-(type exported_radio_prop)
-(type exported_vold_prop)
-(type exported_wifi_prop)
-(type exported2_config_prop)
-(type exported2_default_prop)
-(type exported2_radio_prop)
-(type exported2_system_prop)
-(type exported2_vold_prop)
-(type exported3_default_prop)
-(type exported3_radio_prop)
-(type ffs_prop)
-(type system_radio_prop)
-(type thermalcallback_hwservice)
-
-(typeattribute binder_in_vendor_violators)
-
-(expandtypeattribute (DockObserver_service_30_0) true)
-(expandtypeattribute (IProxyService_service_30_0) true)
-(expandtypeattribute (accessibility_service_30_0) true)
-(expandtypeattribute (account_service_30_0) true)
-(expandtypeattribute (activity_service_30_0) true)
-(expandtypeattribute (activity_task_service_30_0) true)
-(expandtypeattribute (adb_data_file_30_0) true)
-(expandtypeattribute (adb_keys_file_30_0) true)
-(expandtypeattribute (adb_service_30_0) true)
-(expandtypeattribute (adbd_30_0) true)
-(expandtypeattribute (adbd_exec_30_0) true)
-(expandtypeattribute (adbd_prop_30_0) true)
-(expandtypeattribute (adbd_socket_30_0) true)
-(expandtypeattribute (aidl_lazy_test_server_30_0) true)
-(expandtypeattribute (aidl_lazy_test_server_exec_30_0) true)
-(expandtypeattribute (aidl_lazy_test_service_30_0) true)
-(expandtypeattribute (alarm_service_30_0) true)
-(expandtypeattribute (anr_data_file_30_0) true)
-(expandtypeattribute (apex_data_file_30_0) true)
-(expandtypeattribute (apex_metadata_file_30_0) true)
-(expandtypeattribute (apex_mnt_dir_30_0) true)
-(expandtypeattribute (apex_module_data_file_30_0) true)
-(expandtypeattribute (apex_permission_data_file_30_0) true)
-(expandtypeattribute (apex_rollback_data_file_30_0) true)
-(expandtypeattribute (apex_service_30_0) true)
-(expandtypeattribute (apex_wifi_data_file_30_0) true)
-(expandtypeattribute (apexd_30_0) true)
-(expandtypeattribute (apexd_exec_30_0) true)
-(expandtypeattribute (apexd_prop_30_0) true)
-(expandtypeattribute (apk_data_file_30_0) true)
-(expandtypeattribute (apk_private_data_file_30_0) true)
-(expandtypeattribute (apk_private_tmp_file_30_0) true)
-(expandtypeattribute (apk_tmp_file_30_0) true)
-(expandtypeattribute (apk_verity_prop_30_0) true)
-(expandtypeattribute (app_binding_service_30_0) true)
-(expandtypeattribute (app_data_file_30_0) true)
-(expandtypeattribute (app_fuse_file_30_0) true)
-(expandtypeattribute (app_fusefs_30_0) true)
-(expandtypeattribute (app_integrity_service_30_0) true)
-(expandtypeattribute (app_prediction_service_30_0) true)
-(expandtypeattribute (app_search_service_30_0) true)
-(expandtypeattribute (app_zygote_30_0) true)
-(expandtypeattribute (app_zygote_tmpfs_30_0) true)
-(expandtypeattribute (appdomain_tmpfs_30_0) true)
-(expandtypeattribute (appops_service_30_0) true)
-(expandtypeattribute (appwidget_service_30_0) true)
-(expandtypeattribute (art_apex_dir_30_0) true)
-(expandtypeattribute (asec_apk_file_30_0) true)
-(expandtypeattribute (asec_image_file_30_0) true)
-(expandtypeattribute (asec_public_file_30_0) true)
-(expandtypeattribute (ashmem_device_30_0) true)
-(expandtypeattribute (ashmem_libcutils_device_30_0) true)
-(expandtypeattribute (assetatlas_service_30_0) true)
-(expandtypeattribute (audio_data_file_30_0) true)
-(expandtypeattribute (audio_device_30_0) true)
-(expandtypeattribute (audio_prop_30_0) true)
-(expandtypeattribute (audio_service_30_0) true)
-(expandtypeattribute (audiohal_data_file_30_0) true)
-(expandtypeattribute (audioserver_30_0) true)
-(expandtypeattribute (audioserver_data_file_30_0) true)
-(expandtypeattribute (audioserver_service_30_0) true)
-(expandtypeattribute (audioserver_tmpfs_30_0) true)
-(expandtypeattribute (auth_service_30_0) true)
-(expandtypeattribute (autofill_service_30_0) true)
-(expandtypeattribute (backup_data_file_30_0) true)
-(expandtypeattribute (backup_service_30_0) true)
-(expandtypeattribute (battery_service_30_0) true)
-(expandtypeattribute (batteryproperties_service_30_0) true)
-(expandtypeattribute (batterystats_service_30_0) true)
-(expandtypeattribute (binder_cache_bluetooth_server_prop_30_0) true)
-(expandtypeattribute (binder_cache_system_server_prop_30_0) true)
-(expandtypeattribute (binder_cache_telephony_server_prop_30_0) true)
-(expandtypeattribute (binder_calls_stats_service_30_0) true)
-(expandtypeattribute (binder_device_30_0) true)
-(expandtypeattribute (binderfs_30_0) true)
-(expandtypeattribute (binderfs_logs_30_0) true)
-(expandtypeattribute (binderfs_logs_proc_30_0) true)
-(expandtypeattribute (binfmt_miscfs_30_0) true)
-(expandtypeattribute (biometric_service_30_0) true)
-(expandtypeattribute (blkid_30_0) true)
-(expandtypeattribute (blkid_untrusted_30_0) true)
-(expandtypeattribute (blob_store_service_30_0) true)
-(expandtypeattribute (block_device_30_0) true)
-(expandtypeattribute (bluetooth_30_0) true)
-(expandtypeattribute (bluetooth_a2dp_offload_prop_30_0) true)
-(expandtypeattribute (bluetooth_audio_hal_prop_30_0) true)
-(expandtypeattribute (bluetooth_data_file_30_0) true)
-(expandtypeattribute (bluetooth_efs_file_30_0) true)
-(expandtypeattribute (bluetooth_logs_data_file_30_0) true)
-(expandtypeattribute (bluetooth_manager_service_30_0) true)
-(expandtypeattribute (bluetooth_prop_30_0) true)
-(expandtypeattribute (bluetooth_service_30_0) true)
-(expandtypeattribute (bluetooth_socket_30_0) true)
-(expandtypeattribute (boot_block_device_30_0) true)
-(expandtypeattribute (bootanim_30_0) true)
-(expandtypeattribute (bootanim_exec_30_0) true)
-(expandtypeattribute (bootchart_data_file_30_0) true)
-(expandtypeattribute (bootloader_boot_reason_prop_30_0) true)
-(expandtypeattribute (bootstat_30_0) true)
-(expandtypeattribute (bootstat_data_file_30_0) true)
-(expandtypeattribute (bootstat_exec_30_0) true)
-(expandtypeattribute (boottime_prop_30_0) true)
-(expandtypeattribute (boottime_public_prop_30_0) true)
-(expandtypeattribute (boottrace_data_file_30_0) true)
-(expandtypeattribute (bpf_progs_loaded_prop_30_0) true)
-(expandtypeattribute (bq_config_prop_30_0) true)
-(expandtypeattribute (broadcastradio_service_30_0) true)
-(expandtypeattribute (bufferhubd_30_0) true)
-(expandtypeattribute (bufferhubd_exec_30_0) true)
-(expandtypeattribute (bugreport_service_30_0) true)
-(expandtypeattribute (cache_backup_file_30_0) true)
-(expandtypeattribute (cache_block_device_30_0) true)
-(expandtypeattribute (cache_file_30_0) true)
-(expandtypeattribute (cache_private_backup_file_30_0) true)
-(expandtypeattribute (cache_recovery_file_30_0) true)
-(expandtypeattribute (camera_data_file_30_0) true)
-(expandtypeattribute (camera_device_30_0) true)
-(expandtypeattribute (cameraproxy_service_30_0) true)
-(expandtypeattribute (cameraserver_30_0) true)
-(expandtypeattribute (cameraserver_exec_30_0) true)
-(expandtypeattribute (cameraserver_service_30_0) true)
-(expandtypeattribute (cameraserver_tmpfs_30_0) true)
-(expandtypeattribute (cgroup_30_0) true)
-(expandtypeattribute (cgroup_bpf_30_0) true)
-(expandtypeattribute (cgroup_desc_file_30_0) true)
-(expandtypeattribute (cgroup_rc_file_30_0) true)
-(expandtypeattribute (charger_30_0) true)
-(expandtypeattribute (charger_exec_30_0) true)
-(expandtypeattribute (charger_prop_30_0) true)
-(expandtypeattribute (clipboard_service_30_0) true)
-(expandtypeattribute (cold_boot_done_prop_30_0) true)
-(expandtypeattribute (color_display_service_30_0) true)
-(expandtypeattribute (companion_device_service_30_0) true)
-(expandtypeattribute (config_prop_30_0) true)
-(expandtypeattribute (configfs_30_0) true)
-(expandtypeattribute (connectivity_service_30_0) true)
-(expandtypeattribute (connmetrics_service_30_0) true)
-(expandtypeattribute (console_device_30_0) true)
-(expandtypeattribute (consumer_ir_service_30_0) true)
-(expandtypeattribute (content_capture_service_30_0) true)
-(expandtypeattribute (content_service_30_0) true)
-(expandtypeattribute (content_suggestions_service_30_0) true)
-(expandtypeattribute (contexthub_service_30_0) true)
-(expandtypeattribute (coredump_file_30_0) true)
-(expandtypeattribute (country_detector_service_30_0) true)
-(expandtypeattribute (coverage_service_30_0) true)
-(expandtypeattribute (cppreopt_prop_30_0) true)
-(expandtypeattribute (cpu_variant_prop_30_0) true)
-(expandtypeattribute (cpuinfo_service_30_0) true)
-(expandtypeattribute (crash_dump_30_0) true)
-(expandtypeattribute (crash_dump_exec_30_0) true)
-(expandtypeattribute (credstore_30_0) true)
-(expandtypeattribute (credstore_data_file_30_0) true)
-(expandtypeattribute (credstore_exec_30_0) true)
-(expandtypeattribute (credstore_service_30_0) true)
-(expandtypeattribute (crossprofileapps_service_30_0) true)
-(expandtypeattribute (ctl_adbd_prop_30_0) true)
-(expandtypeattribute (ctl_apexd_prop_30_0) true)
-(expandtypeattribute (ctl_bootanim_prop_30_0) true)
-(expandtypeattribute (ctl_bugreport_prop_30_0) true)
-(expandtypeattribute (ctl_console_prop_30_0) true)
-(expandtypeattribute (ctl_default_prop_30_0) true)
-(expandtypeattribute (ctl_dumpstate_prop_30_0) true)
-(expandtypeattribute (ctl_fuse_prop_30_0) true)
-(expandtypeattribute (ctl_gsid_prop_30_0) true)
-(expandtypeattribute (ctl_interface_restart_prop_30_0) true)
-(expandtypeattribute (ctl_interface_start_prop_30_0) true)
-(expandtypeattribute (ctl_interface_stop_prop_30_0) true)
-(expandtypeattribute (ctl_mdnsd_prop_30_0) true)
-(expandtypeattribute (ctl_restart_prop_30_0) true)
-(expandtypeattribute (ctl_rildaemon_prop_30_0) true)
-(expandtypeattribute (ctl_sigstop_prop_30_0) true)
-(expandtypeattribute (ctl_start_prop_30_0) true)
-(expandtypeattribute (ctl_stop_prop_30_0) true)
-(expandtypeattribute (dalvik_prop_30_0) true)
-(expandtypeattribute (dalvikcache_data_file_30_0) true)
-(expandtypeattribute (dataloader_manager_service_30_0) true)
-(expandtypeattribute (dbinfo_service_30_0) true)
-(expandtypeattribute (debug_prop_30_0) true)
-(expandtypeattribute (debugfs_30_0) true)
-(expandtypeattribute (debugfs_mmc_30_0) true)
-(expandtypeattribute (debugfs_trace_marker_30_0) true)
-(expandtypeattribute (debugfs_tracing_30_0) true)
-(expandtypeattribute (debugfs_tracing_debug_30_0) true)
-(expandtypeattribute (debugfs_tracing_instances_30_0) true)
-(expandtypeattribute (debugfs_wakeup_sources_30_0) true)
-(expandtypeattribute (debugfs_wifi_tracing_30_0) true)
-(expandtypeattribute (debuggerd_prop_30_0) true)
-(expandtypeattribute (default_android_hwservice_30_0) true)
-(expandtypeattribute (default_android_service_30_0) true)
-(expandtypeattribute (default_android_vndservice_30_0) true)
-(expandtypeattribute (default_prop_30_0) true)
-(expandtypeattribute (dev_cpu_variant_30_0) true)
-(expandtypeattribute (device_30_0) true)
-(expandtypeattribute (device_config_activity_manager_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_boot_count_prop_30_0) true)
-(expandtypeattribute (device_config_configuration_prop_30_0) true)
-(expandtypeattribute (device_config_input_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_media_native_prop_30_0) true)
-(expandtypeattribute (device_config_netd_native_prop_30_0) true)
-(expandtypeattribute (device_config_reset_performed_prop_30_0) true)
-(expandtypeattribute (device_config_runtime_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_runtime_native_prop_30_0) true)
-(expandtypeattribute (device_config_service_30_0) true)
-(expandtypeattribute (device_config_storage_native_boot_prop_30_0) true)
-(expandtypeattribute (device_config_sys_traced_prop_30_0) true)
-(expandtypeattribute (device_config_window_manager_native_boot_prop_30_0) true)
-(expandtypeattribute (device_identifiers_service_30_0) true)
-(expandtypeattribute (device_logging_prop_30_0) true)
-(expandtypeattribute (device_policy_service_30_0) true)
-(expandtypeattribute (deviceidle_service_30_0) true)
-(expandtypeattribute (devicestoragemonitor_service_30_0) true)
-(expandtypeattribute (devpts_30_0) true)
-(expandtypeattribute (dhcp_30_0) true)
-(expandtypeattribute (dhcp_data_file_30_0) true)
-(expandtypeattribute (dhcp_exec_30_0) true)
-(expandtypeattribute (dhcp_prop_30_0) true)
-(expandtypeattribute (diskstats_service_30_0) true)
-(expandtypeattribute (display_service_30_0) true)
-(expandtypeattribute (dm_device_30_0) true)
-(expandtypeattribute (dnsmasq_30_0) true)
-(expandtypeattribute (dnsmasq_exec_30_0) true)
-(expandtypeattribute (dnsproxyd_socket_30_0) true)
-(expandtypeattribute (dnsresolver_service_30_0) true)
-(expandtypeattribute (dreams_service_30_0) true)
-(expandtypeattribute (drm_data_file_30_0) true)
-(expandtypeattribute (drmserver_30_0) true)
-(expandtypeattribute (drmserver_exec_30_0) true)
-(expandtypeattribute (drmserver_service_30_0) true)
-(expandtypeattribute (drmserver_socket_30_0) true)
-(expandtypeattribute (dropbox_data_file_30_0) true)
-(expandtypeattribute (dropbox_service_30_0) true)
-(expandtypeattribute (dumpstate_30_0) true)
-(expandtypeattribute (dumpstate_exec_30_0) true)
-(expandtypeattribute (dumpstate_options_prop_30_0) true)
-(expandtypeattribute (dumpstate_prop_30_0) true)
-(expandtypeattribute (dumpstate_service_30_0) true)
-(expandtypeattribute (dumpstate_socket_30_0) true)
-(expandtypeattribute (dynamic_system_prop_30_0) true)
-(expandtypeattribute (e2fs_30_0) true)
-(expandtypeattribute (e2fs_exec_30_0) true)
-(expandtypeattribute (efs_file_30_0) true)
-(expandtypeattribute (emergency_affordance_service_30_0) true)
-(expandtypeattribute (ephemeral_app_30_0) true)
-(expandtypeattribute (ethernet_service_30_0) true)
-(expandtypeattribute (exfat_30_0) true)
-(expandtypeattribute (exported2_config_prop_30_0) true)
-(expandtypeattribute (exported2_default_prop_30_0) true)
-(expandtypeattribute (exported2_radio_prop_30_0) true)
-(expandtypeattribute (exported2_system_prop_30_0) true)
-(expandtypeattribute (exported2_vold_prop_30_0) true)
-(expandtypeattribute (exported3_default_prop_30_0) true)
-(expandtypeattribute (exported3_radio_prop_30_0) true)
-(expandtypeattribute (exported3_system_prop_30_0) true)
-(expandtypeattribute (exported_audio_prop_30_0) true)
-(expandtypeattribute (exported_bluetooth_prop_30_0) true)
-(expandtypeattribute (exported_camera_prop_30_0) true)
-(expandtypeattribute (exported_config_prop_30_0) true)
-(expandtypeattribute (exported_dalvik_prop_30_0) true)
-(expandtypeattribute (exported_default_prop_30_0) true)
-(expandtypeattribute (exported_dumpstate_prop_30_0) true)
-(expandtypeattribute (exported_ffs_prop_30_0) true)
-(expandtypeattribute (exported_fingerprint_prop_30_0) true)
-(expandtypeattribute (exported_overlay_prop_30_0) true)
-(expandtypeattribute (exported_pm_prop_30_0) true)
-(expandtypeattribute (exported_radio_prop_30_0) true)
-(expandtypeattribute (exported_secure_prop_30_0) true)
-(expandtypeattribute (exported_system_prop_30_0) true)
-(expandtypeattribute (exported_system_radio_prop_30_0) true)
-(expandtypeattribute (exported_vold_prop_30_0) true)
-(expandtypeattribute (exported_wifi_prop_30_0) true)
-(expandtypeattribute (external_vibrator_service_30_0) true)
-(expandtypeattribute (face_service_30_0) true)
-(expandtypeattribute (face_vendor_data_file_30_0) true)
-(expandtypeattribute (fastbootd_30_0) true)
-(expandtypeattribute (ffs_prop_30_0) true)
-(expandtypeattribute (file_contexts_file_30_0) true)
-(expandtypeattribute (file_integrity_service_30_0) true)
-(expandtypeattribute (fingerprint_service_30_0) true)
-(expandtypeattribute (fingerprint_vendor_data_file_30_0) true)
-(expandtypeattribute (fingerprintd_30_0) true)
-(expandtypeattribute (fingerprintd_data_file_30_0) true)
-(expandtypeattribute (fingerprintd_exec_30_0) true)
-(expandtypeattribute (fingerprintd_service_30_0) true)
-(expandtypeattribute (firstboot_prop_30_0) true)
-(expandtypeattribute (flags_health_check_30_0) true)
-(expandtypeattribute (flags_health_check_exec_30_0) true)
-(expandtypeattribute (font_service_30_0) true)
-(expandtypeattribute (frp_block_device_30_0) true)
-(expandtypeattribute (fs_bpf_30_0) true)
-(expandtypeattribute (fsck_30_0) true)
-(expandtypeattribute (fsck_exec_30_0) true)
-(expandtypeattribute (fsck_untrusted_30_0) true)
-(expandtypeattribute (fscklogs_30_0) true)
-(expandtypeattribute (functionfs_30_0) true)
-(expandtypeattribute (fuse_30_0) true)
-(expandtypeattribute (fuse_device_30_0) true)
-(expandtypeattribute (fwk_automotive_display_hwservice_30_0) true)
-(expandtypeattribute (fwk_bufferhub_hwservice_30_0) true)
-(expandtypeattribute (fwk_camera_hwservice_30_0) true)
-(expandtypeattribute (fwk_display_hwservice_30_0) true)
-(expandtypeattribute (fwk_scheduler_hwservice_30_0) true)
-(expandtypeattribute (fwk_sensor_hwservice_30_0) true)
-(expandtypeattribute (fwk_stats_hwservice_30_0) true)
-(expandtypeattribute (fwmarkd_socket_30_0) true)
-(expandtypeattribute (gatekeeper_data_file_30_0) true)
-(expandtypeattribute (gatekeeper_service_30_0) true)
-(expandtypeattribute (gatekeeperd_30_0) true)
-(expandtypeattribute (gatekeeperd_exec_30_0) true)
-(expandtypeattribute (gfxinfo_service_30_0) true)
-(expandtypeattribute (gmscore_app_30_0) true)
-(expandtypeattribute (gps_control_30_0) true)
-(expandtypeattribute (gpu_device_30_0) true)
-(expandtypeattribute (gpu_service_30_0) true)
-(expandtypeattribute (gpuservice_30_0) true)
-(expandtypeattribute (graphics_device_30_0) true)
-(expandtypeattribute (graphicsstats_service_30_0) true)
-(expandtypeattribute (gsi_data_file_30_0) true)
-(expandtypeattribute (gsi_metadata_file_30_0) true)
-(expandtypeattribute (gsid_prop_30_0) true)
-(expandtypeattribute (hal_atrace_hwservice_30_0) true)
-(expandtypeattribute (hal_audio_hwservice_30_0) true)
-(expandtypeattribute (hal_audiocontrol_hwservice_30_0) true)
-(expandtypeattribute (hal_authsecret_hwservice_30_0) true)
-(expandtypeattribute (hal_bluetooth_hwservice_30_0) true)
-(expandtypeattribute (hal_bootctl_hwservice_30_0) true)
-(expandtypeattribute (hal_broadcastradio_hwservice_30_0) true)
-(expandtypeattribute (hal_camera_hwservice_30_0) true)
-(expandtypeattribute (hal_can_bus_hwservice_30_0) true)
-(expandtypeattribute (hal_can_controller_hwservice_30_0) true)
-(expandtypeattribute (hal_cas_hwservice_30_0) true)
-(expandtypeattribute (hal_codec2_hwservice_30_0) true)
-(expandtypeattribute (hal_configstore_ISurfaceFlingerConfigs_30_0) true)
-(expandtypeattribute (hal_confirmationui_hwservice_30_0) true)
-(expandtypeattribute (hal_contexthub_hwservice_30_0) true)
-(expandtypeattribute (hal_drm_hwservice_30_0) true)
-(expandtypeattribute (hal_dumpstate_hwservice_30_0) true)
-(expandtypeattribute (hal_evs_hwservice_30_0) true)
-(expandtypeattribute (hal_face_hwservice_30_0) true)
-(expandtypeattribute (hal_fingerprint_hwservice_30_0) true)
-(expandtypeattribute (hal_fingerprint_service_30_0) true)
-(expandtypeattribute (hal_gatekeeper_hwservice_30_0) true)
-(expandtypeattribute (hal_gnss_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_allocator_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_composer_hwservice_30_0) true)
-(expandtypeattribute (hal_graphics_composer_server_tmpfs_30_0) true)
-(expandtypeattribute (hal_graphics_mapper_hwservice_30_0) true)
-(expandtypeattribute (hal_health_hwservice_30_0) true)
-(expandtypeattribute (hal_health_storage_hwservice_30_0) true)
-(expandtypeattribute (hal_identity_service_30_0) true)
-(expandtypeattribute (hal_input_classifier_hwservice_30_0) true)
-(expandtypeattribute (hal_ir_hwservice_30_0) true)
-(expandtypeattribute (hal_keymaster_hwservice_30_0) true)
-(expandtypeattribute (hal_light_hwservice_30_0) true)
-(expandtypeattribute (hal_light_service_30_0) true)
-(expandtypeattribute (hal_lowpan_hwservice_30_0) true)
-(expandtypeattribute (hal_memtrack_hwservice_30_0) true)
-(expandtypeattribute (hal_neuralnetworks_hwservice_30_0) true)
-(expandtypeattribute (hal_nfc_hwservice_30_0) true)
-(expandtypeattribute (hal_oemlock_hwservice_30_0) true)
-(expandtypeattribute (hal_omx_hwservice_30_0) true)
-(expandtypeattribute (hal_power_hwservice_30_0) true)
-(expandtypeattribute (hal_power_service_30_0) true)
-(expandtypeattribute (hal_power_stats_hwservice_30_0) true)
-(expandtypeattribute (hal_rebootescrow_service_30_0) true)
-(expandtypeattribute (hal_renderscript_hwservice_30_0) true)
-(expandtypeattribute (hal_secure_element_hwservice_30_0) true)
-(expandtypeattribute (hal_sensors_hwservice_30_0) true)
-(expandtypeattribute (hal_telephony_hwservice_30_0) true)
-(expandtypeattribute (hal_tetheroffload_hwservice_30_0) true)
-(expandtypeattribute (hal_thermal_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_cec_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_input_hwservice_30_0) true)
-(expandtypeattribute (hal_tv_tuner_hwservice_30_0) true)
-(expandtypeattribute (hal_usb_gadget_hwservice_30_0) true)
-(expandtypeattribute (hal_usb_hwservice_30_0) true)
-(expandtypeattribute (hal_vehicle_hwservice_30_0) true)
-(expandtypeattribute (hal_vibrator_hwservice_30_0) true)
-(expandtypeattribute (hal_vibrator_service_30_0) true)
-(expandtypeattribute (hal_vr_hwservice_30_0) true)
-(expandtypeattribute (hal_weaver_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_hostapd_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_hwservice_30_0) true)
-(expandtypeattribute (hal_wifi_supplicant_hwservice_30_0) true)
-(expandtypeattribute (hardware_properties_service_30_0) true)
-(expandtypeattribute (hardware_service_30_0) true)
-(expandtypeattribute (hci_attach_dev_30_0) true)
-(expandtypeattribute (hdmi_control_service_30_0) true)
-(expandtypeattribute (healthd_30_0) true)
-(expandtypeattribute (healthd_exec_30_0) true)
-(expandtypeattribute (heapdump_data_file_30_0) true)
-(expandtypeattribute (heapprofd_30_0) true)
-(expandtypeattribute (heapprofd_enabled_prop_30_0) true)
-(expandtypeattribute (heapprofd_prop_30_0) true)
-(expandtypeattribute (heapprofd_socket_30_0) true)
-(expandtypeattribute (hidl_allocator_hwservice_30_0) true)
-(expandtypeattribute (hidl_base_hwservice_30_0) true)
-(expandtypeattribute (hidl_manager_hwservice_30_0) true)
-(expandtypeattribute (hidl_memory_hwservice_30_0) true)
-(expandtypeattribute (hidl_token_hwservice_30_0) true)
-(expandtypeattribute (hw_random_device_30_0) true)
-(expandtypeattribute (hwbinder_device_30_0) true)
-(expandtypeattribute (hwservice_contexts_file_30_0) true)
-(expandtypeattribute (hwservicemanager_30_0) true)
-(expandtypeattribute (hwservicemanager_exec_30_0) true)
-(expandtypeattribute (hwservicemanager_prop_30_0) true)
-(expandtypeattribute (icon_file_30_0) true)
-(expandtypeattribute (idmap_30_0) true)
-(expandtypeattribute (idmap_exec_30_0) true)
-(expandtypeattribute (idmap_service_30_0) true)
-(expandtypeattribute (iio_device_30_0) true)
-(expandtypeattribute (imms_service_30_0) true)
-(expandtypeattribute (incident_30_0) true)
-(expandtypeattribute (incident_data_file_30_0) true)
-(expandtypeattribute (incident_helper_30_0) true)
-(expandtypeattribute (incident_service_30_0) true)
-(expandtypeattribute (incidentd_30_0) true)
-(expandtypeattribute (incremental_control_file_30_0) true)
-(expandtypeattribute (incremental_prop_30_0) true)
-(expandtypeattribute (incremental_service_30_0) true)
-(expandtypeattribute (init_30_0) true)
-(expandtypeattribute (init_exec_30_0) true)
-(expandtypeattribute (init_perf_lsm_hooks_prop_30_0) true)
-(expandtypeattribute (init_svc_debug_prop_30_0) true)
-(expandtypeattribute (init_tmpfs_30_0) true)
-(expandtypeattribute (inotify_30_0) true)
-(expandtypeattribute (input_device_30_0) true)
-(expandtypeattribute (input_method_service_30_0) true)
-(expandtypeattribute (input_service_30_0) true)
-(expandtypeattribute (inputflinger_30_0) true)
-(expandtypeattribute (inputflinger_exec_30_0) true)
-(expandtypeattribute (inputflinger_service_30_0) true)
-(expandtypeattribute (install_data_file_30_0) true)
-(expandtypeattribute (installd_30_0) true)
-(expandtypeattribute (installd_exec_30_0) true)
-(expandtypeattribute (installd_service_30_0) true)
-(expandtypeattribute (ion_device_30_0) true)
-(expandtypeattribute (iorap_inode2filename_30_0) true)
-(expandtypeattribute (iorap_inode2filename_exec_30_0) true)
-(expandtypeattribute (iorap_inode2filename_tmpfs_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_exec_30_0) true)
-(expandtypeattribute (iorap_prefetcherd_tmpfs_30_0) true)
-(expandtypeattribute (iorapd_30_0) true)
-(expandtypeattribute (iorapd_data_file_30_0) true)
-(expandtypeattribute (iorapd_exec_30_0) true)
-(expandtypeattribute (iorapd_service_30_0) true)
-(expandtypeattribute (iorapd_tmpfs_30_0) true)
-(expandtypeattribute (ipsec_service_30_0) true)
-(expandtypeattribute (iris_service_30_0) true)
-(expandtypeattribute (iris_vendor_data_file_30_0) true)
-(expandtypeattribute (isolated_app_30_0) true)
-(expandtypeattribute (jobscheduler_service_30_0) true)
-(expandtypeattribute (kernel_30_0) true)
-(expandtypeattribute (keychain_data_file_30_0) true)
-(expandtypeattribute (keychord_device_30_0) true)
-(expandtypeattribute (keystore_30_0) true)
-(expandtypeattribute (keystore_data_file_30_0) true)
-(expandtypeattribute (keystore_exec_30_0) true)
-(expandtypeattribute (keystore_service_30_0) true)
-(expandtypeattribute (kmsg_debug_device_30_0) true)
-(expandtypeattribute (kmsg_device_30_0) true)
-(expandtypeattribute (labeledfs_30_0) true)
-(expandtypeattribute (last_boot_reason_prop_30_0) true)
-(expandtypeattribute (launcherapps_service_30_0) true)
-(expandtypeattribute (light_service_30_0) true)
-(expandtypeattribute (linkerconfig_file_30_0) true)
-(expandtypeattribute (llkd_30_0) true)
-(expandtypeattribute (llkd_exec_30_0) true)
-(expandtypeattribute (llkd_prop_30_0) true)
-(expandtypeattribute (lmkd_30_0) true)
-(expandtypeattribute (lmkd_exec_30_0) true)
-(expandtypeattribute (lmkd_prop_30_0) true)
-(expandtypeattribute (lmkd_socket_30_0) true)
-(expandtypeattribute (location_service_30_0) true)
-(expandtypeattribute (lock_settings_service_30_0) true)
-(expandtypeattribute (log_prop_30_0) true)
-(expandtypeattribute (log_tag_prop_30_0) true)
-(expandtypeattribute (logcat_exec_30_0) true)
-(expandtypeattribute (logd_30_0) true)
-(expandtypeattribute (logd_exec_30_0) true)
-(expandtypeattribute (logd_prop_30_0) true)
-(expandtypeattribute (logd_socket_30_0) true)
-(expandtypeattribute (logdr_socket_30_0) true)
-(expandtypeattribute (logdw_socket_30_0) true)
-(expandtypeattribute (logpersist_30_0) true)
-(expandtypeattribute (logpersistd_logging_prop_30_0) true)
-(expandtypeattribute (loop_control_device_30_0) true)
-(expandtypeattribute (loop_device_30_0) true)
-(expandtypeattribute (looper_stats_service_30_0) true)
-(expandtypeattribute (lowpan_device_30_0) true)
-(expandtypeattribute (lowpan_prop_30_0) true)
-(expandtypeattribute (lowpan_service_30_0) true)
-(expandtypeattribute (lpdump_service_30_0) true)
-(expandtypeattribute (lpdumpd_prop_30_0) true)
-(expandtypeattribute (mac_perms_file_30_0) true)
-(expandtypeattribute (mdns_socket_30_0) true)
-(expandtypeattribute (mdnsd_30_0) true)
-(expandtypeattribute (mdnsd_socket_30_0) true)
-(expandtypeattribute (media_data_file_30_0) true)
-(expandtypeattribute (media_projection_service_30_0) true)
-(expandtypeattribute (media_router_service_30_0) true)
-(expandtypeattribute (media_rw_data_file_30_0) true)
-(expandtypeattribute (media_session_service_30_0) true)
-(expandtypeattribute (media_variant_prop_30_0) true)
-(expandtypeattribute (mediadrmserver_30_0) true)
-(expandtypeattribute (mediadrmserver_exec_30_0) true)
-(expandtypeattribute (mediadrmserver_service_30_0) true)
-(expandtypeattribute (mediaextractor_30_0) true)
-(expandtypeattribute (mediaextractor_exec_30_0) true)
-(expandtypeattribute (mediaextractor_service_30_0) true)
-(expandtypeattribute (mediaextractor_tmpfs_30_0) true)
-(expandtypeattribute (mediametrics_30_0) true)
-(expandtypeattribute (mediametrics_exec_30_0) true)
-(expandtypeattribute (mediametrics_service_30_0) true)
-(expandtypeattribute (mediaprovider_30_0) true)
-(expandtypeattribute (mediaserver_30_0) true)
-(expandtypeattribute (mediaserver_exec_30_0) true)
-(expandtypeattribute (mediaserver_service_30_0) true)
-(expandtypeattribute (mediaserver_tmpfs_30_0) true)
-(expandtypeattribute (mediaswcodec_30_0) true)
-(expandtypeattribute (mediaswcodec_exec_30_0) true)
-(expandtypeattribute (mediatranscoding_30_0) true)
-(expandtypeattribute (mediatranscoding_exec_30_0) true)
-(expandtypeattribute (mediatranscoding_service_30_0) true)
-(expandtypeattribute (meminfo_service_30_0) true)
-(expandtypeattribute (metadata_block_device_30_0) true)
-(expandtypeattribute (metadata_bootstat_file_30_0) true)
-(expandtypeattribute (metadata_file_30_0) true)
-(expandtypeattribute (method_trace_data_file_30_0) true)
-(expandtypeattribute (midi_service_30_0) true)
-(expandtypeattribute (mirror_data_file_30_0) true)
-(expandtypeattribute (misc_block_device_30_0) true)
-(expandtypeattribute (misc_logd_file_30_0) true)
-(expandtypeattribute (misc_user_data_file_30_0) true)
-(expandtypeattribute (mmc_prop_30_0) true)
-(expandtypeattribute (mnt_expand_file_30_0) true)
-(expandtypeattribute (mnt_media_rw_file_30_0) true)
-(expandtypeattribute (mnt_media_rw_stub_file_30_0) true)
-(expandtypeattribute (mnt_pass_through_file_30_0) true)
-(expandtypeattribute (mnt_product_file_30_0) true)
-(expandtypeattribute (mnt_sdcard_file_30_0) true)
-(expandtypeattribute (mnt_user_file_30_0) true)
-(expandtypeattribute (mnt_vendor_file_30_0) true)
-(expandtypeattribute (mock_ota_prop_30_0) true)
-(expandtypeattribute (modprobe_30_0) true)
-(expandtypeattribute (module_sdkextensions_prop_30_0) true)
-(expandtypeattribute (mount_service_30_0) true)
-(expandtypeattribute (mqueue_30_0) true)
-(expandtypeattribute (mtp_30_0) true)
-(expandtypeattribute (mtp_device_30_0) true)
-(expandtypeattribute (mtp_exec_30_0) true)
-(expandtypeattribute (mtpd_socket_30_0) true)
-(expandtypeattribute (nativetest_data_file_30_0) true)
-(expandtypeattribute (net_data_file_30_0) true)
-(expandtypeattribute (net_dns_prop_30_0) true)
-(expandtypeattribute (net_radio_prop_30_0) true)
-(expandtypeattribute (netd_30_0) true)
-(expandtypeattribute (netd_exec_30_0) true)
-(expandtypeattribute (netd_listener_service_30_0) true)
-(expandtypeattribute (netd_service_30_0) true)
-(expandtypeattribute (netd_stable_secret_prop_30_0) true)
-(expandtypeattribute (netif_30_0) true)
-(expandtypeattribute (netpolicy_service_30_0) true)
-(expandtypeattribute (netstats_service_30_0) true)
-(expandtypeattribute (netutils_wrapper_30_0) true)
-(expandtypeattribute (netutils_wrapper_exec_30_0) true)
-(expandtypeattribute (network_management_service_30_0) true)
-(expandtypeattribute (network_score_service_30_0) true)
-(expandtypeattribute (network_stack_30_0) true)
-(expandtypeattribute (network_stack_service_30_0) true)
-(expandtypeattribute (network_time_update_service_30_0) true)
-(expandtypeattribute (network_watchlist_data_file_30_0) true)
-(expandtypeattribute (network_watchlist_service_30_0) true)
-(expandtypeattribute (nfc_30_0) true)
-(expandtypeattribute (nfc_data_file_30_0) true)
-(expandtypeattribute (nfc_device_30_0) true)
-(expandtypeattribute (nfc_prop_30_0) true)
-(expandtypeattribute (nfc_service_30_0) true)
-(expandtypeattribute (nnapi_ext_deny_product_prop_30_0) true)
-(expandtypeattribute (node_30_0) true)
-(expandtypeattribute (nonplat_service_contexts_file_30_0) true)
-(expandtypeattribute (notification_service_30_0) true)
-(expandtypeattribute (null_device_30_0) true)
-(expandtypeattribute (oem_lock_service_30_0) true)
-(expandtypeattribute (oemfs_30_0) true)
-(expandtypeattribute (ota_data_file_30_0) true)
-(expandtypeattribute (ota_metadata_file_30_0) true)
-(expandtypeattribute (ota_package_file_30_0) true)
-(expandtypeattribute (ota_prop_30_0) true)
-(expandtypeattribute (otadexopt_service_30_0) true)
-(expandtypeattribute (overlay_prop_30_0) true)
-(expandtypeattribute (overlay_service_30_0) true)
-(expandtypeattribute (overlayfs_file_30_0) true)
-(expandtypeattribute (owntty_device_30_0) true)
-(expandtypeattribute (package_native_service_30_0) true)
-(expandtypeattribute (package_service_30_0) true)
-(expandtypeattribute (packages_list_file_30_0) true)
-(expandtypeattribute (pan_result_prop_30_0) true)
-(expandtypeattribute (password_slot_metadata_file_30_0) true)
-(expandtypeattribute (pdx_bufferhub_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_bufferhub_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_bufferhub_dir_30_0) true)
-(expandtypeattribute (pdx_display_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_dir_30_0) true)
-(expandtypeattribute (pdx_display_manager_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_manager_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_screenshot_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_screenshot_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_display_vsync_channel_socket_30_0) true)
-(expandtypeattribute (pdx_display_vsync_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_performance_client_channel_socket_30_0) true)
-(expandtypeattribute (pdx_performance_client_endpoint_socket_30_0) true)
-(expandtypeattribute (pdx_performance_dir_30_0) true)
-(expandtypeattribute (perfetto_30_0) true)
-(expandtypeattribute (performanced_30_0) true)
-(expandtypeattribute (performanced_exec_30_0) true)
-(expandtypeattribute (permission_service_30_0) true)
-(expandtypeattribute (permissionmgr_service_30_0) true)
-(expandtypeattribute (persist_debug_prop_30_0) true)
-(expandtypeattribute (persistent_data_block_service_30_0) true)
-(expandtypeattribute (persistent_properties_ready_prop_30_0) true)
-(expandtypeattribute (pinner_service_30_0) true)
-(expandtypeattribute (pipefs_30_0) true)
-(expandtypeattribute (platform_app_30_0) true)
-(expandtypeattribute (platform_compat_service_30_0) true)
-(expandtypeattribute (pm_prop_30_0) true)
-(expandtypeattribute (pmsg_device_30_0) true)
-(expandtypeattribute (port_30_0) true)
-(expandtypeattribute (port_device_30_0) true)
-(expandtypeattribute (postinstall_30_0) true)
-(expandtypeattribute (postinstall_apex_mnt_dir_30_0) true)
-(expandtypeattribute (postinstall_file_30_0) true)
-(expandtypeattribute (postinstall_mnt_dir_30_0) true)
-(expandtypeattribute (power_service_30_0) true)
-(expandtypeattribute (powerctl_prop_30_0) true)
-(expandtypeattribute (ppp_30_0) true)
-(expandtypeattribute (ppp_device_30_0) true)
-(expandtypeattribute (ppp_exec_30_0) true)
-(expandtypeattribute (preloads_data_file_30_0) true)
-(expandtypeattribute (preloads_media_file_30_0) true)
-(expandtypeattribute (prereboot_data_file_30_0) true)
-(expandtypeattribute (print_service_30_0) true)
-(expandtypeattribute (priv_app_30_0) true)
-(expandtypeattribute (privapp_data_file_30_0) true)
-(expandtypeattribute (proc_30_0) true)
-(expandtypeattribute (proc_abi_30_0) true)
-(expandtypeattribute (proc_asound_30_0) true)
-(expandtypeattribute (proc_bluetooth_writable_30_0) true)
-(expandtypeattribute (proc_buddyinfo_30_0) true)
-(expandtypeattribute (proc_cmdline_30_0) true)
-(expandtypeattribute (proc_cpuinfo_30_0) true)
-(expandtypeattribute (proc_dirty_30_0) true)
-(expandtypeattribute (proc_diskstats_30_0) true)
-(expandtypeattribute (proc_drop_caches_30_0) true)
-(expandtypeattribute (proc_extra_free_kbytes_30_0) true)
-(expandtypeattribute (proc_filesystems_30_0) true)
-(expandtypeattribute (proc_fs_verity_30_0) true)
-(expandtypeattribute (proc_hostname_30_0) true)
-(expandtypeattribute (proc_hung_task_30_0) true)
-(expandtypeattribute (proc_interrupts_30_0) true)
-(expandtypeattribute (proc_iomem_30_0) true)
-(expandtypeattribute (proc_keys_30_0) true)
-(expandtypeattribute (proc_kmsg_30_0) true)
-(expandtypeattribute (proc_kpageflags_30_0) true)
-(expandtypeattribute (proc_loadavg_30_0) true)
-(expandtypeattribute (proc_lowmemorykiller_30_0) true)
-(expandtypeattribute (proc_max_map_count_30_0) true)
-(expandtypeattribute (proc_meminfo_30_0) true)
-(expandtypeattribute (proc_min_free_order_shift_30_0) true)
-(expandtypeattribute (proc_misc_30_0) true)
-(expandtypeattribute (proc_modules_30_0) true)
-(expandtypeattribute (proc_mounts_30_0) true)
-(expandtypeattribute (proc_net_30_0) true)
-(expandtypeattribute (proc_net_tcp_udp_30_0) true)
-(expandtypeattribute (proc_overcommit_memory_30_0) true)
-(expandtypeattribute (proc_page_cluster_30_0) true)
-(expandtypeattribute (proc_pagetypeinfo_30_0) true)
-(expandtypeattribute (proc_panic_30_0) true)
-(expandtypeattribute (proc_perf_30_0) true)
-(expandtypeattribute (proc_pid_max_30_0) true)
-(expandtypeattribute (proc_pipe_conf_30_0) true)
-(expandtypeattribute (proc_pressure_cpu_30_0) true)
-(expandtypeattribute (proc_pressure_io_30_0) true)
-(expandtypeattribute (proc_pressure_mem_30_0) true)
-(expandtypeattribute (proc_qtaguid_ctrl_30_0) true)
-(expandtypeattribute (proc_qtaguid_stat_30_0) true)
-(expandtypeattribute (proc_random_30_0) true)
-(expandtypeattribute (proc_sched_30_0) true)
-(expandtypeattribute (proc_security_30_0) true)
-(expandtypeattribute (proc_slabinfo_30_0) true)
-(expandtypeattribute (proc_stat_30_0) true)
-(expandtypeattribute (proc_swaps_30_0) true)
-(expandtypeattribute (proc_sysrq_30_0) true)
-(expandtypeattribute (proc_timer_30_0) true)
-(expandtypeattribute (proc_tty_drivers_30_0) true)
-(expandtypeattribute (proc_uid_concurrent_active_time_30_0) true)
-(expandtypeattribute (proc_uid_concurrent_policy_time_30_0) true)
-(expandtypeattribute (proc_uid_cpupower_30_0) true)
-(expandtypeattribute (proc_uid_cputime_removeuid_30_0) true)
-(expandtypeattribute (proc_uid_cputime_showstat_30_0) true)
-(expandtypeattribute (proc_uid_io_stats_30_0) true)
-(expandtypeattribute (proc_uid_procstat_set_30_0) true)
-(expandtypeattribute (proc_uid_time_in_state_30_0) true)
-(expandtypeattribute (proc_uptime_30_0) true)
-(expandtypeattribute (proc_version_30_0) true)
-(expandtypeattribute (proc_vmallocinfo_30_0) true)
-(expandtypeattribute (proc_vmstat_30_0) true)
-(expandtypeattribute (proc_zoneinfo_30_0) true)
-(expandtypeattribute (processinfo_service_30_0) true)
-(expandtypeattribute (procstats_service_30_0) true)
-(expandtypeattribute (profman_30_0) true)
-(expandtypeattribute (profman_dump_data_file_30_0) true)
-(expandtypeattribute (profman_exec_30_0) true)
-(expandtypeattribute (properties_device_30_0) true)
-(expandtypeattribute (properties_serial_30_0) true)
-(expandtypeattribute (property_contexts_file_30_0) true)
-(expandtypeattribute (property_data_file_30_0) true)
-(expandtypeattribute (property_info_30_0) true)
-(expandtypeattribute (property_socket_30_0) true)
-(expandtypeattribute (pstorefs_30_0) true)
-(expandtypeattribute (ptmx_device_30_0) true)
-(expandtypeattribute (qtaguid_device_30_0) true)
-(expandtypeattribute (racoon_30_0) true)
-(expandtypeattribute (racoon_exec_30_0) true)
-(expandtypeattribute (racoon_socket_30_0) true)
-(expandtypeattribute (radio_30_0) true)
-(expandtypeattribute (radio_data_file_30_0) true)
-(expandtypeattribute (radio_device_30_0) true)
-(expandtypeattribute (radio_prop_30_0) true)
-(expandtypeattribute (radio_service_30_0) true)
-(expandtypeattribute (ram_device_30_0) true)
-(expandtypeattribute (random_device_30_0) true)
-(expandtypeattribute (rebootescrow_hal_prop_30_0) true)
-(expandtypeattribute (recovery_30_0) true)
-(expandtypeattribute (recovery_block_device_30_0) true)
-(expandtypeattribute (recovery_data_file_30_0) true)
-(expandtypeattribute (recovery_persist_30_0) true)
-(expandtypeattribute (recovery_persist_exec_30_0) true)
-(expandtypeattribute (recovery_refresh_30_0) true)
-(expandtypeattribute (recovery_refresh_exec_30_0) true)
-(expandtypeattribute (recovery_service_30_0) true)
-(expandtypeattribute (recovery_socket_30_0) true)
-(expandtypeattribute (registry_service_30_0) true)
-(expandtypeattribute (resourcecache_data_file_30_0) true)
-(expandtypeattribute (restorecon_prop_30_0) true)
-(expandtypeattribute (restrictions_service_30_0) true)
-(expandtypeattribute (rild_debug_socket_30_0) true)
-(expandtypeattribute (rild_socket_30_0) true)
-(expandtypeattribute (ringtone_file_30_0) true)
-(expandtypeattribute (role_service_30_0) true)
-(expandtypeattribute (rollback_service_30_0) true)
-(expandtypeattribute (root_block_device_30_0) true)
-(expandtypeattribute (rootfs_30_0) true)
-(expandtypeattribute (rpmsg_device_30_0) true)
-(expandtypeattribute (rs_30_0) true)
-(expandtypeattribute (rs_exec_30_0) true)
-(expandtypeattribute (rss_hwm_reset_30_0) true)
-(expandtypeattribute (rtc_device_30_0) true)
-(expandtypeattribute (rttmanager_service_30_0) true)
-(expandtypeattribute (runas_30_0) true)
-(expandtypeattribute (runas_app_30_0) true)
-(expandtypeattribute (runas_exec_30_0) true)
-(expandtypeattribute (runtime_event_log_tags_file_30_0) true)
-(expandtypeattribute (runtime_service_30_0) true)
-(expandtypeattribute (safemode_prop_30_0) true)
-(expandtypeattribute (same_process_hal_file_30_0) true)
-(expandtypeattribute (samplingprofiler_service_30_0) true)
-(expandtypeattribute (scheduling_policy_service_30_0) true)
-(expandtypeattribute (sdcard_block_device_30_0) true)
-(expandtypeattribute (sdcardd_30_0) true)
-(expandtypeattribute (sdcardd_exec_30_0) true)
-(expandtypeattribute (sdcardfs_30_0) true)
-(expandtypeattribute (seapp_contexts_file_30_0) true)
-(expandtypeattribute (search_service_30_0) true)
-(expandtypeattribute (sec_key_att_app_id_provider_service_30_0) true)
-(expandtypeattribute (secure_element_30_0) true)
-(expandtypeattribute (secure_element_device_30_0) true)
-(expandtypeattribute (secure_element_service_30_0) true)
-(expandtypeattribute (securityfs_30_0) true)
-(expandtypeattribute (selinuxfs_30_0) true)
-(expandtypeattribute (sensor_privacy_service_30_0) true)
-(expandtypeattribute (sensors_device_30_0) true)
-(expandtypeattribute (sensorservice_service_30_0) true)
-(expandtypeattribute (sepolicy_file_30_0) true)
-(expandtypeattribute (serial_device_30_0) true)
-(expandtypeattribute (serial_service_30_0) true)
-(expandtypeattribute (serialno_prop_30_0) true)
-(expandtypeattribute (server_configurable_flags_data_file_30_0) true)
-(expandtypeattribute (service_contexts_file_30_0) true)
-(expandtypeattribute (service_manager_service_30_0) true)
-(expandtypeattribute (service_manager_vndservice_30_0) true)
-(expandtypeattribute (servicediscovery_service_30_0) true)
-(expandtypeattribute (servicemanager_30_0) true)
-(expandtypeattribute (servicemanager_exec_30_0) true)
-(expandtypeattribute (settings_service_30_0) true)
-(expandtypeattribute (sgdisk_30_0) true)
-(expandtypeattribute (sgdisk_exec_30_0) true)
-(expandtypeattribute (shared_relro_30_0) true)
-(expandtypeattribute (shared_relro_file_30_0) true)
-(expandtypeattribute (shell_30_0) true)
-(expandtypeattribute (shell_data_file_30_0) true)
-(expandtypeattribute (shell_exec_30_0) true)
-(expandtypeattribute (shell_prop_30_0) true)
-(expandtypeattribute (shm_30_0) true)
-(expandtypeattribute (shortcut_manager_icons_30_0) true)
-(expandtypeattribute (shortcut_service_30_0) true)
-(expandtypeattribute (simpleperf_30_0) true)
-(expandtypeattribute (simpleperf_app_runner_30_0) true)
-(expandtypeattribute (simpleperf_app_runner_exec_30_0) true)
-(expandtypeattribute (slice_service_30_0) true)
-(expandtypeattribute (slideshow_30_0) true)
-(expandtypeattribute (snapshotctl_log_data_file_30_0) true)
-(expandtypeattribute (socket_device_30_0) true)
-(expandtypeattribute (socket_hook_prop_30_0) true)
-(expandtypeattribute (sockfs_30_0) true)
-(expandtypeattribute (sota_prop_30_0) true)
-(expandtypeattribute (soundtrigger_middleware_service_30_0) true)
-(expandtypeattribute (staging_data_file_30_0) true)
-(expandtypeattribute (stats_data_file_30_0) true)
-(expandtypeattribute (statsd_30_0) true)
-(expandtypeattribute (statsd_exec_30_0) true)
-(expandtypeattribute (statsdw_socket_30_0) true)
-(expandtypeattribute (statusbar_service_30_0) true)
-(expandtypeattribute (storage_config_prop_30_0) true)
-(expandtypeattribute (storage_file_30_0) true)
-(expandtypeattribute (storage_stub_file_30_0) true)
-(expandtypeattribute (storaged_service_30_0) true)
-(expandtypeattribute (storagestats_service_30_0) true)
-(expandtypeattribute (su_30_0) true)
-(expandtypeattribute (su_exec_30_0) true)
-(expandtypeattribute (super_block_device_30_0) true)
-(expandtypeattribute (surfaceflinger_30_0) true)
-(expandtypeattribute (surfaceflinger_service_30_0) true)
-(expandtypeattribute (surfaceflinger_tmpfs_30_0) true)
-(expandtypeattribute (swap_block_device_30_0) true)
-(expandtypeattribute (sysfs_30_0) true)
-(expandtypeattribute (sysfs_android_usb_30_0) true)
-(expandtypeattribute (sysfs_batteryinfo_30_0) true)
-(expandtypeattribute (sysfs_bluetooth_writable_30_0) true)
-(expandtypeattribute (sysfs_devices_block_30_0) true)
-(expandtypeattribute (sysfs_devices_system_cpu_30_0) true)
-(expandtypeattribute (sysfs_dm_30_0) true)
-(expandtypeattribute (sysfs_dm_verity_30_0) true)
-(expandtypeattribute (sysfs_dt_firmware_android_30_0) true)
-(expandtypeattribute (sysfs_extcon_30_0) true)
-(expandtypeattribute (sysfs_fs_ext4_features_30_0) true)
-(expandtypeattribute (sysfs_fs_f2fs_30_0) true)
-(expandtypeattribute (sysfs_hwrandom_30_0) true)
-(expandtypeattribute (sysfs_ion_30_0) true)
-(expandtypeattribute (sysfs_ipv4_30_0) true)
-(expandtypeattribute (sysfs_kernel_notes_30_0) true)
-(expandtypeattribute (sysfs_leds_30_0) true)
-(expandtypeattribute (sysfs_loop_30_0) true)
-(expandtypeattribute (sysfs_lowmemorykiller_30_0) true)
-(expandtypeattribute (sysfs_net_30_0) true)
-(expandtypeattribute (sysfs_nfc_power_writable_30_0) true)
-(expandtypeattribute (sysfs_power_30_0) true)
-(expandtypeattribute (sysfs_rtc_30_0) true)
-(expandtypeattribute (sysfs_suspend_stats_30_0) true)
-(expandtypeattribute (sysfs_switch_30_0) true)
-(expandtypeattribute (sysfs_thermal_30_0) true)
-(expandtypeattribute (sysfs_transparent_hugepage_30_0) true)
-(expandtypeattribute (sysfs_uio_30_0) true)
-(expandtypeattribute (sysfs_usb_30_0) true)
-(expandtypeattribute (sysfs_usermodehelper_30_0) true)
-(expandtypeattribute (sysfs_vibrator_30_0) true)
-(expandtypeattribute (sysfs_wake_lock_30_0) true)
-(expandtypeattribute (sysfs_wakeup_30_0) true)
-(expandtypeattribute (sysfs_wakeup_reasons_30_0) true)
-(expandtypeattribute (sysfs_wlan_fwpath_30_0) true)
-(expandtypeattribute (sysfs_zram_30_0) true)
-(expandtypeattribute (sysfs_zram_uevent_30_0) true)
-(expandtypeattribute (system_adbd_prop_30_0) true)
-(expandtypeattribute (system_app_30_0) true)
-(expandtypeattribute (system_app_data_file_30_0) true)
-(expandtypeattribute (system_app_service_30_0) true)
-(expandtypeattribute (system_asan_options_file_30_0) true)
-(expandtypeattribute (system_block_device_30_0) true)
-(expandtypeattribute (system_boot_reason_prop_30_0) true)
-(expandtypeattribute (system_bootstrap_lib_file_30_0) true)
-(expandtypeattribute (system_config_service_30_0) true)
-(expandtypeattribute (system_data_file_30_0) true)
-(expandtypeattribute (system_data_root_file_30_0) true)
-(expandtypeattribute (system_event_log_tags_file_30_0) true)
-(expandtypeattribute (system_file_30_0) true)
-(expandtypeattribute (system_group_file_30_0) true)
-(expandtypeattribute (system_jvmti_agent_prop_30_0) true)
-(expandtypeattribute (system_lib_file_30_0) true)
-(expandtypeattribute (system_linker_config_file_30_0) true)
-(expandtypeattribute (system_linker_exec_30_0) true)
-(expandtypeattribute (system_lmk_prop_30_0) true)
-(expandtypeattribute (system_ndebug_socket_30_0) true)
-(expandtypeattribute (system_net_netd_hwservice_30_0) true)
-(expandtypeattribute (system_passwd_file_30_0) true)
-(expandtypeattribute (system_prop_30_0) true)
-(expandtypeattribute (system_radio_prop_30_0) true)
-(expandtypeattribute (system_seccomp_policy_file_30_0) true)
-(expandtypeattribute (system_security_cacerts_file_30_0) true)
-(expandtypeattribute (system_server_30_0) true)
-(expandtypeattribute (system_server_tmpfs_30_0) true)
-(expandtypeattribute (system_suspend_control_service_30_0) true)
-(expandtypeattribute (system_suspend_hwservice_30_0) true)
-(expandtypeattribute (system_trace_prop_30_0) true)
-(expandtypeattribute (system_unsolzygote_socket_30_0) true)
-(expandtypeattribute (system_update_service_30_0) true)
-(expandtypeattribute (system_wifi_keystore_hwservice_30_0) true)
-(expandtypeattribute (system_wpa_socket_30_0) true)
-(expandtypeattribute (system_zoneinfo_file_30_0) true)
-(expandtypeattribute (systemkeys_data_file_30_0) true)
-(expandtypeattribute (task_profiles_file_30_0) true)
-(expandtypeattribute (task_service_30_0) true)
-(expandtypeattribute (tcpdump_exec_30_0) true)
-(expandtypeattribute (tee_30_0) true)
-(expandtypeattribute (tee_data_file_30_0) true)
-(expandtypeattribute (tee_device_30_0) true)
-(expandtypeattribute (telecom_service_30_0) true)
-(expandtypeattribute (test_boot_reason_prop_30_0) true)
-(expandtypeattribute (test_harness_prop_30_0) true)
-(expandtypeattribute (testharness_service_30_0) true)
-(expandtypeattribute (tethering_service_30_0) true)
-(expandtypeattribute (textclassification_service_30_0) true)
-(expandtypeattribute (textclassifier_data_file_30_0) true)
-(expandtypeattribute (textservices_service_30_0) true)
-(expandtypeattribute (theme_prop_30_0) true)
-(expandtypeattribute (thermal_service_30_0) true)
-(expandtypeattribute (thermalcallback_hwservice_30_0) true)
-(expandtypeattribute (time_prop_30_0) true)
-(expandtypeattribute (timedetector_service_30_0) true)
-(expandtypeattribute (timezone_service_30_0) true)
-(expandtypeattribute (timezonedetector_service_30_0) true)
-(expandtypeattribute (tmpfs_30_0) true)
-(expandtypeattribute (tombstone_data_file_30_0) true)
-(expandtypeattribute (tombstone_wifi_data_file_30_0) true)
-(expandtypeattribute (tombstoned_30_0) true)
-(expandtypeattribute (tombstoned_crash_socket_30_0) true)
-(expandtypeattribute (tombstoned_exec_30_0) true)
-(expandtypeattribute (tombstoned_intercept_socket_30_0) true)
-(expandtypeattribute (tombstoned_java_trace_socket_30_0) true)
-(expandtypeattribute (toolbox_30_0) true)
-(expandtypeattribute (toolbox_exec_30_0) true)
-(expandtypeattribute (trace_data_file_30_0) true)
-(expandtypeattribute (traced_30_0) true)
-(expandtypeattribute (traced_consumer_socket_30_0) true)
-(expandtypeattribute (traced_enabled_prop_30_0) true)
-(expandtypeattribute (traced_lazy_prop_30_0) true)
-(expandtypeattribute (traced_perf_30_0) true)
-(expandtypeattribute (traced_perf_enabled_prop_30_0) true)
-(expandtypeattribute (traced_perf_socket_30_0) true)
-(expandtypeattribute (traced_probes_30_0) true)
-(expandtypeattribute (traced_producer_socket_30_0) true)
-(expandtypeattribute (traceur_app_30_0) true)
-(expandtypeattribute (trust_service_30_0) true)
-(expandtypeattribute (tty_device_30_0) true)
-(expandtypeattribute (tun_device_30_0) true)
-(expandtypeattribute (tv_input_service_30_0) true)
-(expandtypeattribute (tv_tuner_resource_mgr_service_30_0) true)
-(expandtypeattribute (tzdatacheck_30_0) true)
-(expandtypeattribute (tzdatacheck_exec_30_0) true)
-(expandtypeattribute (ueventd_30_0) true)
-(expandtypeattribute (ueventd_tmpfs_30_0) true)
-(expandtypeattribute (uhid_device_30_0) true)
-(expandtypeattribute (uimode_service_30_0) true)
-(expandtypeattribute (uio_device_30_0) true)
-(expandtypeattribute (uncrypt_30_0) true)
-(expandtypeattribute (uncrypt_exec_30_0) true)
-(expandtypeattribute (uncrypt_socket_30_0) true)
-(expandtypeattribute (unencrypted_data_file_30_0) true)
-(expandtypeattribute (unlabeled_30_0) true)
-(expandtypeattribute (untrusted_app_25_30_0) true)
-(expandtypeattribute (untrusted_app_27_30_0) true)
-(expandtypeattribute (untrusted_app_29_30_0) true)
-(expandtypeattribute (untrusted_app_30_0) true)
-(expandtypeattribute (update_engine_30_0) true)
-(expandtypeattribute (update_engine_data_file_30_0) true)
-(expandtypeattribute (update_engine_exec_30_0) true)
-(expandtypeattribute (update_engine_log_data_file_30_0) true)
-(expandtypeattribute (update_engine_service_30_0) true)
-(expandtypeattribute (update_verifier_30_0) true)
-(expandtypeattribute (update_verifier_exec_30_0) true)
-(expandtypeattribute (updatelock_service_30_0) true)
-(expandtypeattribute (uri_grants_service_30_0) true)
-(expandtypeattribute (usagestats_service_30_0) true)
-(expandtypeattribute (usb_device_30_0) true)
-(expandtypeattribute (usb_serial_device_30_0) true)
-(expandtypeattribute (usb_service_30_0) true)
-(expandtypeattribute (usbaccessory_device_30_0) true)
-(expandtypeattribute (usbd_30_0) true)
-(expandtypeattribute (usbd_exec_30_0) true)
-(expandtypeattribute (usbfs_30_0) true)
-(expandtypeattribute (use_memfd_prop_30_0) true)
-(expandtypeattribute (user_profile_data_file_30_0) true)
-(expandtypeattribute (user_service_30_0) true)
-(expandtypeattribute (userdata_block_device_30_0) true)
-(expandtypeattribute (usermodehelper_30_0) true)
-(expandtypeattribute (userspace_reboot_config_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_exported_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_log_prop_30_0) true)
-(expandtypeattribute (userspace_reboot_test_prop_30_0) true)
-(expandtypeattribute (vdc_30_0) true)
-(expandtypeattribute (vdc_exec_30_0) true)
-(expandtypeattribute (vehicle_hal_prop_30_0) true)
-(expandtypeattribute (vendor_apex_file_30_0) true)
-(expandtypeattribute (vendor_app_file_30_0) true)
-(expandtypeattribute (vendor_cgroup_desc_file_30_0) true)
-(expandtypeattribute (vendor_configs_file_30_0) true)
-(expandtypeattribute (vendor_data_file_30_0) true)
-(expandtypeattribute (vendor_default_prop_30_0) true)
-(expandtypeattribute (vendor_file_30_0) true)
-(expandtypeattribute (vendor_framework_file_30_0) true)
-(expandtypeattribute (vendor_hal_file_30_0) true)
-(expandtypeattribute (vendor_idc_file_30_0) true)
-(expandtypeattribute (vendor_init_30_0) true)
-(expandtypeattribute (vendor_keychars_file_30_0) true)
-(expandtypeattribute (vendor_keylayout_file_30_0) true)
-(expandtypeattribute (vendor_misc_writer_30_0) true)
-(expandtypeattribute (vendor_misc_writer_exec_30_0) true)
-(expandtypeattribute (vendor_overlay_file_30_0) true)
-(expandtypeattribute (vendor_public_lib_file_30_0) true)
-(expandtypeattribute (vendor_security_patch_level_prop_30_0) true)
-(expandtypeattribute (vendor_shell_30_0) true)
-(expandtypeattribute (vendor_shell_exec_30_0) true)
-(expandtypeattribute (vendor_socket_hook_prop_30_0) true)
-(expandtypeattribute (vendor_task_profiles_file_30_0) true)
-(expandtypeattribute (vendor_toolbox_exec_30_0) true)
-(expandtypeattribute (vfat_30_0) true)
-(expandtypeattribute (vibrator_service_30_0) true)
-(expandtypeattribute (video_device_30_0) true)
-(expandtypeattribute (virtual_ab_prop_30_0) true)
-(expandtypeattribute (virtual_touchpad_30_0) true)
-(expandtypeattribute (virtual_touchpad_exec_30_0) true)
-(expandtypeattribute (virtual_touchpad_service_30_0) true)
-(expandtypeattribute (vndbinder_device_30_0) true)
-(expandtypeattribute (vndk_prop_30_0) true)
-(expandtypeattribute (vndk_sp_file_30_0) true)
-(expandtypeattribute (vndservice_contexts_file_30_0) true)
-(expandtypeattribute (vndservicemanager_30_0) true)
-(expandtypeattribute (voiceinteraction_service_30_0) true)
-(expandtypeattribute (vold_30_0) true)
-(expandtypeattribute (vold_data_file_30_0) true)
-(expandtypeattribute (vold_device_30_0) true)
-(expandtypeattribute (vold_exec_30_0) true)
-(expandtypeattribute (vold_metadata_file_30_0) true)
-(expandtypeattribute (vold_prepare_subdirs_30_0) true)
-(expandtypeattribute (vold_prepare_subdirs_exec_30_0) true)
-(expandtypeattribute (vold_prop_30_0) true)
-(expandtypeattribute (vold_service_30_0) true)
-(expandtypeattribute (vpn_data_file_30_0) true)
-(expandtypeattribute (vr_hwc_30_0) true)
-(expandtypeattribute (vr_hwc_exec_30_0) true)
-(expandtypeattribute (vr_hwc_service_30_0) true)
-(expandtypeattribute (vr_manager_service_30_0) true)
-(expandtypeattribute (vrflinger_vsync_service_30_0) true)
-(expandtypeattribute (wallpaper_file_30_0) true)
-(expandtypeattribute (wallpaper_service_30_0) true)
-(expandtypeattribute (watchdog_device_30_0) true)
-(expandtypeattribute (watchdogd_30_0) true)
-(expandtypeattribute (watchdogd_exec_30_0) true)
-(expandtypeattribute (webview_zygote_30_0) true)
-(expandtypeattribute (webview_zygote_exec_30_0) true)
-(expandtypeattribute (webview_zygote_tmpfs_30_0) true)
-(expandtypeattribute (webviewupdate_service_30_0) true)
-(expandtypeattribute (wifi_data_file_30_0) true)
-(expandtypeattribute (wifi_log_prop_30_0) true)
-(expandtypeattribute (wifi_prop_30_0) true)
-(expandtypeattribute (wifi_service_30_0) true)
-(expandtypeattribute (wifiaware_service_30_0) true)
-(expandtypeattribute (wificond_30_0) true)
-(expandtypeattribute (wificond_exec_30_0) true)
-(expandtypeattribute (wifinl80211_service_30_0) true)
-(expandtypeattribute (wifip2p_service_30_0) true)
-(expandtypeattribute (wifiscanner_service_30_0) true)
-(expandtypeattribute (window_service_30_0) true)
-(expandtypeattribute (wpa_socket_30_0) true)
-(expandtypeattribute (wpantund_30_0) true)
-(expandtypeattribute (wpantund_exec_30_0) true)
-(expandtypeattribute (wpantund_service_30_0) true)
-(expandtypeattribute (zero_device_30_0) true)
-(expandtypeattribute (zoneinfo_data_file_30_0) true)
-(expandtypeattribute (zygote_30_0) true)
-(expandtypeattribute (zygote_exec_30_0) true)
-(expandtypeattribute (zygote_socket_30_0) true)
-(expandtypeattribute (zygote_tmpfs_30_0) true)
-(typeattributeset DockObserver_service_30_0 (DockObserver_service))
-(typeattributeset IProxyService_service_30_0 (IProxyService_service))
-(typeattributeset accessibility_service_30_0 (accessibility_service))
-(typeattributeset account_service_30_0 (account_service))
-(typeattributeset activity_service_30_0 (activity_service))
-(typeattributeset activity_task_service_30_0 (activity_task_service))
-(typeattributeset adb_data_file_30_0 (adb_data_file))
-(typeattributeset adb_keys_file_30_0 (adb_keys_file))
-(typeattributeset adb_service_30_0 (adb_service))
-(typeattributeset adbd_30_0 (adbd))
-(typeattributeset adbd_exec_30_0 (adbd_exec))
-(typeattributeset adbd_prop_30_0 (adbd_prop))
-(typeattributeset adbd_socket_30_0 (adbd_socket))
-(typeattributeset aidl_lazy_test_server_30_0 (aidl_lazy_test_server))
-(typeattributeset aidl_lazy_test_server_exec_30_0 (aidl_lazy_test_server_exec))
-(typeattributeset aidl_lazy_test_service_30_0 (aidl_lazy_test_service))
-(typeattributeset alarm_service_30_0 (alarm_service))
-(typeattributeset anr_data_file_30_0 (anr_data_file))
-(typeattributeset apex_data_file_30_0 (apex_data_file))
-(typeattributeset apex_metadata_file_30_0 (apex_metadata_file))
-(typeattributeset apex_mnt_dir_30_0 (apex_mnt_dir))
-(typeattributeset apex_module_data_file_30_0 (apex_module_data_file))
-(typeattributeset apex_permission_data_file_30_0 (apex_permission_data_file))
-(typeattributeset apex_rollback_data_file_30_0 (apex_rollback_data_file))
-(typeattributeset apex_service_30_0 (apex_service))
-(typeattributeset apex_wifi_data_file_30_0 (apex_wifi_data_file))
-(typeattributeset apexd_30_0 (apexd))
-(typeattributeset apexd_exec_30_0 (apexd_exec))
-(typeattributeset apexd_prop_30_0 (apexd_prop))
-(typeattributeset apk_data_file_30_0 (apk_data_file))
-(typeattributeset apk_private_data_file_30_0 (apk_private_data_file))
-(typeattributeset apk_private_tmp_file_30_0 (apk_private_tmp_file))
-(typeattributeset apk_tmp_file_30_0 (apk_tmp_file))
-(typeattributeset apk_verity_prop_30_0 (apk_verity_prop))
-(typeattributeset app_binding_service_30_0 (app_binding_service))
-(typeattributeset app_data_file_30_0 (app_data_file))
-(typeattributeset app_fuse_file_30_0 (app_fuse_file))
-(typeattributeset app_fusefs_30_0 (app_fusefs))
-(typeattributeset app_integrity_service_30_0 (app_integrity_service))
-(typeattributeset app_prediction_service_30_0 (app_prediction_service))
-(typeattributeset app_search_service_30_0 (app_search_service))
-(typeattributeset app_zygote_30_0 (app_zygote))
-(typeattributeset app_zygote_tmpfs_30_0 (app_zygote_tmpfs))
-(typeattributeset appdomain_tmpfs_30_0 (appdomain_tmpfs))
-(typeattributeset appops_service_30_0 (appops_service))
-(typeattributeset appwidget_service_30_0 (appwidget_service))
-(typeattributeset art_apex_dir_30_0 (art_apex_dir))
-(typeattributeset asec_apk_file_30_0 (asec_apk_file))
-(typeattributeset asec_image_file_30_0 (asec_image_file))
-(typeattributeset asec_public_file_30_0 (asec_public_file))
-(typeattributeset ashmem_device_30_0 (ashmem_device))
-(typeattributeset ashmem_libcutils_device_30_0 (ashmem_libcutils_device))
-(typeattributeset assetatlas_service_30_0 (assetatlas_service))
-(typeattributeset audio_data_file_30_0 (audio_data_file))
-(typeattributeset audio_device_30_0 (audio_device))
-(typeattributeset audio_prop_30_0 (audio_prop))
-(typeattributeset audio_service_30_0 (audio_service))
-(typeattributeset audiohal_data_file_30_0 (audiohal_data_file))
-(typeattributeset audioserver_30_0 (audioserver))
-(typeattributeset audioserver_data_file_30_0 (audioserver_data_file))
-(typeattributeset audioserver_service_30_0 (audioserver_service))
-(typeattributeset audioserver_tmpfs_30_0 (audioserver_tmpfs))
-(typeattributeset auth_service_30_0 (auth_service))
-(typeattributeset autofill_service_30_0 (autofill_service))
-(typeattributeset backup_data_file_30_0 (backup_data_file))
-(typeattributeset backup_service_30_0 (backup_service))
-(typeattributeset battery_service_30_0 (battery_service))
-(typeattributeset batteryproperties_service_30_0 (batteryproperties_service))
-(typeattributeset batterystats_service_30_0 (batterystats_service))
-(typeattributeset binder_cache_bluetooth_server_prop_30_0 (binder_cache_bluetooth_server_prop))
-(typeattributeset binder_cache_system_server_prop_30_0 (binder_cache_system_server_prop))
-(typeattributeset binder_cache_telephony_server_prop_30_0 (binder_cache_telephony_server_prop))
-(typeattributeset binder_calls_stats_service_30_0 (binder_calls_stats_service))
-(typeattributeset binder_device_30_0 (binder_device))
-(typeattributeset binderfs_30_0 (binderfs))
-(typeattributeset binderfs_logs_30_0 (binderfs_logs))
-(typeattributeset binderfs_logs_proc_30_0 (binderfs_logs_proc))
-(typeattributeset binfmt_miscfs_30_0 (binfmt_miscfs))
-(typeattributeset biometric_service_30_0 (biometric_service))
-(typeattributeset blkid_30_0 (blkid))
-(typeattributeset blkid_untrusted_30_0 (blkid_untrusted))
-(typeattributeset blob_store_service_30_0 (blob_store_service))
-(typeattributeset block_device_30_0 (block_device))
-(typeattributeset bluetooth_30_0 (bluetooth))
-(typeattributeset bluetooth_a2dp_offload_prop_30_0 (bluetooth_a2dp_offload_prop))
-(typeattributeset bluetooth_audio_hal_prop_30_0 (bluetooth_audio_hal_prop))
-(typeattributeset bluetooth_data_file_30_0 (bluetooth_data_file))
-(typeattributeset bluetooth_efs_file_30_0 (bluetooth_efs_file))
-(typeattributeset bluetooth_logs_data_file_30_0 (bluetooth_logs_data_file))
-(typeattributeset bluetooth_manager_service_30_0 (bluetooth_manager_service))
-(typeattributeset bluetooth_prop_30_0 (bluetooth_prop))
-(typeattributeset bluetooth_service_30_0 (bluetooth_service))
-(typeattributeset bluetooth_socket_30_0 (bluetooth_socket))
-(typeattributeset boot_block_device_30_0 (boot_block_device))
-(typeattributeset bootanim_30_0 (bootanim))
-(typeattributeset bootanim_exec_30_0 (bootanim_exec))
-(typeattributeset bootchart_data_file_30_0 (bootchart_data_file))
-(typeattributeset bootloader_boot_reason_prop_30_0 (bootloader_boot_reason_prop))
-(typeattributeset bootstat_30_0 (bootstat))
-(typeattributeset bootstat_data_file_30_0 (bootstat_data_file))
-(typeattributeset bootstat_exec_30_0 (bootstat_exec))
-(typeattributeset boottime_prop_30_0 (boottime_prop))
-(typeattributeset boottime_public_prop_30_0 (boottime_public_prop))
-(typeattributeset boottrace_data_file_30_0 (boottrace_data_file))
-(typeattributeset bpf_progs_loaded_prop_30_0 (bpf_progs_loaded_prop))
-(typeattributeset bq_config_prop_30_0 (bq_config_prop))
-(typeattributeset broadcastradio_service_30_0 (broadcastradio_service))
-(typeattributeset bufferhubd_30_0 (bufferhubd))
-(typeattributeset bufferhubd_exec_30_0 (bufferhubd_exec))
-(typeattributeset bugreport_service_30_0 (bugreport_service))
-(typeattributeset cache_backup_file_30_0 (cache_backup_file))
-(typeattributeset cache_block_device_30_0 (cache_block_device))
-(typeattributeset cache_file_30_0 (cache_file))
-(typeattributeset cache_private_backup_file_30_0 (cache_private_backup_file))
-(typeattributeset cache_recovery_file_30_0 (cache_recovery_file))
-(typeattributeset camera_data_file_30_0 (camera_data_file))
-(typeattributeset camera_device_30_0 (camera_device))
-(typeattributeset cameraproxy_service_30_0 (cameraproxy_service))
-(typeattributeset cameraserver_30_0 (cameraserver))
-(typeattributeset cameraserver_exec_30_0 (cameraserver_exec))
-(typeattributeset cameraserver_service_30_0 (cameraserver_service))
-(typeattributeset cameraserver_tmpfs_30_0 (cameraserver_tmpfs))
-(typeattributeset cgroup_30_0 (cgroup))
-(typeattributeset cgroup_bpf_30_0 (cgroup_bpf))
-(typeattributeset cgroup_desc_file_30_0 (cgroup_desc_file))
-(typeattributeset cgroup_rc_file_30_0 (cgroup_rc_file))
-(typeattributeset charger_30_0 (charger))
-(typeattributeset charger_exec_30_0 (charger_exec))
-(typeattributeset charger_prop_30_0 (charger_prop))
-(typeattributeset clipboard_service_30_0 (clipboard_service))
-(typeattributeset cold_boot_done_prop_30_0 (cold_boot_done_prop))
-(typeattributeset color_display_service_30_0 (color_display_service))
-(typeattributeset companion_device_service_30_0 (companion_device_service))
-(typeattributeset config_prop_30_0 (config_prop))
-(typeattributeset configfs_30_0 (configfs))
-(typeattributeset connectivity_service_30_0 (connectivity_service))
-(typeattributeset connmetrics_service_30_0 (connmetrics_service))
-(typeattributeset console_device_30_0 (console_device))
-(typeattributeset consumer_ir_service_30_0 (consumer_ir_service))
-(typeattributeset content_capture_service_30_0 (content_capture_service))
-(typeattributeset content_service_30_0 (content_service))
-(typeattributeset content_suggestions_service_30_0 (content_suggestions_service))
-(typeattributeset contexthub_service_30_0 (contexthub_service))
-(typeattributeset coredump_file_30_0 (coredump_file))
-(typeattributeset country_detector_service_30_0 (country_detector_service))
-(typeattributeset coverage_service_30_0 (coverage_service))
-(typeattributeset cppreopt_prop_30_0 (cppreopt_prop))
-(typeattributeset cpu_variant_prop_30_0 (cpu_variant_prop))
-(typeattributeset cpuinfo_service_30_0 (cpuinfo_service))
-(typeattributeset crash_dump_30_0 (crash_dump))
-(typeattributeset crash_dump_exec_30_0 (crash_dump_exec))
-(typeattributeset credstore_30_0 (credstore))
-(typeattributeset credstore_data_file_30_0 (credstore_data_file))
-(typeattributeset credstore_exec_30_0 (credstore_exec))
-(typeattributeset credstore_service_30_0 (credstore_service))
-(typeattributeset crossprofileapps_service_30_0 (crossprofileapps_service))
-(typeattributeset ctl_adbd_prop_30_0 (ctl_adbd_prop))
-(typeattributeset ctl_apexd_prop_30_0 (ctl_apexd_prop))
-(typeattributeset ctl_bootanim_prop_30_0 (ctl_bootanim_prop))
-(typeattributeset ctl_bugreport_prop_30_0 (ctl_bugreport_prop))
-(typeattributeset ctl_console_prop_30_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_30_0 (ctl_default_prop))
-(typeattributeset ctl_dumpstate_prop_30_0 (ctl_dumpstate_prop))
-(typeattributeset ctl_fuse_prop_30_0 (ctl_fuse_prop))
-(typeattributeset ctl_gsid_prop_30_0 (ctl_gsid_prop))
-(typeattributeset ctl_interface_restart_prop_30_0 (ctl_interface_restart_prop))
-(typeattributeset ctl_interface_start_prop_30_0 (ctl_interface_start_prop))
-(typeattributeset ctl_interface_stop_prop_30_0 (ctl_interface_stop_prop))
-(typeattributeset ctl_mdnsd_prop_30_0 (ctl_mdnsd_prop))
-(typeattributeset ctl_restart_prop_30_0 (ctl_restart_prop))
-(typeattributeset ctl_rildaemon_prop_30_0 (ctl_rildaemon_prop))
-(typeattributeset ctl_sigstop_prop_30_0 (ctl_sigstop_prop))
-(typeattributeset ctl_start_prop_30_0 (ctl_start_prop))
-(typeattributeset ctl_stop_prop_30_0 (ctl_stop_prop))
-(typeattributeset dalvik_prop_30_0 (dalvik_prop))
-(typeattributeset dalvikcache_data_file_30_0 (dalvikcache_data_file))
-(typeattributeset dataloader_manager_service_30_0 (dataloader_manager_service))
-(typeattributeset dbinfo_service_30_0 (dbinfo_service))
-(typeattributeset debug_prop_30_0 (debug_prop))
-(typeattributeset debugfs_30_0 (debugfs))
-(typeattributeset debugfs_mmc_30_0 (debugfs_mmc))
-(typeattributeset debugfs_trace_marker_30_0 (debugfs_trace_marker))
-(typeattributeset debugfs_tracing_30_0 (debugfs_tracing))
-(typeattributeset debugfs_tracing_debug_30_0 (debugfs_tracing_debug
- debugfs_tracing_printk_formats))
-(typeattributeset debugfs_tracing_instances_30_0 (debugfs_tracing_instances))
-(typeattributeset debugfs_wakeup_sources_30_0 (debugfs_wakeup_sources))
-(typeattributeset debugfs_wifi_tracing_30_0 (debugfs_wifi_tracing))
-(typeattributeset debuggerd_prop_30_0 (debuggerd_prop))
-(typeattributeset default_android_hwservice_30_0 (default_android_hwservice))
-(typeattributeset default_android_service_30_0 (default_android_service))
-(typeattributeset default_android_vndservice_30_0 (default_android_vndservice))
-(typeattributeset default_prop_30_0 (
- default_prop
- audio_config_prop
- build_config_prop
- suspend_prop
- init_service_status_private_prop
- setupwizard_prop
- sqlite_log_prop
- verity_status_prop
- zygote_wrap_prop
-))
-(typeattributeset dev_cpu_variant_30_0 (dev_cpu_variant))
-(typeattributeset device_30_0 (device))
-(typeattributeset device_config_activity_manager_native_boot_prop_30_0 (device_config_activity_manager_native_boot_prop))
-(typeattributeset device_config_boot_count_prop_30_0 (device_config_boot_count_prop))
-(typeattributeset device_config_configuration_prop_30_0 (device_config_configuration_prop))
-(typeattributeset device_config_input_native_boot_prop_30_0 (device_config_input_native_boot_prop))
-(typeattributeset device_config_media_native_prop_30_0 (device_config_media_native_prop))
-(typeattributeset device_config_netd_native_prop_30_0 (device_config_netd_native_prop))
-(typeattributeset device_config_reset_performed_prop_30_0 (device_config_reset_performed_prop))
-(typeattributeset device_config_runtime_native_boot_prop_30_0 (device_config_runtime_native_boot_prop))
-(typeattributeset device_config_runtime_native_prop_30_0 (device_config_runtime_native_prop))
-(typeattributeset device_config_service_30_0 (device_config_service))
-(typeattributeset device_config_storage_native_boot_prop_30_0 (device_config_storage_native_boot_prop))
-(typeattributeset device_config_sys_traced_prop_30_0 (device_config_sys_traced_prop))
-(typeattributeset device_config_window_manager_native_boot_prop_30_0 (device_config_window_manager_native_boot_prop))
-(typeattributeset device_identifiers_service_30_0 (device_identifiers_service))
-(typeattributeset device_logging_prop_30_0 (device_logging_prop))
-(typeattributeset device_policy_service_30_0 (device_policy_service))
-(typeattributeset deviceidle_service_30_0 (deviceidle_service))
-(typeattributeset devicestoragemonitor_service_30_0 (devicestoragemonitor_service))
-(typeattributeset devpts_30_0 (devpts))
-(typeattributeset dhcp_30_0 (dhcp))
-(typeattributeset dhcp_data_file_30_0 (dhcp_data_file))
-(typeattributeset dhcp_exec_30_0 (dhcp_exec))
-(typeattributeset dhcp_prop_30_0 (dhcp_prop))
-(typeattributeset diskstats_service_30_0 (diskstats_service))
-(typeattributeset display_service_30_0 (display_service))
-(typeattributeset dm_device_30_0 (dm_device))
-(typeattributeset dnsmasq_30_0 (dnsmasq))
-(typeattributeset dnsmasq_exec_30_0 (dnsmasq_exec))
-(typeattributeset dnsproxyd_socket_30_0 (dnsproxyd_socket))
-(typeattributeset dnsresolver_service_30_0 (dnsresolver_service))
-(typeattributeset dreams_service_30_0 (dreams_service))
-(typeattributeset drm_data_file_30_0 (drm_data_file))
-(typeattributeset drmserver_30_0 (drmserver))
-(typeattributeset drmserver_exec_30_0 (drmserver_exec))
-(typeattributeset drmserver_service_30_0 (drmserver_service))
-(typeattributeset drmserver_socket_30_0 (drmserver_socket))
-(typeattributeset dropbox_data_file_30_0 (dropbox_data_file))
-(typeattributeset dropbox_service_30_0 (dropbox_service))
-(typeattributeset dumpstate_30_0 (dumpstate))
-(typeattributeset dumpstate_exec_30_0 (dumpstate_exec))
-(typeattributeset dumpstate_options_prop_30_0 (dumpstate_options_prop))
-(typeattributeset dumpstate_prop_30_0 (dumpstate_prop))
-(typeattributeset dumpstate_service_30_0 (dumpstate_service))
-(typeattributeset dumpstate_socket_30_0 (dumpstate_socket))
-(typeattributeset dynamic_system_prop_30_0 (dynamic_system_prop))
-(typeattributeset e2fs_30_0 (e2fs))
-(typeattributeset e2fs_exec_30_0 (e2fs_exec))
-(typeattributeset efs_file_30_0 (efs_file))
-(typeattributeset emergency_affordance_service_30_0 (emergency_affordance_service))
-(typeattributeset ephemeral_app_30_0 (ephemeral_app))
-(typeattributeset ethernet_service_30_0 (ethernet_service))
-(typeattributeset exfat_30_0 (exfat))
-(typeattributeset exported2_config_prop_30_0 (exported2_config_prop systemsound_config_prop))
-(typeattributeset exported2_default_prop_30_0
- ( exported2_default_prop
- aac_drc_prop
- bootloader_prop
- build_prop
- hal_instrumentation_prop
- init_service_status_prop
- libc_debug_prop
- property_service_version_prop))
-(typeattributeset exported2_radio_prop_30_0 (exported2_radio_prop))
-(typeattributeset exported2_system_prop_30_0
- ( exported2_system_prop
- dalvik_runtime_prop
- surfaceflinger_color_prop
- zram_control_prop))
-(typeattributeset exported2_vold_prop_30_0
- ( exported2_vold_prop
- vold_config_prop
- vold_post_fs_data_prop))
-(typeattributeset exported3_default_prop_30_0
- ( exported3_default_prop
- camera_calibration_prop
- camera_config_prop
- charger_config_prop
- drm_service_config_prop
- hdmi_config_prop
- keyguard_config_prop
- lmkd_config_prop
- media_config_prop
- mediadrm_config_prop
- oem_unlock_prop
- packagemanager_config_prop
- recovery_config_prop
- sendbug_config_prop
- storagemanager_config_prop
- telephony_config_prop
- tombstone_config_prop
- vts_status_prop
- wifi_config_prop
- zram_config_prop))
-(typeattributeset exported3_radio_prop_30_0 (exported3_radio_prop radio_control_prop))
-(typeattributeset exported3_system_prop_30_0
- ( exported3_system_prop
- boot_status_prop
- provisioned_prop
- retaildemo_prop))
-(typeattributeset exported_audio_prop_30_0 (exported_audio_prop audio_config_prop))
-(typeattributeset exported_bluetooth_prop_30_0 (exported_bluetooth_prop))
-(typeattributeset exported_camera_prop_30_0 (exported_camera_prop))
-(typeattributeset exported_config_prop_30_0 (exported_config_prop))
-(typeattributeset exported_dalvik_prop_30_0 (exported_dalvik_prop dalvik_config_prop))
-(typeattributeset exported_default_prop_30_0
- ( exported_default_prop
- aaudio_config_prop
- build_bootimage_prop
- build_odm_prop
- build_vendor_prop
- surfaceflinger_prop
- vts_config_prop))
-(typeattributeset exported_dumpstate_prop_30_0 (exported_dumpstate_prop))
-(typeattributeset exported_ffs_prop_30_0
- ( exported_ffs_prop
- ffs_config_prop
- ffs_control_prop))
-(typeattributeset exported_fingerprint_prop_30_0 (exported_fingerprint_prop fingerprint_prop))
-(typeattributeset exported_overlay_prop_30_0 (exported_overlay_prop))
-(typeattributeset exported_pm_prop_30_0 (exported_pm_prop))
-(typeattributeset exported_radio_prop_30_0 (exported_radio_prop telephony_status_prop))
-(typeattributeset exported_secure_prop_30_0 (exported_secure_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop charger_status_prop))
-(typeattributeset exported_system_prop_30_0 (exported_system_prop bootanim_system_prop))
-
-(typeattributeset exported_system_radio_prop_30_0
- ( exported_system_radio_prop
- usb_config_prop
- usb_control_prop))
-(typeattributeset exported_vold_prop_30_0 (exported_vold_prop vold_status_prop))
-(typeattributeset exported_wifi_prop_30_0 (exported_wifi_prop wifi_hal_prop))
-(typeattributeset external_vibrator_service_30_0 (external_vibrator_service))
-(typeattributeset face_service_30_0 (face_service))
-(typeattributeset face_vendor_data_file_30_0 (face_vendor_data_file))
-(typeattributeset fastbootd_30_0 (fastbootd))
-(typeattributeset ffs_prop_30_0 (ffs_prop))
-(typeattributeset file_contexts_file_30_0 (file_contexts_file))
-(typeattributeset file_integrity_service_30_0 (file_integrity_service))
-(typeattributeset fingerprint_service_30_0 (fingerprint_service))
-(typeattributeset fingerprint_vendor_data_file_30_0 (fingerprint_vendor_data_file))
-(typeattributeset fingerprintd_30_0 (fingerprintd))
-(typeattributeset fingerprintd_data_file_30_0 (fingerprintd_data_file))
-(typeattributeset fingerprintd_exec_30_0 (fingerprintd_exec))
-(typeattributeset fingerprintd_service_30_0 (fingerprintd_service))
-(typeattributeset firstboot_prop_30_0 (firstboot_prop))
-(typeattributeset flags_health_check_30_0 (flags_health_check))
-(typeattributeset flags_health_check_exec_30_0 (flags_health_check_exec))
-(typeattributeset font_service_30_0 (font_service))
-(typeattributeset frp_block_device_30_0 (frp_block_device))
-(typeattributeset fs_bpf_30_0 (fs_bpf))
-(typeattributeset fsck_30_0 (fsck))
-(typeattributeset fsck_exec_30_0 (fsck_exec))
-(typeattributeset fsck_untrusted_30_0 (fsck_untrusted))
-(typeattributeset fscklogs_30_0 (fscklogs))
-(typeattributeset functionfs_30_0 (functionfs))
-(typeattributeset fuse_30_0 (fuse))
-(typeattributeset fuse_device_30_0 (fuse_device))
-(typeattributeset fwk_automotive_display_hwservice_30_0 (fwk_automotive_display_hwservice))
-(typeattributeset fwk_bufferhub_hwservice_30_0 (fwk_bufferhub_hwservice))
-(typeattributeset fwk_camera_hwservice_30_0 (fwk_camera_hwservice))
-(typeattributeset fwk_display_hwservice_30_0 (fwk_display_hwservice))
-(typeattributeset fwk_scheduler_hwservice_30_0 (fwk_scheduler_hwservice))
-(typeattributeset fwk_sensor_hwservice_30_0 (fwk_sensor_hwservice))
-(typeattributeset fwk_stats_hwservice_30_0 (fwk_stats_hwservice))
-(typeattributeset fwmarkd_socket_30_0 (fwmarkd_socket))
-(typeattributeset gatekeeper_data_file_30_0 (gatekeeper_data_file))
-(typeattributeset gatekeeper_service_30_0 (gatekeeper_service))
-(typeattributeset gatekeeperd_30_0 (gatekeeperd))
-(typeattributeset gatekeeperd_exec_30_0 (gatekeeperd_exec))
-(typeattributeset gfxinfo_service_30_0 (gfxinfo_service))
-(typeattributeset gmscore_app_30_0 (gmscore_app))
-(typeattributeset gps_control_30_0 (gps_control))
-(typeattributeset gpu_device_30_0 (gpu_device))
-(typeattributeset gpu_service_30_0 (gpu_service))
-(typeattributeset gpuservice_30_0 (gpuservice))
-(typeattributeset graphics_device_30_0 (graphics_device))
-(typeattributeset graphicsstats_service_30_0 (graphicsstats_service))
-(typeattributeset gsi_data_file_30_0 (gsi_data_file))
-(typeattributeset gsi_metadata_file_30_0
- ( gsi_metadata_file
- gsi_public_metadata_file))
-(typeattributeset gsid_prop_30_0 (gsid_prop))
-(typeattributeset hal_atrace_hwservice_30_0 (hal_atrace_hwservice))
-(typeattributeset hal_audio_hwservice_30_0 (hal_audio_hwservice))
-(typeattributeset hal_audiocontrol_hwservice_30_0 (hal_audiocontrol_hwservice))
-(typeattributeset hal_authsecret_hwservice_30_0 (hal_authsecret_hwservice))
-(typeattributeset hal_bluetooth_hwservice_30_0 (hal_bluetooth_hwservice))
-(typeattributeset hal_bootctl_hwservice_30_0 (hal_bootctl_hwservice))
-(typeattributeset hal_broadcastradio_hwservice_30_0 (hal_broadcastradio_hwservice))
-(typeattributeset hal_camera_hwservice_30_0 (hal_camera_hwservice))
-(typeattributeset hal_can_bus_hwservice_30_0 (hal_can_bus_hwservice))
-(typeattributeset hal_can_controller_hwservice_30_0 (hal_can_controller_hwservice))
-(typeattributeset hal_cas_hwservice_30_0 (hal_cas_hwservice))
-(typeattributeset hal_codec2_hwservice_30_0 (hal_codec2_hwservice))
-(typeattributeset hal_configstore_ISurfaceFlingerConfigs_30_0 (hal_configstore_ISurfaceFlingerConfigs))
-(typeattributeset hal_confirmationui_hwservice_30_0 (hal_confirmationui_hwservice))
-(typeattributeset hal_contexthub_hwservice_30_0 (hal_contexthub_hwservice))
-(typeattributeset hal_drm_hwservice_30_0 (hal_drm_hwservice))
-(typeattributeset hal_dumpstate_hwservice_30_0 (hal_dumpstate_hwservice))
-(typeattributeset hal_evs_hwservice_30_0 (hal_evs_hwservice))
-(typeattributeset hal_face_hwservice_30_0 (hal_face_hwservice))
-(typeattributeset hal_fingerprint_hwservice_30_0 (hal_fingerprint_hwservice))
-(typeattributeset hal_fingerprint_service_30_0 (hal_fingerprint_service))
-(typeattributeset hal_gatekeeper_hwservice_30_0 (hal_gatekeeper_hwservice))
-(typeattributeset hal_gnss_hwservice_30_0 (hal_gnss_hwservice))
-(typeattributeset hal_graphics_allocator_hwservice_30_0 (hal_graphics_allocator_hwservice))
-(typeattributeset hal_graphics_composer_hwservice_30_0 (hal_graphics_composer_hwservice))
-(typeattributeset hal_graphics_composer_server_tmpfs_30_0 (hal_graphics_composer_server_tmpfs))
-(typeattributeset hal_graphics_mapper_hwservice_30_0 (hal_graphics_mapper_hwservice))
-(typeattributeset hal_health_hwservice_30_0 (hal_health_hwservice))
-(typeattributeset hal_health_storage_hwservice_30_0 (hal_health_storage_hwservice))
-(typeattributeset hal_identity_service_30_0 (hal_identity_service))
-(typeattributeset hal_input_classifier_hwservice_30_0 (hal_input_classifier_hwservice))
-(typeattributeset hal_ir_hwservice_30_0 (hal_ir_hwservice))
-(typeattributeset hal_keymaster_hwservice_30_0 (hal_keymaster_hwservice))
-(typeattributeset hal_light_hwservice_30_0 (hal_light_hwservice))
-(typeattributeset hal_light_service_30_0 (hal_light_service))
-(typeattributeset hal_lowpan_hwservice_30_0 (hal_lowpan_hwservice))
-(typeattributeset hal_memtrack_hwservice_30_0 (hal_memtrack_hwservice))
-(typeattributeset hal_neuralnetworks_hwservice_30_0 (hal_neuralnetworks_hwservice))
-(typeattributeset hal_nfc_hwservice_30_0 (hal_nfc_hwservice))
-(typeattributeset hal_oemlock_hwservice_30_0 (hal_oemlock_hwservice))
-(typeattributeset hal_omx_hwservice_30_0 (hal_omx_hwservice))
-(typeattributeset hal_power_hwservice_30_0 (hal_power_hwservice))
-(typeattributeset hal_power_service_30_0 (hal_power_service))
-(typeattributeset hal_power_stats_hwservice_30_0 (hal_power_stats_hwservice))
-(typeattributeset hal_rebootescrow_service_30_0 (hal_rebootescrow_service))
-(typeattributeset hal_renderscript_hwservice_30_0 (hal_renderscript_hwservice))
-(typeattributeset hal_secure_element_hwservice_30_0 (hal_secure_element_hwservice))
-(typeattributeset hal_sensors_hwservice_30_0 (hal_sensors_hwservice))
-(typeattributeset hal_telephony_hwservice_30_0 (hal_telephony_hwservice))
-(typeattributeset hal_tetheroffload_hwservice_30_0 (hal_tetheroffload_hwservice))
-(typeattributeset hal_thermal_hwservice_30_0 (hal_thermal_hwservice))
-(typeattributeset hal_tv_cec_hwservice_30_0 (hal_tv_cec_hwservice))
-(typeattributeset hal_tv_input_hwservice_30_0 (hal_tv_input_hwservice))
-(typeattributeset hal_tv_tuner_hwservice_30_0 (hal_tv_tuner_hwservice))
-(typeattributeset hal_usb_gadget_hwservice_30_0 (hal_usb_gadget_hwservice))
-(typeattributeset hal_usb_hwservice_30_0 (hal_usb_hwservice))
-(typeattributeset hal_vehicle_hwservice_30_0 (hal_vehicle_hwservice))
-(typeattributeset hal_vibrator_hwservice_30_0 (hal_vibrator_hwservice))
-(typeattributeset hal_vibrator_service_30_0 (hal_vibrator_service))
-(typeattributeset hal_vr_hwservice_30_0 (hal_vr_hwservice))
-(typeattributeset hal_weaver_hwservice_30_0 (hal_weaver_hwservice))
-(typeattributeset hal_wifi_hostapd_hwservice_30_0 (hal_wifi_hostapd_hwservice))
-(typeattributeset hal_wifi_hwservice_30_0 (hal_wifi_hwservice))
-(typeattributeset hal_wifi_supplicant_hwservice_30_0 (hal_wifi_supplicant_hwservice))
-(typeattributeset hardware_properties_service_30_0 (hardware_properties_service))
-(typeattributeset hardware_service_30_0 (hardware_service))
-(typeattributeset hci_attach_dev_30_0 (hci_attach_dev))
-(typeattributeset hdmi_control_service_30_0 (hdmi_control_service))
-(typeattributeset healthd_30_0 (healthd))
-(typeattributeset healthd_exec_30_0 (healthd_exec))
-(typeattributeset heapdump_data_file_30_0 (heapdump_data_file))
-(typeattributeset heapprofd_30_0 (heapprofd))
-(typeattributeset heapprofd_enabled_prop_30_0 (heapprofd_enabled_prop))
-(typeattributeset heapprofd_prop_30_0 (heapprofd_prop))
-(typeattributeset heapprofd_socket_30_0 (heapprofd_socket))
-(typeattributeset hidl_allocator_hwservice_30_0 (hidl_allocator_hwservice))
-(typeattributeset hidl_base_hwservice_30_0 (hidl_base_hwservice))
-(typeattributeset hidl_manager_hwservice_30_0 (hidl_manager_hwservice))
-(typeattributeset hidl_memory_hwservice_30_0 (hidl_memory_hwservice))
-(typeattributeset hidl_token_hwservice_30_0 (hidl_token_hwservice))
-(typeattributeset hw_random_device_30_0 (hw_random_device))
-(typeattributeset hwbinder_device_30_0 (hwbinder_device))
-(typeattributeset hwservice_contexts_file_30_0 (hwservice_contexts_file))
-(typeattributeset hwservicemanager_30_0 (hwservicemanager))
-(typeattributeset hwservicemanager_exec_30_0 (hwservicemanager_exec))
-(typeattributeset hwservicemanager_prop_30_0 (hwservicemanager_prop))
-(typeattributeset icon_file_30_0 (icon_file))
-(typeattributeset idmap_30_0 (idmap))
-(typeattributeset idmap_exec_30_0 (idmap_exec))
-(typeattributeset idmap_service_30_0 (idmap_service))
-(typeattributeset iio_device_30_0 (iio_device))
-(typeattributeset imms_service_30_0 (imms_service))
-(typeattributeset incident_30_0 (incident))
-(typeattributeset incident_data_file_30_0 (incident_data_file))
-(typeattributeset incident_helper_30_0 (incident_helper))
-(typeattributeset incident_service_30_0 (incident_service))
-(typeattributeset incidentd_30_0 (incidentd))
-(typeattributeset incremental_control_file_30_0 (incremental_control_file))
-(typeattributeset incremental_prop_30_0 (incremental_prop))
-(typeattributeset incremental_service_30_0 (incremental_service))
-(typeattributeset init_30_0 (init))
-(typeattributeset init_exec_30_0 (init_exec))
-(typeattributeset init_perf_lsm_hooks_prop_30_0 (init_perf_lsm_hooks_prop))
-(typeattributeset init_svc_debug_prop_30_0 (init_svc_debug_prop))
-(typeattributeset init_tmpfs_30_0 (init_tmpfs))
-(typeattributeset inotify_30_0 (inotify))
-(typeattributeset input_device_30_0 (input_device))
-(typeattributeset input_method_service_30_0 (input_method_service))
-(typeattributeset input_service_30_0 (input_service))
-(typeattributeset inputflinger_30_0 (inputflinger))
-(typeattributeset inputflinger_exec_30_0 (inputflinger_exec))
-(typeattributeset inputflinger_service_30_0 (inputflinger_service))
-(typeattributeset install_data_file_30_0 (install_data_file))
-(typeattributeset installd_30_0 (installd))
-(typeattributeset installd_exec_30_0 (installd_exec))
-(typeattributeset installd_service_30_0 (installd_service))
-(typeattributeset ion_device_30_0 (ion_device))
-(typeattributeset iorap_inode2filename_30_0 (iorap_inode2filename))
-(typeattributeset iorap_inode2filename_exec_30_0 (iorap_inode2filename_exec))
-(typeattributeset iorap_inode2filename_tmpfs_30_0 (iorap_inode2filename_tmpfs))
-(typeattributeset iorap_prefetcherd_30_0 (iorap_prefetcherd))
-(typeattributeset iorap_prefetcherd_exec_30_0 (iorap_prefetcherd_exec))
-(typeattributeset iorap_prefetcherd_tmpfs_30_0 (iorap_prefetcherd_tmpfs))
-(typeattributeset iorapd_30_0 (iorapd))
-(typeattributeset iorapd_data_file_30_0 (iorapd_data_file))
-(typeattributeset iorapd_exec_30_0 (iorapd_exec))
-(typeattributeset iorapd_service_30_0 (iorapd_service))
-(typeattributeset iorapd_tmpfs_30_0 (iorapd_tmpfs))
-(typeattributeset ipsec_service_30_0 (ipsec_service))
-(typeattributeset iris_service_30_0 (iris_service))
-(typeattributeset iris_vendor_data_file_30_0 (iris_vendor_data_file))
-(typeattributeset isolated_app_30_0 (isolated_app))
-(typeattributeset jobscheduler_service_30_0 (jobscheduler_service))
-(typeattributeset kernel_30_0 (kernel))
-(typeattributeset keychain_data_file_30_0 (keychain_data_file))
-(typeattributeset keychord_device_30_0 (keychord_device))
-(typeattributeset keystore_30_0 (keystore))
-(typeattributeset keystore_data_file_30_0 (keystore_data_file))
-(typeattributeset keystore_exec_30_0 (keystore_exec))
-(typeattributeset keystore_service_30_0 (keystore_service))
-(typeattributeset kmsg_debug_device_30_0 (kmsg_debug_device))
-(typeattributeset kmsg_device_30_0 (kmsg_device))
-(typeattributeset labeledfs_30_0 (labeledfs))
-(typeattributeset last_boot_reason_prop_30_0 (last_boot_reason_prop))
-(typeattributeset launcherapps_service_30_0 (launcherapps_service))
-(typeattributeset light_service_30_0 (light_service))
-(typeattributeset linkerconfig_file_30_0 (linkerconfig_file))
-(typeattributeset llkd_30_0 (llkd))
-(typeattributeset llkd_exec_30_0 (llkd_exec))
-(typeattributeset llkd_prop_30_0 (llkd_prop))
-(typeattributeset lmkd_30_0 (lmkd))
-(typeattributeset lmkd_exec_30_0 (lmkd_exec))
-(typeattributeset lmkd_prop_30_0 (lmkd_prop))
-(typeattributeset lmkd_socket_30_0 (lmkd_socket))
-(typeattributeset location_service_30_0 (location_service))
-(typeattributeset lock_settings_service_30_0 (lock_settings_service))
-(typeattributeset log_prop_30_0 (log_prop))
-(typeattributeset log_tag_prop_30_0 (log_tag_prop))
-(typeattributeset logcat_exec_30_0 (logcat_exec))
-(typeattributeset logd_30_0 (logd))
-(typeattributeset logd_exec_30_0 (logd_exec))
-(typeattributeset logd_prop_30_0 (logd_prop))
-(typeattributeset logd_socket_30_0 (logd_socket))
-(typeattributeset logdr_socket_30_0 (logdr_socket))
-(typeattributeset logdw_socket_30_0 (logdw_socket))
-(typeattributeset logpersist_30_0 (logpersist))
-(typeattributeset logpersistd_logging_prop_30_0 (logpersistd_logging_prop))
-(typeattributeset loop_control_device_30_0 (loop_control_device))
-(typeattributeset loop_device_30_0 (loop_device))
-(typeattributeset looper_stats_service_30_0 (looper_stats_service))
-(typeattributeset lowpan_device_30_0 (lowpan_device))
-(typeattributeset lowpan_prop_30_0 (lowpan_prop))
-(typeattributeset lowpan_service_30_0 (lowpan_service))
-(typeattributeset lpdump_service_30_0 (lpdump_service))
-(typeattributeset lpdumpd_prop_30_0 (lpdumpd_prop))
-(typeattributeset mac_perms_file_30_0 (mac_perms_file))
-(typeattributeset mdns_socket_30_0 (mdns_socket))
-(typeattributeset mdnsd_30_0 (mdnsd))
-(typeattributeset mdnsd_socket_30_0 (mdnsd_socket))
-(typeattributeset media_data_file_30_0 (media_data_file))
-(typeattributeset media_projection_service_30_0 (media_projection_service))
-(typeattributeset media_router_service_30_0 (media_router_service))
-(typeattributeset media_rw_data_file_30_0 (media_rw_data_file))
-(typeattributeset media_session_service_30_0 (media_session_service))
-(typeattributeset media_variant_prop_30_0 (media_variant_prop))
-(typeattributeset mediadrmserver_30_0 (mediadrmserver))
-(typeattributeset mediadrmserver_exec_30_0 (mediadrmserver_exec))
-(typeattributeset mediadrmserver_service_30_0 (mediadrmserver_service))
-(typeattributeset mediaextractor_30_0 (mediaextractor))
-(typeattributeset mediaextractor_exec_30_0 (mediaextractor_exec))
-(typeattributeset mediaextractor_service_30_0 (mediaextractor_service))
-(typeattributeset mediaextractor_tmpfs_30_0 (mediaextractor_tmpfs))
-(typeattributeset mediametrics_30_0 (mediametrics))
-(typeattributeset mediametrics_exec_30_0 (mediametrics_exec))
-(typeattributeset mediametrics_service_30_0 (mediametrics_service))
-(typeattributeset mediaprovider_30_0 (mediaprovider))
-(typeattributeset mediaserver_30_0 (mediaserver))
-(typeattributeset mediaserver_exec_30_0 (mediaserver_exec))
-(typeattributeset mediaserver_service_30_0 (mediaserver_service))
-(typeattributeset mediaserver_tmpfs_30_0 (mediaserver_tmpfs))
-(typeattributeset mediaswcodec_30_0 (mediaswcodec))
-(typeattributeset mediaswcodec_exec_30_0 (mediaswcodec_exec))
-(typeattributeset mediatranscoding_30_0 (mediatranscoding))
-(typeattributeset mediatranscoding_exec_30_0 (mediatranscoding_exec))
-(typeattributeset mediatranscoding_service_30_0 (mediatranscoding_service))
-(typeattributeset meminfo_service_30_0 (meminfo_service))
-(typeattributeset metadata_block_device_30_0 (metadata_block_device))
-(typeattributeset metadata_bootstat_file_30_0 (metadata_bootstat_file))
-(typeattributeset metadata_file_30_0 (metadata_file))
-(typeattributeset method_trace_data_file_30_0 (method_trace_data_file))
-(typeattributeset midi_service_30_0 (midi_service))
-(typeattributeset mirror_data_file_30_0 (mirror_data_file))
-(typeattributeset misc_block_device_30_0 (misc_block_device))
-(typeattributeset misc_logd_file_30_0 (misc_logd_file))
-(typeattributeset misc_user_data_file_30_0 (misc_user_data_file))
-(typeattributeset mmc_prop_30_0 (mmc_prop))
-(typeattributeset mnt_expand_file_30_0 (mnt_expand_file))
-(typeattributeset mnt_media_rw_file_30_0 (mnt_media_rw_file))
-(typeattributeset mnt_media_rw_stub_file_30_0 (mnt_media_rw_stub_file))
-(typeattributeset mnt_pass_through_file_30_0 (mnt_pass_through_file))
-(typeattributeset mnt_product_file_30_0 (mnt_product_file))
-(typeattributeset mnt_sdcard_file_30_0 (mnt_sdcard_file))
-(typeattributeset mnt_user_file_30_0 (mnt_user_file))
-(typeattributeset mnt_vendor_file_30_0 (mnt_vendor_file))
-(typeattributeset mock_ota_prop_30_0 (mock_ota_prop))
-(typeattributeset modprobe_30_0 (modprobe))
-(typeattributeset module_sdkextensions_prop_30_0 (module_sdkextensions_prop))
-(typeattributeset mount_service_30_0 (mount_service))
-(typeattributeset mqueue_30_0 (mqueue))
-(typeattributeset mtp_30_0 (mtp))
-(typeattributeset mtp_device_30_0 (mtp_device))
-(typeattributeset mtp_exec_30_0 (mtp_exec))
-(typeattributeset mtpd_socket_30_0 (mtpd_socket))
-(typeattributeset nativetest_data_file_30_0 (nativetest_data_file))
-(typeattributeset net_data_file_30_0 (net_data_file))
-(typeattributeset net_dns_prop_30_0 (net_dns_prop))
-(typeattributeset net_radio_prop_30_0 (net_radio_prop))
-(typeattributeset netd_30_0 (netd))
-(typeattributeset netd_exec_30_0 (netd_exec))
-(typeattributeset netd_listener_service_30_0 (netd_listener_service))
-(typeattributeset netd_service_30_0 (netd_service))
-(typeattributeset netd_stable_secret_prop_30_0 (netd_stable_secret_prop))
-(typeattributeset netif_30_0 (netif))
-(typeattributeset netpolicy_service_30_0 (netpolicy_service))
-(typeattributeset netstats_service_30_0 (netstats_service))
-(typeattributeset netutils_wrapper_30_0 (netutils_wrapper))
-(typeattributeset netutils_wrapper_exec_30_0 (netutils_wrapper_exec))
-(typeattributeset network_management_service_30_0 (network_management_service))
-(typeattributeset network_score_service_30_0 (network_score_service))
-(typeattributeset network_stack_30_0 (network_stack))
-(typeattributeset network_stack_service_30_0 (network_stack_service))
-(typeattributeset network_time_update_service_30_0 (network_time_update_service))
-(typeattributeset network_watchlist_data_file_30_0 (network_watchlist_data_file))
-(typeattributeset network_watchlist_service_30_0 (network_watchlist_service))
-(typeattributeset nfc_30_0 (nfc))
-(typeattributeset nfc_data_file_30_0 (nfc_data_file))
-(typeattributeset nfc_device_30_0 (nfc_device))
-(typeattributeset nfc_prop_30_0 (nfc_prop))
-(typeattributeset nfc_service_30_0 (nfc_service))
-(typeattributeset nnapi_ext_deny_product_prop_30_0 (nnapi_ext_deny_product_prop))
-(typeattributeset node_30_0 (node))
-(typeattributeset nonplat_service_contexts_file_30_0 (nonplat_service_contexts_file))
-(typeattributeset notification_service_30_0 (notification_service))
-(typeattributeset null_device_30_0 (null_device))
-(typeattributeset oem_lock_service_30_0 (oem_lock_service))
-(typeattributeset oemfs_30_0 (oemfs))
-(typeattributeset ota_data_file_30_0 (ota_data_file))
-(typeattributeset ota_metadata_file_30_0 (ota_metadata_file))
-(typeattributeset ota_package_file_30_0 (ota_package_file))
-(typeattributeset ota_prop_30_0 (ota_prop))
-(typeattributeset otadexopt_service_30_0 (otadexopt_service))
-(typeattributeset overlay_prop_30_0 (overlay_prop))
-(typeattributeset overlay_service_30_0 (overlay_service))
-(typeattributeset overlayfs_file_30_0 (overlayfs_file))
-(typeattributeset owntty_device_30_0 (owntty_device))
-(typeattributeset package_native_service_30_0 (package_native_service))
-(typeattributeset package_service_30_0 (package_service))
-(typeattributeset packages_list_file_30_0 (packages_list_file))
-(typeattributeset pan_result_prop_30_0 (pan_result_prop))
-(typeattributeset password_slot_metadata_file_30_0 (password_slot_metadata_file))
-(typeattributeset pdx_bufferhub_client_channel_socket_30_0 (pdx_bufferhub_client_channel_socket))
-(typeattributeset pdx_bufferhub_client_endpoint_socket_30_0 (pdx_bufferhub_client_endpoint_socket))
-(typeattributeset pdx_bufferhub_dir_30_0 (pdx_bufferhub_dir))
-(typeattributeset pdx_display_client_channel_socket_30_0 (pdx_display_client_channel_socket))
-(typeattributeset pdx_display_client_endpoint_socket_30_0 (pdx_display_client_endpoint_socket))
-(typeattributeset pdx_display_dir_30_0 (pdx_display_dir))
-(typeattributeset pdx_display_manager_channel_socket_30_0 (pdx_display_manager_channel_socket))
-(typeattributeset pdx_display_manager_endpoint_socket_30_0 (pdx_display_manager_endpoint_socket))
-(typeattributeset pdx_display_screenshot_channel_socket_30_0 (pdx_display_screenshot_channel_socket))
-(typeattributeset pdx_display_screenshot_endpoint_socket_30_0 (pdx_display_screenshot_endpoint_socket))
-(typeattributeset pdx_display_vsync_channel_socket_30_0 (pdx_display_vsync_channel_socket))
-(typeattributeset pdx_display_vsync_endpoint_socket_30_0 (pdx_display_vsync_endpoint_socket))
-(typeattributeset pdx_performance_client_channel_socket_30_0 (pdx_performance_client_channel_socket))
-(typeattributeset pdx_performance_client_endpoint_socket_30_0 (pdx_performance_client_endpoint_socket))
-(typeattributeset pdx_performance_dir_30_0 (pdx_performance_dir))
-(typeattributeset perfetto_30_0 (perfetto))
-(typeattributeset performanced_30_0 (performanced))
-(typeattributeset performanced_exec_30_0 (performanced_exec))
-(typeattributeset permission_service_30_0 (permission_service))
-(typeattributeset permissionmgr_service_30_0 (permissionmgr_service))
-(typeattributeset persist_debug_prop_30_0 (persist_debug_prop))
-(typeattributeset persistent_data_block_service_30_0 (persistent_data_block_service))
-(typeattributeset persistent_properties_ready_prop_30_0 (persistent_properties_ready_prop))
-(typeattributeset pinner_service_30_0 (pinner_service))
-(typeattributeset pipefs_30_0 (pipefs))
-(typeattributeset platform_app_30_0 (platform_app))
-(typeattributeset platform_compat_service_30_0 (platform_compat_service))
-(typeattributeset pm_prop_30_0 (pm_prop))
-(typeattributeset pmsg_device_30_0 (pmsg_device))
-(typeattributeset port_30_0 (port))
-(typeattributeset port_device_30_0 (port_device))
-(typeattributeset postinstall_30_0 (postinstall))
-(typeattributeset postinstall_apex_mnt_dir_30_0 (postinstall_apex_mnt_dir))
-(typeattributeset postinstall_file_30_0 (postinstall_file))
-(typeattributeset postinstall_mnt_dir_30_0 (postinstall_mnt_dir))
-(typeattributeset power_service_30_0 (power_service))
-(typeattributeset powerctl_prop_30_0 (powerctl_prop))
-(typeattributeset ppp_30_0 (ppp))
-(typeattributeset ppp_device_30_0 (ppp_device))
-(typeattributeset ppp_exec_30_0 (ppp_exec))
-(typeattributeset preloads_data_file_30_0 (preloads_data_file))
-(typeattributeset preloads_media_file_30_0 (preloads_media_file))
-(typeattributeset prereboot_data_file_30_0 (prereboot_data_file))
-(typeattributeset print_service_30_0 (print_service))
-(typeattributeset priv_app_30_0 (priv_app))
-(typeattributeset privapp_data_file_30_0 (privapp_data_file))
-(typeattributeset proc_30_0
- ( proc
- proc_bootconfig))
-(typeattributeset proc_abi_30_0 (proc_abi))
-(typeattributeset proc_asound_30_0 (proc_asound))
-(typeattributeset proc_bluetooth_writable_30_0 (proc_bluetooth_writable))
-(typeattributeset proc_buddyinfo_30_0 (proc_buddyinfo))
-(typeattributeset proc_cmdline_30_0 (proc_cmdline))
-(typeattributeset proc_cpuinfo_30_0 (proc_cpuinfo))
-(typeattributeset proc_dirty_30_0 (proc_dirty))
-(typeattributeset proc_diskstats_30_0 (proc_diskstats))
-(typeattributeset proc_drop_caches_30_0 (proc_drop_caches))
-(typeattributeset proc_extra_free_kbytes_30_0 (proc_extra_free_kbytes))
-(typeattributeset proc_filesystems_30_0 (proc_filesystems))
-(typeattributeset proc_fs_verity_30_0 (proc_fs_verity))
-(typeattributeset proc_hostname_30_0 (proc_hostname))
-(typeattributeset proc_hung_task_30_0 (proc_hung_task))
-(typeattributeset proc_interrupts_30_0 (proc_interrupts))
-(typeattributeset proc_iomem_30_0 (proc_iomem))
-(typeattributeset proc_keys_30_0 (proc_keys))
-(typeattributeset proc_kmsg_30_0 (proc_kmsg))
-(typeattributeset proc_kpageflags_30_0 (proc_kpageflags))
-(typeattributeset proc_loadavg_30_0 (proc_loadavg))
-(typeattributeset proc_lowmemorykiller_30_0 (proc_lowmemorykiller))
-(typeattributeset proc_max_map_count_30_0 (proc_max_map_count))
-(typeattributeset proc_meminfo_30_0 (proc_meminfo))
-(typeattributeset proc_min_free_order_shift_30_0 (proc_min_free_order_shift))
-(typeattributeset proc_misc_30_0 (proc_misc))
-(typeattributeset proc_modules_30_0 (proc_modules))
-(typeattributeset proc_mounts_30_0 (proc_mounts))
-(typeattributeset proc_net_30_0 (proc_net))
-(typeattributeset proc_net_tcp_udp_30_0 (proc_net_tcp_udp))
-(typeattributeset proc_overcommit_memory_30_0 (proc_overcommit_memory))
-(typeattributeset proc_page_cluster_30_0 (proc_page_cluster))
-(typeattributeset proc_pagetypeinfo_30_0 (proc_pagetypeinfo))
-(typeattributeset proc_panic_30_0 (proc_panic))
-(typeattributeset proc_perf_30_0 (proc_perf))
-(typeattributeset proc_pid_max_30_0 (proc_pid_max))
-(typeattributeset proc_pipe_conf_30_0 (proc_pipe_conf))
-(typeattributeset proc_pressure_cpu_30_0 (proc_pressure_cpu))
-(typeattributeset proc_pressure_io_30_0 (proc_pressure_io))
-(typeattributeset proc_pressure_mem_30_0 (proc_pressure_mem))
-(typeattributeset proc_qtaguid_ctrl_30_0 (proc_qtaguid_ctrl))
-(typeattributeset proc_qtaguid_stat_30_0 (proc_qtaguid_stat))
-(typeattributeset proc_random_30_0 (proc_random))
-(typeattributeset proc_sched_30_0 (proc_sched))
-(typeattributeset proc_security_30_0 (proc_security))
-(typeattributeset proc_slabinfo_30_0 (proc_slabinfo))
-(typeattributeset proc_stat_30_0 (proc_stat))
-(typeattributeset proc_swaps_30_0 (proc_swaps))
-(typeattributeset proc_sysrq_30_0 (proc_sysrq))
-(typeattributeset proc_timer_30_0 (proc_timer))
-(typeattributeset proc_tty_drivers_30_0 (proc_tty_drivers))
-(typeattributeset proc_uid_concurrent_active_time_30_0 (proc_uid_concurrent_active_time))
-(typeattributeset proc_uid_concurrent_policy_time_30_0 (proc_uid_concurrent_policy_time))
-(typeattributeset proc_uid_cpupower_30_0 (proc_uid_cpupower))
-(typeattributeset proc_uid_cputime_removeuid_30_0 (proc_uid_cputime_removeuid))
-(typeattributeset proc_uid_cputime_showstat_30_0 (proc_uid_cputime_showstat))
-(typeattributeset proc_uid_io_stats_30_0 (proc_uid_io_stats))
-(typeattributeset proc_uid_procstat_set_30_0 (proc_uid_procstat_set))
-(typeattributeset proc_uid_time_in_state_30_0 (proc_uid_time_in_state))
-(typeattributeset proc_uptime_30_0 (proc_uptime))
-(typeattributeset proc_version_30_0 (proc_version))
-(typeattributeset proc_vmallocinfo_30_0 (proc_vmallocinfo))
-(typeattributeset proc_vmstat_30_0 (proc_vmstat))
-(typeattributeset proc_zoneinfo_30_0 (proc_zoneinfo))
-(typeattributeset processinfo_service_30_0 (processinfo_service))
-(typeattributeset procstats_service_30_0 (procstats_service))
-(typeattributeset profman_30_0 (profman))
-(typeattributeset profman_dump_data_file_30_0 (profman_dump_data_file))
-(typeattributeset profman_exec_30_0 (profman_exec))
-(typeattributeset properties_device_30_0 (properties_device))
-(typeattributeset properties_serial_30_0 (properties_serial))
-(typeattributeset property_contexts_file_30_0 (property_contexts_file))
-(typeattributeset property_data_file_30_0 (property_data_file))
-(typeattributeset property_info_30_0 (property_info))
-(typeattributeset property_socket_30_0 (property_socket))
-(typeattributeset pstorefs_30_0 (pstorefs))
-(typeattributeset ptmx_device_30_0 (ptmx_device))
-(typeattributeset qtaguid_device_30_0 (qtaguid_device))
-(typeattributeset racoon_30_0 (racoon))
-(typeattributeset racoon_exec_30_0 (racoon_exec))
-(typeattributeset racoon_socket_30_0 (racoon_socket))
-(typeattributeset radio_30_0 (radio))
-(typeattributeset radio_data_file_30_0 (radio_data_file))
-(typeattributeset radio_device_30_0 (radio_device))
-(typeattributeset radio_prop_30_0 (radio_prop))
-(typeattributeset radio_service_30_0 (radio_service))
-(typeattributeset ram_device_30_0 (ram_device))
-(typeattributeset random_device_30_0 (random_device))
-(typeattributeset rebootescrow_hal_prop_30_0 (rebootescrow_hal_prop))
-(typeattributeset recovery_30_0 (recovery))
-(typeattributeset recovery_block_device_30_0 (recovery_block_device))
-(typeattributeset recovery_data_file_30_0 (recovery_data_file))
-(typeattributeset recovery_persist_30_0 (recovery_persist))
-(typeattributeset recovery_persist_exec_30_0 (recovery_persist_exec))
-(typeattributeset recovery_refresh_30_0 (recovery_refresh))
-(typeattributeset recovery_refresh_exec_30_0 (recovery_refresh_exec))
-(typeattributeset recovery_service_30_0 (recovery_service))
-(typeattributeset recovery_socket_30_0 (recovery_socket))
-(typeattributeset registry_service_30_0 (registry_service))
-(typeattributeset resourcecache_data_file_30_0 (resourcecache_data_file))
-(typeattributeset restorecon_prop_30_0 (restorecon_prop))
-(typeattributeset restrictions_service_30_0 (restrictions_service))
-(typeattributeset rild_debug_socket_30_0 (rild_debug_socket))
-(typeattributeset rild_socket_30_0 (rild_socket))
-(typeattributeset ringtone_file_30_0 (ringtone_file))
-(typeattributeset role_service_30_0 (role_service))
-(typeattributeset rollback_service_30_0 (rollback_service))
-(typeattributeset root_block_device_30_0 (root_block_device))
-(typeattributeset rootfs_30_0 (rootfs))
-(typeattributeset rpmsg_device_30_0 (rpmsg_device))
-(typeattributeset rs_30_0 (rs))
-(typeattributeset rs_exec_30_0 (rs_exec))
-(typeattributeset rss_hwm_reset_30_0 (rss_hwm_reset))
-(typeattributeset rtc_device_30_0 (rtc_device))
-(typeattributeset rttmanager_service_30_0 (rttmanager_service))
-(typeattributeset runas_30_0 (runas))
-(typeattributeset runas_app_30_0 (runas_app))
-(typeattributeset runas_exec_30_0 (runas_exec))
-(typeattributeset runtime_event_log_tags_file_30_0 (runtime_event_log_tags_file))
-(typeattributeset runtime_service_30_0 (runtime_service))
-(typeattributeset safemode_prop_30_0 (safemode_prop))
-(typeattributeset same_process_hal_file_30_0 (same_process_hal_file))
-(typeattributeset samplingprofiler_service_30_0 (samplingprofiler_service))
-(typeattributeset scheduling_policy_service_30_0 (scheduling_policy_service))
-(typeattributeset sdcard_block_device_30_0 (sdcard_block_device))
-(typeattributeset sdcardd_30_0 (sdcardd))
-(typeattributeset sdcardd_exec_30_0 (sdcardd_exec))
-(typeattributeset sdcardfs_30_0 (sdcardfs))
-(typeattributeset seapp_contexts_file_30_0 (seapp_contexts_file))
-(typeattributeset search_service_30_0 (search_service))
-(typeattributeset sec_key_att_app_id_provider_service_30_0 (sec_key_att_app_id_provider_service))
-(typeattributeset secure_element_30_0 (secure_element))
-(typeattributeset secure_element_device_30_0 (secure_element_device))
-(typeattributeset secure_element_service_30_0 (secure_element_service))
-(typeattributeset securityfs_30_0 (securityfs))
-(typeattributeset selinuxfs_30_0 (selinuxfs))
-(typeattributeset sensor_privacy_service_30_0 (sensor_privacy_service))
-(typeattributeset sensors_device_30_0 (sensors_device))
-(typeattributeset sensorservice_service_30_0 (sensorservice_service))
-(typeattributeset sepolicy_file_30_0 (sepolicy_file))
-(typeattributeset serial_device_30_0 (serial_device))
-(typeattributeset serial_service_30_0 (serial_service))
-(typeattributeset serialno_prop_30_0 (serialno_prop))
-(typeattributeset server_configurable_flags_data_file_30_0 (server_configurable_flags_data_file))
-(typeattributeset service_contexts_file_30_0 (service_contexts_file))
-(typeattributeset service_manager_service_30_0 (service_manager_service))
-(typeattributeset service_manager_vndservice_30_0 (service_manager_vndservice))
-(typeattributeset servicediscovery_service_30_0 (servicediscovery_service))
-(typeattributeset servicemanager_30_0 (servicemanager))
-(typeattributeset servicemanager_exec_30_0 (servicemanager_exec))
-(typeattributeset settings_service_30_0 (settings_service))
-(typeattributeset sgdisk_30_0 (sgdisk))
-(typeattributeset sgdisk_exec_30_0 (sgdisk_exec))
-(typeattributeset shared_relro_30_0 (shared_relro))
-(typeattributeset shared_relro_file_30_0 (shared_relro_file))
-(typeattributeset shell_30_0 (shell))
-(typeattributeset shell_data_file_30_0 (shell_data_file))
-(typeattributeset shell_exec_30_0 (shell_exec))
-(typeattributeset shell_prop_30_0 (shell_prop))
-(typeattributeset shm_30_0 (shm))
-(typeattributeset shortcut_manager_icons_30_0 (shortcut_manager_icons))
-(typeattributeset shortcut_service_30_0 (shortcut_service))
-(typeattributeset simpleperf_30_0 (simpleperf))
-(typeattributeset simpleperf_app_runner_30_0 (simpleperf_app_runner))
-(typeattributeset simpleperf_app_runner_exec_30_0 (simpleperf_app_runner_exec))
-(typeattributeset slice_service_30_0 (slice_service))
-(typeattributeset slideshow_30_0 (slideshow))
-(typeattributeset snapshotctl_log_data_file_30_0 (snapshotctl_log_data_file))
-(typeattributeset socket_device_30_0 (socket_device))
-(typeattributeset socket_hook_prop_30_0 (socket_hook_prop))
-(typeattributeset sockfs_30_0 (sockfs))
-(typeattributeset sota_prop_30_0 (sota_prop))
-(typeattributeset soundtrigger_middleware_service_30_0 (soundtrigger_middleware_service))
-(typeattributeset staging_data_file_30_0 (staging_data_file))
-(typeattributeset stats_data_file_30_0 (stats_data_file))
-(typeattributeset statsd_30_0 (statsd))
-(typeattributeset statsd_exec_30_0 (statsd_exec))
-(typeattributeset statsdw_socket_30_0 (statsdw_socket))
-(typeattributeset statusbar_service_30_0 (statusbar_service))
-(typeattributeset storage_config_prop_30_0 (storage_config_prop))
-(typeattributeset storage_file_30_0 (storage_file))
-(typeattributeset storage_stub_file_30_0 (storage_stub_file))
-(typeattributeset storaged_service_30_0 (storaged_service))
-(typeattributeset storagestats_service_30_0 (storagestats_service))
-(typeattributeset su_30_0 (su))
-(typeattributeset su_exec_30_0 (su_exec))
-(typeattributeset super_block_device_30_0 (super_block_device))
-(typeattributeset surfaceflinger_30_0 (surfaceflinger))
-(typeattributeset surfaceflinger_service_30_0 (surfaceflinger_service))
-(typeattributeset surfaceflinger_tmpfs_30_0 (surfaceflinger_tmpfs))
-(typeattributeset swap_block_device_30_0 (swap_block_device))
-(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_features))
-(typeattributeset sysfs_30_0 (sysfs sysfs_fs_incfs_metrics))
-(typeattributeset sysfs_android_usb_30_0 (sysfs_android_usb))
-(typeattributeset sysfs_batteryinfo_30_0 (sysfs_batteryinfo))
-(typeattributeset sysfs_bluetooth_writable_30_0 (sysfs_bluetooth_writable))
-(typeattributeset sysfs_devices_block_30_0 (sysfs_devices_block))
-(typeattributeset sysfs_devices_system_cpu_30_0 (sysfs_devices_system_cpu))
-(typeattributeset sysfs_dm_30_0 (sysfs_dm))
-(typeattributeset sysfs_dm_verity_30_0 (sysfs_dm_verity))
-(typeattributeset sysfs_dt_firmware_android_30_0 (sysfs_dt_firmware_android))
-(typeattributeset sysfs_extcon_30_0 (sysfs_extcon))
-(typeattributeset sysfs_fs_ext4_features_30_0 (sysfs_fs_ext4_features))
-(typeattributeset sysfs_fs_f2fs_30_0 (sysfs_fs_f2fs))
-(typeattributeset sysfs_hwrandom_30_0 (sysfs_hwrandom))
-(typeattributeset sysfs_ion_30_0 (sysfs_ion))
-(typeattributeset sysfs_ipv4_30_0 (sysfs_ipv4))
-(typeattributeset sysfs_kernel_notes_30_0 (sysfs_kernel_notes))
-(typeattributeset sysfs_leds_30_0 (sysfs_leds))
-(typeattributeset sysfs_loop_30_0 (sysfs_loop))
-(typeattributeset sysfs_lowmemorykiller_30_0 (sysfs_lowmemorykiller))
-(typeattributeset sysfs_net_30_0 (sysfs_net))
-(typeattributeset sysfs_nfc_power_writable_30_0 (sysfs_nfc_power_writable))
-(typeattributeset sysfs_power_30_0 (sysfs_power))
-(typeattributeset sysfs_rtc_30_0 (sysfs_rtc))
-(typeattributeset sysfs_suspend_stats_30_0 (sysfs_suspend_stats))
-(typeattributeset sysfs_switch_30_0 (sysfs_switch))
-(typeattributeset sysfs_thermal_30_0 (sysfs_thermal))
-(typeattributeset sysfs_transparent_hugepage_30_0 (sysfs_transparent_hugepage))
-(typeattributeset sysfs_uio_30_0 (sysfs_uio))
-(typeattributeset sysfs_usb_30_0 (sysfs_usb))
-(typeattributeset sysfs_usermodehelper_30_0 (sysfs_usermodehelper))
-(typeattributeset sysfs_vibrator_30_0 (sysfs_vibrator))
-(typeattributeset sysfs_wake_lock_30_0 (sysfs_wake_lock))
-(typeattributeset sysfs_wakeup_30_0 (sysfs_wakeup))
-(typeattributeset sysfs_wakeup_reasons_30_0 (sysfs_wakeup_reasons))
-(typeattributeset sysfs_wlan_fwpath_30_0 (sysfs_wlan_fwpath))
-(typeattributeset sysfs_zram_30_0 (sysfs_zram))
-(typeattributeset sysfs_zram_uevent_30_0 (sysfs_zram_uevent))
-(typeattributeset system_adbd_prop_30_0 (system_adbd_prop))
-(typeattributeset system_app_30_0 (system_app))
-(typeattributeset system_app_data_file_30_0 (system_app_data_file))
-(typeattributeset system_app_service_30_0 (system_app_service))
-(typeattributeset system_asan_options_file_30_0 (system_asan_options_file))
-(typeattributeset system_block_device_30_0 (system_block_device))
-(typeattributeset system_boot_reason_prop_30_0 (system_boot_reason_prop))
-(typeattributeset system_bootstrap_lib_file_30_0 (system_bootstrap_lib_file))
-(typeattributeset system_config_service_30_0 (system_config_service))
-(typeattributeset system_data_file_30_0 (system_data_file))
-(typeattributeset system_data_root_file_30_0 (system_data_root_file))
-(typeattributeset system_event_log_tags_file_30_0 (system_event_log_tags_file))
-(typeattributeset system_file_30_0 (system_file))
-(typeattributeset system_group_file_30_0 (system_group_file))
-(typeattributeset system_jvmti_agent_prop_30_0 (system_jvmti_agent_prop))
-(typeattributeset system_lib_file_30_0 (system_lib_file))
-(typeattributeset system_linker_config_file_30_0 (system_linker_config_file))
-(typeattributeset system_linker_exec_30_0 (system_linker_exec))
-(typeattributeset system_lmk_prop_30_0 (system_lmk_prop))
-(typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket))
-(typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice))
-(typeattributeset system_passwd_file_30_0 (system_passwd_file))
-(typeattributeset system_prop_30_0 (system_prop))
-(typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop))
-(typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file))
-(typeattributeset system_security_cacerts_file_30_0 (system_security_cacerts_file))
-(typeattributeset system_server_30_0 (system_server))
-(typeattributeset system_server_tmpfs_30_0 (system_server_tmpfs))
-(typeattributeset system_suspend_control_service_30_0 (system_suspend_control_service))
-(typeattributeset system_suspend_hwservice_30_0 (system_suspend_hwservice))
-(typeattributeset system_trace_prop_30_0 (system_trace_prop))
-(typeattributeset system_unsolzygote_socket_30_0 (system_unsolzygote_socket))
-(typeattributeset system_update_service_30_0 (system_update_service))
-(typeattributeset system_wifi_keystore_hwservice_30_0 (system_wifi_keystore_hwservice))
-(typeattributeset system_wpa_socket_30_0 (system_wpa_socket))
-(typeattributeset system_zoneinfo_file_30_0 (system_zoneinfo_file))
-(typeattributeset systemkeys_data_file_30_0 (systemkeys_data_file))
-(typeattributeset task_profiles_file_30_0 (task_profiles_file))
-(typeattributeset task_service_30_0 (task_service))
-(typeattributeset tcpdump_exec_30_0 (tcpdump_exec))
-(typeattributeset tee_30_0 (tee))
-(typeattributeset tee_data_file_30_0 (tee_data_file))
-(typeattributeset tee_device_30_0 (tee_device))
-(typeattributeset telecom_service_30_0 (telecom_service))
-(typeattributeset test_boot_reason_prop_30_0 (test_boot_reason_prop))
-(typeattributeset test_harness_prop_30_0 (test_harness_prop))
-(typeattributeset testharness_service_30_0 (testharness_service))
-(typeattributeset tethering_service_30_0 (tethering_service))
-(typeattributeset textclassification_service_30_0 (textclassification_service))
-(typeattributeset textclassifier_data_file_30_0 (textclassifier_data_file))
-(typeattributeset textservices_service_30_0 (textservices_service))
-(typeattributeset theme_prop_30_0 (theme_prop))
-(typeattributeset thermal_service_30_0 (thermal_service))
-(typeattributeset thermalcallback_hwservice_30_0 (thermalcallback_hwservice))
-(typeattributeset time_prop_30_0 (time_prop))
-(typeattributeset timedetector_service_30_0 (timedetector_service))
-(typeattributeset timezone_service_30_0 (timezone_service))
-(typeattributeset timezonedetector_service_30_0 (timezonedetector_service))
-(typeattributeset tmpfs_30_0 (tmpfs))
-(typeattributeset tombstone_data_file_30_0 (tombstone_data_file))
-(typeattributeset tombstone_wifi_data_file_30_0 (tombstone_wifi_data_file))
-(typeattributeset tombstoned_30_0 (tombstoned))
-(typeattributeset tombstoned_crash_socket_30_0 (tombstoned_crash_socket))
-(typeattributeset tombstoned_exec_30_0 (tombstoned_exec))
-(typeattributeset tombstoned_intercept_socket_30_0 (tombstoned_intercept_socket))
-(typeattributeset tombstoned_java_trace_socket_30_0 (tombstoned_java_trace_socket))
-(typeattributeset toolbox_30_0 (toolbox))
-(typeattributeset toolbox_exec_30_0 (toolbox_exec))
-(typeattributeset trace_data_file_30_0 (trace_data_file))
-(typeattributeset traced_30_0 (traced))
-(typeattributeset traced_consumer_socket_30_0 (traced_consumer_socket))
-(typeattributeset traced_enabled_prop_30_0 (traced_enabled_prop))
-(typeattributeset traced_lazy_prop_30_0 (traced_lazy_prop))
-(typeattributeset traced_perf_30_0 (traced_perf))
-(typeattributeset traced_perf_enabled_prop_30_0 (traced_perf_enabled_prop))
-(typeattributeset traced_perf_socket_30_0 (traced_perf_socket))
-(typeattributeset traced_probes_30_0 (traced_probes))
-(typeattributeset traced_producer_socket_30_0 (traced_producer_socket))
-(typeattributeset traceur_app_30_0 (traceur_app))
-(typeattributeset trust_service_30_0 (trust_service))
-(typeattributeset tty_device_30_0 (tty_device))
-(typeattributeset tun_device_30_0 (tun_device))
-(typeattributeset tv_input_service_30_0 (tv_input_service))
-(typeattributeset tv_tuner_resource_mgr_service_30_0 (tv_tuner_resource_mgr_service))
-(typeattributeset tzdatacheck_30_0 (tzdatacheck))
-(typeattributeset tzdatacheck_exec_30_0 (tzdatacheck_exec))
-(typeattributeset ueventd_30_0 (ueventd))
-(typeattributeset ueventd_tmpfs_30_0 (ueventd_tmpfs))
-(typeattributeset uhid_device_30_0 (uhid_device))
-(typeattributeset uimode_service_30_0 (uimode_service))
-(typeattributeset uio_device_30_0 (uio_device))
-(typeattributeset uncrypt_30_0 (uncrypt))
-(typeattributeset uncrypt_exec_30_0 (uncrypt_exec))
-(typeattributeset uncrypt_socket_30_0 (uncrypt_socket))
-(typeattributeset unencrypted_data_file_30_0 (unencrypted_data_file))
-(typeattributeset unlabeled_30_0 (unlabeled))
-(typeattributeset untrusted_app_25_30_0 (untrusted_app_25))
-(typeattributeset untrusted_app_27_30_0 (untrusted_app_27))
-(typeattributeset untrusted_app_29_30_0 (untrusted_app_29))
-(typeattributeset untrusted_app_30_0 (untrusted_app))
-(typeattributeset update_engine_30_0 (update_engine))
-(typeattributeset update_engine_data_file_30_0 (update_engine_data_file))
-(typeattributeset update_engine_exec_30_0 (update_engine_exec))
-(typeattributeset update_engine_log_data_file_30_0 (update_engine_log_data_file))
-(typeattributeset update_engine_service_30_0 (update_engine_service))
-(typeattributeset update_verifier_30_0 (update_verifier))
-(typeattributeset update_verifier_exec_30_0 (update_verifier_exec))
-(typeattributeset updatelock_service_30_0 (updatelock_service))
-(typeattributeset uri_grants_service_30_0 (uri_grants_service))
-(typeattributeset usagestats_service_30_0 (usagestats_service))
-(typeattributeset usb_device_30_0 (usb_device))
-(typeattributeset usb_serial_device_30_0 (usb_serial_device))
-(typeattributeset usb_service_30_0 (usb_service))
-(typeattributeset usbaccessory_device_30_0 (usbaccessory_device))
-(typeattributeset usbd_30_0 (usbd))
-(typeattributeset usbd_exec_30_0 (usbd_exec))
-(typeattributeset usbfs_30_0 (usbfs))
-(typeattributeset use_memfd_prop_30_0 (use_memfd_prop))
-(typeattributeset user_profile_data_file_30_0
- ( user_profile_data_file
- user_profile_root_file
-))
-(typeattributeset user_service_30_0 (user_service))
-(typeattributeset userdata_block_device_30_0 (userdata_block_device))
-(typeattributeset usermodehelper_30_0 (usermodehelper))
-(typeattributeset userspace_reboot_config_prop_30_0 (userspace_reboot_config_prop))
-(typeattributeset userspace_reboot_exported_prop_30_0 (userspace_reboot_exported_prop))
-(typeattributeset userspace_reboot_log_prop_30_0 (userspace_reboot_log_prop))
-(typeattributeset userspace_reboot_test_prop_30_0 (userspace_reboot_test_prop))
-(typeattributeset vdc_30_0 (vdc))
-(typeattributeset vdc_exec_30_0 (vdc_exec))
-(typeattributeset vehicle_hal_prop_30_0 (vehicle_hal_prop))
-(typeattributeset vendor_apex_file_30_0 (vendor_apex_file))
-(typeattributeset vendor_app_file_30_0 (vendor_app_file))
-(typeattributeset vendor_cgroup_desc_file_30_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_30_0 (vendor_configs_file))
-(typeattributeset vendor_data_file_30_0 (vendor_data_file))
-(typeattributeset vendor_default_prop_30_0 (vendor_default_prop))
-(typeattributeset vendor_file_30_0 (vendor_file))
-(typeattributeset vendor_framework_file_30_0 (vendor_framework_file))
-(typeattributeset vendor_hal_file_30_0 (vendor_hal_file))
-(typeattributeset vendor_idc_file_30_0 (vendor_idc_file))
-(typeattributeset vendor_init_30_0 (vendor_init))
-(typeattributeset vendor_keychars_file_30_0 (vendor_keychars_file))
-(typeattributeset vendor_keylayout_file_30_0 (vendor_keylayout_file))
-(typeattributeset vendor_misc_writer_30_0 (vendor_misc_writer))
-(typeattributeset vendor_misc_writer_exec_30_0 (vendor_misc_writer_exec))
-(typeattributeset vendor_overlay_file_30_0 (vendor_overlay_file))
-(typeattributeset vendor_public_lib_file_30_0
- ( vendor_public_framework_file
- vendor_public_lib_file))
-(typeattributeset vendor_security_patch_level_prop_30_0 (vendor_security_patch_level_prop))
-(typeattributeset vendor_shell_30_0 (vendor_shell))
-(typeattributeset vendor_shell_exec_30_0 (vendor_shell_exec))
-(typeattributeset vendor_socket_hook_prop_30_0 (vendor_socket_hook_prop))
-(typeattributeset vendor_task_profiles_file_30_0 (vendor_task_profiles_file))
-(typeattributeset vendor_toolbox_exec_30_0 (vendor_toolbox_exec))
-(typeattributeset vfat_30_0 (vfat))
-(typeattributeset vibrator_service_30_0 (vibrator_service))
-(typeattributeset video_device_30_0 (video_device))
-(typeattributeset virtual_ab_prop_30_0 (virtual_ab_prop))
-(typeattributeset virtual_touchpad_30_0 (virtual_touchpad))
-(typeattributeset virtual_touchpad_exec_30_0 (virtual_touchpad_exec))
-(typeattributeset virtual_touchpad_service_30_0 (virtual_touchpad_service))
-(typeattributeset vndbinder_device_30_0 (vndbinder_device))
-(typeattributeset vndk_prop_30_0 (vndk_prop))
-(typeattributeset vndk_sp_file_30_0 (vndk_sp_file))
-(typeattributeset vndservice_contexts_file_30_0 (vndservice_contexts_file))
-(typeattributeset vndservicemanager_30_0 (vndservicemanager))
-(typeattributeset voiceinteraction_service_30_0 (voiceinteraction_service))
-(typeattributeset vold_30_0 (vold))
-(typeattributeset vold_data_file_30_0 (vold_data_file))
-(typeattributeset vold_device_30_0 (vold_device))
-(typeattributeset vold_exec_30_0 (vold_exec))
-(typeattributeset vold_metadata_file_30_0 (vold_metadata_file))
-(typeattributeset vold_prepare_subdirs_30_0 (vold_prepare_subdirs))
-(typeattributeset vold_prepare_subdirs_exec_30_0 (vold_prepare_subdirs_exec))
-(typeattributeset vold_prop_30_0 (vold_prop))
-(typeattributeset vold_service_30_0 (vold_service))
-(typeattributeset vpn_data_file_30_0 (vpn_data_file))
-(typeattributeset vr_hwc_30_0 (vr_hwc))
-(typeattributeset vr_hwc_exec_30_0 (vr_hwc_exec))
-(typeattributeset vr_hwc_service_30_0 (vr_hwc_service))
-(typeattributeset vr_manager_service_30_0 (vr_manager_service))
-(typeattributeset vrflinger_vsync_service_30_0 (vrflinger_vsync_service))
-(typeattributeset wallpaper_file_30_0 (wallpaper_file))
-(typeattributeset wallpaper_service_30_0 (wallpaper_service))
-(typeattributeset watchdog_device_30_0 (watchdog_device))
-(typeattributeset watchdogd_30_0 (watchdogd))
-(typeattributeset watchdogd_exec_30_0 (watchdogd_exec))
-(typeattributeset webview_zygote_30_0 (webview_zygote))
-(typeattributeset webview_zygote_exec_30_0 (webview_zygote_exec))
-(typeattributeset webview_zygote_tmpfs_30_0 (webview_zygote_tmpfs))
-(typeattributeset webviewupdate_service_30_0 (webviewupdate_service))
-(typeattributeset wifi_data_file_30_0 (wifi_data_file))
-(typeattributeset wifi_log_prop_30_0 (wifi_log_prop))
-(typeattributeset wifi_prop_30_0 (wifi_prop))
-(typeattributeset wifi_service_30_0 (wifi_service))
-(typeattributeset wifiaware_service_30_0 (wifiaware_service))
-(typeattributeset wificond_30_0 (wificond))
-(typeattributeset wificond_exec_30_0 (wificond_exec))
-(typeattributeset wifinl80211_service_30_0 (wifinl80211_service))
-(typeattributeset wifip2p_service_30_0 (wifip2p_service))
-(typeattributeset wifiscanner_service_30_0 (wifiscanner_service))
-(typeattributeset window_service_30_0 (window_service))
-(typeattributeset wpa_socket_30_0 (wpa_socket))
-(typeattributeset wpantund_30_0 (wpantund))
-(typeattributeset wpantund_exec_30_0 (wpantund_exec))
-(typeattributeset wpantund_service_30_0 (wpantund_service))
-(typeattributeset zero_device_30_0 (zero_device))
-(typeattributeset zoneinfo_data_file_30_0 (zoneinfo_data_file))
-(typeattributeset zygote_30_0 (zygote))
-(typeattributeset zygote_exec_30_0 (zygote_exec))
-(typeattributeset zygote_socket_30_0 (zygote_socket))
-(typeattributeset zygote_tmpfs_30_0 (zygote_tmpfs))
diff --git a/private/compat/30.0/30.0.compat.cil b/private/compat/30.0/30.0.compat.cil
deleted file mode 100644
index 97c5874..0000000
--- a/private/compat/30.0/30.0.compat.cil
+++ /dev/null
@@ -1,10 +0,0 @@
-(typeattribute vendordomain)
-(typeattributeset vendordomain ((and (domain) ((not (coredomain))))))
-
-;; TODO: Once 30.0 is no longer supported for vendor images,
-;; mlsvendorcompat can be completely from the system policy.
-(typeattributeset mlsvendorcompat (and appdomain vendordomain))
-(allow mlsvendorcompat app_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat app_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
-(allow mlsvendorcompat privapp_data_file (dir (ioctl read write create getattr setattr lock rename open watch watch_reads add_name remove_name reparent search rmdir)))
-(allow mlsvendorcompat privapp_data_file (file (ioctl read write create getattr setattr lock append map unlink rename open watch watch_reads)))
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
deleted file mode 100644
index 0c36aed..0000000
--- a/private/compat/30.0/30.0.ignore.cil
+++ /dev/null
@@ -1,154 +0,0 @@
-;; new_objects - a collection of types that have been introduced that have no
-;; analogue in older policy. Thus, we do not need to map these types to
-;; previous ones. Add here to pass checkapi tests.
-(type new_objects)
-(typeattribute new_objects)
-(typeattributeset new_objects
- ( new_objects
- ab_update_gki_prop
- adbd_config_prop
- apc_service
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
- apex_info_file
- apex_ota_reserved_file
- apex_scheduling_data_file
- apexd_config_prop
- app_hibernation_service
- appcompat_data_file
- arm64_memtag_prop
- authorization_service
- bootanim_config_prop
- camera2_extensions_prop
- camerax_extensions_prop
- cgroup_desc_api_file
- cgroup_v2
- codec2_config_prop
- ctl_snapuserd_prop
- dck_prop
- debugfs_kprobes
- debugfs_mm_events_tracing
- debugfs_bootreceiver_tracing
- debugfs_restriction_prop
- device_config_profcollect_native_boot_prop
- device_config_connectivity_prop
- device_config_swcodec_native_prop
- device_state_service
- dm_user_device
- dmabuf_heap_device
- dmabuf_system_heap_device
- dmabuf_system_secure_heap_device
- domain_verification_service
- dumpstate_tmpfs
- framework_watchdog_config_prop
- fs_bpf_tethering
- fwk_stats_service
- game_service
- font_data_file
- gki_apex_prepostinstall
- gki_apex_prepostinstall_exec
- hal_audio_service
- hal_authsecret_service
- hal_audiocontrol_service
- hal_face_service
- hal_fingerprint_service
- hal_health_storage_service
- hal_memtrack_service
- hal_oemlock_service
- hint_service
- gnss_device
- gnss_time_update_service
- hal_dumpstate_config_prop
- hal_gnss_service
- hal_keymint_service
- hal_neuralnetworks_service
- hal_power_stats_service
- hal_remotelyprovisionedcomponent_service
- hal_secureclock_service
- hal_sharedsecret_service
- hal_uwb_service
- hal_weaver_service
- hw_timeout_multiplier_prop
- keystore_compat_hal_service
- keystore_maintenance_service
- keystore_metrics_service
- keystore2_key_contexts_file
- legacy_permission_service
- legacykeystore_service
- location_time_zone_manager_service
- media_communication_service
- media_metrics_service
- mediatuner_exec
- mediatuner_service
- mediatuner
- mediatranscoding_tmpfs
- memtrackproxy_service
- mm_events_config_prop
- music_recognition_service
- nfc_logs_data_file
- odrefresh
- odrefresh_exec
- odsign
- odsign_data_file
- odsign_exec
- pac_proxy_service
- permission_checker_service
- people_service
- persist_vendor_debug_wifi_prop
- postinstall_dexopt_exec
- postinstall_device_mnt_dir
- postinstall_product_mnt_dir
- postinstall_vendor_mnt_dir
- power_debug_prop
- powerstats_service
- proc_kallsyms
- proc_locks
- profcollectd
- profcollectd_data_file
- profcollectd_exec
- profcollectd_node_id_prop
- profcollectd_service
- qemu_hw_prop
- qemu_sf_lcd_density_prop
- radio_core_data_file
- reboot_readiness_service
- remote_prov_app
- remoteprovisioning_service
- resolver_service
- search_ui_service
- shell_test_data_file
- smartspace_service
- snapuserd
- snapuserd_exec
- snapuserd_socket
- soc_prop
- speech_recognition_service
- sysfs_block
- sysfs_devfreq_cur
- sysfs_devfreq_dir
- sysfs_devices_cs_etm
- sysfs_dma_heap
- sysfs_dmabuf_stats
- sysfs_uhid
- system_server_dumper_service
- system_suspend_control_internal_service
- task_profiles_api_file
- texttospeech_service
- translation_service
- update_engine_stable_service
- userdata_sysdev
- userspace_reboot_metadata_file
- uwb_service
- vcn_management_service
- vd_device
- vendor_kernel_modules
- vendor_modprobe
- vibrator_manager_service
- virtualization_service
- vpn_management_service
- watchdog_metadata_file
- wifi_key
- zygote_config_prop
- proc_vendor_sched
- sysfs_vendor_sched))
diff --git a/private/coredomain.te b/private/coredomain.te
index b7f4f5d..86e8009 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,33 +1,5 @@
-get_prop(coredomain, boot_status_prop)
-get_prop(coredomain, camera_config_prop)
-get_prop(coredomain, dalvik_config_prop)
-get_prop(coredomain, dalvik_runtime_prop)
-get_prop(coredomain, exported_pm_prop)
-get_prop(coredomain, ffs_config_prop)
-get_prop(coredomain, graphics_config_prop)
-get_prop(coredomain, hdmi_config_prop)
-get_prop(coredomain, init_service_status_private_prop)
-get_prop(coredomain, lmkd_config_prop)
-get_prop(coredomain, localization_prop)
get_prop(coredomain, pm_prop)
-get_prop(coredomain, radio_control_prop)
-get_prop(coredomain, rollback_test_prop)
-get_prop(coredomain, setupwizard_prop)
-get_prop(coredomain, sqlite_log_prop)
-get_prop(coredomain, storagemanager_config_prop)
-get_prop(coredomain, surfaceflinger_color_prop)
-get_prop(coredomain, systemsound_config_prop)
-get_prop(coredomain, telephony_config_prop)
-get_prop(coredomain, usb_config_prop)
-get_prop(coredomain, usb_control_prop)
-get_prop(coredomain, userspace_reboot_config_prop)
-get_prop(coredomain, vold_config_prop)
-get_prop(coredomain, vts_status_prop)
-get_prop(coredomain, zygote_config_prop)
-get_prop(coredomain, zygote_wrap_prop)
-
-# TODO(b/170590987): remove this after cleaning up default_prop
-get_prop(coredomain, default_prop)
+get_prop(coredomain, exported_pm_prop)
full_treble_only(`
neverallow {
@@ -43,7 +15,7 @@
')
# On TREBLE devices, a limited set of files in /vendor are accessible to
-# only a few allowlisted coredomains to keep system/vendor separation.
+# only a few whitelisted coredomains to keep system/vendor separation.
full_treble_only(`
# Limit access to /vendor/app
neverallow {
@@ -54,7 +26,7 @@
-idmap
-init
-installd
- -heapprofd
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -71,8 +43,7 @@
-idmap
-init
-installd
- -heapprofd
- userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-heapprofd')
-postinstall_dexopt
-rs # spawned by appdomain, so carryover the exception above
-system_server
@@ -98,7 +69,7 @@
-app_zygote
-webview_zygote
-zygote
- -heapprofd
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:dir { getattr open read search };
')
@@ -118,8 +89,7 @@
-app_zygote
-webview_zygote
-zygote
- -heapprofd
- userdebug_or_eng(`-profcollectd')
+ userdebug_or_eng(`-heapprofd')
} vendor_overlay_file:file open;
')
@@ -153,11 +123,9 @@
# debugfs
neverallow {
coredomain
- no_debugfs_restriction(`
- -dumpstate
- -init
- -system_server
- ')
+ -dumpstate
+ -init
+ -system_server
} debugfs:file no_rw_file_perms;
# tracefs
@@ -165,14 +133,11 @@
coredomain
-atrace
-dumpstate
- -gpuservice
-init
- -traced_perf
-traced_probes
-shell
-system_server
-traceur_app
- userdebug_or_eng(`-profcollectd')
} debugfs_tracing:file no_rw_file_perms;
# inotifyfs
@@ -219,17 +184,6 @@
coredomain
-init
}{ usbfs binfmt_miscfs }:file no_rw_file_perms;
-
- # dmabuf heaps
- neverallow {
- coredomain
- -init
- -ueventd
- }{
- dmabuf_heap_device_type
- -dmabuf_system_heap_device
- -dmabuf_system_secure_heap_device
- }:chr_file no_rw_file_perms;
')
# Following /dev nodes must not be directly accessed by coredomain, but should
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 9233a4d..f130327 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -17,16 +17,8 @@
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
-
-# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
- allow crash_dump {
- apexd
- keystore
- llkd
- logd
- vold
- }:process { ptrace signal sigchld sigstop sigkill };
+ allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
')
###
@@ -43,7 +35,6 @@
init
kernel
keystore
- userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
@@ -56,7 +47,3 @@
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
-
-# Read ART APEX data directory
-allow crash_dump apex_art_data_file:dir { getattr search };
-allow crash_dump apex_art_data_file:file r_file_perms;
diff --git a/private/crosvm.te b/private/crosvm.te
deleted file mode 100644
index 5d7080a..0000000
--- a/private/crosvm.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type crosvm, domain, coredomain;
-type crosvm_exec, system_file_type, exec_type, file_type;
-type crosvm_tmpfs, file_type;
-
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from virtmanager.
-allow crosvm virtmanager:fd use;
-
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
-
-# Most other domains shouldn't access /dev/kvm.
-neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
deleted file mode 100644
index 2299ba0..0000000
--- a/private/derive_classpath.te
+++ /dev/null
@@ -1,25 +0,0 @@
-
-# Domain for derive_classpath
-type derive_classpath, domain, coredomain;
-type derive_classpath_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(derive_classpath)
-
-# Read /apex
-allow derive_classpath apex_mnt_dir:dir r_dir_perms;
-
-# Create /data/system/environ/classpath file
-allow derive_classpath environ_system_data_file:dir rw_dir_perms;
-allow derive_classpath environ_system_data_file:file create_file_perms;
-
-# b/183079517 fails on gphone targets otherwise
-allow derive_classpath unlabeled:dir search;
-
-# Allow derive_classpath to write the classpath into ota dexopt
-# - Read the ota's apex dir
-allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
-# - Report the BCP to the ota's dexopt
-allow derive_classpath postinstall_dexopt:dir search;
-allow derive_classpath postinstall_dexopt:fd use;
-allow derive_classpath postinstall_dexopt:file read;
-allow derive_classpath postinstall_dexopt:lnk_file read;
-allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
diff --git a/private/dex2oat.te b/private/dex2oat.te
index e7cdd5f..7907f6c 100644
--- a/private/dex2oat.te
+++ b/private/dex2oat.te
@@ -2,8 +2,6 @@
type dex2oat, domain, coredomain;
type dex2oat_exec, system_file_type, exec_type, file_type;
-userfaultfd_use(dex2oat)
-
r_dir_file(dex2oat, apk_data_file)
# Access to /vendor/app
r_dir_file(dex2oat, vendor_app_file)
@@ -15,11 +13,13 @@
r_dir_file(dex2oat, dalvikcache_data_file)
allow dex2oat dalvikcache_data_file:file write;
+# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot images, where
+# the oat file is symlinked to the original file in /system.
+allow dex2oat dalvikcache_data_file:lnk_file read;
allow dex2oat installd:fd use;
# Acquire advisory lock on /system/framework/arm/*
allow dex2oat system_file:file lock;
-allow dex2oat postinstall_file:file lock;
# Read already open asec_apk_file file descriptors passed by installd.
# Also allow reading unlabeled files, to allow for upgrading forward
@@ -35,32 +35,6 @@
# the framework.
allow dex2oat { privapp_data_file app_data_file }:file { getattr read write lock map };
-# Allow dex2oat to find files and directories under /data/misc/apexdata/com.android.runtime.
-allow dex2oat apex_module_data_file:dir search;
-
-# Allow dex2oat to use file descriptors passed from odrefresh.
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to use devpts and file descriptors passed from odsign
-allow dex2oat odsign_devpts:chr_file { read write };
-allow dex2oat odsign:fd use;
-
-# Allow dex2oat to write to file descriptors from odrefresh for files
-# in the staging area.
-allow dex2oat apex_art_staging_data_file:dir r_dir_perms;
-allow dex2oat apex_art_staging_data_file:file { getattr map read write unlink };
-
-# Allow dex2oat to read artifacts from odrefresh.
-allow dex2oat apex_art_data_file:dir r_dir_perms;
-allow dex2oat apex_art_data_file:file r_file_perms;
-
-# Allow dex2oat to read runtime native flag properties.
-get_prop(dex2oat, device_config_runtime_native_prop)
-get_prop(dex2oat, device_config_runtime_native_boot_prop)
-
-# Allow dex2oat to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
-
##################
# A/B OTA Dexopt #
##################
@@ -79,7 +53,6 @@
# Allow dex2oat access to /postinstall/apex.
allow dex2oat postinstall_apex_mnt_dir:dir { getattr search };
-allow dex2oat postinstall_apex_mnt_dir:file r_file_perms;
# Allow dex2oat access to files in /data/ota.
allow dex2oat ota_data_file:dir ra_dir_perms;
@@ -102,6 +75,7 @@
allow dex2oat apexd:fd use;
# Allow dex2oat to use file descriptors from preinstall.
+allow dex2oat art_apex_preinstall:fd use;
##############
# Neverallow #
diff --git a/private/dexoptanalyzer.te b/private/dexoptanalyzer.te
index 8eb1d29..a2b2b01 100644
--- a/private/dexoptanalyzer.te
+++ b/private/dexoptanalyzer.te
@@ -11,30 +11,15 @@
# Use tmpfs_domain() which will give tmpfs files created by dexoptanalyzer their
# own label, which differs from other labels created by other processes.
# This allows to distinguish in policy files created by dexoptanalyzer vs other
-# processes.
+#processes.
tmpfs_domain(dexoptanalyzer)
-userfaultfd_use(dexoptanalyzer)
-
-# Allow dexoptanalyzer to read files in the dalvik cache.
-allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
-allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
-
# Read symlinks in /data/dalvik-cache. This is required for PIC mode boot
# app_data_file the oat file is symlinked to the original file in /system.
+allow dexoptanalyzer dalvikcache_data_file:dir { getattr search };
+allow dexoptanalyzer dalvikcache_data_file:file r_file_perms;
allow dexoptanalyzer dalvikcache_data_file:lnk_file read;
-# Allow dexoptanalyzer to read files in the ART APEX data directory.
-allow dexoptanalyzer { apex_art_data_file apex_module_data_file }:dir { getattr search };
-allow dexoptanalyzer apex_art_data_file:file r_file_perms;
-
-# Allow dexoptanalyzer to use file descriptors from odrefresh.
-allow dexoptanalyzer odrefresh:fd use;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow dexoptanalyzer odsign:fd use;
-allow dexoptanalyzer odsign_devpts:chr_file { read write };
-
allow dexoptanalyzer installd:fd use;
allow dexoptanalyzer installd:fifo_file { getattr write };
@@ -43,14 +28,12 @@
# Allow reading secondary dex files that were reported by the app to the
# package manager.
+allow dexoptanalyzer { privapp_data_file app_data_file }:dir { getattr search };
allow dexoptanalyzer { privapp_data_file app_data_file }:file { getattr read map };
+# dexoptanalyzer calls access(2) with W_OK flag on app data. We can use the
+# "dontaudit...audit_access" policy line to suppress the audit access without
+# suppressing denial on actual access.
+dontaudit dexoptanalyzer { privapp_data_file app_data_file }:dir audit_access;
# Allow testing /data/user/0 which symlinks to /data/data
allow dexoptanalyzer system_data_file:lnk_file { getattr };
-
-# Allow query ART device config properties
-get_prop(dexoptanalyzer, device_config_runtime_native_prop)
-get_prop(dexoptanalyzer, device_config_runtime_native_boot_prop)
-
-# Allow dexoptanalyzer to read /apex/apex-info-list.xml
-allow dexoptanalyzer apex_info_file:file r_file_perms;
diff --git a/private/dhcp.te b/private/dhcp.te
index 8ec9111..b2f8ac7 100644
--- a/private/dhcp.te
+++ b/private/dhcp.te
@@ -2,6 +2,3 @@
init_daemon_domain(dhcp)
type_transition dhcp system_data_file:{ dir file } dhcp_data_file;
-
-set_prop(dhcp, dhcp_prop)
-set_prop(dhcp, pan_result_prop)
diff --git a/private/domain.te b/private/domain.te
index b91d36d..7116dad 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -11,7 +11,7 @@
# necessary SELinux permissions.
get_prop(domain, heapprofd_prop);
# Allow heap profiling on debug builds.
-userdebug_or_eng(`can_profile_heap({
+userdebug_or_eng(`can_profile_heap_central({
domain
-bpfloader
-init
@@ -49,22 +49,14 @@
-zygote
})')
-# Everyone can access the IncFS list of features.
-r_dir_file(domain, sysfs_fs_incfs_features);
-
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
allow { domain -appdomain -rs } cgroup:file w_file_perms;
-allow domain cgroup_v2:dir search;
-allow { domain -appdomain -rs } cgroup_v2:dir w_dir_perms;
-allow { domain -appdomain -rs } cgroup_v2:file w_file_perms;
-
allow domain cgroup_rc_file:dir search;
allow domain cgroup_rc_file:file r_file_perms;
allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
allow domain vendor_task_profiles_file:file r_file_perms;
# Allow all domains to read sys.use_memfd to determine
@@ -80,16 +72,33 @@
# For now, everyone can access core property files
# Device specific properties are not granted by default
not_compatible_property(`
- # DO NOT ADD ANY PROPERTIES HERE
get_prop(domain, core_property_type)
+ get_prop(domain, exported_dalvik_prop)
+ get_prop(domain, exported_ffs_prop)
+ get_prop(domain, exported_system_radio_prop)
+ get_prop(domain, exported2_config_prop)
+ get_prop(domain, exported2_radio_prop)
+ get_prop(domain, exported2_system_prop)
+ get_prop(domain, exported2_vold_prop)
+ get_prop(domain, exported3_default_prop)
+ get_prop(domain, exported3_radio_prop)
get_prop(domain, exported3_system_prop)
get_prop(domain, vendor_default_prop)
')
compatible_property_only(`
- # DO NOT ADD ANY PROPERTIES HERE
get_prop({coredomain appdomain shell}, core_property_type)
+ get_prop({coredomain appdomain shell}, exported_dalvik_prop)
+ get_prop({coredomain appdomain shell}, exported_ffs_prop)
+ get_prop({coredomain appdomain shell}, exported_system_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_config_prop)
+ get_prop({coredomain appdomain shell}, exported2_radio_prop)
+ get_prop({coredomain appdomain shell}, exported2_system_prop)
+ get_prop({coredomain appdomain shell}, exported2_vold_prop)
+ get_prop({coredomain appdomain shell}, exported3_default_prop)
+ get_prop({coredomain appdomain shell}, exported3_radio_prop)
get_prop({coredomain appdomain shell}, exported3_system_prop)
get_prop({coredomain appdomain shell}, exported_camera_prop)
+ get_prop({coredomain appdomain shell}, userspace_reboot_config_prop)
get_prop({coredomain shell}, userspace_reboot_exported_prop)
get_prop({coredomain shell}, userspace_reboot_log_prop)
get_prop({coredomain shell}, userspace_reboot_test_prop)
@@ -113,23 +122,19 @@
allow domain boringssl_self_test_marker:dir search;
# Limit ability to ptrace or read sensitive /proc/pid files of processes
-# with other UIDs to these allowlisted domains.
+# with other UIDs to these whitelisted domains.
neverallow {
domain
-vold
userdebug_or_eng(`-llkd')
-dumpstate
userdebug_or_eng(`-incidentd')
- userdebug_or_eng(`-profcollectd')
-storaged
-system_server
} self:global_capability_class_set sys_ptrace;
# Limit ability to generate hardware unique device ID attestations to priv_apps
neverallow { domain -priv_app -gmscore_app } *:keystore_key gen_unique_id;
-neverallow { domain -priv_app -gmscore_app } *:keystore2_key gen_unique_id;
-neverallow { domain -system_server } *:keystore2_key use_dev_id;
-neverallow { domain -system_server } keystore:keystore2 { clear_ns lock reset unlock };
neverallow {
domain
@@ -203,8 +208,8 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename } staging_data_file:dir *;
+neverallow { domain -init -system_app -system_server -apexd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
@@ -220,7 +225,7 @@
#
# Assert that, to the extent possible, we're not loading executable content from
-# outside the rootfs or /system partition except for a few allowlisted domains.
+# outside the rootfs or /system partition except for a few whitelisted domains.
# Executable files loaded from /data is a persistence vector
# we want to avoid. See
# https://bugs.chromium.org/p/project-zero/issues/detail?id=955 for example.
@@ -265,6 +270,8 @@
-cppreopts
-dex2oat
-otapreopt_slot
+ -art_apex_postinstall
+ -art_apex_boot_integrity
} dalvikcache_data_file:file no_w_file_perms;
neverallow {
@@ -276,44 +283,10 @@
-dex2oat
-zygote
-otapreopt_slot
+ -art_apex_boot_integrity
+ -art_apex_postinstall
} dalvikcache_data_file:dir no_w_dir_perms;
-# Only authorized processes should be writing to /data/misc/apexdata/com.android.art as it
-# contains boot class path and system server AOT artifacts following an ART APEX Mainline update.
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:file no_w_file_perms;
-
-neverallow {
- domain
- # art processes
- -odrefresh
- -odsign
- # others
- -apexd
- -init
- -vold_prepare_subdirs
-} apex_art_data_file:dir no_w_dir_perms;
-
-# Protect most domains from executing arbitrary content from /data.
-neverallow {
- domain
- -appdomain
-} {
- data_file_type
- -apex_art_data_file
- -dalvikcache_data_file
- -system_data_file # shared libs in apks
- -apk_data_file
-}:file no_x_file_perms;
-
# Minimize dac_override and dac_read_search.
# Instead of granting them it is usually better to add the domain to
# a Unix group or change the permissions of a file.
@@ -350,7 +323,7 @@
iorap_prefetcherd
traced_perf
traced_probes
- heapprofd
+ userdebug_or_eng(`heapprofd')
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
@@ -359,7 +332,7 @@
neverallow {
domain
-apexd
- recovery_only(`-fastbootd')
+ recovery_only(`userdebug_or_eng(`-fastbootd')')
-init
-kernel
-otapreopt_chroot
@@ -367,17 +340,9 @@
-update_engine
-vold
-zygote
-} { fs_type
- -sdcard_type
-}:filesystem { mount remount relabelfrom relabelto };
+} { fs_type -sdcard_type }:filesystem { mount remount relabelfrom relabelto };
-enforce_debugfs_restriction(`
- neverallow {
- domain userdebug_or_eng(`-init')
- } { debugfs_type -debugfs_tracing_debug }:filesystem { mount remount relabelfrom relabelto };
-')
-
-# Limit raw I/O to these allowlisted domains. Do not apply to debug builds.
+# Limit raw I/O to these whitelisted domains. Do not apply to debug builds.
neverallow {
domain
userdebug_or_eng(`-domain')
@@ -405,137 +370,5 @@
neverallow { domain -init -system_server -vendor_init } net_dns_prop:property_service set;
neverallow { domain -dumpstate -init -system_server -vendor_init } net_dns_prop:file read;
-# Only core domains are allowed to access package_manager properties
-neverallow { domain -init -system_server } pm_prop:property_service set;
-neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
-
-# Do not allow reading the last boot timestamp from system properties
-neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
-
# Kprobes should only be used by adb root
neverallow { domain -init -vendor_init } debugfs_kprobes:file *;
-
-# On TREBLE devices, most coredomains should not access vendor_files.
-# TODO(b/71553434): Remove exceptions here.
-full_treble_only(`
- neverallow {
- coredomain
- -appdomain
- -bootanim
- -crash_dump
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -init
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel
- -traced_perf
- -ueventd
- } vendor_file:file { no_w_file_perms no_x_file_perms open };
-')
-
-# Vendor domains are not permitted to initiate communications to core domain sockets
-full_treble_only(`
- neverallow_establish_socket_comms({
- domain
- -coredomain
- -appdomain
- -socket_between_core_and_vendor_violators
- }, {
- coredomain
- -logd # Logging by writing to logd Unix domain socket is public API
- -netd # netdomain needs this
- -mdnsd # netdomain needs this
- userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
- -init
- -tombstoned # linker to tombstoned
- userdebug_or_eng(`-heapprofd')
- userdebug_or_eng(`-traced_perf')
- });
-')
-
-full_treble_only(`
- # Do not allow system components access to /vendor files except for the
- # ones allowed here.
- neverallow {
- coredomain
- # TODO(b/37168747): clean up fwk access to /vendor
- -crash_dump
- -init # starts vendor executables
- -iorap_inode2filename
- -iorap_prefetcherd
- -kernel # loads /vendor/firmware
- -heapprofd
- userdebug_or_eng(`-profcollectd')
- -shell
- -system_executes_vendor_violators
- -traced_perf # library/binary access for symbolization
- -ueventd # reads /vendor/ueventd.rc
- -vold # loads incremental fs driver
- } {
- vendor_file_type
- -same_process_hal_file
- -vendor_app_file
- -vendor_apex_file
- -vendor_configs_file
- -vendor_service_contexts_file
- -vendor_framework_file
- -vendor_idc_file
- -vendor_keychars_file
- -vendor_keylayout_file
- -vendor_overlay_file
- -vendor_public_framework_file
- -vendor_public_lib_file
- -vendor_task_profiles_file
- -vndk_sp_file
- }:file *;
-')
-
-# mlsvendorcompat is only for compatibility support for older vendor
-# images, and should not be granted to any domain in current policy.
-# (Every domain is allowed self:fork, so this will trigger if the
-# intsersection of domain & mlsvendorcompat is not empty.)
-neverallow domain mlsvendorcompat:process fork;
-
-# Only init and otapreopt_chroot should be mounting filesystems on locations
-# labeled system or vendor (/product and /vendor respectively).
-neverallow { domain -init -otapreopt_chroot } { system_file_type vendor_file_type }:dir_file_class_set mounton;
-
-# Only allow init and vendor_init to read/write mm_events properties
-# NOTE: dumpstate is allowed to read any system property
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
-} mm_events_config_prop:file no_rw_file_perms;
-
-# Allow the tracing daemon and callstack sampler to use kallsyms to symbolize
-# kernel traces. Addresses are not disclosed, they are repalced with symbol
-# names (if available). Traces don't disclose KASLR.
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- -vendor_init
- -traced_probes
- -traced_perf
-} proc_kallsyms:file { open read };
-
-# debugfs_kcov type is not included in this neverallow statement since the KCOV
-# tool uses it for kernel fuzzing.
-# vendor_modprobe is also exempted since the kernel modules it loads may create
-# debugfs files in its context.
-enforce_debugfs_restriction(`
- neverallow {
- domain
- -vendor_modprobe
- userdebug_or_eng(`
- -init
- -hal_dumpstate
- ')
- } { debugfs_type
- userdebug_or_eng(`-debugfs_kcov')
- -tracefs_type
- }:file no_rw_file_perms;
-')
diff --git a/private/drmserver.te b/private/drmserver.te
index 8449c3e..afe4f0a 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -5,5 +5,3 @@
type_transition drmserver apk_data_file:sock_file drmserver_socket;
typeattribute drmserver_socket coredomain_socket;
-
-get_prop(drmserver, drm_service_config_prop)
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 37a9a0c..72e508e 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -1,5 +1,4 @@
typeattribute dumpstate coredomain;
-type dumpstate_tmpfs, file_type;
init_daemon_domain(dumpstate)
@@ -11,12 +10,6 @@
allow dumpstate storaged_exec:file rx_file_perms;
-# /data/misc/a11ytrace for accessibility traces
-userdebug_or_eng(`
- allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
- allow dumpstate accessibility_trace_data_file:file r_file_perms;
-')
-
# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
allow dumpstate wm_trace_data_file:dir r_dir_perms;
@@ -38,55 +31,25 @@
# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);
-# Allow dumpstate to talk to profcollectd over binder
-userdebug_or_eng(`
- binder_call(dumpstate, profcollectd)
-')
-
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
# Signal native processes to dump their stack.
allow dumpstate {
- mediatranscoding
statsd
netd
}:process signal;
-userdebug_or_eng(`
- allow dumpstate keystore:process signal;
-')
-
# For collecting bugreports.
-no_debugfs_restriction(`
- allow dumpstate debugfs_wakeup_sources:file r_file_perms;
-')
-
+allow dumpstate debugfs_wakeup_sources:file r_file_perms;
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
-allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;
-
-# Read files in /proc
-allow dumpstate {
- proc_net_tcp_udp
- proc_pid_max
-}:file r_file_perms;
+allow dumpstate proc_net_tcp_udp:file r_file_perms;
# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)
-# Set properties.
-# dumpstate_prop is used to share state with the Shell app.
-set_prop(dumpstate, dumpstate_prop)
-set_prop(dumpstate, exported_dumpstate_prop)
-
-# dumpstate_options_prop is used to pass extra command-line args.
-set_prop(dumpstate, dumpstate_options_prop)
-
-# Allow dumpstate to kill vendor dumpstate service by init
-set_prop(dumpstate, ctl_dumpstate_prop)
-
# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)
@@ -97,19 +60,3 @@
binder_call(dumpstate, gsid)
r_dir_file(dumpstate, ota_metadata_file)
-
-# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
-# is being recorded, the command above will serialize it into
-# /data/misc/perfetto-traces/bugreport/*.pftrace .
-domain_auto_trans(dumpstate, perfetto_exec, perfetto)
-allow dumpstate perfetto:process signal;
-allow dumpstate perfetto_traces_data_file:dir { search };
-allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
-# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
-# zip file. These rules are to allow perfetto.te to inherit dumpstate's
-# /dev/null.
-allow perfetto dumpstate_tmpfs:file rw_file_perms;
-allow perfetto dumpstate:fd use;
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..56d4747 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -44,6 +44,10 @@
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/fastbootd.te b/private/fastbootd.te
index 40b3945..29a9157 100644
--- a/private/fastbootd.te
+++ b/private/fastbootd.te
@@ -1,47 +1 @@
typeattribute fastbootd coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise fastbootd is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(fastbootd, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(fastbootd, serialno_prop)
-
- # Set sys.usb.ffs.ready.
- get_prop(fastbootd, ffs_config_prop)
- set_prop(fastbootd, ffs_control_prop)
-
- userdebug_or_eng(`
- get_prop(fastbootd, persistent_properties_ready_prop)
- ')
-
- set_prop(fastbootd, gsid_prop)
-
- # Determine allocation scheme (whether B partitions needs to be
- # at the second half of super.
- get_prop(fastbootd, virtual_ab_prop)
-
- # Needed for TCP protocol
- allow fastbootd node:tcp_socket node_bind;
- allow fastbootd port:tcp_socket name_bind;
- allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-
- # Start snapuserd for merging VABC updates
- set_prop(fastbootd, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow fastbootd snapuserd_socket:sock_file write;
- allow fastbootd snapuserd:unix_stream_socket connectto;
- allow fastbootd dm_user_device:dir r_dir_perms;
-
- # Get fastbootd protocol property
- get_prop(fastbootd, fastbootd_protocol_prop)
-
- # Mount /metadata to interact with Virtual A/B snapshots.
- allow fastbootd labeledfs:filesystem { mount unmount };
-
- # Needed for reading boot properties.
- allow fastbootd proc_bootconfig:file r_file_perms;
-')
diff --git a/private/file.te b/private/file.te
index a024600..4492002 100644
--- a/private/file.te
+++ b/private/file.te
@@ -7,18 +7,9 @@
# /data/misc/wmtrace for wm traces
type wm_trace_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/a11ytrace for accessibility traces
-type accessibility_trace_data_file, file_type, data_file_type, core_data_file_type;
-
# /data/misc/perfetto-traces for perfetto traces
type perfetto_traces_data_file, file_type, data_file_type, core_data_file_type;
-# /data/misc/perfetto-traces/bugreport for perfetto traces for bugreports.
-type perfetto_traces_bugreport_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/perfetto-configs for perfetto configs
-type perfetto_configs_data_file, file_type, data_file_type, core_data_file_type;
-
# /sys/kernel/debug/kcov for coverage guided kernel fuzzing in userdebug builds.
type debugfs_kcov, fs_type, debugfs_type;
@@ -33,32 +24,5 @@
# /data/gsi/ota
type ota_image_data_file, file_type, data_file_type, core_data_file_type;
-# /data/gsi_persistent_data
-type gsi_persistent_data_file, file_type, data_file_type, core_data_file_type;
-
# /data/misc/emergencynumberdb
type emergency_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/profcollectd
-type profcollectd_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art
-type apex_art_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/apexdata/com.android.art/staging
-type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/font/files
-type font_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odrefresh
-type odrefresh_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/misc/odsign
-type odsign_data_file, file_type, data_file_type, core_data_file_type;
-
-# /data/system/environ
-type environ_system_data_file, file_type, data_file_type, core_data_file_type;
-
-# /dev/kvm
-type kvm_device, dev_type;
diff --git a/private/file_contexts b/private/file_contexts
index 351cd7c..9620b75 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -27,17 +27,12 @@
/data_mirror u:object_r:mirror_data_file:s0
/debug_ramdisk u:object_r:tmpfs:s0
/mnt u:object_r:tmpfs:s0
+/postinstall u:object_r:postinstall_mnt_dir:s0
+/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
/proc u:object_r:rootfs:s0
-/second_stage_resources u:object_r:tmpfs:s0
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
-# Postinstall directories
-/postinstall u:object_r:postinstall_mnt_dir:s0
-/postinstall/apex u:object_r:postinstall_apex_mnt_dir:s0
-
-/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
-
# Symlinks
/bin u:object_r:rootfs:s0
/bugreports u:object_r:rootfs:s0
@@ -65,7 +60,6 @@
/sepolicy u:object_r:sepolicy_file:s0
/plat_service_contexts u:object_r:service_contexts_file:s0
/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/nonplat_service_contexts u:object_r:nonplat_service_contexts_file:s0
# Use nonplat_service_contexts_file to allow servicemanager to read it
# on non full-treble devices.
@@ -88,7 +82,6 @@
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
/dev/block/vold/.+ u:object_r:vold_device:s0
/dev/block/ram[0-9]* u:object_r:ram_device:s0
/dev/block/zram[0-9]* u:object_r:ram_device:s0
@@ -96,18 +89,12 @@
/dev/bus/usb(.*)? u:object_r:usb_device:s0
/dev/console u:object_r:console_device:s0
/dev/cpu_variant:.* u:object_r:dev_cpu_variant:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/fuse u:object_r:fuse_device:s0
-/dev/gnss[0-9]+ u:object_r:gnss_device:s0
/dev/graphics(/.*)? u:object_r:graphics_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
@@ -126,7 +113,6 @@
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -161,7 +147,6 @@
/dev/socket/recovery u:object_r:recovery_socket:s0
/dev/socket/rild u:object_r:rild_socket:s0
/dev/socket/rild-debug u:object_r:rild_debug_socket:s0
-/dev/socket/snapuserd u:object_r:snapuserd_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
@@ -177,8 +162,6 @@
/dev/socket/usap_pool_primary u:object_r:zygote_socket:s0
/dev/socket/usap_pool_secondary u:object_r:zygote_socket:s0
/dev/spdif_out.* u:object_r:audio_device:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
/dev/tty u:object_r:owntty_device:s0
/dev/tty[0-9]* u:object_r:tty_device:s0
/dev/ttyS[0-9]* u:object_r:serial_device:s0
@@ -191,7 +174,6 @@
/dev/urandom u:object_r:random_device:s0
/dev/usb_accessory u:object_r:usbaccessory_device:s0
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
/dev/video[0-9]* u:object_r:video_device:s0
/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/watchdog u:object_r:watchdog_device:s0
@@ -210,14 +192,12 @@
/system/apex/com.android.art u:object_r:art_apex_dir:s0
/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
-/system/bin/mm_events u:object_r:mm_events_exec:s0
/system/bin/atrace u:object_r:atrace_exec:s0
/system/bin/auditctl u:object_r:auditctl_exec:s0
/system/bin/bcc u:object_r:rs_exec:s0
/system/bin/blank_screen u:object_r:blank_screen_exec:s0
/system/bin/boringssl_self_test(32|64) u:object_r:boringssl_self_test_exec:s0
/system/bin/charger u:object_r:charger_exec:s0
-/system/bin/canhalconfigurator u:object_r:canhalconfigurator_exec:s0
/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
/system/bin/mke2fs u:object_r:e2fs_exec:s0
/system/bin/e2fsck -- u:object_r:fsck_exec:s0
@@ -232,7 +212,6 @@
/system/bin/fsck_msdos -- u:object_r:fsck_exec:s0
/system/bin/tcpdump -- u:object_r:tcpdump_exec:s0
/system/bin/tune2fs -- u:object_r:fsck_exec:s0
-/system/bin/resize2fs -- u:object_r:fsck_exec:s0
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/ld\.mc u:object_r:rs_exec:s0
@@ -268,16 +247,17 @@
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediaswcodec u:object_r:mediaswcodec_exec:s0
/system/bin/mediatranscoding u:object_r:mediatranscoding_exec:s0
-/system/bin/mediatuner u:object_r:mediatuner_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
/system/bin/otapreopt_slot u:object_r:otapreopt_slot_exec:s0
+/system/bin/art_apex_boot_integrity u:object_r:art_apex_boot_integrity_exec:s0
/system/bin/credstore u:object_r:credstore_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
-/system/bin/keystore2 u:object_r:keystore_exec:s0
/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
+/system/bin/crash_dump32 u:object_r:crash_dump_exec:s0
+/system/bin/crash_dump64 u:object_r:crash_dump_exec:s0
/system/bin/tombstoned u:object_r:tombstoned_exec:s0
/system/bin/recovery-persist u:object_r:recovery_persist_exec:s0
/system/bin/recovery-refresh u:object_r:recovery_refresh_exec:s0
@@ -295,7 +275,6 @@
/system/bin/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/llkd u:object_r:llkd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/usbd u:object_r:usbd_exec:s0
@@ -315,7 +294,10 @@
/system/bin/cppreopts\.sh u:object_r:cppreopts_exec:s0
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
/system/bin/preopt2cachename u:object_r:preopt2cachename_exec:s0
+/system/bin/dex2oat(d)? u:object_r:dex2oat_exec:s0
+/system/bin/dexoptanalyzer(d)? u:object_r:dexoptanalyzer_exec:s0
/system/bin/viewcompiler u:object_r:viewcompiler_exec:s0
+/system/bin/profman(d)? u:object_r:profman_exec:s0
/system/bin/iorapd u:object_r:iorapd_exec:s0
/system/bin/iorap\.inode2filename u:object_r:iorap_inode2filename_exec:s0
/system/bin/iorap\.prefetcherd u:object_r:iorap_prefetcherd_exec:s0
@@ -326,8 +308,6 @@
/system/bin/idmap u:object_r:idmap_exec:s0
/system/bin/idmap2(d)? u:object_r:idmap_exec:s0
/system/bin/update_engine u:object_r:update_engine_exec:s0
-/system/bin/profcollectd u:object_r:profcollectd_exec:s0
-/system/bin/profcollectctl u:object_r:profcollectd_exec:s0
/system/bin/storaged u:object_r:storaged_exec:s0
/system/bin/wpantund u:object_r:wpantund_exec:s0
/system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0
@@ -335,7 +315,6 @@
/system/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
/system/bin/hw/android\.system\.suspend@1\.0-service u:object_r:system_suspend_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
/system/etc/group u:object_r:system_group_file:s0
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
@@ -347,13 +326,11 @@
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
/system/etc/selinux/plat_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/system/etc/selinux/plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
/system/etc/selinux/plat_seapp_contexts u:object_r:seapp_contexts_file:s0
/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
/system/usr/share/zoneinfo(/.*)? u:object_r:system_zoneinfo_file:s0
/system/bin/vr_hwc u:object_r:vr_hwc_exec:s0
/system/bin/adbd u:object_r:adbd_exec:s0
@@ -367,10 +344,9 @@
/system/bin/gsid u:object_r:gsid_exec:s0
/system/bin/simpleperf u:object_r:simpleperf_exec:s0
/system/bin/simpleperf_app_runner u:object_r:simpleperf_app_runner_exec:s0
+/system/bin/notify_traceur\.sh u:object_r:notify_traceur_exec:s0
/system/bin/migrate_legacy_obb_data\.sh u:object_r:migrate_legacy_obb_data_exec:s0
/system/bin/android\.frameworks\.automotive\.display@1\.0-service u:object_r:automotive_display_service_exec:s0
-/system/bin/snapuserd u:object_r:snapuserd_exec:s0
-/system/bin/odsign u:object_r:odsign_exec:s0
#############################
# Vendor files
@@ -406,6 +382,8 @@
/(vendor|system/vendor)/etc/selinux/vendor_service_contexts u:object_r:vendor_service_contexts_file:s0
+/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+
#############################
# OEM and ODM files
#
@@ -438,7 +416,6 @@
/(odm|vendor/odm)/etc/selinux/odm_seapp_contexts u:object_r:seapp_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_property_contexts u:object_r:property_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml u:object_r:mac_perms_file:s0
#############################
@@ -451,7 +428,6 @@
/(product|system/product)/etc/selinux/product_file_contexts u:object_r:file_contexts_file:s0
/(product|system/product)/etc/selinux/product_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(product|system/product)/etc/selinux/product_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(product|system/product)/etc/selinux/product_property_contexts u:object_r:property_contexts_file:s0
/(product|system/product)/etc/selinux/product_seapp_contexts u:object_r:seapp_contexts_file:s0
/(product|system/product)/etc/selinux/product_service_contexts u:object_r:service_contexts_file:s0
@@ -469,7 +445,6 @@
/(system_ext|system/system_ext)/etc/selinux/system_ext_file_contexts u:object_r:file_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_hwservice_contexts u:object_r:hwservice_contexts_file:s0
-/(system_ext|system/system_ext)/etc/selinux/system_ext_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_property_contexts u:object_r:property_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_seapp_contexts u:object_r:seapp_contexts_file:s0
/(system_ext|system/system_ext)/etc/selinux/system_ext_service_contexts u:object_r:service_contexts_file:s0
@@ -481,18 +456,6 @@
/(system_ext|system/system_ext)/lib(64)?(/.*)? u:object_r:system_lib_file:s0
#############################
-# VendorDlkm files
-# This includes VENDOR Dynamically Loadable Kernel Modules and other misc files.
-#
-/(vendor_dlkm|vendor/vendor_dlkm|system/vendor/vendor_dlkm)(/.*)? u:object_r:vendor_file:s0
-
-#############################
-# OdmDlkm files
-# This includes ODM Dynamically Loadable Kernel Modules and other misc files.
-#
-/(odm_dlkm|vendor/odm_dlkm|system/vendor/odm_dlkm)(/.*)? u:object_r:vendor_file:s0
-
-#############################
# Vendor files from /(product|system/product)/vendor_overlay
#
# NOTE: For additional vendor file contexts for vendor overlay files,
@@ -508,7 +471,6 @@
#
/data u:object_r:system_data_root_file:s0
/data/(.*)? u:object_r:system_data_file:s0
-/data/system/environ(/.*)? u:object_r:environ_system_data_file:s0
/data/system/packages\.list u:object_r:packages_list_file:s0
/data/unencrypted(/.*)? u:object_r:unencrypted_data_file:s0
/data/backup(/.*)? u:object_r:backup_data_file:s0
@@ -525,8 +487,6 @@
/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/apex/active/(.*)? u:object_r:staging_data_file:s0
/data/apex/backup/(.*)? u:object_r:staging_data_file:s0
-/data/apex/decompressed/(.*)? u:object_r:staging_data_file:s0
-/data/apex/ota_reserved(/.*)? u:object_r:apex_ota_reserved_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
# Traditional /data/app/[packageName]-[randomString]/base.apk location
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
@@ -537,11 +497,9 @@
/data/app-private(/.*)? u:object_r:apk_private_data_file:s0
/data/app-private/vmdl.*\.tmp(/.*)? u:object_r:apk_private_tmp_file:s0
/data/gsi(/.*)? u:object_r:gsi_data_file:s0
-/data/gsi_persistent_data u:object_r:gsi_persistent_data_file:s0
/data/gsi/ota(/.*)? u:object_r:ota_image_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor/tombstones/wifi(/.*)? u:object_r:tombstone_wifi_data_file:s0
-/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
@@ -557,23 +515,14 @@
/data/preloads/demo(/.*)? u:object_r:preloads_media_file:s0
/data/server_configurable_flags(/.*)? u:object_r:server_configurable_flags_data_file:s0
/data/app-staging(/.*)? u:object_r:staging_data_file:s0
-# Ensure we have the same labels as /data/app or /data/apex/active
-# to avoid restorecon conflicts
-/data/rollback/\d+/[^/]+/.*\.apk u:object_r:apk_data_file:s0
-/data/rollback/\d+/[^/]+/.*\.apex u:object_r:staging_data_file:s0
-/data/fonts/files(/.*)? u:object_r:font_data_file:s0
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
-/data/misc/a11ytrace(/.*)? u:object_r:accessibility_trace_data_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc/apexdata/com\.android\.art(/.*)? u:object_r:apex_art_data_file:s0
-/data/misc/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc/apexdata/com\.android\.scheduling(/.*)? u:object_r:apex_scheduling_data_file:s0
-/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
-/data/misc/appcompat(/.*)? u:object_r:appcompat_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
/data/misc/audioserver(/.*)? u:object_r:audioserver_data_file:s0
/data/misc/audiohal(/.*)? u:object_r:audiohal_data_file:s0
@@ -599,15 +548,8 @@
/data/misc/media(/.*)? u:object_r:media_data_file:s0
/data/misc/net(/.*)? u:object_r:net_data_file:s0
/data/misc/network_watchlist(/.*)? u:object_r:network_watchlist_data_file:s0
-/data/misc/nfc/logs(/.*)? u:object_r:nfc_logs_data_file:s0
-/data/misc/odrefresh(/.*)? u:object_r:odrefresh_data_file:s0
-/data/misc/odsign(/.*)? u:object_r:odsign_data_file:s0
-/data/misc/perfetto-traces/bugreport(.*)? u:object_r:perfetto_traces_bugreport_data_file:s0
-/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
-/data/misc/perfetto-configs(/.*)? u:object_r:perfetto_configs_data_file:s0
+/data/misc/perfetto-traces(/.*)? u:object_r:perfetto_traces_data_file:s0
/data/misc/prereboot(/.*)? u:object_r:prereboot_data_file:s0
-/data/misc/profcollectd(/.*)? u:object_r:profcollectd_data_file:s0
-/data/misc/radio(/.*)? u:object_r:radio_core_data_file:s0
/data/misc/recovery(/.*)? u:object_r:recovery_data_file:s0
/data/misc/shared_relro(/.*)? u:object_r:shared_relro_file:s0
/data/misc/sms(/.*)? u:object_r:radio_data_file:s0
@@ -636,8 +578,7 @@
/data/misc/wmtrace(/.*)? u:object_r:wm_trace_data_file:s0
# TODO(calin) label profile reference differently so that only
# profman run as a special user can write to them
-/data/misc/profiles/cur(/[0-9]+)? u:object_r:user_profile_root_file:s0
-/data/misc/profiles/cur/[0-9]+/.* u:object_r:user_profile_data_file:s0
+/data/misc/profiles/cur(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profiles/ref(/.*)? u:object_r:user_profile_data_file:s0
/data/misc/profman(/.*)? u:object_r:profman_dump_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
@@ -671,9 +612,8 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.appsearch(/.*)? u:object_r:apex_appsearch_data_file:s0
-/data/misc_de/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
-/data/misc_ce/[0-9]+/apexdata/com\.android\.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc_de/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
/data/misc_ce/[0-9]+/apexdata/com\.android\.wifi(/.*)? u:object_r:apex_wifi_data_file:s0
@@ -685,7 +625,6 @@
/data/incremental(/.*)? u:object_r:apk_data_file:s0
/data/incremental/MT_[^/]+/mount/.pending_reads u:object_r:incremental_control_file:s0
/data/incremental/MT_[^/]+/mount/.log u:object_r:incremental_control_file:s0
-/data/incremental/MT_[^/]+/mount/.blocks_written u:object_r:incremental_control_file:s0
#############################
# Expanded data files
@@ -768,17 +707,11 @@
/metadata/apex(/.*)? u:object_r:apex_metadata_file:s0
/metadata/vold(/.*)? u:object_r:vold_metadata_file:s0
/metadata/gsi(/.*)? u:object_r:gsi_metadata_file:s0
-/metadata/gsi/dsu/active u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/booted u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/lp_names u:object_r:gsi_public_metadata_file:s0
-/metadata/gsi/dsu/[^/]+/metadata_encryption_dir u:object_r:gsi_public_metadata_file:s0
/metadata/gsi/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/password_slots(/.*)? u:object_r:password_slot_metadata_file:s0
/metadata/ota(/.*)? u:object_r:ota_metadata_file:s0
/metadata/bootstat(/.*)? u:object_r:metadata_bootstat_file:s0
/metadata/staged-install(/.*)? u:object_r:staged_install_file:s0
-/metadata/userspacereboot(/.*)? u:object_r:userspace_reboot_metadata_file:s0
-/metadata/watchdog(/.*)? u:object_r:watchdog_metadata_file:s0
#############################
# asec containers
@@ -803,9 +736,3 @@
#############################
# mount point for read-write product partitions
/mnt/product(/.*)? u:object_r:mnt_product_file:s0
-
-#############################
-# /postinstall file contexts
-/(system|product)/bin/check_dynamic_partitions u:object_r:postinstall_exec:s0
-/(system|product)/bin/otapreopt_script u:object_r:postinstall_exec:s0
-/(system|product)/bin/otapreopt u:object_r:postinstall_dexopt_exec:s0
diff --git a/private/file_contexts_asan b/private/file_contexts_asan
index fd083c2..b37f086 100644
--- a/private/file_contexts_asan
+++ b/private/file_contexts_asan
@@ -6,8 +6,6 @@
/data/asan/odm/lib64(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib(/.*)? u:object_r:system_lib_file:s0
/data/asan/product/lib64(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib(/.*)? u:object_r:system_lib_file:s0
-/data/asan/system/system_ext/lib64(/.*)? u:object_r:system_lib_file:s0
/system/asan.options u:object_r:system_asan_options_file:s0
/system/bin/asan_extract u:object_r:asan_extract_exec:s0
/system/bin/asanwrapper u:object_r:asanwrapper_exec:s0
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index 55d1a9a..fb41aff 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -1,32 +1,3 @@
typeattribute flags_health_check coredomain;
init_daemon_domain(flags_health_check)
-
-set_prop(flags_health_check, device_config_boot_count_prop)
-set_prop(flags_health_check, device_config_reset_performed_prop)
-set_prop(flags_health_check, device_config_runtime_native_boot_prop)
-set_prop(flags_health_check, device_config_runtime_native_prop)
-set_prop(flags_health_check, device_config_input_native_boot_prop)
-set_prop(flags_health_check, device_config_netd_native_prop)
-set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_media_native_prop)
-set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
-set_prop(flags_health_check, device_config_statsd_native_prop)
-set_prop(flags_health_check, device_config_statsd_native_boot_prop)
-set_prop(flags_health_check, device_config_storage_native_boot_prop)
-set_prop(flags_health_check, device_config_swcodec_native_prop)
-set_prop(flags_health_check, device_config_sys_traced_prop)
-set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
-set_prop(flags_health_check, device_config_configuration_prop)
-set_prop(flags_health_check, device_config_connectivity_prop)
-
-# system property device_config_boot_count_prop is used for deciding when to perform server
-# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
-# wrong timing, trigger server configurable flag related disaster recovery, which will override
-# server configured values of all flags with default values.
-neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
-
-# system property device_config_reset_performed_prop is used for indicating whether server
-# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
-# cause bad server configurable flags synced back to device.
-neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
diff --git a/private/fs_use b/private/fs_use
index 93d7f1b..6fcc2cc 100644
--- a/private/fs_use
+++ b/private/fs_use
@@ -11,7 +11,6 @@
fs_use_xattr overlay u:object_r:labeledfs:s0;
fs_use_xattr erofs u:object_r:labeledfs:s0;
fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
-fs_use_xattr virtiofs u:object_r:labeledfs:s0;
# Label inodes from task label.
fs_use_task pipefs u:object_r:pipefs:s0;
diff --git a/private/fsverity_init.te b/private/fsverity_init.te
index 42d142f..4bb3d0f 100644
--- a/private/fsverity_init.te
+++ b/private/fsverity_init.te
@@ -15,10 +15,6 @@
# Allow init to write to /proc/sys/fs/verity/require_signatures
allow fsverity_init proc_fs_verity:file w_file_perms;
-# Read the on-device signing certificate, to be able to add it to the keyring
-allow fsverity_init odsign:fd use;
-allow fsverity_init odsign_data_file:file { getattr read };
-
# When kernel requests an algorithm, the crypto API first looks for an
# already registered algorithm with that name. If it fails, the kernel creates
# an implementation of the algorithm from templates.
diff --git a/private/gatekeeperd.te b/private/gatekeeperd.te
index 2fb88a3..5e4d0a2 100644
--- a/private/gatekeeperd.te
+++ b/private/gatekeeperd.te
@@ -1,6 +1,3 @@
typeattribute gatekeeperd coredomain;
init_daemon_domain(gatekeeperd)
-
-# For checking whether GSI is running
-get_prop(gatekeeperd, gsid_prop)
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 13bfb46..89232bc 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -3,7 +3,6 @@
# proc labeling can be further refined (longest matching prefix).
genfscon proc / u:object_r:proc:s0
genfscon proc /asound u:object_r:proc_asound:s0
-genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
genfscon proc /cmdline u:object_r:proc_cmdline:s0
genfscon proc /config.gz u:object_r:config_gz:s0
@@ -11,11 +10,9 @@
genfscon proc /filesystems u:object_r:proc_filesystems:s0
genfscon proc /interrupts u:object_r:proc_interrupts:s0
genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
genfscon proc /keys u:object_r:proc_keys:s0
genfscon proc /kmsg u:object_r:proc_kmsg:s0
genfscon proc /loadavg u:object_r:proc_loadavg:s0
-genfscon proc /locks u:object_r:proc_locks:s0
genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
genfscon proc /meminfo u:object_r:proc_meminfo:s0
genfscon proc /misc u:object_r:proc_misc:s0
@@ -68,9 +65,6 @@
genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
@@ -103,21 +97,18 @@
genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
genfscon fusectl / u:object_r:fusectlfs:s0
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
# sysfs labels can be set by userspace.
genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/block u:object_r:sysfs_block:s0
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
genfscon sysfs /class/net u:object_r:sysfs_net:s0
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
@@ -143,8 +134,6 @@
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
-genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
-genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
genfscon sysfs /power/state u:object_r:sysfs_power:s0
genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
@@ -152,21 +141,17 @@
genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
-genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
-genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
-genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
@@ -181,17 +166,11 @@
genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
-genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
@@ -235,18 +214,12 @@
genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
@@ -262,7 +235,6 @@
genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
@@ -275,21 +247,10 @@
genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
@@ -299,18 +260,12 @@
genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
@@ -325,8 +280,7 @@
genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
+genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
@@ -339,20 +293,10 @@
genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
@@ -378,4 +322,3 @@
genfscon usbfs / u:object_r:usbfs:s0
genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
genfscon bpf / u:object_r:fs_bpf:s0
-genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/private/gki_apex_prepostinstall.te b/private/gki_apex_prepostinstall.te
deleted file mode 100644
index 1155389..0000000
--- a/private/gki_apex_prepostinstall.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# GKI pre- & post-install hooks.
-#
-# Allow to run pre- and post-install hooks for GKI APEXes
-
-type gki_apex_prepostinstall, domain, coredomain;
-type gki_apex_prepostinstall_exec, system_file_type, exec_type, file_type;
-
-# Execute /system/bin/sh.
-allow gki_apex_prepostinstall shell_exec:file rx_file_perms;
-
-# Execute various toolsbox utilities.
-allow gki_apex_prepostinstall toolbox_exec:file rx_file_perms;
-
-# Allow preinstall.sh to execute update_engine_stable_client binary.
-allow gki_apex_prepostinstall gki_apex_prepostinstall_exec:file execute_no_trans;
-
-# Allow preinstall hook to communicate with update_engine to execute update.
-binder_use(gki_apex_prepostinstall)
-allow gki_apex_prepostinstall update_engine_stable_service:service_manager find;
-binder_call(gki_apex_prepostinstall, update_engine)
-
-# /dev/zero is inherited although it is not used. See b/126787589.
-allow gki_apex_prepostinstall apexd:fd use;
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
index 571d155..2355326 100644
--- a/private/gmscore_app.te
+++ b/private/gmscore_app.te
@@ -33,7 +33,6 @@
# Allow GMS core to generate unique hardware IDs
allow gmscore_app keystore:keystore_key gen_unique_id;
-allow gmscore_app keystore:keystore2_key gen_unique_id;
# Allow GMS core to access /sys/fs/selinux/policyvers for compatibility check
allow gmscore_app selinuxfs:file r_file_perms;
@@ -54,7 +53,8 @@
dontaudit gmscore_app sysfs_android_usb:file r_file_perms;
dontaudit gmscore_app sysfs_dm:file r_file_perms;
dontaudit gmscore_app sysfs_loop:file r_file_perms;
-dontaudit gmscore_app { wifi_prop wifi_hal_prop }:file r_file_perms;
+dontaudit gmscore_app wifi_prop:file r_file_perms;
+dontaudit gmscore_app { wifi_prop exported_wifi_prop }:file r_file_perms;
dontaudit gmscore_app mirror_data_file:dir search;
dontaudit gmscore_app mnt_vendor_file:dir search;
@@ -75,10 +75,6 @@
# TODO: Tighten (b/112357170)
allow gmscore_app privapp_data_file:file execute;
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow gmscore_app system_linker_exec:file execute_no_trans;
-
allow gmscore_app privapp_data_file:lnk_file create_file_perms;
# /proc access
@@ -131,10 +127,3 @@
# b/148974132: com.android.vending needs this
allow gmscore_app priv_app:tcp_socket { read write };
-
-# b/168059475 Allow GMSCore to read Virtual AB properties to determine
-# if device supports VAB.
-get_prop(gmscore_app, virtual_ab_prop)
-
-# b/186488185: Allow GMSCore to read dck properties
-get_prop(gmscore_app, dck_prop)
diff --git a/private/gpuservice.te b/private/gpuservice.te
index 2e4254c..a4d84ea 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -26,9 +26,6 @@
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
-# Needed for perfetto producer.
-perfetto_producer(gpuservice)
-
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
@@ -45,21 +42,6 @@
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
-# Needed for reading tracepoint ids in order to attach bpf programs.
-allow gpuservice debugfs_tracing:file r_file_perms;
-allow gpuservice self:perf_event { cpu kernel open write };
-neverallow gpuservice self:perf_event ~{ cpu kernel open write };
-
-# Needed for interact with bpf fs.
-allow gpuservice fs_bpf:dir search;
-allow gpuservice fs_bpf:file read;
-
-# Needed for enable the bpf program and read the map.
-allow gpuservice bpfloader:bpf { map_read prog_run };
-
-# Needed for getting a prop to ensure bpf programs loaded.
-get_prop(gpuservice, bpf_progs_loaded_prop)
-
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..3ff9d67 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -9,11 +9,6 @@
binder_use(gsid)
binder_service(gsid)
add_service(gsid, gsi_service)
-
-# Manage DSU metadata encryption key through vold.
-allow gsid vold_service:service_manager find;
-binder_call(gsid, vold)
-
set_prop(gsid, gsid_prop)
# Needed to create/delete device-mapper nodes, and read/write to them.
@@ -64,28 +59,20 @@
# When installing images to an sdcard, gsid needs to be able to stat() the
# block device. gsid also calls realpath() to remove symlinks.
allow gsid mnt_media_rw_file:dir r_dir_perms;
-allow gsid mnt_media_rw_stub_file:dir r_dir_perms;
# When installing images to an sdcard, gsid must bypass sdcardfs and install
# directly to vfat, which supports the FIBMAP ioctl.
-allow gsid vfat:dir create_dir_perms;
+allow gsid vfat:dir rw_dir_perms;
allow gsid vfat:file create_file_perms;
allow gsid sdcard_block_device:blk_file r_file_perms;
# This is needed for FIBMAP unfortunately. Oddly FIEMAP does not carry this
# requirement, but the kernel does not implement FIEMAP support for VFAT.
allow gsid self:global_capability_class_set sys_rawio;
-# Allow rules for gsi_tool.
-userdebug_or_eng(`
- # gsi_tool passes the system image over the adb connection, via stdin.
- allow gsid adbd:fd use;
- # Needed when running gsi_tool through "su root" rather than adb root.
- allow gsid adbd:unix_stream_socket rw_socket_perms;
- # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
- allow gsid { shell su }:fifo_file r_file_perms;
- # Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
-')
+# gsi_tool passes the system image over the adb connection, via stdin.
+allow gsid adbd:fd use;
+# Needed when running gsi_tool through "su root" rather than adb root.
+allow gsid adbd:unix_stream_socket rw_socket_perms;
neverallow {
domain
@@ -123,7 +110,7 @@
#
allow gsid metadata_file:dir { search getattr };
allow gsid {
- gsi_metadata_file_type
+ gsi_metadata_file
}:dir create_dir_perms;
allow gsid {
@@ -131,15 +118,10 @@
}:dir rw_dir_perms;
allow gsid {
- gsi_metadata_file_type
+ gsi_metadata_file
ota_metadata_file
}:file create_file_perms;
-# Allow restorecon to fix context of gsi_public_metadata_file.
-allow gsid file_contexts_file:file r_file_perms;
-allow gsid gsi_metadata_file:file relabelfrom;
-allow gsid gsi_public_metadata_file:file relabelto;
-
allow gsid {
gsi_data_file
ota_image_data_file
@@ -151,50 +133,48 @@
allowxperm gsid {
gsi_data_file
ota_image_data_file
-}:file ioctl {
- FS_IOC_FIEMAP
- FS_IOC_GETFLAGS
-};
+}:file ioctl FS_IOC_FIEMAP;
allow gsid system_server:binder call;
-# Prevent most processes from writing to gsi_metadata_file_type, but allow
-# adding rules for path resolution of gsi_public_metadata_file and reading
-# gsi_public_metadata_file.
neverallow {
domain
-init
-gsid
-fastbootd
-} gsi_metadata_file_type:dir no_w_dir_perms;
+ -recovery
+ -vold
+} gsi_metadata_file:dir *;
neverallow {
domain
-init
-gsid
-fastbootd
-} { gsi_metadata_file_type -gsi_public_metadata_file }:file_class_set *;
+ -vold
+} gsi_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow {
domain
-init
-gsid
-fastbootd
-} gsi_public_metadata_file:file_class_set ~{ r_file_perms };
+ -vold
+} { gsi_data_file gsi_metadata_file }:notdevfile_class_set *;
-# Prevent apps from accessing gsi_metadata_file_type.
neverallow {
- appdomain
- -shell
-} gsi_metadata_file_type:dir_file_class_set *;
+ domain
+ -gsid
+ -init
+} gsi_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow {
domain
-init
-gsid
-} gsi_data_file:dir_file_class_set *;
+} gsi_data_file:dir *;
neverallow {
domain
-gsid
-} gsi_data_file:file_class_set ~{ relabelto getattr };
+} gsi_data_file:notdevfile_class_set ~{ relabelto getattr };
diff --git a/private/healthd.te b/private/healthd.te
index 93bc3d8..20d0791 100644
--- a/private/healthd.te
+++ b/private/healthd.te
@@ -4,9 +4,3 @@
# Allow healthd to serve health HAL
hal_server_domain(healthd, hal_health)
-
-# Healthd needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(healthd, system_prop)
-set_prop(healthd, exported_system_prop)
-set_prop(healthd, exported3_system_prop)
diff --git a/private/heapprofd.te b/private/heapprofd.te
index 246f936..ec3e4d0 100644
--- a/private/heapprofd.te
+++ b/private/heapprofd.te
@@ -29,7 +29,7 @@
allow heapprofd self:capability kill;
# When scanning /proc/[pid]/cmdline to find matching processes for by-name
-# profiling, only allowlisted domains will be allowed by SELinux. Avoid
+# profiling, only whitelisted domains will be allowed by SELinux. Avoid
# spamming logs with denials for entries that we can not access.
dontaudit heapprofd domain:dir { search open };
@@ -39,19 +39,18 @@
# When handling profiling for all processes, heapprofd needs to read
# executables/libraries/etc to do stack unwinding.
-r_dir_file(heapprofd, nativetest_data_file)
-r_dir_file(heapprofd, system_file_type)
-r_dir_file(heapprofd, apex_art_data_file)
-r_dir_file(heapprofd, apk_data_file)
-r_dir_file(heapprofd, dalvikcache_data_file)
-r_dir_file(heapprofd, vendor_file_type)
-r_dir_file(heapprofd, shell_test_data_file)
-# Some dex files are not world-readable.
-# We are still constrained by the SELinux rules above.
-allow heapprofd self:global_capability_class_set dac_read_search;
+userdebug_or_eng(`
+ r_dir_file(heapprofd, nativetest_data_file)
+ r_dir_file(heapprofd, system_file_type)
+ r_dir_file(heapprofd, apk_data_file)
+ r_dir_file(heapprofd, dalvikcache_data_file)
+ r_dir_file(heapprofd, vendor_file_type)
+ # Some dex files are not world-readable.
+ # We are still constrained by the SELinux rules above.
+ allow heapprofd self:global_capability_class_set dac_read_search;
-# For checking profileability.
-allow heapprofd packages_list_file:file r_file_perms;
+ allow heapprofd proc_kpageflags:file r_file_perms;
+')
# This is going to happen on user but is benign because central heapprofd
# does not actually need these permission.
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5b6e79d..c45b0ef 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -63,6 +63,7 @@
android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
+android.hardware.thermal::IThermalCallback u:object_r:thermalcallback_hwservice:s0
android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index e1fde43..0705cc7 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -6,4 +6,3 @@
add_hwservice(hwservicemanager, hidl_token_hwservice)
set_prop(hwservicemanager, ctl_interface_start_prop)
-set_prop(hwservicemanager, hwservicemanager_prop)
diff --git a/private/incidentd.te b/private/incidentd.te
index 918ffda..656f69f 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -22,16 +22,11 @@
# section id 1002, allow reading kernel version /proc/version
allow incidentd proc_version:file r_file_perms;
-# section id 1116, allow accessing statsd socket
-unix_socket_send(incidentd, statsdw, statsd)
-
# section id 2001, allow reading /proc/pagetypeinfo
allow incidentd proc_pagetypeinfo:file r_file_perms;
# section id 2002, allow reading /d/wakeup_sources
-no_debugfs_restriction(`
- allow incidentd debugfs_wakeup_sources:file r_file_perms;
-')
+allow incidentd debugfs_wakeup_sources:file r_file_perms;
# section id 2003, allow executing top
allow incidentd proc_meminfo:file { open read };
@@ -58,9 +53,6 @@
allow incidentd perfetto_traces_data_file:dir r_dir_perms;
allow incidentd perfetto_traces_data_file:file r_file_perms;
-# section id 3052, allow accessing nfc_service
-allow incidentd nfc_service:service_manager find;
-
# Create and write into /data/misc/incidents
allow incidentd incident_data_file:dir rw_dir_perms;
allow incidentd incident_data_file:file create_file_perms;
@@ -75,7 +67,6 @@
# Read files in /proc
allow incidentd {
proc_cmdline
- proc_pid_max
proc_pipe_conf
proc_stat
}:file r_file_perms;
@@ -140,14 +131,10 @@
# Access the runtime feature flag properties.
get_prop(incidentd, device_config_runtime_native_prop)
get_prop(incidentd, device_config_runtime_native_boot_prop)
-# Access odsign verification status.
-get_prop(incidentd, odsign_prop)
# ART locks profile files.
allow incidentd system_file:file lock;
# Incidentd should never exec from the memory (e.g. JIT cache). These denials are expected.
dontaudit incidentd dalvikcache_data_file:dir r_dir_perms;
-dontaudit incidentd apex_module_data_file:dir r_dir_perms;
-dontaudit incidentd apex_art_data_file:dir r_dir_perms;
dontaudit incidentd tmpfs:file rwx_file_perms;
# logd access - work to be done is a PII safe log (possibly an event log?)
@@ -158,12 +145,11 @@
r_dir_file(incidentd, misc_logd_file)
# Allow incidentd to find these standard groups of services.
-# Others can be allowlisted individually.
+# Others can be whitelisted individually.
allow incidentd {
system_server_service
app_api_service
system_api_service
- -tracingproxy_service
}:service_manager find;
# Only incidentd can publish the binder service
diff --git a/private/init.te b/private/init.te
index f569e0c..b0e7f80 100644
--- a/private/init.te
+++ b/private/init.te
@@ -16,7 +16,6 @@
domain_trans(init, rootfs, fastbootd)
domain_trans(init, rootfs, recovery)
domain_trans(init, rootfs, linkerconfig)
- domain_trans(init, rootfs, snapuserd)
')
domain_trans(init, shell_exec, shell)
domain_trans(init, init_exec, ueventd)
@@ -38,19 +37,6 @@
# that userdata is mounted onto.
allow init sysfs_dm:file read;
-# Allow init to modify the properties of loop devices.
-allow init sysfs_loop:dir r_dir_perms;
-allow init sysfs_loop:file rw_file_perms;
-
-# Allow init to examine the properties of block devices.
-allow init sysfs_block_type:file { getattr read };
-# Allow init access /dev/block
-allow init bdev_type:dir r_dir_perms;
-allow init bdev_type:blk_file getattr;
-
-# Allow init to write to the drop_caches file.
-allow init proc_drop_caches:file rw_file_perms;
-
# Allow the BoringSSL self test to request a reboot upon failure
set_prop(init, powerctl_prop)
@@ -65,50 +51,10 @@
# kernels that precede the perf_event_open hooks (Android common kernels 4.4
# and 4.9).
allow init self:perf_event { open cpu };
-allow init self:global_capability2_class_set perfmon;
neverallow init self:perf_event { kernel tracepoint read write };
dontaudit init self:perf_event { kernel tracepoint read write };
-# Allow init to communicate with snapuserd to transition Virtual A/B devices
-# from the first-stage daemon to the second-stage.
-allow init snapuserd_socket:sock_file write;
-allow init snapuserd:unix_stream_socket connectto;
-# Allow for libsnapshot's use of flock() on /metadata/ota.
-allow init ota_metadata_file:dir lock;
-
-# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
-# /dev/block.
-allow init vd_device:blk_file relabelto;
-
# Only init is allowed to set the sysprop indicating whether perf_event_open()
# SELinux hooks were detected.
set_prop(init, init_perf_lsm_hooks_prop)
neverallow { domain -init } init_perf_lsm_hooks_prop:property_service set;
-
-# Only init can write vts.native_server.on
-set_prop(init, vts_status_prop)
-neverallow { domain -init } vts_status_prop:property_service set;
-
-# Only init can write normal ro.boot. properties
-neverallow { domain -init } bootloader_prop:property_service set;
-
-# Only init can write hal.instrumentation.enable
-neverallow { domain -init } hal_instrumentation_prop:property_service set;
-
-# Only init can write ro.property_service.version
-neverallow { domain -init } property_service_version_prop:property_service set;
-
-# Only init can set keystore.boot_level
-neverallow { domain -init } keystore_listen_prop:property_service set;
-
-# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
-allow init debugfs_bootreceiver_tracing:file w_file_perms;
-
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -keychord_device
- -kvm_device
- -port_device
-}:chr_file setattr;
diff --git a/private/installd.te b/private/installd.te
index 726e5aa..c89ba8b 100644
--- a/private/installd.te
+++ b/private/installd.te
@@ -40,9 +40,6 @@
# Allow installd to access apk verity feature flag (for legacy case).
get_prop(installd, apk_verity_prop)
-# Allow installd to access odsign verification status
-get_prop(installd, odsign_prop)
-
# Allow installd to delete files in /data/staging
allow installd staging_data_file:file unlink;
allow installd staging_data_file:dir { open read remove_name rmdir search write };
diff --git a/private/iorap_inode2filename.te b/private/iorap_inode2filename.te
index 5acb262..96b7bc2 100644
--- a/private/iorap_inode2filename.te
+++ b/private/iorap_inode2filename.te
@@ -1,8 +1,6 @@
typeattribute iorap_inode2filename coredomain;
# Grant access to open most of the files under /
-allow iorap_inode2filename { apex_module_data_file apex_art_data_file }:dir r_dir_perms;
-allow iorap_inode2filename apex_data_file:file { getattr };
allow iorap_inode2filename dalvikcache_data_file:dir { getattr open read search };
allow iorap_inode2filename dalvikcache_data_file:file { getattr };
allow iorap_inode2filename dex2oat_exec:lnk_file { getattr open read };
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..4c6c5aa 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -88,7 +88,7 @@
neverallow isolated_app vndbinder_device:chr_file *;
# Isolated apps must not be permitted to perform actions on Binder and VndBinder service_manager
-# except the find actions for services allowlisted below.
+# except the find actions for services whitelisted below.
neverallow isolated_app *:service_manager ~find;
# b/17487348
@@ -128,7 +128,6 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_app (b/28417852)
- -sysfs_fs_incfs_features
}:file no_rw_file_perms;
# No creation of sockets families other than AF_UNIX sockets.
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..207800e 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -1,33 +1,8 @@
typeattribute kernel coredomain;
domain_auto_trans(kernel, init_exec, init)
-domain_auto_trans(kernel, snapuserd_exec, snapuserd)
# Allow the kernel to read otapreopt_chroot's file descriptors and files under
# /postinstall, as it uses apexd logic to mount APEX packages in /postinstall/apex.
allow kernel otapreopt_chroot:fd use;
allow kernel postinstall_file:file read;
-
-# The following sections are for the transition period during a Virtual A/B
-# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
-# context, and with properly labelled devices. This must be done before
-# enabling enforcement, eg, in permissive mode while still in the kernel
-# context.
-allow kernel tmpfs:blk_file { getattr relabelfrom };
-allow kernel tmpfs:chr_file { getattr relabelfrom };
-allow kernel tmpfs:lnk_file { getattr relabelfrom };
-allow kernel tmpfs:dir { open read relabelfrom };
-
-allow kernel block_device:blk_file relabelto;
-allow kernel block_device:lnk_file relabelto;
-allow kernel dm_device:chr_file relabelto;
-allow kernel dm_device:blk_file relabelto;
-allow kernel dm_user_device:dir { read open search relabelto };
-allow kernel dm_user_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file relabelto;
-allow kernel null_device:chr_file relabelto;
-allow kernel random_device:chr_file relabelto;
-allow kernel snapuserd_exec:file relabelto;
-
-allow kernel kmsg_device:chr_file write;
-allow kernel gsid:fd use;
diff --git a/private/keystore.te b/private/keystore.te
index 8842224..81b6dfb 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -8,9 +8,6 @@
# talk to confirmationui
hal_client_domain(keystore, hal_confirmationui)
-# talk to keymint
-hal_client_domain(keystore, hal_keymint)
-
# This is used for the ConfirmationUI async callback.
allow keystore platform_app:binder call;
@@ -19,18 +16,3 @@
# Allow keystore to write to statsd.
unix_socket_send(keystore, statsdw, statsd)
-
-# Keystore need access to the keystore_key context files to load the keystore key backend.
-allow keystore keystore2_key_contexts_file:file r_file_perms;
-
-get_prop(keystore, keystore_listen_prop)
-
-# Keystore needs to transfer binder references to vold and wait_for_keymaster so that they
-# can call keystore methods on those references.
-allow keystore vold:binder transfer;
-allow keystore wait_for_keymaster:binder transfer;
-
-# Only keystore can set keystore.crash_count system property. Since init is allowed to set any
-# system property, an exception is added for init as well.
-set_prop(keystore, keystore_crash_prop)
-neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
diff --git a/private/keystore2_key_contexts b/private/keystore2_key_contexts
deleted file mode 100644
index 3833971..0000000
--- a/private/keystore2_key_contexts
+++ /dev/null
@@ -1,28 +0,0 @@
-# Keystore 2.0 key contexts.
-# This file defines Keystore 2.0 namespaces and maps them to labels.
-# Format:
-# <namespace> <label>
-#
-# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
-0 u:object_r:su_key:s0
-
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
-1 u:object_r:shell_key:s0
-
-# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
-100 u:object_r:vold_key:s0
-
-# odsign_key is a keystore2_key namespace for the on-device signing daemon.
-101 u:object_r:odsign_key:s0
-
-# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
-# namespace in keystore.
-102 u:object_r:wifi_key:s0
-
-# locksettings_key is a keystore2_key namespace for the LockSettingsService.
-103 u:object_r:locksettings_key:s0
-
-# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
-120 u:object_r:resume_on_reboot_key:s0
-
diff --git a/private/keystore_keys.te b/private/keystore_keys.te
deleted file mode 100644
index 2f97608..0000000
--- a/private/keystore_keys.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# Specify keystore2_key namespaces in this file.
-# Please keep the names in alphabetical order and comment each new entry.
-
-# A keystore2_key namespace for the shell domain. Mainly used for native tests.
-type shell_key, keystore2_key_type;
-
-# A keystore2 namespace for the su domain. Mainly used for native tests.
-type su_key, keystore2_key_type;
-
-# A keystore2 namespace for vold. Vold need special permission to handle
-# its own Keymint blobs.
-type vold_key, keystore2_key_type;
-
-# A keystore2 namespace for the on-device signing daemon.
-type odsign_key, keystore2_key_type;
-
-# A keystore2 namespace for LockSettingsService.
-type locksettings_key, keystore2_key_type;
-
-# A keystore2 namespace for resume on reboot.
-type resume_on_reboot_key, keystore2_key_type;
-
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 2688102..414b39f 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -16,12 +16,4 @@
# Allow linkerconfig to scan for apex modules
allow linkerconfig apex_mnt_dir:dir r_dir_perms;
-# Allow linkerconfig to read apex-info-list.xml
-allow linkerconfig apex_info_file:file r_file_perms;
-
-# Allow linkerconfig to be called in the otapreopt_chroot
-allow linkerconfig otapreopt_chroot:fd use;
-allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
-allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
-
-neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;
+neverallow { domain -init -linkerconfig } linkerconfig_exec:file no_x_file_perms;
diff --git a/private/lmkd.te b/private/lmkd.te
index ec9a93e..e51cddb 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -2,14 +2,7 @@
init_daemon_domain(lmkd)
-# Set sys.lmk.* properties.
-set_prop(lmkd, system_lmk_prop)
-
# Set lmkd.* properties.
set_prop(lmkd, lmkd_prop)
-allow lmkd fs_bpf:dir search;
-allow lmkd fs_bpf:file read;
-allow lmkd bpfloader:bpf map_read;
-
-neverallow { domain -init -lmkd -vendor_init } lmkd_prop:property_service set;
+neverallow { -init -lmkd -vendor_init } lmkd_prop:property_service set;
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..ca92e20 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -2,9 +2,6 @@
init_daemon_domain(logd)
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
neverallow logd {
diff --git a/private/logpersist.te b/private/logpersist.te
index ab2c9c6..ac324df 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -4,7 +4,6 @@
userdebug_or_eng(`
r_dir_file(logpersist, cgroup)
- r_dir_file(logpersist, cgroup_v2)
allow logpersist misc_logd_file:file create_file_perms;
allow logpersist misc_logd_file:dir rw_dir_perms;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
index 9f5f87e..3bcd761 100644
--- a/private/lpdumpd.te
+++ b/private/lpdumpd.te
@@ -16,7 +16,12 @@
# Allow lpdumpd to read fstab.
allow lpdumpd sysfs_dt_firmware_android:dir r_dir_perms;
allow lpdumpd sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(lpdumpd)
+
+# Triggered when lpdumpd tries to read default fstab.
+dontaudit lpdumpd metadata_file:dir r_dir_perms;
+dontaudit lpdumpd metadata_file:file r_file_perms;
+dontaudit lpdumpd gsi_metadata_file:dir r_dir_perms;
+dontaudit lpdumpd gsi_metadata_file:file r_file_perms;
### Neverallow rules
diff --git a/private/mediaextractor.te b/private/mediaextractor.te
index 7bcf5c8..2e654d68 100644
--- a/private/mediaextractor.te
+++ b/private/mediaextractor.te
@@ -5,6 +5,3 @@
allow mediaextractor appdomain_tmpfs:file { getattr map read write };
allow mediaextractor mediaserver_tmpfs:file { getattr map read write };
allow mediaextractor system_server_tmpfs:file { getattr map read write };
-
-get_prop(mediaextractor, device_config_media_native_prop)
-get_prop(mediaextractor, device_config_swcodec_native_prop)
diff --git a/private/mediametrics.te b/private/mediametrics.te
index 5a6f2e1..f8b2fa5 100644
--- a/private/mediametrics.te
+++ b/private/mediametrics.te
@@ -1,8 +1,3 @@
typeattribute mediametrics coredomain;
init_daemon_domain(mediametrics)
-
-# Needed for stats callback registration to statsd.
-allow mediametrics stats_service:service_manager find;
-allow mediametrics statsmanager_service:service_manager find;
-binder_call(mediametrics, statsd)
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 78bbdb0..249fee1 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -24,7 +24,6 @@
allow mediaprovider app_api_service:service_manager find;
allow mediaprovider audioserver_service:service_manager find;
-allow mediaprovider cameraserver_service:service_manager find;
allow mediaprovider drmserver_service:service_manager find;
allow mediaprovider mediaextractor_service:service_manager find;
allow mediaprovider mediaserver_service:service_manager find;
@@ -41,8 +40,5 @@
allowxperm mediaprovider functionfs:file ioctl FUNCTIONFS_ENDPOINT_DESC;
# MtpServer sets sys.usb.ffs.mtp.ready
-get_prop(mediaprovider, ffs_config_prop)
-set_prop(mediaprovider, ffs_control_prop)
-
-# DownloadManager may retrieve DRM status
-get_prop(mediaprovider, drm_service_config_prop)
+set_prop(mediaprovider, ffs_prop)
+set_prop(mediaprovider, exported_ffs_prop)
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 0e4a50e..335c1b6 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -6,7 +6,7 @@
app_domain(mediaprovider_app)
# Access to /mnt/pass_through.
-r_dir_file(mediaprovider_app, mnt_pass_through_file)
+allow mediaprovider_app mnt_pass_through_file:dir r_dir_perms;
# Allow MediaProvider to host a FUSE daemon for external storage
allow mediaprovider_app fuse_device:chr_file { read write ioctl getattr };
@@ -27,10 +27,6 @@
# Talk to the GPU service
binder_call(mediaprovider_app, gpuservice)
-# Talk to statsd
-allow mediaprovider_app statsmanager_service:service_manager find;
-binder_call(mediaprovider_app, statsd)
-
# read pipe-max-size configuration
allow mediaprovider_app proc_pipe_conf:file r_file_perms;
@@ -43,14 +39,7 @@
FS_IOC_SETFLAGS
};
-# Access external sdcards through /mnt/media_rw
-allow mediaprovider_app { mnt_media_rw_file }:dir search;
-
allow mediaprovider_app proc_filesystems:file r_file_perms;
#Allow MediaProvider to see if sdcardfs is in use
get_prop(mediaprovider_app, storage_config_prop)
-
-get_prop(mediaprovider_app, drm_service_config_prop)
-
-allow mediaprovider_app gpu_device:dir search;
diff --git a/private/mediaserver.te b/private/mediaserver.te
index 6fe460c..c55e54a 100644
--- a/private/mediaserver.te
+++ b/private/mediaserver.te
@@ -11,10 +11,4 @@
hal_client_domain(mediaserver, hal_omx)
hal_client_domain(mediaserver, hal_codec2)
-set_prop(mediaserver, audio_prop)
-
-get_prop(mediaserver, drm_service_config_prop)
-get_prop(mediaserver, media_config_prop)
-
-# Allow mediaserver to start media.transcoding service via ctl.start.
-set_prop(mediaserver, ctl_mediatranscoding_prop);
+allow mediaserver mediatranscoding_service:service_manager find;
diff --git a/private/mediaswcodec.te b/private/mediaswcodec.te
index 02079c1..50f5698 100644
--- a/private/mediaswcodec.te
+++ b/private/mediaswcodec.te
@@ -2,5 +2,3 @@
init_daemon_domain(mediaswcodec)
-get_prop(mediaswcodec, device_config_media_native_prop)
-get_prop(mediaswcodec, device_config_swcodec_native_prop)
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 2a43cf9..e0ad84c 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -1,64 +1,3 @@
-# mediatranscoding - daemon for transcoding video and image.
-type mediatranscoding, domain;
-type mediatranscoding_exec, system_file_type, exec_type, file_type;
-type mediatranscoding_tmpfs, file_type;
typeattribute mediatranscoding coredomain;
init_daemon_domain(mediatranscoding)
-tmpfs_domain(mediatranscoding)
-allow mediatranscoding appdomain_tmpfs:file { getattr map read write };
-
-binder_use(mediatranscoding)
-binder_call(mediatranscoding, binderservicedomain)
-binder_call(mediatranscoding, appdomain)
-binder_service(mediatranscoding)
-
-add_service(mediatranscoding, mediatranscoding_service)
-
-hal_client_domain(mediatranscoding, hal_graphics_allocator)
-hal_client_domain(mediatranscoding, hal_configstore)
-hal_client_domain(mediatranscoding, hal_omx)
-hal_client_domain(mediatranscoding, hal_codec2)
-
-allow mediatranscoding mediaserver_service:service_manager find;
-allow mediatranscoding mediametrics_service:service_manager find;
-allow mediatranscoding mediaextractor_service:service_manager find;
-allow mediatranscoding package_native_service:service_manager find;
-allow mediatranscoding thermal_service:service_manager find;
-
-allow mediatranscoding system_server:fd use;
-allow mediatranscoding activity_service:service_manager find;
-
-# allow mediatranscoding service read/write permissions for file sources
-allow mediatranscoding sdcardfs:file { getattr read write };
-allow mediatranscoding media_rw_data_file:file { getattr read write };
-allow mediatranscoding apk_data_file:file { getattr read };
-allow mediatranscoding app_data_file:file { getattr read write };
-allow mediatranscoding shell_data_file:file { getattr read write };
-
-# allow mediatranscoding service write permission to statsd socket
-unix_socket_send(mediatranscoding, statsdw, statsd)
-
-# Allow mediatranscoding to access the DMA-BUF system heap
-allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-
-allow mediatranscoding gpu_device:dir search;
-
-# Allow mediatranscoding service to access media-related system properties
-get_prop(mediatranscoding, media_config_prop)
-
-# mediatranscoding should never execute any executable without a
-# domain transition
-neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
-
-# The goal of the mediaserver split is to place media processing code into
-# restrictive sandboxes with limited responsibilities and thus limited
-# permissions. Example: Audioserver is only responsible for controlling audio
-# hardware and processing audio content. Cameraserver does the same for camera
-# hardware/content. Etc.
-#
-# Media processing code is inherently risky and thus should have limited
-# permissions and be isolated from the rest of the system and network.
-# Lengthier explanation here:
-# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/mediatuner.te b/private/mediatuner.te
deleted file mode 100644
index 413d2e5..0000000
--- a/private/mediatuner.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# mediatuner - mediatuner daemon
-type mediatuner, domain;
-type mediatuner_exec, system_file_type, exec_type, file_type;
-
-typeattribute mediatuner coredomain;
-
-init_daemon_domain(mediatuner)
-hal_client_domain(mediatuner, hal_tv_tuner)
-
-binder_use(mediatuner)
-binder_call(mediatuner, appdomain)
-binder_service(mediatuner)
-
-add_service(mediatuner, mediatuner_service)
-allow mediatuner system_server:fd use;
-allow mediatuner tv_tuner_resource_mgr_service:service_manager find;
-allow mediatuner package_native_service:service_manager find;
-binder_call(mediatuner, system_server)
-
-###
-### neverallow rules
-###
-
-# mediatuner should never execute any executable without a
-# domain transition
-neverallow mediatuner { file_type fs_type }:file execute_no_trans;
-
-# do not allow privileged socket ioctl commands
-neverallowxperm mediatuner domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
-
diff --git a/private/mls b/private/mls
index 955c27b..9690440 100644
--- a/private/mls
+++ b/private/mls
@@ -48,28 +48,20 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
-# Userfaultfd constraints
-#
-# To enforce that anonymous inodes are self contained in the application's process.
-mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
- (l1 eq l2);
-
-#
# Constraints for app data files only.
#
-# Only constrain open, not read/write, so already open fds can be used.
+# Only constrain open, not read/write.
# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
+mlsconstrain dir { open search setattr rename add_name remove_name reparent rmdir }
+ ( (t2 != app_data_file and t2 != privapp_data_file ) or l1 dom l2 or t1 == mlstrustedsubject);
mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
+ ( (t2 != app_data_file and t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
+# For symlinks in app_data_file, require equivalence in order to manipulate or follow (read).
mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
+ ( (t2 != app_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
+# For priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
# TODO: Migrate to equivalence when it's no longer needed.
mlsconstrain { lnk_file } { open setattr unlink link rename read }
( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
@@ -81,19 +73,18 @@
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+ (t2 == app_data_file or t2 == privapp_data_file or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (t2 == app_data_file or t2 == privapp_data_file or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the
diff --git a/private/mlstrustedsubject.te b/private/mlstrustedsubject.te
deleted file mode 100644
index 22482d9..0000000
--- a/private/mlstrustedsubject.te
+++ /dev/null
@@ -1,30 +0,0 @@
-# MLS override can't be used to access private app data.
-
-# Apps should not normally be mlstrustedsubject, but if they must be
-# they cannot use this to access app private data files; their own app
-# data files must use a different label.
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:file ~{ read write map getattr ioctl lock append };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
-} { app_data_file privapp_data_file }:dir ~{ read getattr search };
-
-neverallow {
- mlstrustedsubject
- -installd
- -iorap_prefetcherd
- -iorap_inode2filename
- -system_server
- -adbd
- -runas
- -zygote
-} { app_data_file privapp_data_file }:dir { read getattr search };
diff --git a/private/mm_events.te b/private/mm_events.te
deleted file mode 100644
index 4875d40..0000000
--- a/private/mm_events.te
+++ /dev/null
@@ -1,14 +0,0 @@
-type mm_events, domain, coredomain;
-type mm_events_exec, system_file_type, exec_type, file_type;
-
-init_daemon_domain(mm_events)
-
-allow mm_events shell_exec:file rx_file_perms;
-
-# Allow running the sleep command to rate limit attempts
-# to arm mm_events on failure.
-allow mm_events toolbox_exec:file rx_file_perms;
-
-allow mm_events perfetto_exec:file rx_file_perms;
-
-domain_auto_trans(mm_events, perfetto_exec, perfetto)
diff --git a/private/netd.te b/private/netd.te
index 670a4bf..41473b7 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -17,13 +17,7 @@
# TODO: Remove this permission when 4.9 kernel is deprecated.
allow netd self:key_socket create;
-set_prop(netd, ctl_mdnsd_prop)
-set_prop(netd, netd_stable_secret_prop)
-
-get_prop(netd, adbd_config_prop)
get_prop(netd, bpf_progs_loaded_prop)
-get_prop(netd, hwservicemanager_prop)
-get_prop(netd, device_config_netd_native_prop)
# Allow netd to write to statsd.
unix_socket_send(netd, statsdw, statsd)
@@ -34,11 +28,3 @@
# Allow netd to send dump info to dumpstate
allow netd dumpstate:fd use;
allow netd dumpstate:fifo_file { getattr write };
-
-# persist.netd.stable_secret contains RFC 7217 secret key which should never be
-# leaked to other processes. Make sure it never leaks.
-neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
-
-# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
-# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
-neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
diff --git a/private/network_stack.te b/private/network_stack.te
index 09a98b5..1295a07 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
# Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
app_domain(network_stack);
net_domain(network_stack);
@@ -23,24 +23,12 @@
allow network_stack app_api_service:service_manager find;
allow network_stack dnsresolver_service:service_manager find;
allow network_stack netd_service:service_manager find;
-allow network_stack network_watchlist_service:service_manager find;
allow network_stack radio_service:service_manager find;
-allow network_stack system_config_service:service_manager find;
allow network_stack radio_data_file:dir create_dir_perms;
allow network_stack radio_data_file:file create_file_perms;
binder_call(network_stack, netd);
-# in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
-allow network_stack self:key_socket create;
-# Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
-# calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
-dontaudit network_stack self:key_socket getopt;
-
-# Grant read permission of connectivity namespace system property prefix.
-get_prop(network_stack, device_config_connectivity_prop)
-
# Create/use netlink_tcpdiag_socket to get tcp info
allow network_stack self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
############### Tethering Service app - Tethering.apk ##############
@@ -48,15 +36,3 @@
# Create and share netlink_netfilter_sockets for tetheroffload.
allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
allow network_stack network_stack_service:service_manager find;
-# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
-allow network_stack { fs_bpf fs_bpf_tethering }:dir search;
-allow network_stack { fs_bpf fs_bpf_tethering }:file { read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
-
-# Only the bpfloader and the network_stack should ever touch 'fs_bpf_tethering' programs/maps.
-# Unfortunately init/vendor_init have all sorts of extra privs
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:dir ~getattr;
-neverallow { domain -bpfloader -init -network_stack -vendor_init } fs_bpf_tethering:file *;
-
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:dir ~{ getattr open read search setattr };
-neverallow { domain -bpfloader -network_stack } fs_bpf_tethering:file ~{ map open read setattr };
diff --git a/private/nfc.te b/private/nfc.te
index f1a08f7..2e48eef 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -1,5 +1,5 @@
# nfc subsystem
-typeattribute nfc coredomain, mlstrustedsubject;
+typeattribute nfc coredomain;
app_domain(nfc)
net_domain(nfc)
@@ -11,8 +11,6 @@
# Data file accesses.
allow nfc nfc_data_file:dir create_dir_perms;
allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
-allow nfc nfc_logs_data_file:dir rw_dir_perms;
-allow nfc nfc_logs_data_file:file create_file_perms;
# SoundPool loading and playback
allow nfc audioserver_service:service_manager find;
diff --git a/private/notify_traceur.te b/private/notify_traceur.te
new file mode 100644
index 0000000..ef1fd4f
--- /dev/null
+++ b/private/notify_traceur.te
@@ -0,0 +1,12 @@
+type notify_traceur, domain, coredomain;
+type notify_traceur_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(notify_traceur);
+binder_use(notify_traceur);
+
+# This is to execute am
+allow notify_traceur activity_service:service_manager find;
+allow notify_traceur shell_exec:file rx_file_perms;
+allow notify_traceur system_file:file rx_file_perms;
+
+binder_call(notify_traceur, system_server);
diff --git a/private/odrefresh.te b/private/odrefresh.te
deleted file mode 100644
index 3db1ae8..0000000
--- a/private/odrefresh.te
+++ /dev/null
@@ -1,60 +0,0 @@
-# odrefresh
-type odrefresh, domain, coredomain;
-type odrefresh_exec, system_file_type, exec_type, file_type;
-
-# Allow odrefresh to create files and directories for on device signing.
-allow odrefresh apex_module_data_file:dir { getattr search };
-allow odrefresh apex_art_data_file:dir { create_dir_perms relabelfrom };
-allow odrefresh apex_art_data_file:file create_file_perms;
-
-# Allow odrefresh to create data files (typically for metrics before statsd starts).
-allow odrefresh odrefresh_data_file:dir create_dir_perms;
-allow odrefresh odrefresh_data_file:file create_file_perms;
-
-userfaultfd_use(odrefresh)
-
-# Staging area labels (/data/misc/apexdata/com.android.art/staging). odrefresh
-# sets up files here and passes file descriptors for dex2oat to write to.
-allow odrefresh apex_art_staging_data_file:dir { create_dir_perms relabelto };
-allow odrefresh apex_art_staging_data_file:file create_file_perms;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
-
-# Allow odrefresh to kill dex2oat if compilation times out.
-allow odrefresh dex2oat:process sigkill;
-
-# Run dexoptanalyzer in its own sandbox.
-domain_auto_trans(odrefresh, dexoptanalyzer_exec, dexoptanalyzer)
-
-# Allow odrefresh to kill dexoptanalyzer if analysis times out.
-allow odrefresh dexoptanalyzer:process sigkill;
-
-# Use devpts and fd from odsign (which exec()'s odrefresh)
-allow odrefresh odsign_devpts:chr_file { read write };
-allow odrefresh odsign:fd use;
-
-# Do not audit unused resources from parent processes (adb, shell, su).
-# These appear to be unnecessary for odrefresh.
-dontaudit odrefresh { adbd shell }:fd use;
-dontaudit odrefresh devpts:chr_file rw_file_perms;
-dontaudit odrefresh adbd:unix_stream_socket { getattr read write };
-
-# Allow odrefresh to read /apex/apex-info-list.xml to determine
-# whether current apex is in /system or /data.
-allow odrefresh apex_info_file:file r_file_perms;
-
-# No other processes should be creating files in the staging area.
-neverallow { domain -init -odrefresh } apex_art_staging_data_file:file open;
-
-# No processes other than init, odrefresh and system_server access
-# odrefresh_data_files.
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:dir *;
-neverallow { domain -init -odrefresh -system_server } odrefresh_data_file:file *;
-
-# Allow updating boot animation status.
-set_prop(odrefresh, bootanim_system_prop)
-
-# Allow query ART device config properties
-get_prop(odrefresh, device_config_runtime_native_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
diff --git a/private/odsign.te b/private/odsign.te
deleted file mode 100644
index c6c7808..0000000
--- a/private/odsign.te
+++ /dev/null
@@ -1,62 +0,0 @@
-# odsign - on-device signing.
-type odsign, domain;
-
-# odsign - Binary for signing ART artifacts.
-typeattribute odsign coredomain;
-
-type odsign_exec, exec_type, file_type, system_file_type;
-
-# Allow init to start odsign
-init_daemon_domain(odsign)
-
-# Allow using persistent storage in /data/odsign
-allow odsign odsign_data_file:dir create_dir_perms;
-allow odsign odsign_data_file:file create_file_perms;
-
-# Create and use pty created by android_fork_execvp().
-create_pty(odsign)
-
-# FS_IOC_ENABLE_VERITY and FS_IOC_MEASURE_VERITY on ART data files
-allowxperm odsign apex_art_data_file:file ioctl {
- FS_IOC_ENABLE_VERITY FS_IOC_MEASURE_VERITY FS_IOC_GETFLAGS
-};
-
-# talk to binder services (for keystore)
-binder_use(odsign);
-
-# talk to keystore specifically
-use_keystore(odsign);
-
-# Use our dedicated keystore key
-allow odsign odsign_key:keystore2_key {
- delete
- get_info
- rebind
- use
-};
-
-# talk to keymaster
-hal_client_domain(odsign, hal_keymaster)
-
-# For ART apex data dir access
-allow odsign apex_module_data_file:dir { getattr search };
-
-allow odsign apex_art_data_file:dir { rw_dir_perms rmdir };
-allow odsign apex_art_data_file:file { rw_file_perms unlink };
-
-# Run odrefresh to refresh ART artifacts
-domain_auto_trans(odsign, odrefresh_exec, odrefresh)
-
-# Run fsverity_init to add key to fsverity keyring
-domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
-
-# only odsign can set odsign sysprop
-set_prop(odsign, odsign_prop)
-neverallow { domain -odsign -init } odsign_prop:property_service set;
-
-# Allow odsign to stop itself
-set_prop(odsign, ctl_odsign_prop)
-
-# Neverallows
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:dir *;
-neverallow { domain -odsign -init -fsverity_init } odsign_data_file:file *;
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ea9d4ee..e2bc33e 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -1,18 +1,10 @@
# otapreopt_chroot executable
-typeattribute otapreopt_chroot coredomain;
-type otapreopt_chroot_exec, exec_type, file_type, system_file_type;
+type otapreopt_chroot, domain, coredomain;
+type otapreopt_chroot_exec, system_file_type, exec_type, file_type;
# Chroot preparation and execution.
# We need to create an unshared mount namespace, and then mount /data.
allow otapreopt_chroot postinstall_file:dir { search mounton };
-allow otapreopt_chroot apex_mnt_dir:dir mounton;
-allow otapreopt_chroot device:dir mounton;
-allow otapreopt_chroot linkerconfig_file:dir mounton;
-allow otapreopt_chroot rootfs:dir mounton;
-allow otapreopt_chroot sysfs:dir mounton;
-allow otapreopt_chroot system_data_root_file:dir mounton;
-allow otapreopt_chroot system_file:dir mounton;
-allow otapreopt_chroot vendor_file:dir mounton;
allow otapreopt_chroot self:global_capability_class_set { sys_admin sys_chroot };
# This is required to mount /vendor and mount/unmount ext4 images from
@@ -43,20 +35,13 @@
allow otapreopt_chroot update_engine:fifo_file write;
# Allow to transition to postinstall_dexopt, to run otapreopt in its own sandbox.
-domain_auto_trans(otapreopt_chroot, postinstall_dexopt_exec, postinstall_dexopt)
-domain_auto_trans(otapreopt_chroot, linkerconfig_exec, linkerconfig)
-domain_auto_trans(otapreopt_chroot, apexd_exec, apexd)
-
-# Allow otapreopt_chroot to control linkerconfig
-allow otapreopt_chroot linkerconfig_file:dir { create_dir_perms relabelto };
-allow otapreopt_chroot linkerconfig_file:file create_file_perms;
+domain_auto_trans(otapreopt_chroot, postinstall_file, postinstall_dexopt)
# Allow otapreopt_chroot to create loop devices with /dev/loop-control.
allow otapreopt_chroot loop_control_device:chr_file rw_file_perms;
# Allow otapreopt_chroot to access loop devices.
allow otapreopt_chroot loop_device:blk_file rw_file_perms;
allowxperm otapreopt_chroot loop_device:blk_file ioctl {
- LOOP_CONFIGURE
LOOP_GET_STATUS64
LOOP_SET_STATUS64
LOOP_SET_FD
@@ -78,7 +63,6 @@
# Allow otapreopt_chroot to manipulate directory /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir create_dir_perms;
-allow otapreopt_chroot postinstall_apex_mnt_dir:file create_file_perms;
# Allow otapreopt_chroot to mount APEX packages in /postinstall/apex.
allow otapreopt_chroot postinstall_apex_mnt_dir:dir mounton;
@@ -88,11 +72,3 @@
# Allow to access the linker through the symlink.
allow otapreopt_chroot postinstall_file:lnk_file r_file_perms;
-
-# Allow otapreopt_chroot to read ro.cold_boot_done prop.
-# This is a temporary solution to make sure that otapreopt_chroot doesn't block indefinetelly.
-# TODO(b/165948777): remove this once otapreopt_chroot is migrated to libapexmount.
-get_prop(otapreopt_chroot, cold_boot_done_prop)
-
-# allow otapreopt_chroot to run the linkerconfig from the new image.
-allow otapreopt_chroot linkerconfig_exec:file rx_file_perms;
diff --git a/private/perfetto.te b/private/perfetto.te
index f9693da..0161361 100644
--- a/private/perfetto.te
+++ b/private/perfetto.te
@@ -1,5 +1,5 @@
# Perfetto command-line client. Can be used only from the domains that are
-# explicitly allowlisted with a domain_auto_trans(X, perfetto_exec, perfetto).
+# explicitly whitelisted with a domain_auto_trans(X, perfetto_exec, perfetto).
# This command line client accesses the privileged socket of the traced
# daemon.
@@ -24,16 +24,11 @@
binder_call(perfetto, system_server)
allow perfetto dropbox_service:service_manager find;
-# Allow perfetto to read the trace config from /data/misc/perfetto-configs.
-# shell and adb can write files into that directory.
-allow perfetto perfetto_configs_data_file:dir r_dir_perms;
-allow perfetto perfetto_configs_data_file:file r_file_perms;
-
-# Allow perfetto to read the trace config from statsd, mm_events and shell
+# Allow perfetto to read the trace config from statsd and shell
# (both root and non-root) on stdin and also to write the resulting trace to
# stdout.
-allow perfetto { statsd mm_events shell su }:fd use;
-allow perfetto { statsd mm_events shell su }:fifo_file { getattr read write };
+allow perfetto { statsd shell su }:fd use;
+allow perfetto { statsd shell su }:fifo_file { getattr read write };
# Allow to communicate use, read and write over the adb connection.
allow perfetto adbd:fd use;
@@ -87,7 +82,6 @@
-vendor_data_file
-zoneinfo_data_file
-perfetto_traces_data_file
- -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:dir *;
neverallow perfetto { system_data_file -perfetto_traces_data_file }:dir ~{ getattr search };
@@ -97,6 +91,5 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
- -perfetto_configs_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
diff --git a/private/permissioncontroller_app.te b/private/permissioncontroller_app.te
index 5f81875..41185e3 100644
--- a/private/permissioncontroller_app.te
+++ b/private/permissioncontroller_app.te
@@ -5,18 +5,35 @@
app_domain(permissioncontroller_app)
-allow permissioncontroller_app app_api_service:service_manager find;
-allow permissioncontroller_app system_api_service:service_manager find;
-
# Allow interaction with gpuservice
binder_call(permissioncontroller_app, gpuservice)
+allow permissioncontroller_app gpu_service:service_manager find;
+# Allow interaction with role_service
+allow permissioncontroller_app role_service:service_manager find;
+
+# Allow interaction with usagestats_service
+allow permissioncontroller_app usagestats_service:service_manager find;
+
+# Allow interaction with activity_service
+allow permissioncontroller_app activity_service:service_manager find;
+
+allow permissioncontroller_app activity_task_service:service_manager find;
+allow permissioncontroller_app audio_service:service_manager find;
+allow permissioncontroller_app autofill_service:service_manager find;
+allow permissioncontroller_app content_capture_service:service_manager find;
+allow permissioncontroller_app device_policy_service:service_manager find;
+allow permissioncontroller_app incidentcompanion_service:service_manager find;
+allow permissioncontroller_app IProxyService_service:service_manager find;
+allow permissioncontroller_app location_service:service_manager find;
+allow permissioncontroller_app media_session_service:service_manager find;
allow permissioncontroller_app radio_service:service_manager find;
+allow permissioncontroller_app surfaceflinger_service:service_manager find;
+allow permissioncontroller_app telecom_service:service_manager find;
+allow permissioncontroller_app trust_service:service_manager find;
# Allow the app to request and collect incident reports.
# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
allow permissioncontroller_app incident_service:service_manager find;
binder_call(permissioncontroller_app, incidentd)
allow permissioncontroller_app incidentd:fifo_file { read write };
-
-allow permissioncontroller_app gpu_device:dir search;
diff --git a/private/platform_app.te b/private/platform_app.te
index f746f1c..3beec38 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -66,8 +66,12 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
allow platform_app stats_service:service_manager find;
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
+
# Allow platform apps to log via statsd.
binder_call(platform_app, statsd)
@@ -87,21 +91,9 @@
# allow platform apps to connect to the property service
set_prop(platform_app, test_boot_reason_prop)
-# allow platform apps to read keyguard.no_require_sim
-get_prop(platform_app, keyguard_config_prop)
-
-# allow platform apps to read qemu.hw.mainkeys
-get_prop(platform_app, qemu_hw_prop)
-
# allow platform apps to create symbolic link
allow platform_app app_data_file:lnk_file create_file_perms;
-# suppress denials caused by debugfs_tracing
-dontaudit platform_app debugfs_tracing:file rw_file_perms;
-
-# Allow platform apps to act as Perfetto producers.
-perfetto_producer(platform_app)
-
###
### Neverallow rules
###
diff --git a/private/postinstall.te b/private/postinstall.te
index 7060c59..363e362 100644
--- a/private/postinstall.te
+++ b/private/postinstall.te
@@ -1,5 +1,3 @@
typeattribute postinstall coredomain;
-type postinstall_exec, system_file_type, exec_type, file_type;
-domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
-allow postinstall rootfs:dir r_dir_perms;
+domain_auto_trans(postinstall, otapreopt_chroot_exec, otapreopt_chroot)
diff --git a/private/postinstall_dexopt.te b/private/postinstall_dexopt.te
index 2fdc941..fd370c2 100644
--- a/private/postinstall_dexopt.te
+++ b/private/postinstall_dexopt.te
@@ -3,9 +3,7 @@
# Note: otapreopt is a driver for dex2oat, and reuses parts of installd. As such,
# this is derived and adapted from installd.te.
-type postinstall_dexopt, domain, coredomain, mlstrustedsubject;
-type postinstall_dexopt_exec, system_file_type, exec_type, file_type;
-type postinstall_dexopt_tmpfs, file_type;
+type postinstall_dexopt, domain, coredomain;
# Run dex2oat/patchoat in its own sandbox.
# We have to manually transition, as we don't have an entrypoint.
@@ -16,25 +14,14 @@
# with the `postinstall_file` type by update_engine.
domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)
-# Run derive_classpath to get the current BCP.
-domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
-# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
-tmpfs_domain(postinstall_dexopt);
-allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;
-
allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
allow postinstall_dexopt postinstall_file:filesystem getattr;
allow postinstall_dexopt postinstall_file:dir { getattr read search };
allow postinstall_dexopt postinstall_file:lnk_file { getattr read };
allow postinstall_dexopt proc_filesystems:file { getattr open read };
-allow postinstall_dexopt rootfs:file r_file_perms;
-
allow postinstall_dexopt tmpfs:file read;
-# Allow access odsign verification status
-get_prop(postinstall_dexopt, odsign_prop)
-
# Allow access to /postinstall/apex.
allow postinstall_dexopt postinstall_apex_mnt_dir:dir { getattr search };
@@ -51,7 +38,7 @@
r_dir_file(postinstall_dexopt, dalvikcache_data_file)
# Read profile data.
-allow postinstall_dexopt { user_profile_root_file user_profile_data_file }:dir { getattr search };
+allow postinstall_dexopt user_profile_data_file:dir { getattr search };
allow postinstall_dexopt user_profile_data_file:file r_file_perms;
# Suppress deletion denial (we do not want to update the profile).
dontaudit postinstall_dexopt user_profile_data_file:file { write };
diff --git a/private/priv_app.te b/private/priv_app.te
index 3ceb7a3..44c81ee 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -25,10 +25,6 @@
# TODO: Tighten (b/112357170)
allow priv_app privapp_data_file:file execute;
-# Chrome Crashpad uses the the dynamic linker to load native executables
-# from an APK (b/112050209, crbug.com/928422)
-allow priv_app system_linker_exec:file execute_no_trans;
-
allow priv_app privapp_data_file:lnk_file create_file_perms;
# Priv apps can find services that expose both @SystemAPI and normal APIs.
@@ -42,7 +38,6 @@
allow priv_app mediaextractor_service:service_manager find;
allow priv_app mediametrics_service:service_manager find;
allow priv_app mediaserver_service:service_manager find;
-allow priv_app music_recognition_service:service_manager find;
allow priv_app network_watchlist_service:service_manager find;
allow priv_app nfc_service:service_manager find;
allow priv_app oem_lock_service:service_manager find;
@@ -51,6 +46,10 @@
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
+allow priv_app gpu_service:service_manager find;
+
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
@@ -69,21 +68,6 @@
# Allow traceur to pass file descriptors through a content provider to betterbug
allow priv_app trace_data_file:file { getattr read };
-# Allow betterbug to read profile reports generated by profcollect.
-userdebug_or_eng(`
- allow priv_app profcollectd_data_file:file r_file_perms;
-')
-
-# Allow the bug reporting frontend to read the presence and timestamp of the
-# trace attached to the bugreport (but not its contents, which will go in the
-# usual bugreport .zip file). This is used by the bug reporting UI to tell if
-# the bugreport will contain a system trace or not while the bugreport is still
-# in progress.
-allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
-allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
-# Required to traverse the parent dir (/data/misc/perfetto-traces).
-allow priv_app perfetto_traces_data_file:dir { search };
-
# Allow verifier to access staged apks.
allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;
@@ -154,7 +138,8 @@
dontaudit priv_app sysfs:file read;
dontaudit priv_app sysfs_android_usb:file read;
dontaudit priv_app sysfs_dm:file r_file_perms;
-dontaudit priv_app { wifi_prop wifi_hal_prop }:file read;
+dontaudit priv_app wifi_prop:file read;
+dontaudit priv_app { wifi_prop exported_wifi_prop }:file read;
# allow privileged apps to use UDP sockets provided by the system server but not
# modify them other than to connect
@@ -162,13 +147,8 @@
connect getattr read recvfrom sendto write getopt setopt };
# allow apps like Phonesky to check the file signature of an apk installed on
-# the Incremental File System, fill missing blocks and get the app status and loading progress
-allowxperm priv_app apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- INCFS_IOCTL_GET_FILLED_BLOCKS
-};
+# the Incremental File System, and fill missing blocks in the apk
+allowxperm priv_app apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
allow priv_app incremental_control_file:file { read getattr ioctl };
@@ -177,25 +157,9 @@
# on the Incremental File System.
allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;
-# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
-get_prop(priv_app, incremental_prop)
-
# Required for Phonesky to be able to read APEX files under /data/apex/active/.
allow priv_app apex_data_file:dir search;
allow priv_app staging_data_file:file r_file_perms;
-# Required for Phonesky to be able to read staged files under /data/app-staging.
-allow priv_app staging_data_file:dir r_dir_perms;
-
-# allow priv app to access the system app data files for ContentProvider case.
-allow priv_app system_app_data_file:file { read getattr };
-
-# Allow the renderscript compiler to be run.
-domain_auto_trans(priv_app, rs_exec, rs)
-
-# Allow loading and deleting executable shared libraries
-# within an application home directory. Such shared libraries would be
-# created by things like renderscript or via other mechanisms.
-allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
###
### neverallow rules
@@ -207,9 +171,6 @@
# Receive or send generic netlink messages
neverallow priv_app domain:netlink_socket *;
-# Read or write kernel printk buffer
-neverallow priv_app kmsg_device:chr_file no_rw_file_perms;
-
# Too much leaky information in debugfs. It's a security
# best practice to ensure these files aren't readable.
neverallow priv_app debugfs:file read;
@@ -250,7 +211,6 @@
# Do not allow priv_app access to cgroups.
neverallow priv_app cgroup:file *;
-neverallow priv_app cgroup_v2:file *;
# Do not allow loading executable code from non-privileged
# application home directories. Code loading across a security boundary
diff --git a/private/profcollectd.te b/private/profcollectd.te
deleted file mode 100644
index efde321..0000000
--- a/private/profcollectd.te
+++ /dev/null
@@ -1,61 +0,0 @@
-# profcollectd - hardware profile collection daemon
-type profcollectd, domain, coredomain, mlstrustedsubject;
-type profcollectd_exec, system_file_type, exec_type, file_type;
-
-userdebug_or_eng(`
- init_daemon_domain(profcollectd)
-
- # profcollectd opens a file for writing in /data/misc/profcollectd.
- allow profcollectd profcollectd_data_file:file create_file_perms;
- allow profcollectd profcollectd_data_file:dir create_dir_perms;
-
- # Allow profcollectd full use of perf_event_open(2), to enable system wide profiling.
- allow profcollectd self:perf_event { cpu kernel open read write };
-
- # Allow profcollectd to scan through /proc/pid for all processes.
- r_dir_file(profcollectd, domain)
-
- # Allow profcollectd to read executable binaries.
- allow profcollectd system_file_type:file r_file_perms;
- allow profcollectd vendor_file_type:file r_file_perms;
-
- # Allow profcollectd to search for and read kernel modules.
- allow profcollectd vendor_file:dir r_dir_perms;
- allow profcollectd vendor_kernel_modules:file r_file_perms;
-
- # Allow profcollectd to read system bootstrap libs.
- allow profcollectd system_bootstrap_lib_file:dir search;
- allow profcollectd system_bootstrap_lib_file:file r_file_perms;
-
- # Allow profcollectd to access tracefs.
- allow profcollectd debugfs_tracing:dir r_dir_perms;
- allow profcollectd debugfs_tracing:file rw_file_perms;
- allow profcollectd debugfs_tracing_debug:dir r_dir_perms;
- allow profcollectd debugfs_tracing_debug:file rw_file_perms;
-
- # Allow profcollectd to write to perf_event_paranoid under /proc.
- allow profcollectd proc_perf:file write;
-
- # Allow profcollectd to access cs_etm sysfs.
- r_dir_file(profcollectd, sysfs_devices_cs_etm)
-
- # Allow profcollectd to ptrace.
- allow profcollectd self:global_capability_class_set sys_ptrace;
-
- # Allow profcollectd to read its system properties.
- get_prop(profcollectd, device_config_profcollect_native_boot_prop)
- set_prop(profcollectd, profcollectd_node_id_prop)
-
- # Allow profcollectd to publish a binder service and make binder calls.
- binder_use(profcollectd)
- add_service(profcollectd, profcollectd_service)
-
- # Allow to temporarily lift the kptr_restrict setting and get kernel start address
- # by reading /proc/kallsyms, get module start address by reading /proc/modules.
- set_prop(profcollectd, lower_kptr_restrict_prop)
- allow profcollectd proc_kallsyms:file r_file_perms;
- allow profcollectd proc_modules:file r_file_perms;
-
- # Allow profcollectd to read kernel build id.
- allow profcollectd sysfs_kernel_notes:file r_file_perms;
-')
diff --git a/private/property.te b/private/property.te
deleted file mode 100644
index 29f4f1a..0000000
--- a/private/property.te
+++ /dev/null
@@ -1,607 +0,0 @@
-# Properties used only in /system
-system_internal_prop(adbd_prop)
-system_internal_prop(ctl_snapuserd_prop)
-system_internal_prop(device_config_profcollect_native_boot_prop)
-system_internal_prop(device_config_statsd_native_prop)
-system_internal_prop(device_config_statsd_native_boot_prop)
-system_internal_prop(device_config_storage_native_boot_prop)
-system_internal_prop(device_config_sys_traced_prop)
-system_internal_prop(device_config_window_manager_native_boot_prop)
-system_internal_prop(device_config_configuration_prop)
-system_internal_prop(device_config_connectivity_prop)
-system_internal_prop(device_config_swcodec_native_prop)
-system_internal_prop(fastbootd_protocol_prop)
-system_internal_prop(gsid_prop)
-system_internal_prop(init_perf_lsm_hooks_prop)
-system_internal_prop(init_service_status_private_prop)
-system_internal_prop(init_svc_debug_prop)
-system_internal_prop(keystore_crash_prop)
-system_internal_prop(keystore_listen_prop)
-system_internal_prop(last_boot_reason_prop)
-system_internal_prop(localization_prop)
-system_internal_prop(lower_kptr_restrict_prop)
-system_internal_prop(net_464xlat_fromvendor_prop)
-system_internal_prop(net_connectivity_prop)
-system_internal_prop(netd_stable_secret_prop)
-system_internal_prop(odsign_prop)
-system_internal_prop(perf_drop_caches_prop)
-system_internal_prop(pm_prop)
-system_internal_prop(profcollectd_node_id_prop)
-system_internal_prop(radio_cdma_ecm_prop)
-system_internal_prop(rollback_test_prop)
-system_internal_prop(setupwizard_prop)
-system_internal_prop(system_adbd_prop)
-system_internal_prop(traced_perf_enabled_prop)
-system_internal_prop(userspace_reboot_log_prop)
-system_internal_prop(userspace_reboot_test_prop)
-system_internal_prop(verity_status_prop)
-system_internal_prop(zygote_wrap_prop)
-system_internal_prop(ctl_mediatranscoding_prop)
-system_internal_prop(ctl_odsign_prop)
-
-###
-### Neverallow rules
-###
-
-treble_sysprop_neverallow(`
-
-enforce_sysprop_owner(`
- neverallow domain {
- property_type
- -system_property_type
- -product_property_type
- -vendor_property_type
- }:file no_rw_file_perms;
-')
-
-neverallow { domain -coredomain } {
- system_property_type
- system_internal_property_type
- -system_restricted_property_type
- -system_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { domain -coredomain } {
- system_property_type
- -system_public_property_type
-}:property_service set;
-
-# init is in coredomain, but should be able to read/write all props.
-# dumpstate is also in coredomain, but should be able to read all props.
-neverallow { coredomain -init -dumpstate } {
- vendor_property_type
- vendor_internal_property_type
- -vendor_restricted_property_type
- -vendor_public_property_type
-}:file no_rw_file_perms;
-
-neverallow { coredomain -init } {
- vendor_property_type
- -vendor_public_property_type
-}:property_service set;
-
-')
-
-# There is no need to perform ioctl or advisory locking operations on
-# property files. If this neverallow is being triggered, it is
-# likely that the policy is using r_file_perms directly instead of
-# the get_prop() macro.
-neverallow domain property_type:file { ioctl lock };
-
-neverallow * {
- core_property_type
- -audio_prop
- -config_prop
- -cppreopt_prop
- -dalvik_prop
- -debuggerd_prop
- -debug_prop
- -dhcp_prop
- -dumpstate_prop
- -fingerprint_prop
- -logd_prop
- -net_radio_prop
- -nfc_prop
- -ota_prop
- -pan_result_prop
- -persist_debug_prop
- -powerctl_prop
- -radio_prop
- -restorecon_prop
- -shell_prop
- -system_prop
- -usb_prop
- -vold_prop
-}:file no_rw_file_perms;
-
-# sigstop property is only used for debugging; should only be set by su which is permissive
-# for userdebug/eng
-neverallow {
- domain
- -init
- -vendor_init
-} ctl_sigstop_prop:property_service set;
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_bootanim_prop
- ctl_bugreport_prop
- ctl_console_prop
- ctl_default_prop
- ctl_dumpstate_prop
- ctl_fuse_prop
- ctl_mdnsd_prop
- ctl_rildaemon_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} init_svc_debug_prop:property_service set;
-
-neverallow {
- domain
- -init
- -dumpstate
- userdebug_or_eng(`-su')
-} init_svc_debug_prop:file no_rw_file_perms;
-
-compatible_property_only(`
-# Prevent properties from being set
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- extended_core_property_type
- exported_config_prop
- exported_default_prop
- exported_dumpstate_prop
- exported_system_prop
- exported3_system_prop
- usb_control_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- -vendor_init
- } {
- radio_control_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- -vendor_init
- } {
- exported_bluetooth_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_camera_server
- -cameraserver
- -vendor_init
- } {
- exported_camera_prop
- }:property_service set;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:property_service set;
-
- neverallow {
- domain
- -init
- -dumpstate
- -hal_wifi_server
- -wificond
- -vendor_init
- } {
- wifi_hal_prop
- }:property_service set;
-
-# Prevent properties from being read
- neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
- } {
- core_property_type
- dalvik_config_prop
- extended_core_property_type
- exported3_system_prop
- systemsound_config_prop
- -debug_prop
- -logd_prop
- -nfc_prop
- -powerctl_prop
- -radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_nfc_server
- } {
- nfc_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -appdomain
- -hal_telephony_server
- } {
- radio_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -bluetooth
- -hal_bluetooth_server
- } {
- bluetooth_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -hal_wifi_server
- -wificond
- } {
- wifi_prop
- }:file no_rw_file_perms;
-
- neverallow {
- domain
- -coredomain
- -vendor_init
- } {
- suspend_prop
- }:property_service set;
-')
-
-compatible_property_only(`
- # Neverallow coredomain to set vendor properties
- neverallow {
- coredomain
- -init
- -system_writes_vendor_properties_violators
- } {
- property_type
- -system_property_type
- -extended_core_property_type
- }:property_service set;
-')
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- ffs_config_prop
- ffs_control_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- userspace_reboot_log_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and system_server to set system_adbd_prop
- domain
- -init
- -system_server
-} {
- system_adbd_prop
-}:property_service set;
-
-# Let (vendor_)init, adbd, and system_server set service.adb.tcp.port
-neverallow {
- domain
- -init
- -vendor_init
- -adbd
- -system_server
-} {
- adbd_config_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and adbd to set adbd_prop
- domain
- -init
- -adbd
-} {
- adbd_prop
-}:property_service set;
-
-neverallow {
- # Only allow init and shell to set userspace_reboot_test_prop
- domain
- -init
- -shell
-} {
- userspace_reboot_test_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} {
- surfaceflinger_color_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} {
- libc_debug_prop
-}:property_service set;
-
-# Allow the shell to set MTE props, so that non-root users with adb shell
-# access can control the settings on their device.
-neverallow {
- domain
- -init
- -shell
-} {
- arm64_memtag_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} zram_control_prop:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
- -vendor_init
-} dalvik_runtime_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- usb_config_prop
- usb_control_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -system_server
-} {
- provisioned_prop
- retaildemo_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} {
- provisioned_prop
- retaildemo_prop
-}:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- init_service_status_private_prop
- init_service_status_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -radio
- -appdomain
- -hal_telephony_server
- not_compatible_property(`-vendor_init')
-} telephony_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
-} {
- graphics_config_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -surfaceflinger
-} {
- surfaceflinger_display_prop
-}:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
- -vendor_init
-} packagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} keyguard_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} {
- localization_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_app
-} oem_unlock_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -coredomain
- -vendor_init
-} storagemanager_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} sendbug_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -appdomain
-} camera_calibration_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -dumpstate
- -hal_dumpstate_server
- not_compatible_property(`-vendor_init')
-} hal_dumpstate_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- userdebug_or_eng(`-profcollectd')
- userdebug_or_eng(`-traced_probes')
- userdebug_or_eng(`-traced_perf')
-} {
- lower_kptr_restrict_prop
-}:property_service set;
-
-neverallow {
- domain
- -init
-} zygote_wrap_prop:property_service set;
-
-neverallow {
- domain
- -init
-} verity_status_prop:property_service set;
-
-neverallow {
- domain
- -init
-} setupwizard_prop:property_service set;
-
-# ro.product.property_source_order is useless after initialization of ro.product.* props.
-# So making it accessible only from init and vendor_init.
-neverallow {
- domain
- -init
- -dumpstate
- -vendor_init
-} build_config_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
- -shell
-} sqlite_log_prop:property_service set;
-
-neverallow {
- domain
- -coredomain
- -appdomain
-} sqlite_log_prop:file no_rw_file_perms;
-
-neverallow {
- domain
- -init
-} default_prop:property_service set;
-
-# Only one of system_property_type and vendor_property_type can be assigned.
-# Property types having both attributes won't be accessible from anywhere.
-neverallow domain system_and_vendor_property_type:{file property_service} *;
-
-neverallow {
- # Only allow init and shell to set rollback_test_prop
- domain
- -init
- -shell
-} rollback_test_prop:property_service set;
-
-neverallow {
- # Only allow init and profcollectd to access profcollectd_node_id_prop
- domain
- -init
- -dumpstate
- -profcollectd
-} profcollectd_node_id_prop:file r_file_perms;
-
diff --git a/private/property_contexts b/private/property_contexts
index 0009197..7908bb1 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -9,6 +9,7 @@
net.lte u:object_r:net_radio_prop:s0
net.cdma u:object_r:net_radio_prop:s0
net.dns u:object_r:net_dns_prop:s0
+sys.usb.config u:object_r:system_radio_prop:s0
ril. u:object_r:radio_prop:s0
ro.ril. u:object_r:radio_prop:s0
gsm. u:object_r:radio_prop:s0
@@ -26,6 +27,7 @@
sys.cppreopt u:object_r:cppreopt_prop:s0
sys.lpdumpd u:object_r:lpdumpd_prop:s0
sys.powerctl u:object_r:powerctl_prop:s0
+sys.usb.ffs. u:object_r:ffs_prop:s0
service. u:object_r:system_prop:s0
dhcp. u:object_r:dhcp_prop:s0
dhcp.bt-pan.result u:object_r:pan_result_prop:s0
@@ -40,12 +42,13 @@
khungtask. u:object_r:llkd_prop:s0
ro.llk. u:object_r:llkd_prop:s0
ro.khungtask. u:object_r:llkd_prop:s0
+lmkd.reinit u:object_r:lmkd_prop:s0 exact int
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
security.perf_harden u:object_r:shell_prop:s0
-security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
+service.adb.tcp.port u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
@@ -54,7 +57,6 @@
persist.bluetooth. u:object_r:bluetooth_prop:s0
persist.nfc_cfg. u:object_r:nfc_prop:s0
persist.debug. u:object_r:persist_debug_prop:s0
-logd. u:object_r:logd_prop:s0
persist.logd. u:object_r:logd_prop:s0
ro.logd. u:object_r:logd_prop:s0
persist.logd.security u:object_r:device_logging_prop:s0
@@ -64,7 +66,6 @@
persist.mmc. u:object_r:mmc_prop:s0
persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
persist.pm.mock-upgrade u:object_r:mock_ota_prop:s0
-persist.profcollectd.node_id u:object_r:profcollectd_node_id_prop:s0 exact string
persist.sys. u:object_r:system_prop:s0
persist.sys.safemode u:object_r:safemode_prop:s0
persist.sys.theme u:object_r:theme_prop:s0
@@ -79,9 +80,7 @@
traced.lazy. u:object_r:traced_lazy_prop:s0
persist.heapprofd.enable u:object_r:heapprofd_enabled_prop:s0
persist.traced_perf.enable u:object_r:traced_perf_enabled_prop:s0
-persist.vendor.debug.wifi. u:object_r:persist_vendor_debug_wifi_prop:s0
persist.vendor.overlay. u:object_r:overlay_prop:s0
-ril.cdma.inecmmode u:object_r:radio_cdma_ecm_prop:s0 exact bool
ro.boot.vendor.overlay. u:object_r:overlay_prop:s0
ro.boottime. u:object_r:boottime_prop:s0
ro.serialno u:object_r:serialno_prop:s0
@@ -97,24 +96,10 @@
test.userspace_reboot.requested u:object_r:userspace_reboot_test_prop:s0
sys.lmk. u:object_r:system_lmk_prop:s0
sys.trace. u:object_r:system_trace_prop:s0
-wrap. u:object_r:zygote_wrap_prop:s0 prefix string
-
-# Suspend service properties
-suspend.max_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.base_sleep_time_millis u:object_r:suspend_prop:s0 exact uint
-suspend.backoff_threshold_count u:object_r:suspend_prop:s0 exact uint
-suspend.short_suspend_threshold_millis u:object_r:suspend_prop:s0 exact uint
-suspend.sleep_time_scale_factor u:object_r:suspend_prop:s0 exact double
-suspend.failed_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
-suspend.short_suspend_backoff_enabled u:object_r:suspend_prop:s0 exact bool
# Fastbootd protocol control property
fastbootd.protocol u:object_r:fastbootd_protocol_prop:s0 exact enum usb tcp
-# adbd protoctl configuration property
-service.adb.tcp.port u:object_r:adbd_config_prop:s0 exact int
-service.adb.transport u:object_r:adbd_config_prop:s0 exact string
-
# Boolean property set by system server upon boot indicating
# if device is fully owned by organization instead of being
# a personal device.
@@ -132,7 +117,7 @@
# ro.build.fingerprint is either set in /system/build.prop, or is
# set at runtime by system_server.
-ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
+ro.build.fingerprint u:object_r:fingerprint_prop:s0
ro.persistent_properties.ready u:object_r:persistent_properties_ready_prop:s0
@@ -146,7 +131,7 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-# Don't allow uncontrolled access to all services
+# Don't allow blind access to all services
ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
ctl.start$ u:object_r:ctl_start_prop:s0
@@ -169,20 +154,9 @@
# Restrict access to stopping apexd.
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-# Restrict access to stopping odsign
-ctl.stop$odsign u:object_r:ctl_odsign_prop:s0
-
-# Restrict access to starting media.transcoding.
-ctl.start$media.transcoding u:object_r:ctl_mediatranscoding_prop:s0
-
# Restrict access to restart dumpstate
ctl.interface_restart$android.hardware.dumpstate u:object_r:ctl_dumpstate_prop:s0
-# Restrict access to control snapuserd
-ctl.start$snapuserd u:object_r:ctl_snapuserd_prop:s0
-ctl.stop$snapuserd u:object_r:ctl_snapuserd_prop:s0
-ctl.restart$snapuserd u:object_r:ctl_snapuserd_prop:s0
-
# NFC properties
nfc. u:object_r:nfc_prop:s0
@@ -194,12 +168,6 @@
dalvik. u:object_r:dalvik_prop:s0
ro.dalvik. u:object_r:dalvik_prop:s0
-# qemu_hw_prop is read/written by both system and vendor.
-qemu.hw.mainkeys u:object_r:qemu_hw_prop:s0 exact string
-
-# qemu_sf_lcd_density_prop is read/written by both system and vendor.
-qemu.sf.lcd_density u:object_r:qemu_sf_lcd_density_prop:s0 exact int
-
# Shared between system server and wificond
wifi. u:object_r:wifi_prop:s0
wlan. u:object_r:wifi_prop:s0
@@ -214,49 +182,39 @@
# hwservicemanager properties
hwservicemanager. u:object_r:hwservicemanager_prop:s0
-# Common default properties for vendor, odm, vendor_dlkm, and odm_dlkm.
+# Common default properties for vendor and odm.
init.svc.odm. u:object_r:vendor_default_prop:s0
init.svc.vendor. u:object_r:vendor_default_prop:s0
ro.hardware. u:object_r:vendor_default_prop:s0
ro.odm. u:object_r:vendor_default_prop:s0
ro.vendor. u:object_r:vendor_default_prop:s0
-ro.vendor_dlkm. u:object_r:vendor_default_prop:s0
-ro.odm_dlkm. u:object_r:vendor_default_prop:s0
odm. u:object_r:vendor_default_prop:s0
persist.odm. u:object_r:vendor_default_prop:s0
persist.vendor. u:object_r:vendor_default_prop:s0
vendor. u:object_r:vendor_default_prop:s0
+# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
+ro.boot. u:object_r:exported2_default_prop:s0
# Properties that relate to time / time zone detection behavior.
persist.time. u:object_r:time_prop:s0
# Properties that relate to server configurable flags
-device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
+device_config.reset_performed u:object_r:device_config_reset_performed_prop:s0
persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
-persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
-persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
-persist.device_config.connectivity. u:object_r:device_config_connectivity_prop:s0
-persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
-persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
-persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
-persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
-persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
-persist.device_config.statsd_native. u:object_r:device_config_statsd_native_prop:s0
-persist.device_config.statsd_native_boot. u:object_r:device_config_statsd_native_boot_prop:s0
-persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
-persist.device_config.swcodec_native. u:object_r:device_config_swcodec_native_prop:s0
-persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
-
-# MM Events config props
-persist.mm_events.enabled u:object_r:mm_events_config_prop:s0 exact bool
+persist.device_config.attempted_boot_count u:object_r:device_config_boot_count_prop:s0
+persist.device_config.input_native_boot. u:object_r:device_config_input_native_boot_prop:s0
+persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
+persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
+persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
+persist.device_config.storage_native_boot. u:object_r:device_config_storage_native_boot_prop:s0
+persist.device_config.window_manager_native_boot. u:object_r:device_config_window_manager_native_boot_prop:s0
+persist.device_config.configuration. u:object_r:device_config_configuration_prop:s0
# Properties that relate to legacy server configurable flags
persist.device_config.global_settings.sys_traced u:object_r:device_config_sys_traced_prop:s0
apexd. u:object_r:apexd_prop:s0
-apexd.config.dm_delete.timeout u:object_r:apexd_config_prop:s0 exact uint
-apexd.config.dm_create.timeout u:object_r:apexd_config_prop:s0 exact uint
persist.apexd. u:object_r:apexd_prop:s0
bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
@@ -271,35 +229,20 @@
# Property that is set once ueventd finishes cold boot.
ro.cold_boot_done u:object_r:cold_boot_done_prop:s0
-# Properties that control performance operations.
-# Leave space to later set drop_caches to 1, 2, and 4.
-perf.drop_caches u:object_r:perf_drop_caches_prop:s0 exact enum 0 3
-
# Charger properties
-ro.charger. u:object_r:charger_prop:s0
-sys.boot_from_charger_mode u:object_r:charger_status_prop:s0 exact int
-ro.enable_boot_charger_mode u:object_r:charger_config_prop:s0 exact bool
+ro.charger. u:object_r:charger_prop:s0
# Virtual A/B properties
-ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
-ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0
+ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0
-ro.product.ab_ota_partitions u:object_r:ota_prop:s0 exact string
# Property to set/clear the warm reset flag after an OTA update.
ota.warm_reset u:object_r:ota_prop:s0
-# The vbmeta digest for the inactive slot. It can be set after installing
-# ota updates to the b partition of a/b devices.
-ota.other.vbmeta_digest u:object_r:ota_prop:s0 exact string
# Module properties
com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
persist.com.android.sdkext. u:object_r:module_sdkextensions_prop:s0
-# Connectivity module
-net.464xlat.cellular.enabled u:object_r:net_464xlat_fromvendor_prop:s0 exact bool
-net.tcp_def_init_rwnd u:object_r:net_connectivity_prop:s0 exact int
-
# Userspace reboot properties
sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
persist.sys.userspace_reboot.log. u:object_r:userspace_reboot_log_prop:s0
@@ -310,720 +253,6 @@
# history size.
ro.lib_gui.frame_event_history_size u:object_r:bq_config_prop:s0
-af.fast_track_multiplier u:object_r:audio_config_prop:s0 exact int
-ro.af.client_heap_size_kbyte u:object_r:audio_config_prop:s0 exact int
-ro.audio.flinger_standbytime_ms u:object_r:audio_config_prop:s0 exact int
-
-audio.camerasound.force u:object_r:audio_config_prop:s0 exact bool
-audio.deep_buffer.media u:object_r:audio_config_prop:s0 exact bool
-audio.offload.video u:object_r:audio_config_prop:s0 exact bool
-audio.offload.min.duration.secs u:object_r:audio_config_prop:s0 exact int
-
-ro.audio.ignore_effects u:object_r:audio_config_prop:s0 exact bool
-ro.audio.monitorRotation u:object_r:audio_config_prop:s0 exact bool
-ro.audio.offload_wakelock u:object_r:audio_config_prop:s0 exact bool
-
-persist.config.calibration_fac u:object_r:camera_calibration_prop:s0 exact string
-
-config.disable_cameraservice u:object_r:camera_config_prop:s0 exact bool
-
-camera.disable_zsl_mode u:object_r:camera_config_prop:s0 exact bool
-camera.fifo.disable u:object_r:camera_config_prop:s0 exact bool
-ro.camera.notify_nfc u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableLazyHal u:object_r:camera_config_prop:s0 exact bool
-ro.camera.enableCamera1MaxZsl u:object_r:camera_config_prop:s0 exact bool
-
-ro.camerax.extensions.enabled u:object_r:camerax_extensions_prop:s0 exact bool
-
-ro.vendor.camera.extensions.package u:object_r:camera2_extensions_prop:s0 exact string
-ro.vendor.camera.extensions.service u:object_r:camera2_extensions_prop:s0 exact string
-
-# ART properties
-dalvik.vm. u:object_r:dalvik_config_prop:s0
-ro.dalvik.vm. u:object_r:dalvik_config_prop:s0
-ro.zygote u:object_r:dalvik_config_prop:s0 exact string
-
-# A set of ART properties listed explicitly for compatibility purposes.
-ro.dalvik.vm.native.bridge u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.always_debuggable u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.appimageformat u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.backgroundgctype u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.boot-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.boot-image u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.bgdexopt.new-classes-percent u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.bgdexopt.new-methods-percent u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.checkjni u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-max-image-block-size u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-minidebuginfo u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-resolve-startup-strings u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-updatable-bcp-packages-file u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.dex2oat-very-large u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.dex2oat-swap u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dex2oat64.enabled u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.secondary u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.dexopt.thermal-cutoff u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.execution-mode u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.extra-opts u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.foreground-heap-growth-multiplier u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.gctype u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapgrowthlimit u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapmaxfree u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapminfree u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heapstartsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.heaptargetutilization u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.hot-startup-method-samples u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.image-dex2oat-Xms u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-Xmx u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-filter u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-flags u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.image-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.isa.arm.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.arm64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.mips64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.unknown.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.features u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.isa.x86_64.variant u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitinitialsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitmaxsize u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.jitprithreadweight u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jitthreshold u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jittransitionweight u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.jniopts u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.lockprof.threshold u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.method-trace-file u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.method-trace-file-siz u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.method-trace-stream u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilesystemserver u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.profilebootclasspath u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.ps-min-save-period-ms u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.ps-resolved-classes-delay-ms u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.restore-dex2oat-cpu-set u:object_r:dalvik_config_prop:s0 exact string
-dalvik.vm.restore-dex2oat-threads u:object_r:dalvik_config_prop:s0 exact int
-dalvik.vm.usejit u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.usejitprofiles u:object_r:dalvik_config_prop:s0 exact bool
-dalvik.vm.zygote.max-boot-retry u:object_r:dalvik_config_prop:s0 exact int
-
-persist.sys.dalvik.vm.lib.2 u:object_r:dalvik_runtime_prop:s0 exact string
-
-keyguard.no_require_sim u:object_r:keyguard_config_prop:s0 exact bool
-
-media.c2.dmabuf.padding u:object_r:codec2_config_prop:s0 exact int
-
-media.recorder.show_manufacturer_and_model u:object_r:media_config_prop:s0 exact bool
-media.stagefright.cache-params u:object_r:media_config_prop:s0 exact string
-media.stagefright.enable-aac u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-fma2dp u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-http u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-player u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-qcp u:object_r:media_config_prop:s0 exact bool
-media.stagefright.enable-scan u:object_r:media_config_prop:s0 exact bool
-media.stagefright.thumbnail.prefer_hw_codecs u:object_r:media_config_prop:s0 exact bool
-persist.sys.media.avsync u:object_r:media_config_prop:s0 exact bool
-
-persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
-persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
-persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
-
-persist.radio.multisim.config u:object_r:radio_control_prop:s0 exact string
-
-persist.sys.hdmi.keep_awake u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec_device_types u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.device_type u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.set_menu_language u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.set_menu_language.enabled u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_sytem_audio_device_arc_port u:object_r:hdmi_config_prop:s0 exact string
-ro.hdmi.cec_audio_device_forward_volume_keys_system_audio_mode_off u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.property_is_device_hdmi_cec_switch u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.wake_on_hotplug u:object_r:hdmi_config_prop:s0 exact bool
-ro.hdmi.cec.source.send_standby_on_sleep u:object_r:hdmi_config_prop:s0 exact enum to_tv broadcast none
-ro.hdmi.cec.source.playback_device_action_on_routing_control u:object_r:hdmi_config_prop:s0 exact enum none wake_up_only wake_up_and_send_active_source
-
-pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.cmdline u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
-pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
-pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-fast u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.install-bulk-secondary-downgraded u:object_r:exported_pm_prop:s0 exact string
-pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
-
-ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
-
-ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
-
-ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
-
-ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
-
-ro.config.alarm_alert u:object_r:systemsound_config_prop:s0 exact string
-ro.config.alarm_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.alarm_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.media_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.notification_sound u:object_r:systemsound_config_prop:s0 exact string
-ro.config.ringtone u:object_r:systemsound_config_prop:s0 exact string
-ro.config.system_vol_default u:object_r:systemsound_config_prop:s0 exact int
-ro.config.system_vol_steps u:object_r:systemsound_config_prop:s0 exact int
-ro.config.vc_call_vol_default u:object_r:systemsound_config_prop:s0 exact int
-
-ro.control_privapp_permissions u:object_r:packagemanager_config_prop:s0 exact enum disable enforce log
-ro.cp_system_other_odex u:object_r:packagemanager_config_prop:s0 exact bool
-
-ro.crypto.allow_encrypt_override u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.dm_default_key.options_format.version u:object_r:vold_config_prop:s0 exact int
-ro.crypto.fde_algorithm u:object_r:vold_config_prop:s0 exact string
-ro.crypto.fde_sector_size u:object_r:vold_config_prop:s0 exact int
-ro.crypto.metadata_init_delete_all_keys.enabled u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.scrypt_params u:object_r:vold_config_prop:s0 exact string
-ro.crypto.set_dun u:object_r:vold_config_prop:s0 exact bool
-ro.crypto.volume.contents_mode u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.filenames_mode u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.encryption u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.metadata.method u:object_r:vold_config_prop:s0 exact string
-ro.crypto.volume.options u:object_r:vold_config_prop:s0 exact string
-
-external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
-external_storage.cross_user.enabled u:object_r:storage_config_prop:s0 exact bool
-
-ro.config.per_app_memcg u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.critical u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.critical_upgrade u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.debug u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.downgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.filecache_min_kb u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.kill_heaviest_task u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.kill_timeout_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.log_stats u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.low u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.medium u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_partial_stall_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.psi_complete_stall_ms u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_free_low_percentage u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.swap_util_max u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_critical u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.thrashing_limit_decay u:object_r:lmkd_config_prop:s0 exact int
-ro.lmk.use_minfree_levels u:object_r:lmkd_config_prop:s0 exact bool
-ro.lmk.upgrade_pressure u:object_r:lmkd_config_prop:s0 exact int
-lmkd.reinit u:object_r:lmkd_prop:s0 exact int
-
-ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
-ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
-
-ro.minui.default_rotation u:object_r:recovery_config_prop:s0 exact string
-ro.minui.overscan_percent u:object_r:recovery_config_prop:s0 exact int
-ro.minui.pixel_format u:object_r:recovery_config_prop:s0 exact string
-
-ro.oem_unlock_supported u:object_r:oem_unlock_prop:s0 exact int
-
-ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
-
-ro.storage_manager.enabled u:object_r:storagemanager_config_prop:s0 exact bool
-ro.storage_manager.show_opt_in u:object_r:storagemanager_config_prop:s0 exact bool
-
-ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
-
-ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
-
-ro.zram.mark_idle_delay_mins u:object_r:zram_config_prop:s0 exact int
-ro.zram.first_wb_delay_mins u:object_r:zram_config_prop:s0 exact int
-ro.zram.periodic_wb_delay_hours u:object_r:zram_config_prop:s0 exact int
-zram.force_writeback u:object_r:zram_config_prop:s0 exact bool
-persist.sys.zram_enabled u:object_r:zram_control_prop:s0 exact bool
-
-sendbug.preferred.domain u:object_r:sendbug_config_prop:s0 exact string
-
-persist.sys.usb.usbradio.config u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.config u:object_r:usb_control_prop:s0 exact string
-sys.usb.configfs u:object_r:usb_control_prop:s0 exact int
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
-sys.usb.state u:object_r:usb_control_prop:s0 exact string
-
-sys.usb.mtp.batchcancel u:object_r:usb_config_prop:s0 exact bool
-sys.usb.mtp.device_type u:object_r:usb_config_prop:s0 exact int
-
-sys.usb.config. u:object_r:usb_prop:s0
-
-sys.usb.ffs.aio_compat u:object_r:ffs_config_prop:s0 exact bool
-sys.usb.ffs.max_read u:object_r:ffs_config_prop:s0 exact int
-sys.usb.ffs.max_write u:object_r:ffs_config_prop:s0 exact int
-
-sys.usb.ffs.ready u:object_r:ffs_control_prop:s0 exact bool
-sys.usb.ffs.mtp.ready u:object_r:ffs_control_prop:s0 exact bool
-
-tombstoned.max_tombstone_count u:object_r:tombstone_config_prop:s0 exact int
-
-vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
-
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
-
-odsign.key.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.done u:object_r:odsign_prop:s0 exact bool
-odsign.verification.success u:object_r:odsign_prop:s0 exact bool
-
-dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
-sys.boot_completed u:object_r:boot_status_prop:s0 exact bool
-
-persist.sys.device_provisioned u:object_r:provisioned_prop:s0 exact string
-
-persist.sys.theme u:object_r:theme_prop:s0 exact string
-
-sys.retaildemo.enabled u:object_r:retaildemo_prop:s0 exact int
-
-sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
-
-aac_drc_boost u:object_r:aac_drc_prop:s0 exact int
-aac_drc_cut u:object_r:aac_drc_prop:s0 exact int
-aac_drc_enc_target_level u:object_r:aac_drc_prop:s0 exact int
-aac_drc_heavy u:object_r:aac_drc_prop:s0 exact int
-aac_drc_reference_level u:object_r:aac_drc_prop:s0 exact int
-ro.aac_drc_effect_type u:object_r:aac_drc_prop:s0 exact int
-
-build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
-
-drm.64bit.enabled u:object_r:mediadrm_config_prop:s0 exact bool
-media.mediadrmservice.enable u:object_r:mediadrm_config_prop:s0 exact bool
-
-drm.service.enabled u:object_r:drm_service_config_prop:s0 exact bool
-
-dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
-dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
-persist.dumpstate.verbose_logging.enabled u:object_r:hal_dumpstate_config_prop:s0 exact bool
-
-hal.instrumentation.enable u:object_r:hal_instrumentation_prop:s0 exact bool
-
-# default contexts only accessible by coredomain
-init.svc. u:object_r:init_service_status_private_prop:s0 prefix string
-
-# Globally-readable init service props
-init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreport u:object_r:init_service_status_prop:s0 exact string
-init.svc.bugreportd u:object_r:init_service_status_prop:s0 exact string
-init.svc.console u:object_r:init_service_status_prop:s0 exact string
-init.svc.dumpstatez u:object_r:init_service_status_prop:s0 exact string
-init.svc.mediadrm u:object_r:init_service_status_prop:s0 exact string
-init.svc.statsd u:object_r:init_service_status_prop:s0 exact string
-init.svc.surfaceflinger u:object_r:init_service_status_prop:s0 exact string
-init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-init.svc.zygote u:object_r:init_service_status_prop:s0 exact string
-
-libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
-libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
-libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
-
-# shell-only props for ARM memory tagging (MTE).
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-
-net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
-
-persist.sys.locale u:object_r:exported_system_prop:s0 exact string
-persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
-persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
-
-ro.arch u:object_r:build_prop:s0 exact string
-
-# ro.boot. properties are set based on kernel commandline arguments, which are vendor owned.
-ro.boot. u:object_r:bootloader_prop:s0
-ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.baseband u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootdevice u:object_r:bootloader_prop:s0 exact string
-ro.boot.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.boot.boottime u:object_r:bootloader_prop:s0 exact string
-ro.boot.console u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.color u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware.sku u:object_r:bootloader_prop:s0 exact string
-ro.boot.keymaster u:object_r:bootloader_prop:s0 exact string
-ro.boot.mode u:object_r:bootloader_prop:s0 exact string
-# Populated on Android Studio Emulator (for emulator specific workarounds)
-ro.boot.qemu u:object_r:bootloader_prop:s0 exact bool
-ro.boot.revision u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
-ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
-
-# These ro.X properties are set to values of ro.boot.X by property_service.
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
-
-ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
-ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
-
-ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
-ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
-
-ro.build.characteristics u:object_r:build_prop:s0 exact string
-ro.build.date u:object_r:build_prop:s0 exact string
-ro.build.date.utc u:object_r:build_prop:s0 exact int
-ro.build.description u:object_r:build_prop:s0 exact string
-ro.build.display.id u:object_r:build_prop:s0 exact string
-ro.build.flavor u:object_r:build_prop:s0 exact string
-ro.build.host u:object_r:build_prop:s0 exact string
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.product u:object_r:build_prop:s0 exact string
-ro.build.system_root_image u:object_r:build_prop:s0 exact bool
-ro.build.tags u:object_r:build_prop:s0 exact string
-ro.build.type u:object_r:build_prop:s0 exact string
-ro.build.user u:object_r:build_prop:s0 exact string
-ro.build.version.all_codenames u:object_r:build_prop:s0 exact string
-ro.build.version.base_os u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.build.version.min_supported_target_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk u:object_r:build_prop:s0 exact int
-ro.build.version.preview_sdk_fingerprint u:object_r:build_prop:s0 exact string
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
-
-ro.actionable_compatible_property.enabled u:object_r:build_prop:s0 exact bool
-
-ro.debuggable u:object_r:build_prop:s0 exact bool
-
-ro.treble.enabled u:object_r:build_prop:s0 exact bool
-
-ro.product.cpu.abi u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist32 u:object_r:build_prop:s0 exact string
-ro.product.cpu.abilist64 u:object_r:build_prop:s0 exact string
-
-ro.product.system.brand u:object_r:build_prop:s0 exact string
-ro.product.system.device u:object_r:build_prop:s0 exact string
-ro.product.system.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system.model u:object_r:build_prop:s0 exact string
-ro.product.system.name u:object_r:build_prop:s0 exact string
-
-ro.system.build.date u:object_r:build_prop:s0 exact string
-ro.system.build.date.utc u:object_r:build_prop:s0 exact int
-ro.system.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.system.build.id u:object_r:build_prop:s0 exact string
-ro.system.build.tags u:object_r:build_prop:s0 exact string
-ro.system.build.type u:object_r:build_prop:s0 exact string
-ro.system.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.system.build.version.release u:object_r:build_prop:s0 exact string
-ro.system.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system.build.version.sdk u:object_r:build_prop:s0 exact int
-
-ro.adb.secure u:object_r:build_prop:s0 exact bool
-ro.secure u:object_r:build_prop:s0 exact int
-
-ro.product.system_ext.brand u:object_r:build_prop:s0 exact string
-ro.product.system_ext.device u:object_r:build_prop:s0 exact string
-ro.product.system_ext.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.system_ext.model u:object_r:build_prop:s0 exact string
-ro.product.system_ext.name u:object_r:build_prop:s0 exact string
-
-ro.system_ext.build.date u:object_r:build_prop:s0 exact string
-ro.system_ext.build.date.utc u:object_r:build_prop:s0 exact int
-ro.system_ext.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.system_ext.build.id u:object_r:build_prop:s0 exact string
-ro.system_ext.build.tags u:object_r:build_prop:s0 exact string
-ro.system_ext.build.type u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.system_ext.build.version.sdk u:object_r:build_prop:s0 exact int
-
-# These ro.product.product.* and ro.product.build.* are set by /product/etc/build.prop
-ro.product.product.brand u:object_r:build_prop:s0 exact string
-ro.product.product.device u:object_r:build_prop:s0 exact string
-ro.product.product.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.product.model u:object_r:build_prop:s0 exact string
-ro.product.product.name u:object_r:build_prop:s0 exact string
-
-ro.product.build.date u:object_r:build_prop:s0 exact string
-ro.product.build.date.utc u:object_r:build_prop:s0 exact int
-ro.product.build.fingerprint u:object_r:build_prop:s0 exact string
-ro.product.build.id u:object_r:build_prop:s0 exact string
-ro.product.build.tags u:object_r:build_prop:s0 exact string
-ro.product.build.type u:object_r:build_prop:s0 exact string
-ro.product.build.version.incremental u:object_r:build_prop:s0 exact string
-ro.product.build.version.release u:object_r:build_prop:s0 exact string
-ro.product.build.version.release_or_codename u:object_r:build_prop:s0 exact string
-ro.product.build.version.sdk u:object_r:build_prop:s0 exact int
-
-# These 5 properties are set by property_service
-ro.product.brand u:object_r:build_prop:s0 exact string
-ro.product.device u:object_r:build_prop:s0 exact string
-ro.product.manufacturer u:object_r:build_prop:s0 exact string
-ro.product.model u:object_r:build_prop:s0 exact string
-ro.product.name u:object_r:build_prop:s0 exact string
-
-# Sanitizer properties
-ro.sanitize.address u:object_r:build_prop:s0 exact bool
-ro.sanitize.cfi u:object_r:build_prop:s0 exact bool
-ro.sanitize.default-ub u:object_r:build_prop:s0 exact bool
-ro.sanitize.fuzzer u:object_r:build_prop:s0 exact bool
-ro.sanitize.hwaddress u:object_r:build_prop:s0 exact bool
-ro.sanitize.integer_overflow u:object_r:build_prop:s0 exact bool
-ro.sanitize.safe-stack u:object_r:build_prop:s0 exact bool
-ro.sanitize.scudo u:object_r:build_prop:s0 exact bool
-ro.sanitize.thread u:object_r:build_prop:s0 exact bool
-ro.sanitize.undefined u:object_r:build_prop:s0 exact bool
-
-# All odm build props are set by /odm/build.prop
-ro.odm.build.date u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.date.utc u:object_r:build_odm_prop:s0 exact int
-ro.odm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
-ro.odm.build.media_performance_class u:object_r:build_odm_prop:s0 exact int
-
-ro.product.odm.brand u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.device u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.model u:object_r:build_odm_prop:s0 exact string
-ro.product.odm.name u:object_r:build_odm_prop:s0 exact string
-
-# All vendor_dlkm build props are set by /vendor_dlkm/etc/build.prop
-ro.vendor_dlkm.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor_dlkm.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor_dlkm.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# All odm_dlkm build props are set by /odm_dlkm/etc/build.prop
-ro.product.odm_dlkm.brand u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.device u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.manufacturer u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.model u:object_r:build_odm_prop:s0 exact string
-ro.product.odm_dlkm.name u:object_r:build_odm_prop:s0 exact string
-
-ro.odm_dlkm.build.date u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.date.utc u:object_r:build_odm_prop:s0 exact int
-ro.odm_dlkm.build.fingerprint u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.id u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.tags u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.type u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.incremental u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.release_or_codename u:object_r:build_odm_prop:s0 exact string
-ro.odm_dlkm.build.version.sdk u:object_r:build_odm_prop:s0 exact int
-
-# enforces debugfs restrictions in non-user builds, set by /vendor/build.prop
-ro.product.debugfs_restrictions.enabled u:object_r:debugfs_restriction_prop:s0 exact bool
-
-# All vendor build props are set by /vendor/build.prop
-ro.vendor.build.date u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.date.utc u:object_r:build_vendor_prop:s0 exact int
-ro.vendor.build.fingerprint u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.id u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.tags u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.type u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.incremental u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.release_or_codename u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.build.version.sdk u:object_r:build_vendor_prop:s0 exact int
-
-# All vendor CPU abilist props are set by /vendor/build.prop
-ro.vendor.product.cpu.abilist u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist32 u:object_r:build_vendor_prop:s0 exact string
-ro.vendor.product.cpu.abilist64 u:object_r:build_vendor_prop:s0 exact string
-
-ro.product.board u:object_r:build_vendor_prop:s0 exact string
-ro.product.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.product.vendor.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor.name u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.brand u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.device u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.manufacturer u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.model u:object_r:build_vendor_prop:s0 exact string
-ro.product.vendor_dlkm.name u:object_r:build_vendor_prop:s0 exact string
-
-# GRF property for the first api level of the vendor partition
-ro.board.first_api_level u:object_r:build_vendor_prop:s0 exact int
-ro.board.api_level u:object_r:build_vendor_prop:s0 exact int
-
-# Boot image build props set by /{second_stage_resources/,}boot/etc/build.prop
-ro.bootimage.build.date u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.date.utc u:object_r:build_bootimage_prop:s0 exact int
-ro.bootimage.build.fingerprint u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.id u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.tags u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.type u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.incremental u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.release_or_codename u:object_r:build_bootimage_prop:s0 exact string
-ro.bootimage.build.version.sdk u:object_r:build_bootimage_prop:s0 exact int
-
-ro.product.bootimage.brand u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.device u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.manufacturer u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.model u:object_r:build_bootimage_prop:s0 exact string
-ro.product.bootimage.name u:object_r:build_bootimage_prop:s0 exact string
-
-# ro.product.property_source_order is settable from any build.prop
-ro.product.property_source_order u:object_r:build_config_prop:s0 exact string
-
-ro.crypto.state u:object_r:vold_status_prop:s0 exact enum encrypted unencrypted unsupported
-ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file none
-
-ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-
-ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
-
-service.bootanim.exit u:object_r:bootanim_system_prop:s0 exact int
-service.bootanim.progress u:object_r:bootanim_system_prop:s0 exact int
-
-sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
-sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
-
-vold.decrypt u:object_r:vold_status_prop:s0 exact string
-
-aaudio.hw_burst_min_usec u:object_r:aaudio_config_prop:s0 exact int
-aaudio.minimum_sleep_usec u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mixer_bursts u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_exclusive_policy u:object_r:aaudio_config_prop:s0 exact int
-aaudio.mmap_policy u:object_r:aaudio_config_prop:s0 exact int
-aaudio.wakeup_delay_usec u:object_r:aaudio_config_prop:s0 exact int
-
-persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
-
-ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
-ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
-
-ro.board.platform u:object_r:exported_default_prop:s0 exact string
-
-ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
-ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
-ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
-ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
-
-ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
-
-# Update related props
-ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
-ro.build.ab_update.gki.prevent_downgrade_version u:object_r:ab_update_gki_prop:s0 exact bool
-ro.build.ab_update.gki.prevent_downgrade_spl u:object_r:ab_update_gki_prop:s0 exact bool
-
-ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
-ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
-
-ro.carrier u:object_r:exported_default_prop:s0 exact string
-
-ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
-ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
-
-ro.frp.pst u:object_r:exported_default_prop:s0 exact string
-
-ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
-ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
-ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
-ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
-ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
-ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
-ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
-ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
-ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
-ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
-ro.hardware.input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
-ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
-ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
-ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
-ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
-ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
-ro.hardware.power u:object_r:exported_default_prop:s0 exact string
-ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
-ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
-ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
-ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
-ro.hardware.type u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
-ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
-ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
-
-ro.hw_timeout_multiplier u:object_r:hw_timeout_multiplier_prop:s0 exact int
-
-ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
-
-# ro.kernel.* properties are emulator specific and deprecated. Do not use.
-# Should be retired once presubmit allows.
-ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
-ro.kernel.qemu. u:object_r:exported_default_prop:s0
-ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
-
-ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
-
-ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
-ro.vndk.version u:object_r:vndk_prop:s0 exact string
-
-ro.vts.coverage u:object_r:vts_config_prop:s0 exact int
-
-vts.native_server.on u:object_r:vts_status_prop:s0 exact bool
-
-wifi.active.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.aware.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.concurrent.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.direct.interface u:object_r:wifi_hal_prop:s0 exact string
-wifi.interface u:object_r:wifi_hal_prop:s0 exact string
-wlan.driver.status u:object_r:wifi_hal_prop:s0 exact enum ok unloaded
-
-ro.boot.wificountrycode u:object_r:wifi_config_prop:s0 exact string
-
-ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
-
# Property to enable incremental feature
ro.incremental.enable u:object_r:incremental_prop:s0
@@ -1035,188 +264,5 @@
init.userspace_reboot.userdata_remount.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
init.userspace_reboot.watchdog.timeoutmillis u:object_r:userspace_reboot_config_prop:s0 exact int
-sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
-
-# surfaceflinger properties
-ro.surface_flinger.default_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.default_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_HDR_display u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.has_wide_color_display u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_height u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_graphics_width u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.max_virtual_display_dimension u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.primary_display_orientation u:object_r:surfaceflinger_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
-ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.running_without_sync_framework u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.start_graphics_allocator_service u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_color_management u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_context_priority u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_vr_flinger u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.wcg_composition_pixel_format u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.display_primary_red u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_green u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_blue u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.display_primary_white u:object_r:surfaceflinger_prop:s0 exact string
-ro.surface_flinger.protected_contents u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.set_idle_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_touch_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.set_display_power_timer_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.support_kernel_idle_timer u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.supports_background_blur u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_smart_90_for_video u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.color_space_agnostic_dataspace u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.refresh_rate_switching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.update_device_product_info_on_hotplug_reconnect u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_frame_rate_override u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.enable_layer_caching u:object_r:surfaceflinger_prop:s0 exact bool
-ro.surface_flinger.display_update_imminent_timeout_ms u:object_r:surfaceflinger_prop:s0 exact int
-ro.surface_flinger.uclamp.min u:object_r:surfaceflinger_prop:s0 exact int
-
-ro.sf.disable_triple_buffer u:object_r:surfaceflinger_prop:s0 exact bool
-ro.sf.lcd_density u:object_r:surfaceflinger_prop:s0 exact int
-
-persist.sys.sf.color_mode u:object_r:surfaceflinger_color_prop:s0 exact int
-persist.sys.sf.color_saturation u:object_r:surfaceflinger_color_prop:s0 exact string
-persist.sys.sf.native_mode u:object_r:surfaceflinger_color_prop:s0 exact int
-
-# Binder cache properties. These are world-readable
-cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
-cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
-cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
-cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
-cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
-cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
-cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
-
-cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
-cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
-cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
-
-# Framework watchdog configuration properties.
-framework_watchdog.fatal_count u:object_r:framework_watchdog_config_prop:s0 exact int
-framework_watchdog.fatal_window.second u:object_r:framework_watchdog_config_prop:s0 exact int
-
-gsm.sim.operator.numeric u:object_r:telephony_status_prop:s0 exact string
-persist.radio.airplane_mode_on u:object_r:telephony_status_prop:s0 exact bool
-
-ro.cdma.home.operator.alpha u:object_r:telephony_config_prop:s0 exact string
-ro.cdma.home.operator.numeric u:object_r:telephony_config_prop:s0 exact string
-ro.com.android.dataroaming u:object_r:telephony_config_prop:s0 exact bool
-ro.com.android.prov_mobiledata u:object_r:telephony_config_prop:s0 exact bool
-ro.radio.noril u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.call_ring.multiple u:object_r:telephony_config_prop:s0 exact bool
-ro.telephony.default_cdma_sub u:object_r:telephony_config_prop:s0 exact int
-ro.telephony.default_network u:object_r:telephony_config_prop:s0 exact string
-ro.telephony.iwlan_operation_mode u:object_r:telephony_config_prop:s0 exact enum default legacy AP-assisted
-telephony.active_modems.max_count u:object_r:telephony_config_prop:s0 exact int
-telephony.lteOnCdmaDevice u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.volte_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.vt_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr0 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr1 u:object_r:telephony_config_prop:s0 exact int
-persist.dbg.wfc_avail_ovr2 u:object_r:telephony_config_prop:s0 exact int
-
-# System locale list filter configuration
-ro.localization.locale_filter u:object_r:localization_prop:s0 exact string
-
-# Graphics related properties
-ro.opengles.version u:object_r:graphics_config_prop:s0 exact int
-
-ro.gfx.driver.0 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.driver.1 u:object_r:graphics_config_prop:s0 exact string
-ro.gfx.angle.supported u:object_r:graphics_config_prop:s0 exact bool
-ro.gfx.driver_build_time u:object_r:graphics_config_prop:s0 exact int
-
-graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
-graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
-
-ro.cpuvulkan.version u:object_r:graphics_config_prop:s0 exact int
-
# surfaceflinger-settable
graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
-
-# Disable/enable charger input
-power.battery_input.suspended u:object_r:power_debug_prop:s0 exact bool
-
-# zygote config property
-zygote.critical_window.minute u:object_r:zygote_config_prop:s0 exact int
-
-ro.zygote.disable_gl_preload u:object_r:zygote_config_prop:s0 exact bool
-
-# Broadcast boot stages, which keystore listens to
-keystore.boot_level u:object_r:keystore_listen_prop:s0 exact int
-
-# Property that tracks keystore crash counts during a boot cycle.
-keystore.crash_count u:object_r:keystore_crash_prop:s0 exact int
-
-partition.system.verified u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified u:object_r:verity_status_prop:s0 exact string
-partition.product.verified u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified u:object_r:verity_status_prop:s0 exact string
-
-partition.system.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.system_ext.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.product.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-partition.vendor.verified.hash_alg u:object_r:verity_status_prop:s0 exact string
-
-ro.setupwizard.enterprise_mode u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.esim_cid_ignore u:object_r:setupwizard_prop:s0 exact string
-ro.setupwizard.rotation_locked u:object_r:setupwizard_prop:s0 exact bool
-ro.setupwizard.wifi_on_exit u:object_r:setupwizard_prop:s0 exact bool
-
-setupwizard.enable_assist_gesture_training u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.avoid_duplicate_tos u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.baseline_setupwizard_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.day_night_mode_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_low_ram_filter u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_notification u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.deferred_setup_suggestion u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.device_default_dark_mode u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.esim_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.google_services_deferred_setup_pretend_not_suw u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.lock_mobile_data.carrier-1 u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.portal_notification u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.predeferred_enabled u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.return_partner_customization_bundle u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.show_pixel_tos u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.use_biometric_lock u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.feature.wallpaper_suggestion_after_restore u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.logging u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.metrics_debug_mode u:object_r:setupwizard_prop:s0 exact bool
-setupwizard.theme u:object_r:setupwizard_prop:s0 exact string
-
-db.log.detailed u:object_r:sqlite_log_prop:s0 exact bool
-db.log.slow_query_threshold u:object_r:sqlite_log_prop:s0 exact int
-db.log.slow_query_threshold. u:object_r:sqlite_log_prop:s0 prefix int
-
-# SOC related props
-ro.soc.manufacturer u:object_r:soc_prop:s0 exact string
-ro.soc.model u:object_r:soc_prop:s0 exact string
-
-# set to true when running rollback tests to disable fallback-to-copy when enabling rollbacks
-# to detect failures where hard linking should work otherwise
-persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
-
-# bootanimation properties
-ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
-
-# dck properties
-ro.gms.dck.eligible_wcc u:object_r:dck_prop:s0 exact int
diff --git a/private/radio.te b/private/radio.te
index 08365f0..00a5cda 100644
--- a/private/radio.te
+++ b/private/radio.te
@@ -1,19 +1,9 @@
-typeattribute radio coredomain, mlstrustedsubject;
+typeattribute radio coredomain;
app_domain(radio)
read_runtime_log_tags(radio)
-# Property service
-set_prop(radio, radio_control_prop)
-set_prop(radio, radio_prop)
-set_prop(radio, net_radio_prop)
-set_prop(radio, telephony_status_prop)
-set_prop(radio, radio_cdma_ecm_prop)
-
-# ctl interface
-set_prop(radio, ctl_rildaemon_prop)
-
# Telephony code contains time / time zone detection logic so it reads the associated properties.
get_prop(radio, time_prop)
@@ -26,11 +16,10 @@
allow radio emergency_data_file:dir r_dir_perms;
allow radio emergency_data_file:file r_file_perms;
+# allow sending pulled atoms to statsd
+binder_call(radio, statsd)
+
# allow telephony to access related cache properties
set_prop(radio, binder_cache_telephony_server_prop);
neverallow { domain -radio -init }
binder_cache_telephony_server_prop:property_service set;
-
-# allow sending pulled atoms to statsd
-binder_call(radio, statsd)
-
diff --git a/private/recovery.te b/private/recovery.te
index bba2a0d..2a7fdc7 100644
--- a/private/recovery.te
+++ b/private/recovery.te
@@ -1,49 +1 @@
typeattribute recovery coredomain;
-
-# The allow rules are only included in the recovery policy.
-# Otherwise recovery is only allowed the domain rules.
-recovery_only(`
- # Reboot the device
- set_prop(recovery, powerctl_prop)
-
- # Read serial number of the device from system properties
- get_prop(recovery, serialno_prop)
-
- # Set sys.usb.ffs.ready when starting minadbd for sideload.
- get_prop(recovery, ffs_config_prop)
- set_prop(recovery, ffs_control_prop)
-
- # Set sys.usb.config when switching into fastboot.
- set_prop(recovery, usb_control_prop)
- set_prop(recovery, usb_prop)
-
- # Read ro.boot.bootreason
- get_prop(recovery, bootloader_boot_reason_prop)
-
- # Read storage properties (for correctly formatting filesystems)
- get_prop(recovery, storage_config_prop)
-
- set_prop(recovery, gsid_prop)
-
- # These are needed to allow recovery to manage network
- allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
- allow recovery self:global_capability_class_set net_admin;
- allow recovery self:tcp_socket { create ioctl };
- allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
-
- # Start snapuserd for merging VABC updates
- set_prop(recovery, ctl_snapuserd_prop)
-
- # Needed to communicate with snapuserd to complete merges.
- allow recovery snapuserd_socket:sock_file write;
- allow recovery snapuserd:unix_stream_socket connectto;
- allow recovery dm_user_device:dir r_dir_perms;
-
- # Set fastbootd protocol property
- set_prop(recovery, fastbootd_protocol_prop)
-
- get_prop(recovery, recovery_config_prop)
-
- # Needed to read bootconfig parameters through libfs_mgr
- allow recovery proc_bootconfig:file r_file_perms;
-')
diff --git a/private/remote_prov_app.te b/private/remote_prov_app.te
deleted file mode 100644
index 010c9bc..0000000
--- a/private/remote_prov_app.te
+++ /dev/null
@@ -1,13 +0,0 @@
-type remote_prov_app, domain;
-typeattribute remote_prov_app coredomain;
-
-app_domain(remote_prov_app)
-net_domain(remote_prov_app)
-
-# The app needs access to properly build a DeviceInfo package for the verifying server
-get_prop(remote_prov_app, vendor_security_patch_level_prop)
-
-allow remote_prov_app {
- app_api_service
- remoteprovisioning_service
-}:service_manager find;
diff --git a/private/rs.te b/private/rs.te
index 268f040..bf10841 100644
--- a/private/rs.te
+++ b/private/rs.te
@@ -1,19 +1,18 @@
-# Any files which would have been created as app_data_file and
-# privapp_data_file will be created as app_exec_data_file instead.
-allow rs { app_data_file privapp_data_file }:dir ra_dir_perms;
+# Any files which would have been created as app_data_file
+# will be created as app_exec_data_file instead.
+allow rs app_data_file:dir ra_dir_perms;
allow rs app_exec_data_file:file create_file_perms;
type_transition rs app_data_file:file app_exec_data_file;
-type_transition rs privapp_data_file:file app_exec_data_file;
# Follow /data/user/0 symlink
allow rs system_data_file:lnk_file read;
# Read files from the app home directory.
-allow rs { app_data_file privapp_data_file }:file r_file_perms;
-allow rs { app_data_file privapp_data_file }:dir r_dir_perms;
+allow rs app_data_file:file r_file_perms;
+allow rs app_data_file:dir r_dir_perms;
# Cleanup app_exec_data_file files in the app home directory.
-allow rs { app_data_file privapp_data_file }:dir remove_name;
+allow rs app_data_file:dir remove_name;
# Use vendor resources
allow rs vendor_file:dir r_dir_perms;
@@ -28,7 +27,7 @@
allow rs same_process_hal_file:file { r_file_perms execute };
# File descriptors passed from app to renderscript
-allow rs { untrusted_app_all ephemeral_app priv_app }:fd use;
+allow rs { untrusted_app_all ephemeral_app }:fd use;
# rs can access app data, so ensure it can only be entered via an app domain and cannot have
# CAP_DAC_OVERRIDE.
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 1d38fd9..a8c61be 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -79,8 +79,7 @@
# domain= determines the label to be used for the app process; entries
# without domain= are ignored for this purpose.
# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose. The label specified must
-# have the app_data_file_type attribute.
+# without type= are ignored for this purpose.
# levelFrom and level are used to determine the level (sensitivity + categories)
# for MLS/MCS.
# levelFrom=none omits the level.
@@ -142,25 +141,24 @@
isSystemServer=true domain=system_server_startup
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
user=secure_element seinfo=platform domain=secure_element levelFrom=all
user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro levelFrom=all
+user=shared_relro domain=shared_relro
user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
user=webview_zygote seinfo=webview_zygote domain=webview_zygote
user=_isolated domain=isolated_app levelFrom=user
user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
-user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
+user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
diff --git a/private/security_classes b/private/security_classes
index 200b030..04ed814 100644
--- a/private/security_classes
+++ b/private/security_classes
@@ -15,7 +15,6 @@
# file-related classes
class filesystem
class file
-class anon_inode
class dir
class fd
class lnk_file
@@ -154,14 +153,8 @@
# hardware service manager # userspace
class hwservice_manager
-# Legacy Keystore key permissions
+# Keystore Key
class keystore_key # userspace
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
class drmservice # userspace
# FLASK
diff --git a/private/service.te b/private/service.te
index 7f692f3..6c17521 100644
--- a/private/service.te
+++ b/private/service.te
@@ -2,11 +2,7 @@
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
-type mediatuner_service, app_api_service, service_manager_type;
-type profcollectd_service, service_manager_type;
-type resolver_service, system_server_service, service_manager_type;
type stats_service, service_manager_type;
type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
-type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 3fd342b..5c6f1a4 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -1,26 +1,8 @@
-android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
-android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
-android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
-android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
-android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
-android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
android.hardware.light.ILights/default u:object_r:hal_light_service:s0
-android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
-android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
-android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
-android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
-android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
-android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
-android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
-android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
-android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
-android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
accessibility u:object_r:accessibility_service:s0
account u:object_r:account_service:s0
@@ -31,19 +13,10 @@
aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
alarm u:object_r:alarm_service:s0
android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
-android.security.apc u:object_r:apc_service:s0
-android.security.authorization u:object_r:authorization_service:s0
-android.security.compat u:object_r:keystore_compat_hal_service:s0
android.security.identity u:object_r:credstore_service:s0
android.security.keystore u:object_r:keystore_service:s0
-android.security.legacykeystore u:object_r:legacykeystore_service:s0
-android.security.maintenance u:object_r:keystore_maintenance_service:s0
-android.security.metrics u:object_r:keystore_metrics_service:s0
-android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
-app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
app_prediction u:object_r:app_prediction_service:s0
app_search u:object_r:app_search_service:s0
@@ -71,7 +44,6 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtmanager u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0
@@ -92,12 +64,10 @@
device_policy u:object_r:device_policy_service:s0
device_identifiers u:object_r:device_identifiers_service:s0
deviceidle u:object_r:deviceidle_service:s0
-device_state u:object_r:device_state_service:s0
devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
diskstats u:object_r:diskstats_service:s0
display u:object_r:display_service:s0
dnsresolver u:object_r:dnsresolver_service:s0
-domain_verification u:object_r:domain_verification_service:s0
color_display u:object_r:color_display_service:s0
netd_listener u:object_r:netd_listener_service:s0
network_watchlist u:object_r:network_watchlist_service:s0
@@ -118,9 +88,7 @@
fingerprint u:object_r:fingerprint_service:s0
font u:object_r:font_service:s0
android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-game u:object_r:game_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
-gnss_time_update_service u:object_r:gnss_time_update_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
gpu u:object_r:gpu_service:s0
hardware u:object_r:hardware_service:s0
@@ -150,10 +118,8 @@
isub u:object_r:radio_service:s0
jobscheduler u:object_r:jobscheduler_service:s0
launcherapps u:object_r:launcherapps_service:s0
-legacy_permission u:object_r:legacy_permission_service:s0
lights u:object_r:light_service:s0
location u:object_r:location_service:s0
-location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
@@ -168,21 +134,15 @@
media.extractor u:object_r:mediaextractor_service:s0
media.transcoding u:object_r:mediatranscoding_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
-media.resource_observer u:object_r:mediaserver_service:s0
media.sound_trigger_hw u:object_r:audioserver_service:s0
media.drm u:object_r:mediadrmserver_service:s0
-media.tuner u:object_r:mediatuner_service:s0
-media_communication u:object_r:media_communication_service:s0
-media_metrics u:object_r:media_metrics_service:s0
media_projection u:object_r:media_projection_service:s0
media_resource_monitor u:object_r:media_session_service:s0
media_router u:object_r:media_router_service:s0
media_session u:object_r:media_session_service:s0
meminfo u:object_r:meminfo_service:s0
-memtrack.proxy u:object_r:memtrackproxy_service:s0
midi u:object_r:midi_service:s0
mount u:object_r:mount_service:s0
-music_recognition u:object_r:music_recognition_service:s0
netd u:object_r:netd_service:s0
netpolicy u:object_r:netpolicy_service:s0
netstats u:object_r:netstats_service:s0
@@ -195,33 +155,25 @@
oem_lock u:object_r:oem_lock_service:s0
otadexopt u:object_r:otadexopt_service:s0
overlay u:object_r:overlay_service:s0
-pac_proxy u:object_r:pac_proxy_service:s0
package u:object_r:package_service:s0
package_native u:object_r:package_native_service:s0
-people u:object_r:people_service:s0
-performance_hint u:object_r:hint_service:s0
permission u:object_r:permission_service:s0
permissionmgr u:object_r:permissionmgr_service:s0
-permission_checker u:object_r:permission_checker_service:s0
persistent_data_block u:object_r:persistent_data_block_service:s0
phone_msim u:object_r:radio_service:s0
phone1 u:object_r:radio_service:s0
phone2 u:object_r:radio_service:s0
phone u:object_r:radio_service:s0
pinner u:object_r:pinner_service:s0
-powerstats u:object_r:powerstats_service:s0
power u:object_r:power_service:s0
print u:object_r:print_service:s0
processinfo u:object_r:processinfo_service:s0
procstats u:object_r:procstats_service:s0
-profcollectd u:object_r:profcollectd_service:s0
radio.phonesubinfo u:object_r:radio_service:s0
radio.phone u:object_r:radio_service:s0
radio.sms u:object_r:radio_service:s0
rcs u:object_r:radio_service:s0
-reboot_readiness u:object_r:reboot_readiness_service:s0
recovery u:object_r:recovery_service:s0
-resolver u:object_r:resolver_service:s0
restrictions u:object_r:restrictions_service:s0
role u:object_r:role_service:s0
rollback u:object_r:rollback_service:s0
@@ -230,7 +182,6 @@
samplingprofiler u:object_r:samplingprofiler_service:s0
scheduling_policy u:object_r:scheduling_policy_service:s0
search u:object_r:search_service:s0
-search_ui u:object_r:search_ui_service:s0
secure_element u:object_r:secure_element_service:s0
sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
sensorservice u:object_r:sensorservice_service:s0
@@ -245,8 +196,6 @@
simphonebook u:object_r:radio_service:s0
sip u:object_r:radio_service:s0
slice u:object_r:slice_service:s0
-smartspace u:object_r:smartspace_service:s0
-speech_recognition u:object_r:speech_recognition_service:s0
stats u:object_r:stats_service:s0
statscompanion u:object_r:statscompanion_service:s0
statsmanager u:object_r:statsmanager_service:s0
@@ -258,9 +207,7 @@
storagestats u:object_r:storagestats_service:s0
SurfaceFlinger u:object_r:surfaceflinger_service:s0
suspend_control u:object_r:system_suspend_control_service:s0
-suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
system_config u:object_r:system_config_service:s0
-system_server_dumper u:object_r:system_server_dumper_service:s0
system_update u:object_r:system_update_service:s0
task u:object_r:task_service:s0
telecom u:object_r:telecom_service:s0
@@ -270,13 +217,10 @@
tethering u:object_r:tethering_service:s0
textclassification u:object_r:textclassification_service:s0
textservices u:object_r:textservices_service:s0
-texttospeech u:object_r:texttospeech_service:s0
time_detector u:object_r:timedetector_service:s0
time_zone_detector u:object_r:timezonedetector_service:s0
timezone u:object_r:timezone_service:s0
thermalservice u:object_r:thermal_service:s0
-tracing.proxy u:object_r:tracingproxy_service:s0
-translation u:object_r:translation_service:s0
trust u:object_r:trust_service:s0
tv_input u:object_r:tv_input_service:s0
tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
@@ -287,14 +231,10 @@
usagestats u:object_r:usagestats_service:s0
usb u:object_r:usb_service:s0
user u:object_r:user_service:s0
-uwb u:object_r:uwb_service:s0
-vcn_management u:object_r:vcn_management_service:s0
vibrator u:object_r:vibrator_service:s0
-vibrator_manager u:object_r:vibrator_manager_service:s0
virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
-vpn_management u:object_r:vpn_management_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
diff --git a/private/shared_relro.te b/private/shared_relro.te
index 31fdb8c..02f7206 100644
--- a/private/shared_relro.te
+++ b/private/shared_relro.te
@@ -3,13 +3,3 @@
# The shared relro process is a Java program forked from the zygote, so it
# inherits from app to get basic permissions it needs to run.
app_domain(shared_relro)
-
-allow shared_relro shared_relro_file:dir rw_dir_perms;
-allow shared_relro shared_relro_file:file create_file_perms;
-
-allow shared_relro activity_service:service_manager find;
-allow shared_relro webviewupdate_service:service_manager find;
-allow shared_relro package_service:service_manager find;
-
-# StrictMode may attempt to find this service, failure is harmless.
-dontaudit shared_relro network_management_service:service_manager find;
diff --git a/private/shell.te b/private/shell.te
index 40b19fd..43e4dd5 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -1,4 +1,4 @@
-typeattribute shell coredomain, mlstrustedsubject;
+typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
@@ -48,22 +48,9 @@
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
-# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
-userdebug_or_eng(`
- allow shell accessibility_trace_data_file:dir rw_dir_perms;
- allow shell accessibility_trace_data_file:file { r_file_perms unlink };
-')
-
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
-# ... and /data/misc/perfetto-traces/bugreport/ .
-allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
-allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
-
-# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
-allow shell perfetto_configs_data_file:dir rw_dir_perms;
-allow shell perfetto_configs_data_file:file create_file_perms;
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
@@ -82,10 +69,6 @@
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
-# Allow (host-driven) ART run-tests to execute dex2oat, in order to
-# check ART's compiler.
-allow shell dex2oat_exec:file rx_file_perms;
-
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
@@ -94,9 +77,6 @@
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
-# Allow shell to set this property used for rollback tests
-set_prop(shell, rollback_test_prop)
-
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
@@ -106,102 +86,10 @@
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
-# Allow shell to execute profcollectctl without a domain transition.
-allow shell profcollectd_exec:file rx_file_perms;
-
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
-# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
-allow shell apex_info_file:file r_file_perms;
-allow shell vendor_apex_file:file r_file_perms;
-allow shell vendor_apex_file:dir r_dir_perms;
-
-# Set properties.
-set_prop(shell, shell_prop)
-set_prop(shell, ctl_bugreport_prop)
-set_prop(shell, ctl_dumpstate_prop)
-set_prop(shell, dumpstate_prop)
-set_prop(shell, exported_dumpstate_prop)
-set_prop(shell, debug_prop)
-set_prop(shell, perf_drop_caches_prop)
-set_prop(shell, powerctl_prop)
-set_prop(shell, log_tag_prop)
-set_prop(shell, wifi_log_prop)
-# Allow shell to start/stop traced via the persist.traced.enable
-# property (which also takes care of /data/misc initialization).
-set_prop(shell, traced_enabled_prop)
-# adjust is_loggable properties
-userdebug_or_eng(`set_prop(shell, log_prop)')
-# logpersist script
-userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
-# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
-# property.
-set_prop(shell, heapprofd_enabled_prop)
-# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
-# property.
-set_prop(shell, traced_perf_enabled_prop)
-# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
-set_prop(shell, ctl_gsid_prop)
-set_prop(shell, ctl_snapuserd_prop)
-# Allow shell to enable Dynamic System Update
-set_prop(shell, dynamic_system_prop)
-# Allow shell to mock an OTA using persist.pm.mock-upgrade
-set_prop(shell, mock_ota_prop)
-
-# Read device's serial number from system properties
-get_prop(shell, serialno_prop)
-
-# Allow shell to read the vendor security patch level for CTS
-get_prop(shell, vendor_security_patch_level_prop)
-
-# Read state of logging-related properties
-get_prop(shell, device_logging_prop)
-
-# Read state of boot reason properties
-get_prop(shell, bootloader_boot_reason_prop)
-get_prop(shell, last_boot_reason_prop)
-get_prop(shell, system_boot_reason_prop)
-
-# Allow reading the outcome of perf_event_open LSM support test for CTS.
-get_prop(shell, init_perf_lsm_hooks_prop)
-
-# Allow shell to read boot image timestamps and fingerprints.
-get_prop(shell, build_bootimage_prop)
-
-userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
-
-# Allow to issue control commands to profcollectd binder service.
-userdebug_or_eng(`
- allow shell profcollectd:binder call;
-')
-
-# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
-allow shell keystore2_key_contexts_file:file r_file_perms;
-
-# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
-allow shell shell_key:keystore2_key { delete rebind use get_info update };
-
-# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
-set_prop(shell, sqlite_log_prop)
-
-# Allow shell to write MTE properties even on user builds.
-set_prop(shell, arm64_memtag_prop)
-
-# Allow shell to read the dm-verity props on user builds.
-get_prop(shell, verity_status_prop)
-
-# Allow shell to read Virtual A/B related properties
-get_prop(shell, virtual_ab_prop)
-
-# Never allow others to set or get the perf.drop_caches property.
-neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
-neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
-
-# Allow ReadDefaultFstab() for CTS.
-read_fstab(shell)
-
-# Allow shell read access to /apex/apex-info-list.xml for CTS.
-allow shell apex_info_file:file r_file_perms;
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)
\ No newline at end of file
diff --git a/private/snapuserd.te b/private/snapuserd.te
deleted file mode 100644
index d96b31e..0000000
--- a/private/snapuserd.te
+++ /dev/null
@@ -1,26 +0,0 @@
-# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
-type snapuserd, domain;
-type snapuserd_exec, exec_type, file_type, system_file_type;
-
-typeattribute snapuserd coredomain;
-
-init_daemon_domain(snapuserd)
-
-allow snapuserd kmsg_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
-allow snapuserd block_device:dir r_dir_perms;
-allow snapuserd dm_device:chr_file rw_file_perms;
-allow snapuserd dm_device:blk_file rw_file_perms;
-
-# Reading and writing to dm-user control nodes.
-allow snapuserd dm_user_device:dir r_dir_perms;
-allow snapuserd dm_user_device:chr_file rw_file_perms;
-
-# Reading and writing to /dev/socket/snapuserd.
-allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
-
-# This arises due to first-stage init opening /dev/null without F_CLOEXEC
-# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
-# again, the descriptor leaks into the new process.
-allow snapuserd kernel:fd use;
diff --git a/private/stats.te b/private/stats.te
index db29072..3e8a3d5 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -43,8 +43,6 @@
-gmscore_app
-gpuservice
-incidentd
- -keystore
- -mediametrics
-platform_app
-priv_app
-shell
diff --git a/private/statsd.te b/private/statsd.te
index 444d82e..1483156 100644
--- a/private/statsd.te
+++ b/private/statsd.te
@@ -21,7 +21,3 @@
# Allow statsd to retrieve SF statistics over binder
binder_call(statsd, surfaceflinger);
-
-# Allow statsd to read its system properties
-get_prop(statsd, device_config_statsd_native_prop)
-get_prop(statsd, device_config_statsd_native_boot_prop)
diff --git a/private/storaged.te b/private/storaged.te
index bb39e5b..b7d4ae9 100644
--- a/private/storaged.te
+++ b/private/storaged.te
@@ -18,12 +18,10 @@
allow storaged storaged_data_file:dir rw_dir_perms;
allow storaged storaged_data_file:file create_file_perms;
-no_debugfs_restriction(`
- userdebug_or_eng(`
- # Read access to debugfs
- allow storaged debugfs_mmc:dir search;
- allow storaged debugfs_mmc:file r_file_perms;
- ')
+userdebug_or_eng(`
+ # Read access to debugfs
+ allow storaged debugfs_mmc:dir search;
+ allow storaged debugfs_mmc:file r_file_perms;
')
# Needed to provide debug dump output via dumpsys pipes.
diff --git a/private/su.te b/private/su.te
index 587f449..16e47bb 100644
--- a/private/su.te
+++ b/private/su.te
@@ -13,9 +13,6 @@
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
- # Put the odrefresh command into its domain.
- domain_auto_trans(su, odrefresh_exec, odrefresh)
-
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
@@ -23,8 +20,4 @@
permissive su;
app_domain(su)
-
- # Do not audit accesses to keystore2 namespace for the su domain.
- dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
-
')
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..2e9ce19 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -53,15 +53,12 @@
# Set properties.
set_prop(surfaceflinger, system_prop)
-set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
+set_prop(surfaceflinger, exported2_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
-# Get properties.
-get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
-
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
@@ -104,13 +101,11 @@
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
-r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
-allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
diff --git a/private/system_app.te b/private/system_app.te
index 239686e..06dac78 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -4,7 +4,7 @@
### server.
###
-typeattribute system_app coredomain, mlstrustedsubject;
+typeattribute system_app coredomain;
app_domain(system_app)
net_domain(system_app)
@@ -21,6 +21,9 @@
allow system_app misc_user_data_file:dir create_dir_perms;
allow system_app misc_user_data_file:file create_file_perms;
+# Access to vold-mounted storage for measuring free space
+allow system_app mnt_media_rw_file:dir search;
+
# Access to apex files stored on /data (b/136063500)
# Needed so that Settings can access NOTICE files inside apex
# files located in the assets/ directory.
@@ -41,16 +44,17 @@
set_prop(system_app, system_prop)
set_prop(system_app, exported_bluetooth_prop)
set_prop(system_app, exported_system_prop)
+set_prop(system_app, exported2_system_prop)
set_prop(system_app, exported3_system_prop)
set_prop(system_app, logd_prop)
set_prop(system_app, net_radio_prop)
-set_prop(system_app, usb_control_prop)
-set_prop(system_app, usb_prop)
+set_prop(system_app, system_radio_prop)
+set_prop(system_app, exported_system_radio_prop)
set_prop(system_app, log_tag_prop)
userdebug_or_eng(`set_prop(system_app, logpersistd_logging_prop)')
auditallow system_app net_radio_prop:property_service set;
-auditallow system_app usb_control_prop:property_service set;
-auditallow system_app usb_prop:property_service set;
+auditallow system_app system_radio_prop:property_service set;
+auditallow system_app exported_system_radio_prop:property_service set;
# Allow Settings to enable Dynamic System Update
set_prop(system_app, dynamic_system_prop)
@@ -74,6 +78,9 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
# Allow system app to interact with Dumpstate HAL
hal_client_domain(system_app, hal_dumpstate)
@@ -88,9 +95,7 @@
-iorapd_service
-lpdump_service
-netd_service
- -system_suspend_control_internal_service
-system_suspend_control_service
- -tracingproxy_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
@@ -108,9 +113,6 @@
vr_hwc_service
}:service_manager find;
-# suppress denials caused by debugfs_tracing
-dontaudit system_app debugfs_tracing:file rw_file_perms;
-
allow system_app keystore:keystore_key {
get_state
get
@@ -131,24 +133,6 @@
user_changed
};
-allow system_app keystore:keystore2_key {
- delete
- get_info
- grant
- rebind
- update
- use
-};
-
-# Allow Settings to manage WI-FI keys.
-allow system_app wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
# settings app reads /proc/version
allow system_app {
proc_version
@@ -156,7 +140,6 @@
# Settings app writes to /dev/stune/foreground/tasks.
allow system_app cgroup:file w_file_perms;
-allow system_app cgroup_v2:file w_file_perms;
control_logd(system_app)
read_runtime_log_tags(system_app)
@@ -167,12 +150,6 @@
allow system_app system_server:udp_socket {
connect getattr read recvfrom sendto write getopt setopt };
-# Settings app reads ro.oem_unlock_supported
-get_prop(system_app, oem_unlock_prop)
-
-# Allow system apps to act as Perfetto producers.
-perfetto_producer(system_app)
-
###
### Neverallow rules
###
diff --git a/private/system_server.te b/private/system_server.te
index 73301c1..66c46ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -12,8 +12,6 @@
# Define a type for tmpfs-backed ashmem regions.
tmpfs_domain(system_server)
-userfaultfd_use(system_server)
-
# Create a socket for connections from crash_dump.
type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
@@ -26,49 +24,16 @@
# For Incremental Service to check if incfs is available
allow system_server proc_filesystems:file r_file_perms;
-# To create files, get permission to fill blocks, and configure Incremental File System
+# To create files and get permission to fill blocks on Incremental File System
allow system_server incremental_control_file:file { ioctl r_file_perms };
-allowxperm system_server incremental_control_file:file ioctl {
- INCFS_IOCTL_CREATE_FILE
- INCFS_IOCTL_CREATE_MAPPED_FILE
- INCFS_IOCTL_PERMIT_FILL
- INCFS_IOCTL_GET_READ_TIMEOUTS
- INCFS_IOCTL_SET_READ_TIMEOUTS
- INCFS_IOCTL_GET_LAST_READ_ERROR
-};
+allowxperm system_server incremental_control_file:file ioctl { INCFS_IOCTL_CREATE_FILE INCFS_IOCTL_PERMIT_FILL };
-# To get signature of an APK installed on Incremental File System, and fill in data
-# blocks and get the filesystem state
-allowxperm system_server apk_data_file:file ioctl {
- INCFS_IOCTL_READ_SIGNATURE
- INCFS_IOCTL_FILL_BLOCKS
- INCFS_IOCTL_GET_FILLED_BLOCKS
- INCFS_IOCTL_GET_BLOCK_COUNT
- F2FS_IOC_GET_FEATURES
- F2FS_IOC_GET_COMPRESS_BLOCKS
- F2FS_IOC_COMPRESS_FILE
- F2FS_IOC_DECOMPRESS_FILE
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- F2FS_IOC_RESERVE_COMPRESS_BLOCKS
- FS_IOC_SETFLAGS
- FS_IOC_GETFLAGS
-};
-
-allowxperm system_server apk_tmp_file:file ioctl {
- F2FS_IOC_RELEASE_COMPRESS_BLOCKS
- FS_IOC_GETFLAGS
-};
-
-# For Incremental Service to check incfs metrics
-allow system_server sysfs_fs_incfs_metrics:file r_file_perms;
-
-# For f2fs-compression support
-allow system_server sysfs_fs_f2fs:dir r_dir_perms;
-allow system_server sysfs_fs_f2fs:file r_file_perms;
+# To get signature of an APK installed on Incremental File System and fill in data blocks
+allowxperm system_server apk_data_file:file ioctl { INCFS_IOCTL_READ_SIGNATURE INCFS_IOCTL_FILL_BLOCKS };
# For art.
-allow system_server { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
-allow system_server { apex_art_data_file dalvikcache_data_file }:file r_file_perms;
+allow system_server dalvikcache_data_file:dir r_dir_perms;
+allow system_server dalvikcache_data_file:file r_file_perms;
# When running system server under --invoke-with, we'll try to load the boot image under the
# system server domain, following links to the system partition.
@@ -101,14 +66,14 @@
# system server gets network and bluetooth permissions.
net_domain(system_server)
-# in addition to ioctls allowlisted for all domains, also allow system_server
+# in addition to ioctls whitelisted for all domains, also allow system_server
# to use privileged ioctls commands. Needed to set up VPNs.
allowxperm system_server self:udp_socket ioctl priv_sock_ioctls;
bluetooth_domain(system_server)
# Allow setup of tcp keepalive offload. This gives system_server the permission to
# call ioctl on app domains' tcp sockets. Additional ioctl commands still need to
-# be granted individually, except for a small set of safe values allowlisted in
+# be granted individually, except for a small set of safe values whitelisted in
# public/domain.te.
allow system_server appdomain:tcp_socket ioctl;
@@ -153,7 +118,7 @@
# Use generic "sockets" where the address family is not known
# to the kernel. The ioctl permission is specifically omitted here, but may
# be added to device specific policy along with the ioctl commands to be
-# allowlisted.
+# whitelisted.
allow system_server self:socket create_socket_perms_no_ioctl;
# Set and get routes directly via netlink.
@@ -204,27 +169,11 @@
allow system_server stats_data_file:file unlink;
# Read /sys/kernel/debug/wakeup_sources.
-no_debugfs_restriction(`
- allow system_server debugfs_wakeup_sources:file r_file_perms;
-')
+allow system_server debugfs_wakeup_sources:file r_file_perms;
# Read /sys/kernel/ion/*.
allow system_server sysfs_ion:file r_file_perms;
-# Read /sys/kernel/dma_heap/*.
-allow system_server sysfs_dma_heap:file r_file_perms;
-
-# Allow reading DMA-BUF sysfs stats from /sys/kernel/dmabuf.
-allow system_server sysfs_dmabuf_stats:dir r_dir_perms;
-allow system_server sysfs_dmabuf_stats:file r_file_perms;
-
-# Allow ActivityManager to look at the list of DMA-BUF heaps from /dev/dma_heap
-# for dumpsys meminfo
-allow system_server dmabuf_heap_device:dir r_dir_perms;
-
-# Allow reading /proc/vmstat for the oom kill count
-allow system_server proc_vmstat:file r_file_perms;
-
# The DhcpClient and WifiWatchdog use packet_sockets
allow system_server self:packet_socket create_socket_perms_no_ioctl;
@@ -265,7 +214,7 @@
binder_call(system_server, incidentd)
binder_call(system_server, iorapd)
binder_call(system_server, netd)
-userdebug_or_eng(`binder_call(system_server, profcollectd)')
+binder_call(system_server, notify_traceur)
binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
@@ -310,10 +259,6 @@
hal_client_domain(system_server, hal_wifi)
hal_client_domain(system_server, hal_wifi_hostapd)
hal_client_domain(system_server, hal_wifi_supplicant)
-# The bootctl is a pass through HAL mode under recovery mode. So we skip the
-# permission for recovery in order not to give system server the access to
-# the low level block devices.
-not_recovery(`hal_client_domain(system_server, hal_bootctl)')
# Talk with graphics composer fences
allow system_server hal_graphics_composer:fd use;
@@ -327,7 +272,6 @@
# List HAL interfaces to get ANR traces.
allow system_server hwservicemanager:hwservice_manager list;
-allow system_server servicemanager:service_manager list;
# Send signals to trigger ANR traces.
allow system_server {
@@ -339,14 +283,11 @@
drmserver
gpuservice
inputflinger
- keystore
mediadrmserver
mediaextractor
mediametrics
mediaserver
mediaswcodec
- mediatranscoding
- mediatuner
netd
sdcardd
statsd
@@ -365,7 +306,6 @@
hal_graphics_allocator_server
hal_graphics_composer_server
hal_health_server
- hal_light_server
hal_neuralnetworks_server
hal_omx_server
hal_power_stats_server
@@ -405,14 +345,13 @@
r_dir_file(system_server, sysfs_rtc)
r_dir_file(system_server, sysfs_switch)
+r_dir_file(system_server, sysfs_wakeup_reasons)
allow system_server sysfs_nfc_power_writable:file rw_file_perms;
allow system_server sysfs_power:dir search;
allow system_server sysfs_power:file rw_file_perms;
allow system_server sysfs_thermal:dir search;
allow system_server sysfs_thermal:file r_file_perms;
-allow system_server sysfs_uhid:dir r_dir_perms;
-allow system_server sysfs_uhid:file rw_file_perms;
# TODO: Remove when HALs are forced into separate processes
allow system_server sysfs_vibrator:file { write append };
@@ -537,10 +476,6 @@
allow system_server adb_keys_file:dir create_dir_perms;
allow system_server adb_keys_file:file create_file_perms;
-# Manage /data/misc/appcompat.
-allow system_server appcompat_data_file:dir rw_dir_perms;
-allow system_server appcompat_data_file:file create_file_perms;
-
# Manage /data/misc/emergencynumberdb
allow system_server emergency_data_file:dir create_dir_perms;
allow system_server emergency_data_file:file create_file_perms;
@@ -566,9 +501,6 @@
allow system_server tombstone_data_file:dir r_dir_perms;
allow system_server tombstone_data_file:file r_file_perms;
-# Allow write access to be able to truncate tombstones.
-allow system_server tombstone_data_file:file write;
-
# Manage /data/misc/vpn.
allow system_server vpn_data_file:dir create_dir_perms;
allow system_server vpn_data_file:file create_file_perms;
@@ -585,11 +517,17 @@
allow system_server staging_data_file:dir create_dir_perms;
allow system_server staging_data_file:file create_file_perms;
-# Manage /data/rollback.
-allow system_server staging_data_file:{ file lnk_file } { create_file_perms link };
-
# Walk /data/data subdirectories.
-allow system_server app_data_file_type:dir { getattr read search };
+# Types extracted from seapp_contexts type= fields.
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:dir { getattr read search };
# Also permit for unlabeled /data/data subdirectories and
# for unlabeled asec containers on upgrades from 4.2.
@@ -602,7 +540,16 @@
allow system_server system_app_data_file:file create_file_perms;
# Receive and use open app data files passed over binder IPC.
-allow system_server app_data_file_type:file { getattr read write append map };
+# Types extracted from seapp_contexts type= fields.
+allow system_server {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:file { getattr read write append map };
# Access to /data/media for measuring disk usage.
allow system_server media_rw_data_file:dir { search getattr open read };
@@ -618,11 +565,6 @@
# Relabel apk files.
allow system_server { apk_tmp_file apk_private_tmp_file }:{ dir file } { relabelfrom relabelto };
allow system_server { apk_data_file apk_private_data_file }:{ dir file } { relabelfrom relabelto };
-# Allow PackageManager to:
-# 1. rename file from /data/app-staging folder to /data/app
-# 2. relabel files (linked to /data/rollback) under /data/app-staging
-# during staged apk/apex install.
-allow system_server { staging_data_file }:{ dir file } { relabelfrom relabelto };
# Relabel wallpaper.
allow system_server system_data_file:file relabelfrom;
@@ -656,20 +598,20 @@
# Property Service write
set_prop(system_server, system_prop)
-set_prop(system_server, bootanim_system_prop)
set_prop(system_server, exported_system_prop)
+set_prop(system_server, exported2_system_prop)
set_prop(system_server, exported3_system_prop)
set_prop(system_server, safemode_prop)
set_prop(system_server, theme_prop)
set_prop(system_server, dhcp_prop)
-set_prop(system_server, net_connectivity_prop)
set_prop(system_server, net_radio_prop)
set_prop(system_server, net_dns_prop)
-set_prop(system_server, usb_control_prop)
-set_prop(system_server, usb_prop)
+set_prop(system_server, system_radio_prop)
+set_prop(system_server, exported_system_radio_prop)
set_prop(system_server, debug_prop)
set_prop(system_server, powerctl_prop)
set_prop(system_server, fingerprint_prop)
+set_prop(system_server, exported_fingerprint_prop)
set_prop(system_server, device_logging_prop)
set_prop(system_server, dumpstate_options_prop)
set_prop(system_server, overlay_prop)
@@ -678,10 +620,6 @@
set_prop(system_server, exported_pm_prop)
set_prop(system_server, socket_hook_prop)
set_prop(system_server, audio_prop)
-set_prop(system_server, boot_status_prop)
-set_prop(system_server, surfaceflinger_color_prop)
-set_prop(system_server, provisioned_prop)
-set_prop(system_server, retaildemo_prop)
userdebug_or_eng(`set_prop(system_server, wifi_log_prop)')
# ctl interface
@@ -699,20 +637,10 @@
set_prop(system_server, device_config_runtime_native_boot_prop)
set_prop(system_server, device_config_runtime_native_prop)
set_prop(system_server, device_config_media_native_prop)
-set_prop(system_server, device_config_profcollect_native_boot_prop)
-set_prop(system_server, device_config_statsd_native_prop)
-set_prop(system_server, device_config_statsd_native_boot_prop)
set_prop(system_server, device_config_storage_native_boot_prop)
-set_prop(system_server, device_config_swcodec_native_prop)
set_prop(system_server, device_config_sys_traced_prop)
set_prop(system_server, device_config_window_manager_native_boot_prop)
set_prop(system_server, device_config_configuration_prop)
-set_prop(system_server, device_config_connectivity_prop)
-
-
-# Allow query ART device config properties
-get_prop(system_server, device_config_runtime_native_boot_prop)
-get_prop(system_server, device_config_runtime_native_prop)
# BootReceiver to read ro.boot.bootreason
get_prop(system_server, bootloader_boot_reason_prop)
@@ -728,9 +656,9 @@
# Read/write the property which keeps track of whether this is the first start of system_server
set_prop(system_server, firstboot_prop)
-# Audio service in system server can read audio config properties,
+# Audio service in system server can read exported audio properties,
# such as camera shutter enforcement
-get_prop(system_server, audio_config_prop)
+get_prop(system_server, exported_audio_prop)
# system server reads this property to keep track of whether server configurable flags have been
# reset during current boot.
@@ -754,21 +682,6 @@
# Read the vendor property that indicates if Incremental features is enabled
get_prop(system_server, incremental_prop)
-# Read ro.zram. properties
-get_prop(system_server, zram_config_prop)
-
-# Read/write persist.sys.zram_enabled
-set_prop(system_server, zram_control_prop)
-
-# Read/write persist.sys.dalvik.vm.lib.2
-set_prop(system_server, dalvik_runtime_prop)
-
-# Read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(system_server, packagemanager_config_prop)
-
-# Read the net.464xlat.cellular.enabled property (written by init).
-get_prop(system_server, net_464xlat_fromvendor_prop)
-
# Create a socket for connections from debuggerd.
allow system_server system_ndebug_socket:sock_file create_file_perms;
@@ -806,6 +719,9 @@
allow system_server usb_device:chr_file rw_file_perms;
allow system_server usb_device:dir r_dir_perms;
+# Read from HW RNG (needed by EntropyMixer).
+allow system_server hw_random_device:chr_file r_file_perms;
+
# Read and delete files under /dev/fscklogs.
r_dir_file(system_server, fscklogs)
allow system_server fscklogs:dir { write remove_name };
@@ -836,7 +752,6 @@
add_service(system_server, system_server_service);
allow system_server audioserver_service:service_manager find;
-allow system_server authorization_service:service_manager find;
allow system_server batteryproperties_service:service_manager find;
allow system_server cameraserver_service:service_manager find;
allow system_server dataloader_manager_service:service_manager find;
@@ -847,19 +762,17 @@
allow system_server gatekeeper_service:service_manager find;
allow system_server gpu_service:service_manager find;
allow system_server gsi_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
allow system_server idmap_service:service_manager find;
allow system_server incident_service:service_manager find;
allow system_server incremental_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server iorapd_service:service_manager find;
-allow system_server keystore_maintenance_service:service_manager find;
-allow system_server keystore_metrics_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server mediametrics_service:service_manager find;
allow system_server mediaextractor_service:service_manager find;
allow system_server mediadrmserver_service:service_manager find;
-allow system_server mediatuner_service:service_manager find;
allow system_server netd_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -869,9 +782,6 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
-userdebug_or_eng(`
- allow system_server profcollectd_service:service_manager find;
-')
add_service(system_server, batteryproperties_service)
@@ -896,67 +806,14 @@
user_changed
};
-allow system_server keystore:keystore2 {
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- get_state
- lock
- pull_metrics
- reset
- unlock
-};
-
-allow system_server keystore:keystore2_key {
- delete
- use_dev_id
- grant
- get_info
- rebind
- update
- use
-};
-
-# Allow Wifi module to manage Wi-Fi keys.
-allow system_server wifi_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage RoR keys.
-allow system_server resume_on_reboot_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-# Allow lock_settings service to manage locksettings keys (e.g. the synthetic password key).
-allow system_server locksettings_key:keystore2_key {
- delete
- get_info
- rebind
- update
- use
-};
-
-
# Allow system server to search and write to the persistent factory reset
# protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
-# Create new process groups and clean up old cgroups
+# Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir };
-allow system_server cgroup_v2:dir create_dir_perms;
-allow system_server cgroup_v2:file { r_file_perms setattr };
# /oem access
r_dir_file(system_server, oemfs)
@@ -988,10 +845,6 @@
# Allow writing and removing window traces in /data/misc/wmtrace.
allow system_server wm_trace_data_file:dir rw_dir_perms;
allow system_server wm_trace_data_file:file { getattr setattr create unlink w_file_perms };
-
- # Allow writing and removing accessibility traces in /data/misc/a11ytrace.
- allow system_server accessibility_trace_data_file:dir rw_dir_perms;
- allow system_server accessibility_trace_data_file:file { getattr setattr create unlink w_file_perms };
')
# For AppFuse.
@@ -1039,21 +892,14 @@
allow system_server preloads_media_file:dir { r_dir_perms write remove_name rmdir };
r_dir_file(system_server, cgroup)
-r_dir_file(system_server, cgroup_v2)
allow system_server ion_device:chr_file r_file_perms;
-# Access to /dev/dma_heap/system
-allow system_server dmabuf_system_heap_device:chr_file r_file_perms;
-# Access to /dev/dma_heap/system-secure
-allow system_server dmabuf_system_secure_heap_device:chr_file r_file_perms;
-
r_dir_file(system_server, proc_asound)
r_dir_file(system_server, proc_net_type)
r_dir_file(system_server, proc_qtaguid_stat)
allow system_server {
proc_cmdline
proc_loadavg
- proc_locks
proc_meminfo
proc_pagetypeinfo
proc_pipe_conf
@@ -1077,10 +923,6 @@
allow system_server debugfs_wifi_tracing:dir search;
allow system_server debugfs_wifi_tracing:file rw_file_perms;
-# Allow BootReceiver to watch trace error_report events.
-allow system_server debugfs_bootreceiver_tracing:dir search;
-allow system_server debugfs_bootreceiver_tracing:file r_file_perms;
-
# Allow system_server to read tracepoint ids in order to attach BPF programs to them.
allow system_server debugfs_tracing:file r_file_perms;
@@ -1103,7 +945,7 @@
# Allow system_server to open profile snapshots for read.
# System server never reads the actual content. It passes the descriptor to
# to privileged apps which acquire the permissions to inspect the profiles.
-allow system_server { user_profile_root_file user_profile_data_file}:dir { getattr search };
+allow system_server user_profile_data_file:dir { getattr search };
allow system_server user_profile_data_file:file { getattr open read };
# System server may dump profile data for debuggable apps in the /data/misc/profman.
@@ -1129,31 +971,6 @@
# on low memory kills.
get_prop(system_server, system_lmk_prop)
-get_prop(system_server, wifi_config_prop)
-
-# Only system server can access BINDER_FREEZE and BINDER_GET_FROZEN_INFO
-allowxperm system_server binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Watchdog prints debugging log to /dev/kmsg_debug.
-userdebug_or_eng(`
- allow system_server kmsg_debug_device:chr_file { open append getattr };
-')
-# Watchdog reads sysprops framework_watchdog.fatal_* to handle watchdog timeout loop.
-get_prop(system_server, framework_watchdog_config_prop)
-
-
-# Font files are written by system server
-allow system_server font_data_file:file create_file_perms;
-allow system_server font_data_file:dir create_dir_perms;
-# Allow system process to setup fs-verity for font files
-allowxperm system_server font_data_file:file ioctl FS_IOC_ENABLE_VERITY;
-
-# Read qemu.hw.mainkeys property
-get_prop(system_server, qemu_hw_prop)
-
-# Allow system server to read profcollectd reports for upload.
-userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
-
###
### Neverallow rules
###
@@ -1167,11 +984,14 @@
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
# file descriptor.
-# Exclude those types that system_server needs to open directly.
+# Types extracted from seapp_contexts type= fields, excluding
+# those types that system_server needs to open directly.
neverallow system_server {
- app_data_file_type
- -system_app_data_file
- -radio_data_file
+ bluetooth_data_file
+ nfc_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
}:file { open create unlink link };
# Forking and execing is inherently dangerous and racy. See, for
@@ -1211,7 +1031,6 @@
-flags_health_check
} {
device_config_activity_manager_native_boot_prop
- device_config_connectivity_prop
device_config_input_native_boot_prop
device_config_netd_native_prop
device_config_runtime_native_boot_prop
@@ -1219,7 +1038,6 @@
device_config_media_native_prop
device_config_storage_native_boot_prop
device_config_sys_traced_prop
- device_config_swcodec_native_prop
device_config_window_manager_native_boot_prop
}:property_service set;
@@ -1265,11 +1083,7 @@
# Allow system server to scan /apex for flattened APEXes
allow system_server apex_mnt_dir:dir r_dir_perms;
-# Allow system server to read /apex/apex-info-list.xml
-allow system_server apex_info_file:file r_file_perms;
-
# Allow system server to communicate to system-suspend's control interface
-allow system_server system_suspend_control_internal_service:service_manager find;
allow system_server system_suspend_control_service:service_manager find;
binder_call(system_server, system_suspend)
binder_call(system_suspend, system_server)
@@ -1292,12 +1106,8 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
allow system_server apex_permission_data_file:dir create_dir_perms;
allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
allow system_server apex_wifi_data_file:dir create_dir_perms;
allow system_server apex_wifi_data_file:file create_file_perms;
@@ -1307,26 +1117,10 @@
allow system_server password_slot_metadata_file:dir rw_dir_perms;
allow system_server password_slot_metadata_file:file create_file_perms;
-allow system_server userspace_reboot_metadata_file:dir create_dir_perms;
-allow system_server userspace_reboot_metadata_file:file create_file_perms;
-
# Allow system server rw access to files in /metadata/staged-install folder
allow system_server staged_install_file:dir rw_dir_perms;
allow system_server staged_install_file:file create_file_perms;
-allow system_server watchdog_metadata_file:dir rw_dir_perms;
-allow system_server watchdog_metadata_file:file create_file_perms;
-
-allow system_server gsi_persistent_data_file:dir rw_dir_perms;
-allow system_server gsi_persistent_data_file:file create_file_perms;
-
-# Allow system server read and remove files under /data/misc/odrefresh
-allow system_server odrefresh_data_file:dir rw_dir_perms;
-allow system_server odrefresh_data_file:file { r_file_perms unlink };
-
-# Allow system server r access to /system/bin/surfaceflinger for PinnerService.
-allow system_server surfaceflinger_exec:file r_file_perms;
-
# Allow init to set sysprop used to compute stats about userspace reboot.
set_prop(system_server, userspace_reboot_log_prop)
@@ -1364,10 +1158,6 @@
} password_slot_metadata_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -init -system_server } password_slot_metadata_file:notdevfile_class_set *;
-# Only system_server/init should access /metadata/userspacereboot.
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:dir *;
-neverallow { domain -init -system_server } userspace_reboot_metadata_file:file no_rw_file_perms;
-
# Allow systemserver to read/write the invalidation property
set_prop(system_server, binder_cache_system_server_prop)
neverallow { domain -system_server -init }
@@ -1380,32 +1170,3 @@
# Do not allow any domain other than init or system server to set the property
neverallow { domain -init -system_server } socket_hook_prop:property_service set;
-
-neverallow { domain -init -system_server } boot_status_prop:property_service set;
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -system_server
-} wifi_config_prop:file no_rw_file_perms;
-
-# Only allow system server to write uhid sysfs files
-neverallow {
- domain
- -init
- -system_server
- -ueventd
- -vendor_init
-} sysfs_uhid:file no_w_file_perms;
-
-# BINDER_FREEZE is used to block ipc transactions to frozen processes, so it
-# can be accessed by system_server only (b/143717177)
-# BINDER_GET_FROZEN_INFO is used by system_server to determine the state of a frozen binder
-# interface
-neverallowxperm { domain -system_server } binder_device:chr_file ioctl { BINDER_FREEZE BINDER_GET_FROZEN_INFO };
-
-# Only system server can write the font files.
-neverallow { domain -init -system_server } font_data_file:file no_w_file_perms;
-neverallow { domain -init -system_server } font_data_file:dir no_w_dir_perms;
diff --git a/private/system_server_startup.te b/private/system_server_startup.te
index 064e038..902941e 100644
--- a/private/system_server_startup.te
+++ b/private/system_server_startup.te
@@ -7,10 +7,6 @@
allow system_server_startup self:process execmem;
allow system_server_startup system_server_startup_tmpfs:file { execute read write open map };
-# Allow to pick up integrity-checked artifacts from the ART APEX dalvik cache.
-allow system_server_startup apex_art_data_file:dir r_dir_perms;
-allow system_server_startup apex_art_data_file:file { r_file_perms execute };
-
# Allow system_server_startup to run setcon() and enter the
# system_server domain
allow system_server_startup self:process setcurrent;
@@ -18,7 +14,3 @@
# Child of the zygote.
allow system_server_startup zygote:process sigchld;
-
-# Allow query ART device config properties
-get_prop(system_server_startup, device_config_runtime_native_boot_prop)
-get_prop(system_server_startup, device_config_runtime_native_prop)
diff --git a/private/system_suspend.te b/private/system_suspend.te
index caf8955..d33dc8e 100644
--- a/private/system_suspend.te
+++ b/private/system_suspend.te
@@ -1,36 +1,24 @@
-type system_suspend, domain, coredomain, system_suspend_server, system_suspend_internal_server;
+type system_suspend, domain, coredomain, system_suspend_server;
type system_suspend_exec, system_file_type, exec_type, file_type;
init_daemon_domain(system_suspend)
-# To serve ISuspendControlService.
+# To serve ISuspendControlService.aidl.
binder_use(system_suspend)
add_service(system_suspend, system_suspend_control_service)
# Access to /sys/power/{ wakeup_count, state } suspend interface.
allow system_suspend sysfs_power:file rw_file_perms;
-# Access to wakeup, suspend stats, and wakeup reasons.
+# Access to wakeup and suspend stats.
r_dir_file(system_suspend, sysfs_suspend_stats)
r_dir_file(system_suspend, sysfs_wakeup)
-r_dir_file(system_suspend, sysfs_wakeup_reasons)
# To resolve arbitrary sysfs paths from /sys/class/wakeup/* symlinks.
allow system_suspend sysfs_type:dir search;
-# Access to suspend_hal system properties
-get_prop(system_suspend, suspend_prop)
-
-# To call BTAA registered callbacks
-allow system_suspend bluetooth:binder call;
-
-# For adding `dumpsys syspend_control` output to bugreport
-allow system_suspend dumpstate:fd use;
-allow system_suspend dumpstate:fifo_file write;
-
neverallow {
domain
-atrace # tracing
- -bluetooth # support Bluetooth activity attribution (BTAA)
-dumpstate # bug reports
-system_suspend # implements system_suspend_control_service
-system_server # configures system_suspend via ISuspendControlService
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 9b3e3c6..fdcd0a3 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -63,9 +63,3 @@
; Unfortunately, we can't currently express this in module policy language:
; typeattribute { appdomain -isolated_app } hal_cas_client;
(typeattributeset hal_bufferhub_client ((and (appdomain) ((not (isolated_app))))))
-
-; Properties having both system_property_type and vendor_property_type are illegal
-; Unfortunately, we can't currently express this in module policy language:
-; typeattribute { system_property_type && vendor_property_type } system_and_vendor_property_type;
-(typeattribute system_and_vendor_property_type)
-(typeattributeset system_and_vendor_property_type ((and (system_property_type) (vendor_property_type))))
diff --git a/private/tombstoned.te b/private/tombstoned.te
index b6dfd1e..305f9d0 100644
--- a/private/tombstoned.te
+++ b/private/tombstoned.te
@@ -1,13 +1,3 @@
typeattribute tombstoned coredomain;
init_daemon_domain(tombstoned)
-
-get_prop(tombstoned, tombstone_config_prop)
-
-neverallow {
- domain
- -init
- -vendor_init
- -dumpstate
- -tombstoned
-} tombstone_config_prop:file no_rw_file_perms;
diff --git a/private/traced.te b/private/traced.te
index fc9a245..2410d7e 100644
--- a/private/traced.te
+++ b/private/traced.te
@@ -3,6 +3,7 @@
# type traced is defined under /public (because iorapd rules
# under public/ need to refer to it).
type traced_exec, system_file_type, exec_type, file_type;
+type traced_tmpfs, file_type;
# Allow init to exec the daemon.
init_daemon_domain(traced)
@@ -27,20 +28,12 @@
# Allow the service to create new files within /data/misc/perfetto-traces.
allow traced perfetto_traces_data_file:file create_file_perms;
allow traced perfetto_traces_data_file:dir rw_dir_perms;
-# ... and /data/misc/perfetto-traces/bugreport*
-allow traced perfetto_traces_bugreport_data_file:file create_file_perms;
-allow traced perfetto_traces_bugreport_data_file:dir rw_dir_perms;
# Allow traceur to pass open file descriptors to traced, so traced can directly
# write into the output file without doing roundtrips over IPC.
allow traced traceur_app:fd use;
allow traced trace_data_file:file { read write };
-# Allow perfetto to access the proxy service for notifying Traceur.
-allow traced tracingproxy_service:service_manager find;
-binder_use(traced);
-binder_call(traced, system_server);
-
# Allow iorapd to pass memfd descriptors to traced, so traced can directly
# write into the shmem buffer file without doing roundtrips over IPC.
allow traced iorapd:fd use;
@@ -69,9 +62,6 @@
# Allow to lazily start producers.
set_prop(traced, traced_lazy_prop)
-# Allow traced to talk to statsd for logging metrics.
-unix_socket_send(traced, statsdw, statsd)
-
###
### Neverallow rules
###
@@ -92,7 +82,6 @@
neverallow traced {
data_file_type
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-system_data_file
-system_data_root_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
@@ -108,7 +97,6 @@
data_file_type
-zoneinfo_data_file
-perfetto_traces_data_file
- -perfetto_traces_bugreport_data_file
-trace_data_file
with_native_coverage(`-method_trace_data_file')
}:file ~write;
@@ -116,6 +104,3 @@
# Only init is allowed to enter the traced domain via exec()
neverallow { domain -init } traced:process transition;
neverallow * traced:process dyntransition;
-
-# Limit the processes that can access tracingproxy_service.
-neverallow { domain -traced -dumpstate -traceur_app -shell -system_server } tracingproxy_service:service_manager find;
diff --git a/private/traced_perf.te b/private/traced_perf.te
index 96a7263..9483e6c 100644
--- a/private/traced_perf.te
+++ b/private/traced_perf.te
@@ -28,24 +28,10 @@
# Allow reading files for stack unwinding and symbolization.
r_dir_file(traced_perf, nativetest_data_file)
r_dir_file(traced_perf, system_file_type)
-r_dir_file(traced_perf, apex_art_data_file)
r_dir_file(traced_perf, apk_data_file)
r_dir_file(traced_perf, dalvikcache_data_file)
r_dir_file(traced_perf, vendor_file_type)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_perf, lower_kptr_restrict_prop)')
-allow traced_perf proc_kallsyms:file r_file_perms;
-
-# Allow reading tracefs files to get the format and numeric ids of tracepoints.
-allow traced_perf debugfs_tracing:dir r_dir_perms;
-allow traced_perf debugfs_tracing:file r_file_perms;
-userdebug_or_eng(`
- allow traced_perf debugfs_tracing_debug:dir r_dir_perms;
- allow traced_perf debugfs_tracing_debug:file r_file_perms;
-')
-
# Do not audit the cases where traced_perf attempts to access /proc/[pid] for
# domains that it cannot read.
dontaudit traced_perf domain:dir { search getattr open };
@@ -59,7 +45,7 @@
neverallow traced_perf { app_data_file privapp_data_file system_app_data_file }:file *;
# Never allow profiling highly privileged processes.
-never_profile_perf(`{
+never_profile_heap(`{
bpfloader
init
kernel
diff --git a/private/traced_probes.te b/private/traced_probes.te
index 730a45c..dd6ece0 100644
--- a/private/traced_probes.te
+++ b/private/traced_probes.te
@@ -14,15 +14,9 @@
allow traced_probes debugfs_tracing:dir r_dir_perms;
allow traced_probes debugfs_tracing:file rw_file_perms;
allow traced_probes debugfs_trace_marker:file getattr;
-allow traced_probes debugfs_tracing_printk_formats:file r_file_perms;
-
-# Allow traced_probes to access mm_events trace instance
-allow traced_probes debugfs_tracing_instances:dir search;
-allow traced_probes debugfs_mm_events_tracing:dir search;
-allow traced_probes debugfs_mm_events_tracing:file rw_file_perms;
# TODO(primiano): temporarily I/O tracing categories are still
-# userdebug only until we nail down the denylist/allowlist.
+# userdebug only until we nail down the blacklist/whitelist.
userdebug_or_eng(`
allow traced_probes debugfs_tracing_debug:dir r_dir_perms;
allow traced_probes debugfs_tracing_debug:file rw_file_perms;
@@ -35,11 +29,6 @@
# Allow procfs access
r_dir_file(traced_probes, domain)
-# Allow to temporarily lift the kptr_restrict setting and build a symbolization
-# map reading /proc/kallsyms.
-userdebug_or_eng(`set_prop(traced_probes, lower_kptr_restrict_prop)')
-allow traced_probes proc_kallsyms:file r_file_perms;
-
# Allow to read packages.list file.
allow traced_probes packages_list_file:file r_file_perms;
@@ -53,7 +42,6 @@
allow traced_probes self:global_capability_class_set dac_read_search;
allow traced_probes apk_data_file:dir { getattr open read search };
-allow traced_probes { apex_art_data_file apex_module_data_file }:dir { getattr open read search };
allow traced_probes dalvikcache_data_file:dir { getattr open read search };
userdebug_or_eng(`
# search and getattr are granted via domain and coredomain, respectively.
@@ -64,7 +52,7 @@
allow traced_probes bootstat_data_file:dir { getattr open read search };
allow traced_probes update_engine_data_file:dir { getattr open read search };
allow traced_probes update_engine_log_data_file:dir { getattr open read search };
-allow traced_probes { user_profile_root_file user_profile_data_file}:dir { getattr open read search };
+allow traced_probes user_profile_data_file:dir { getattr open read search };
# Allow traced_probes to run atrace. atrace pokes at system services to enable
# their userspace TRACE macros.
@@ -82,10 +70,6 @@
proc_stat
}:file r_file_perms;
-# Allow access to read /sys/class/devfreq/ and /$DEVICE/cur_freq files
-allow traced_probes sysfs_devfreq_dir:dir r_dir_perms;
-allow traced_probes sysfs_devfreq_cur:file r_file_perms;
-
# Allow access to the IHealth and IPowerStats HAL service for tracing battery counters.
hal_client_domain(traced_probes, hal_health)
hal_client_domain(traced_probes, hal_power_stats)
@@ -96,9 +80,6 @@
# On debug builds allow to ingest system logs into the trace.
userdebug_or_eng(`read_logd(traced_probes)')
-# Allow traced_probes to talk to statsd for logging metrics.
-unix_socket_send(traced_probes, statsdw, statsd)
-
###
### Neverallow rules
###
@@ -117,8 +98,6 @@
# Disallows access to /data files.
neverallow traced_probes {
data_file_type
- -apex_module_data_file
- -apex_art_data_file
-apk_data_file
-dalvikcache_data_file
-system_data_file
@@ -128,7 +107,6 @@
-bootstat_data_file
-update_engine_data_file
-update_engine_log_data_file
- -user_profile_root_file
-user_profile_data_file
# TODO(b/72998741) Remove vendor_data_file exemption. Further restricted in a
# subsequent neverallow. Currently only getattr and search are allowed.
@@ -149,4 +127,3 @@
# Only init is allowed to enter the traced_probes domain via exec()
neverallow { domain -init } traced_probes:process transition;
neverallow * traced_probes:process dyntransition;
-
diff --git a/private/traceur_app.te b/private/traceur_app.te
index 2937e26..94841df 100644
--- a/private/traceur_app.te
+++ b/private/traceur_app.te
@@ -20,5 +20,3 @@
unix_socket_connect(traceur_app, traced_consumer, traced)
dontaudit traceur_app debugfs_tracing_debug:file audit_access;
-
-set_prop(traceur_app, debug_prop)
diff --git a/private/ueventd.te b/private/ueventd.te
index 8bcdbf9..1bd6773 100644
--- a/private/ueventd.te
+++ b/private/ueventd.te
@@ -1,7 +1,3 @@
typeattribute ueventd coredomain;
tmpfs_domain(ueventd)
-
-# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
-# to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
diff --git a/private/uncrypt.te b/private/uncrypt.te
index 1a94cd1..e4e9224 100644
--- a/private/uncrypt.te
+++ b/private/uncrypt.te
@@ -1,6 +1,3 @@
typeattribute uncrypt coredomain;
init_daemon_domain(uncrypt)
-
-# Set a property to reboot the device.
-set_prop(uncrypt, powerctl_prop)
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
index 41cabe8..a1abc41 100644
--- a/private/untrusted_app_25.te
+++ b/private/untrusted_app_25.te
@@ -51,4 +51,3 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_25 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_27.te b/private/untrusted_app_27.te
index 0993faa..b7b6d72 100644
--- a/private/untrusted_app_27.te
+++ b/private/untrusted_app_27.te
@@ -39,4 +39,3 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_27 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_29.te b/private/untrusted_app_29.te
index c5652b1..344ae89 100644
--- a/private/untrusted_app_29.te
+++ b/private/untrusted_app_29.te
@@ -17,4 +17,3 @@
# allow binding to netlink route sockets and sending RTM_GETLINK messages.
allow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
-auditallow untrusted_app_29 self:netlink_route_socket { bind nlmsg_readpriv };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 6064c14..d9fd5a1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -2,8 +2,7 @@
### Untrusted_app_all.
###
### This file defines the rules shared by all untrusted app domains except
-### ephemeral_app for instant apps and isolated_app (which has a reduced
-### permission set).
+### ephemeral_app for instant apps.
### Apps are labeled based on mac_permissions.xml (maps signer and
### optionally package name to seinfo value) and seapp_contexts (maps UID
### and optionally seinfo value to domain for process and type for data
@@ -64,9 +63,6 @@
neverallow untrusted_app_all trace_data_file:dir *;
neverallow untrusted_app_all trace_data_file:file { no_w_file_perms open };
-# neverallow untrusted apps accessing debugfs_tracing
-neverallow untrusted_app_all debugfs_tracing:file no_rw_file_perms;
-
# Allow to read staged apks.
allow untrusted_app_all { apk_tmp_file apk_private_tmp_file }:file {read getattr};
@@ -84,6 +80,10 @@
allow untrusted_app_all media_rw_data_file:dir create_dir_perms;
allow untrusted_app_all media_rw_data_file:file create_file_perms;
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app_all mnt_media_rw_file:dir search;
+
# allow cts to query all services
allow untrusted_app_all servicemanager:service_manager list;
@@ -98,6 +98,10 @@
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
# gdbserver for ndk-gdb ptrace attaches to app process.
allow untrusted_app_all self:process ptrace;
@@ -145,9 +149,6 @@
# Allow the renderscript compiler to be run.
domain_auto_trans(untrusted_app_all, rs_exec, rs)
-# suppress denials caused by debugfs_tracing
-dontaudit untrusted_app_all debugfs_tracing:file rw_file_perms;
-
# This is allowed for targetSdkVersion <= 25 but disallowed on newer versions.
dontaudit untrusted_app_all net_dns_prop:file read;
@@ -166,9 +167,6 @@
userdebug_or_eng(`
allow untrusted_app_all debugfs_kcov:file rw_file_perms;
allowxperm untrusted_app_all debugfs_kcov:file ioctl { KCOV_INIT_TRACE KCOV_ENABLE KCOV_DISABLE };
- # The use of debugfs kcov is considered a breach of the kernel integrity
- # according to the heuristic of lockdown.
- allow untrusted_app_all self:lockdown integrity;
')
# Allow signalling simpleperf domain, which is the domain that the simpleperf
diff --git a/private/update_engine.te b/private/update_engine.te
index d828e1f..e4e7009 100644
--- a/private/update_engine.te
+++ b/private/update_engine.te
@@ -5,27 +5,3 @@
# Allow to talk to gsid.
allow update_engine gsi_service:service_manager find;
binder_call(update_engine, gsid)
-
-# Allow to start gsid service.
-set_prop(update_engine, ctl_gsid_prop)
-
-# Allow to start snapuserd for dm-user communication.
-set_prop(update_engine, ctl_snapuserd_prop)
-
-# Allow to set the OTA related properties, e.g. ota.warm_reset.
-set_prop(update_engine, ota_prop)
-
-# Allow to get the DSU status
-get_prop(update_engine, gsid_prop)
-
-# Allow update_engine to call the callback function provided by GKI update hook.
-binder_call(update_engine, gki_apex_prepostinstall)
-
-# Allow to communicate with the snapuserd service, for dm-user snapshots.
-allow update_engine snapuserd:unix_stream_socket connectto;
-allow update_engine snapuserd_socket:sock_file write;
-
-# Allow to communicate with apexd for calculating and reserving space for
-# capex decompression
-allow update_engine apex_service:service_manager find;
-binder_call(update_engine, apexd)
diff --git a/private/update_engine_common.te b/private/update_engine_common.te
index 8571ff6..a7fb584 100644
--- a/private/update_engine_common.te
+++ b/private/update_engine_common.te
@@ -1,13 +1,5 @@
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
-# The postinstall program is run by update_engine_common and must be tagged
-# with postinstall_exec in the new filesystem.
-# TODO Have build system attempt to verify this
-domain_auto_trans(update_engine_common, postinstall_exec, postinstall)
-
-# Vendor directories can have the transition as well during OTA. This is caused
-# by update_engine execing scripts in vendor to perform any update tasks needed
-# there.
+# The postinstall program is run by update_engine_common and will always be tagged as a
+# postinstall_file regardless of its attributes in the new system.
domain_auto_trans(update_engine_common, postinstall_file, postinstall)
-
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
diff --git a/private/update_verifier.te b/private/update_verifier.te
index 5e1b27b..1b934d9 100644
--- a/private/update_verifier.te
+++ b/private/update_verifier.te
@@ -1,9 +1,3 @@
typeattribute update_verifier coredomain;
init_daemon_domain(update_verifier)
-
-# Allow update_verifier to reboot the device.
-set_prop(update_verifier, powerctl_prop)
-
-# Allow to set the OTA related properties e.g. ota.warm_reset.
-set_prop(update_verifier, ota_prop)
diff --git a/private/usbd.te b/private/usbd.te
index 42f2324..13a0ad7 100644
--- a/private/usbd.te
+++ b/private/usbd.te
@@ -10,6 +10,3 @@
# start adbd during boot if adb is enabled
set_prop(usbd, ctl_default_prop)
-
-# Start/stop adbd via ctl.start adbd
-set_prop(usbd, ctl_adbd_prop)
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 2e616f3..6a68f1f 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -5,16 +5,3 @@
# TODO(b/140259336) We want to remove vendor_init in the long term but allow for now
allow vendor_init system_data_root_file:dir rw_dir_perms;
-
-# Let vendor_init set service.adb.tcp.port.
-set_prop(vendor_init, adbd_config_prop)
-
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
- dev_type
- -keychord_device
- -kvm_device
- -port_device
- -lowpan_device
- -hw_random_device
-}:chr_file setattr;
diff --git a/private/virtmanager.te b/private/virtmanager.te
deleted file mode 100644
index 467f7d4..0000000
--- a/private/virtmanager.te
+++ /dev/null
@@ -1,17 +0,0 @@
-type virtmanager, domain, coredomain;
-type virtmanager_exec, system_file_type, exec_type, file_type;
-
-# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
-init_daemon_domain(virtmanager)
-
-# Let the virtmanager domain use Binder.
-binder_use(virtmanager)
-
-# Let the virtmanager domain register the virtualization_service with ServiceManager.
-add_service(virtmanager, virtualization_service)
-
-# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
-domain_auto_trans(virtmanager, crosvm_exec, crosvm)
-
-# Let virtmanager kill crosvm.
-allow virtmanager crosvm:process sigkill;
diff --git a/private/vold.te b/private/vold.te
index de0fde4..dea24a5 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -17,52 +17,3 @@
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
-
-# Property Service
-get_prop(vold, vold_config_prop)
-get_prop(vold, storage_config_prop);
-get_prop(vold, incremental_prop);
-
-set_prop(vold, vold_post_fs_data_prop)
-set_prop(vold, vold_prop)
-set_prop(vold, vold_status_prop)
-set_prop(vold, powerctl_prop)
-set_prop(vold, ctl_fuse_prop)
-set_prop(vold, restorecon_prop)
-set_prop(vold, ota_prop)
-set_prop(vold, boottime_prop)
-set_prop(vold, boottime_public_prop)
-
-# Vold will use Keystore instead of using Keymint directly. But it still needs
-# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
-allow vold vold_key:keystore2_key {
- convert_storage_key_to_ephemeral
- delete
- get_info
- manage_blob
- rebind
- req_forced_op
- update
- use
-};
-
-# vold needs to call keystore methods
-allow vold keystore:binder call;
-
-# vold needs to find keystore2 services
-allow vold keystore_service:service_manager find;
-allow vold keystore_maintenance_service:service_manager find;
-
-# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
-allow vold keystore:keystore2 early_boot_ended;
-allow vold keystore:keystore2 delete_all_keys;
-
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
- -gsid
-} vold_service:service_manager find;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 956e94e..f3ec058 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -1,7 +1,5 @@
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
-typeattribute vold_prepare_subdirs mlstrustedsubject;
-
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
@@ -16,12 +14,9 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
- apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -29,17 +24,12 @@
iris_vendor_data_file
rollback_data_file
storaged_data_file
- system_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
- apex_appsearch_data_file
- apex_art_data_file
- apex_art_staging_data_file
apex_module_data_file
apex_permission_data_file
apex_rollback_data_file
- apex_scheduling_data_file
apex_wifi_data_file
backup_data_file
face_vendor_data_file
@@ -51,10 +41,5 @@
vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
-allow vold_prepare_subdirs mnt_expand_file:dir search;
-allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
-allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
-# /data/misc is unlabeled during early boot.
-allow vold_prepare_subdirs unlabeled:dir search;
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
diff --git a/private/wait_for_keymaster.te b/private/wait_for_keymaster.te
index da98e2e..85a28da 100644
--- a/private/wait_for_keymaster.te
+++ b/private/wait_for_keymaster.te
@@ -7,9 +7,3 @@
hal_client_domain(wait_for_keymaster, hal_keymaster)
allow wait_for_keymaster kmsg_device:chr_file w_file_perms;
-
-# wait_for_keymaster needs to find keystore and call methods with the returned
-# binder reference.
-binder_use(wait_for_keymaster)
-allow wait_for_keymaster keystore_service:service_manager find;
-binder_call(wait_for_keymaster, keystore)
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 3473eca..969ab9c 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -10,8 +10,6 @@
# a domain macro.
tmpfs_domain(webview_zygote);
-userfaultfd_use(webview_zygote)
-
# Allow reading/executing installed binaries to enable preloading the
# installed WebView implementation.
allow webview_zygote apk_data_file:dir r_dir_perms;
@@ -30,10 +28,9 @@
allow webview_zygote isolated_app:process dyntransition;
# For art.
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:dir r_dir_perms;
+allow webview_zygote dalvikcache_data_file:dir r_dir_perms;
allow webview_zygote dalvikcache_data_file:lnk_file r_file_perms;
-allow webview_zygote { apex_art_data_file dalvikcache_data_file }:file { r_file_perms execute };
-allow webview_zygote apex_module_data_file:dir search;
+allow webview_zygote dalvikcache_data_file:file { r_file_perms execute };
# Allow webview_zygote to create JIT memory.
allow webview_zygote self:process execmem;
@@ -83,13 +80,6 @@
# Send unsolicited message to system_server
unix_socket_send(webview_zygote, system_unsolzygote, system_server)
-# Allow the webview_zygote to access the runtime feature flag properties.
-get_prop(webview_zygote, device_config_runtime_native_prop)
-get_prop(webview_zygote, device_config_runtime_native_boot_prop)
-
-# Allow webview_zygote to access odsign verification status
-get_prop(zygote, odsign_prop)
-
#####
##### Neverallow
#####
@@ -113,7 +103,15 @@
neverallow webview_zygote property_type:property_service set;
# Should not have any access to app data files.
-neverallow webview_zygote app_data_file_type:file { rwx_file_perms };
+neverallow webview_zygote {
+ app_data_file
+ privapp_data_file
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+}:file { rwx_file_perms };
neverallow webview_zygote {
service_manager_type
diff --git a/private/wificond.te b/private/wificond.te
index 3fdaca2..5476e33 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,11 +1,3 @@
typeattribute wificond coredomain;
-set_prop(wificond, wifi_hal_prop)
-set_prop(wificond, wifi_prop)
-set_prop(wificond, ctl_default_prop)
-
-get_prop(wificond, hwservicemanager_prop)
-
-allow wificond legacykeystore_service:service_manager find;
-
init_daemon_domain(wificond)
diff --git a/private/zygote.te b/private/zygote.te
index 090e121..5f08f8d 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -24,8 +24,6 @@
allow zygote appdomain:dir { getattr search };
allow zygote appdomain:file { r_file_perms };
-userfaultfd_use(zygote)
-
# Move children into the peer process group.
allow zygote system_server:process { getpgid setpgid };
allow zygote appdomain:process { getpgid setpgid };
@@ -52,13 +50,6 @@
# is ensured by fsverity protection (checked in art_apex_boot_integrity).
allow zygote dalvikcache_data_file:file execute;
-# Allow zygote to find files in APEX data directories.
-allow zygote apex_module_data_file:dir search;
-
-# Allow zygote to find and map files created by on device signing.
-allow zygote apex_art_data_file:dir { getattr search };
-allow zygote apex_art_data_file:file { r_file_perms execute };
-
# Bind mount on /data/data and mounted volumes
allow zygote { system_data_file mnt_expand_file }:dir mounton;
@@ -69,8 +60,8 @@
# Zygote opens /mnt/expand to mount CE DE storage on each vol
allow zygote mnt_expand_file:dir { open read search relabelto };
-# Bind mount subdirectories on /data/misc/profiles/cur and /data/misc/profiles/ref
-allow zygote { user_profile_root_file user_profile_data_file }:dir { mounton search };
+# Bind mount subdirectories on /data/misc/profiles/cur
+allow zygote { user_profile_data_file }:dir { mounton search };
# Create and bind dirs on /data/data
allow zygote tmpfs:dir { create_dir_perms mounton };
@@ -78,9 +69,6 @@
# Goes into media directory and bind mount obb directory
allow zygote media_rw_data_file:dir { getattr search };
-# Bind mount on top of existing mounted obb and data directory
-allow zygote media_rw_data_file:dir { mounton };
-
# Read if sdcardfs is supported
allow zygote proc_filesystems:file r_file_perms;
@@ -89,10 +77,15 @@
allow zygote mirror_data_file:dir r_dir_perms;
-# Get inode of directories for app data isolation
+# Get inode of data directories
allow zygote {
- app_data_file_type
system_data_file
+ radio_data_file
+ app_data_file
+ shell_data_file
+ bluetooth_data_file
+ privapp_data_file
+ nfc_data_file
mnt_expand_file
}:dir getattr;
@@ -113,8 +106,6 @@
# Control cgroups.
allow zygote cgroup:dir create_dir_perms;
allow zygote cgroup:{ file lnk_file } r_file_perms;
-allow zygote cgroup_v2:dir create_dir_perms;
-allow zygote cgroup_v2:{ file lnk_file } { r_file_perms setattr };
allow zygote self:global_capability_class_set sys_admin;
# Allow zygote to stat the files that it opens. The zygote must
@@ -181,9 +172,6 @@
allow zygote same_process_hal_file:file { execute read open getattr map };
-# Allow the zygote to access storage properties to check if sdcardfs is enabled.
-get_prop(zygote, storage_config_prop);
-
# Let the zygote access overlays so it can initialize the AssetManager.
get_prop(zygote, overlay_prop)
get_prop(zygote, exported_overlay_prop)
@@ -197,16 +185,11 @@
get_prop(zygote, device_config_window_manager_native_boot_prop)
# ingore spurious denials
-# fsetid can be checked as a consequence of chmod when using cgroup v2 uid/pid hierarchy. This is
-# done to determine if the file should inherit setgid. In this case, setgid on the file is
-# undesirable, so suppress the denial.
-dontaudit zygote self:global_capability_class_set { sys_resource fsetid };
+dontaudit zygote self:global_capability_class_set sys_resource;
-# Ignore spurious denials calling access() on fuse.
-# Also ignore read and open as sdcardfs may read and open dir when app tries to access a dir that
-# doesn't exist.
+# Ignore spurious denials calling access() on fuse
# TODO(b/151316657): avoid the denials
-dontaudit zygote media_rw_data_file:dir { read open setattr };
+dontaudit zygote media_rw_data_file:dir setattr;
# Allow zygote to use ashmem fds from system_server.
allow zygote system_server:fd use;
@@ -217,18 +200,6 @@
# Allow zygote to access media_variant_prop for static initialization
get_prop(zygote, media_variant_prop)
-# Allow zygote to access odsign verification status
-get_prop(zygote, odsign_prop)
-
-# Allow zygote to read ro.control_privapp_permissions and ro.cp_system_other_odex
-get_prop(zygote, packagemanager_config_prop)
-
-# Allow zygote to read qemu.sf.lcd_density
-get_prop(zygote, qemu_sf_lcd_density_prop)
-
-# Allow zygote to read /apex/apex-info-list.xml
-allow zygote apex_info_file:file r_file_perms;
-
###
### neverallow rules
###
@@ -247,12 +218,9 @@
app_zygote
}:process dyntransition;
-# Zygote should never execute anything from /data except for
-# /data/dalvik-cache files or files generated during on-device
-# signing under /data/misc/apexdata/com.android.art/.
+# Zygote should never execute anything from /data except for /data/dalvik-cache files.
neverallow zygote {
data_file_type
- -apex_art_data_file # map PROT_EXEC
-dalvikcache_data_file # map PROT_EXEC
}:file no_x_file_perms;
@@ -265,4 +233,7 @@
}:file create_file_perms;
# Zygote should not be able to access app private data.
-neverallow zygote app_data_file_type:dir ~getattr;
+neverallow zygote {
+ privapp_data_file
+ app_data_file
+}:dir ~getattr;
diff --git a/public/adbd.te b/public/adbd.te
index 5056b35..4a1f633 100644
--- a/public/adbd.te
+++ b/public/adbd.te
@@ -7,7 +7,5 @@
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;
-# Access /data/local/tests.
-allow adbd shell_test_data_file:dir create_dir_perms;
-allow adbd shell_test_data_file:file create_file_perms;
-allow adbd shell_test_data_file:lnk_file create_file_perms;
+# Allow adbd start/stop mdnsd via ctl.start
+set_prop(adbd, ctl_mdnsd_prop)
diff --git a/public/apexd.te b/public/apexd.te
index 53bc569..93c257f 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -4,8 +4,12 @@
binder_use(apexd)
add_service(apexd, apex_service)
+set_prop(apexd, apexd_prop)
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager } apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
+
+# only apexd can set apexd sysprop
+neverallow { domain -apexd -init } apexd_prop:property_service set;
diff --git a/public/app.te b/public/app.te
index 5527f99..e5b9fd6 100644
--- a/public/app.te
+++ b/public/app.te
@@ -16,9 +16,6 @@
# Receive and use open file descriptors inherited from zygote.
allow appdomain zygote:fd use;
-# Receive and use open file descriptors inherited from app zygote.
-allow appdomain app_zygote:fd use;
-
# gdbserver for ndk-gdb reads the zygote.
# valgrind needs mmap exec for zygote
allow appdomain zygote_exec:file rx_file_perms;
@@ -69,11 +66,8 @@
allow appdomain surfaceflinger:unix_stream_socket { read write setopt getattr getopt shutdown };
# App sandbox file accesses.
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:dir create_dir_perms;
-allow { appdomain -isolated_app -mlstrustedsubject } { app_data_file privapp_data_file }:file create_file_perms;
-
-# Access via already open fds is ok even for mlstrustedsubject.
-allow { appdomain -isolated_app } { app_data_file privapp_data_file system_app_data_file }:file { getattr map read write };
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:dir create_dir_perms;
+allow { appdomain -isolated_app } { app_data_file privapp_data_file }:file create_file_perms;
# Traverse into expanded storage
allow appdomain mnt_expand_file:dir r_dir_perms;
@@ -123,8 +117,8 @@
r_dir_file(appdomain, vendor_framework_file)
# Allow apps read / execute access to vendor public libraries.
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:dir r_dir_perms;
-allow appdomain {vendor_public_framework_file vendor_public_lib_file}:file { execute read open getattr map };
+allow appdomain vendor_public_lib_file:dir r_dir_perms;
+allow appdomain vendor_public_lib_file:file { execute read open getattr map };
# Read/write wallpaper file (opened by system).
allow appdomain wallpaper_file:file { getattr read write map };
@@ -173,7 +167,6 @@
unix_socket_send(appdomain, statsdw, statsd)
# Write profiles /data/misc/profiles
-allow appdomain user_profile_root_file:dir search;
allow appdomain user_profile_data_file:dir { search write add_name };
allow appdomain user_profile_data_file:file create_file_perms;
@@ -226,8 +219,6 @@
binder_call(appdomain, appdomain)
# Perform binder IPC to ephemeral apps.
binder_call(appdomain, ephemeral_app)
-# Perform binder IPC to gpuservice.
-binder_call({ appdomain -isolated_app }, gpuservice)
# Talk with graphics composer fences
allow appdomain hal_graphics_composer:fd use;
@@ -299,10 +290,6 @@
allow appdomain zygote:unix_dgram_socket write;
allow { appdomain -isolated_app -ephemeral_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2_key { delete use get_info rebind update };
-
-allow { appdomain -isolated_app -ephemeral_app } keystore_maintenance_service:service_manager find;
-allow { appdomain -isolated_app -ephemeral_app } keystore:keystore2 get_state;
use_keystore({ appdomain -isolated_app -ephemeral_app })
@@ -315,8 +302,6 @@
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
allow { appdomain -isolated_app } ion_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_heap_device:chr_file r_file_perms;
-allow { appdomain -isolated_app } dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow AAudio apps to use shared memory file descriptors from the HAL
allow { appdomain -isolated_app } hal_audio:fd use;
@@ -324,9 +309,6 @@
# Allow app to access shared memory created by camera HAL1
allow { appdomain -isolated_app } hal_camera:fd use;
-# Allow apps to access shared memory file descriptor from the tuner HAL
-allow {appdomain -isolated_app} hal_tv_tuner_server:fd use;
-
# RenderScript always-passthrough HAL
allow { appdomain -isolated_app } hal_renderscript_hwservice:hwservice_manager find;
allow appdomain same_process_hal_file:file { execute read open getattr map };
@@ -484,10 +466,10 @@
# Write to various other parts of /data.
neverallow appdomain drm_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_data_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
-neverallow { appdomain -platform_app }
+neverallow { appdomain -platform_app -system_app }
apk_tmp_file:dir_file_class_set
{ create write setattr relabelfrom relabelto append unlink link rename };
neverallow { appdomain -platform_app }
@@ -555,13 +537,28 @@
tmpfs
}:lnk_file no_w_file_perms;
+# Blacklist app domains not allowed to execute from /data
+neverallow {
+ bluetooth
+ isolated_app
+ nfc
+ radio
+ shared_relro
+ system_app
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# Applications should use the activity model for receiving events
neverallow {
appdomain
-shell # bugreport
} input_device:chr_file ~getattr;
-# Do not allow access to Bluetooth-related system properties except for a few allowed domains.
+# Do not allow access to Bluetooth-related system properties except for a few whitelisted domains.
# neverallow rules for access to Bluetooth-related data files are above.
neverallow {
appdomain
@@ -595,9 +592,3 @@
{ open read write append execute execute_no_trans map };
neverallow appdomain system_bootstrap_lib_file:dir
{ open read getattr search };
-
-# Allow to read ro.vendor.camera.extensions.enabled
-get_prop(appdomain, camera2_extensions_prop)
-
-# Allow to ro.camerax.extensions.enabled
-get_prop(appdomain, camerax_extensions_prop)
diff --git a/public/asan_extract.te b/public/asan_extract.te
index d8a1b73..15c5a09 100644
--- a/public/asan_extract.te
+++ b/public/asan_extract.te
@@ -5,7 +5,7 @@
with_asan(`
type asan_extract, domain, coredomain;
- type asan_extract_exec, exec_type, file_type, system_file_type;
+ type asan_extract_exec, exec_type, file_type;
# Allow asan_extract to execute itself using #!/system/bin/sh
allow asan_extract shell_exec:file rx_file_perms;
@@ -30,4 +30,7 @@
# Restorecon will actually already try to run with sanitized libraries (libpackagelistparser).
allow asan_extract system_data_file:file execute;
+
+ # We need to signal a reboot when done.
+ set_prop(asan_extract, powerctl_prop)
')
diff --git a/public/atrace.te b/public/atrace.te
deleted file mode 100644
index 7327f84..0000000
--- a/public/atrace.te
+++ /dev/null
@@ -1 +0,0 @@
-type atrace, domain, coredomain;
diff --git a/public/attributes b/public/attributes
index b60c9cc..19623af 100644
--- a/public/attributes
+++ b/public/attributes
@@ -7,9 +7,6 @@
# in tools/checkfc.c
attribute dev_type;
-# Attribute for block devices.
-attribute bdev_type;
-
# All types used for processes.
attribute domain;
@@ -37,11 +34,6 @@
attribute core_data_file_type;
expandattribute core_data_file_type false;
-# All types used for app private data files in seapp_contexts.
-# Such types should not be applied to any other files.
-attribute app_data_file_type;
-expandattribute app_data_file_type false;
-
# All types in /system
attribute system_file_type;
@@ -62,15 +54,9 @@
# All types used for sysfs files.
attribute sysfs_type;
-# Attribute for /sys/class/block files.
-attribute sysfs_block_type;
-
# All types use for debugfs files.
attribute debugfs_type;
-# All types used for tracefs files.
-attribute tracefs_type;
-
# Attribute used for all sdcards
attribute sdcard_type;
@@ -105,46 +91,35 @@
# All properties defined by /system.
attribute system_property_type;
-expandattribute system_property_type false;
# All /system-defined properties used only in /system.
attribute system_internal_property_type;
-expandattribute system_internal_property_type false;
# All /system-defined properties which can't be written outside /system.
attribute system_restricted_property_type;
-expandattribute system_restricted_property_type false;
# All /system-defined properties with no restrictions.
attribute system_public_property_type;
-expandattribute system_public_property_type false;
-
-# All keystore2_key labels.
-attribute keystore2_key_type;
# All properties defined by /product.
# Currently there are no enforcements between /system and /product, so for now
# /product attributes are just replaced to /system attributes.
define(`product_property_type', `system_property_type')
-define(`product_internal_property_type', `system_internal_property_type')
-define(`product_restricted_property_type', `system_restricted_property_type')
-define(`product_public_property_type', `system_public_property_type')
+define(`product_internal_type', `system_internal_property_type')
+define(`product_restricted_type', `system_restricted_property_type')
+define(`product_public_type', `system_public_property_type')
# All properties defined by /vendor.
attribute vendor_property_type;
-expandattribute vendor_property_type false;
# All /vendor-defined properties used only in /vendor.
attribute vendor_internal_property_type;
-expandattribute vendor_internal_property_type false;
# All /vendor-defined properties which can't be written outside /vendor.
attribute vendor_restricted_property_type;
-expandattribute vendor_restricted_property_type false;
# All /vendor-defined properties with no restrictions.
attribute vendor_public_property_type;
-expandattribute vendor_public_property_type false;
# All service_manager types created by system_server
attribute system_server_service;
@@ -158,9 +133,6 @@
# services which export only system_api
attribute system_api_service;
-# services which are explicitly disallowed for untrusted apps to access
-attribute protected_service;
-
# services which served by vendor and also using the copy of libbinder on
# system (for instance via libbinder_ndk). services using a different copy
# of libbinder currently need their own context manager (e.g.
@@ -201,7 +173,7 @@
# All domains used for apps.
attribute appdomain;
-# All third party apps (except isolated_app and ephemeral_app)
+# All third party apps.
attribute untrusted_app_all;
# All domains used for apps with network access.
@@ -221,13 +193,15 @@
# All core domains (as opposed to vendor/device-specific domains)
attribute coredomain;
-# All vendor hwservice.
-attribute vendor_hwservice_type;
-
# All socket devices owned by core domain components
attribute coredomain_socket;
expandattribute coredomain_socket false;
+# All vendor domains which violate the requirement of not using Binder
+# TODO(b/35870313): Remove this once there are no violations
+attribute binder_in_vendor_violators;
+expandattribute binder_in_vendor_violators false;
+
# All vendor domains which violate the requirement of not using sockets for
# communicating with core components
# TODO(b/36577153): Remove this once there are no violations
@@ -343,7 +317,6 @@
hal_attribute(input_classifier);
hal_attribute(ir);
hal_attribute(keymaster);
-hal_attribute(keymint);
hal_attribute(light);
hal_attribute(lowpan);
hal_attribute(memtrack);
@@ -364,7 +337,6 @@
hal_attribute(tv_tuner);
hal_attribute(usb);
hal_attribute(usb_gadget);
-hal_attribute(uwb);
hal_attribute(vehicle);
hal_attribute(vibrator);
hal_attribute(vr);
@@ -386,16 +358,8 @@
attribute scheduler_service_server;
attribute sensor_service_server;
attribute stats_service_server;
-attribute system_suspend_internal_server;
attribute system_suspend_server;
attribute wifi_keystore_service_server;
# All types used for super partition block devices.
attribute super_block_device_type;
-
-# All types used for DMA-BUF heaps
-attribute dmabuf_heap_device_type;
-expandattribute dmabuf_heap_device_type false;
-
-# All types used for DSU metadata files.
-attribute gsi_metadata_file_type;
diff --git a/public/bootanim.te b/public/bootanim.te
index 88fe173..bd2bec6 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,10 +27,6 @@
# Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms;
-
-# Allow access to DMA-BUF system heap
-allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
-
allow bootanim hal_graphics_allocator:fd use;
# Fences
@@ -41,3 +37,7 @@
# System file accesses.
allow bootanim system_file:dir r_dir_perms;
+
+# Read ro.boot.bootreason b/30654343
+get_prop(bootanim, bootloader_boot_reason_prop)
+
diff --git a/public/bootstat.te b/public/bootstat.te
index 5079c28..e91f2a5 100644
--- a/public/bootstat.te
+++ b/public/bootstat.te
@@ -8,6 +8,13 @@
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
+# Collect metrics on boot time created by init
+get_prop(bootstat, boottime_prop)
+
+# Read/Write [persist.]sys.boot.reason and ro.boot.bootreason (write if empty)
+set_prop(bootstat, bootloader_boot_reason_prop)
+set_prop(bootstat, system_boot_reason_prop)
+set_prop(bootstat, last_boot_reason_prop)
allow bootstat metadata_file:dir search;
allow bootstat metadata_bootstat_file:dir rw_dir_perms;
allow bootstat metadata_bootstat_file:file create_file_perms;
@@ -25,6 +32,31 @@
# Allow bootstat write to statsd.
unix_socket_send(bootstat, statsdw, statsd)
+# ToDo: end
+
+neverallow {
+ domain
+ -bootanim
+ -bootstat
+ -dumpstate
+ userdebug_or_eng(`-incidentd')
+ -init
+ -recovery
+ -shell
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:file r_file_perms;
+# ... and refine, as these components should not set the last boot reason
+neverallow { bootanim recovery } last_boot_reason_prop:file r_file_perms;
+
+neverallow {
+ domain
+ -bootstat
+ -init
+ -system_server
+} { bootloader_boot_reason_prop last_boot_reason_prop }:property_service set;
+# ... and refine ... for a ro propertly no less ... keep this _tight_
+neverallow system_server bootloader_boot_reason_prop:property_service set;
+
neverallow {
domain
-bootstat
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 7a29240..13ef1f7 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,7 +13,6 @@
hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms;
-allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use;
@@ -27,7 +26,6 @@
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver package_native_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver sensor_privacy_service:service_manager find;
diff --git a/public/charger.te b/public/charger.te
index 37359e3..4b341ea 100644
--- a/public/charger.te
+++ b/public/charger.te
@@ -7,7 +7,6 @@
# Read access to pseudo filesystems.
r_dir_file(charger, rootfs)
r_dir_file(charger, cgroup)
-r_dir_file(charger, cgroup_v2)
# Allow to read /sys/class/power_supply directory
allow charger sysfs_type:dir r_dir_perms;
@@ -37,4 +36,13 @@
allow charger tty_device:chr_file rw_file_perms;
allow charger proc_sysrq:file rw_file_perms;
+# charger needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(charger, system_prop)
+set_prop(charger, exported_system_prop)
+set_prop(charger, exported2_system_prop)
+set_prop(charger, exported3_system_prop)
+
+get_prop(charger, charger_prop)
+
hal_client_domain(charger, hal_health)
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a6f0a94..5188d19 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -21,9 +21,6 @@
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
@@ -31,9 +28,6 @@
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
-# Read APEX data directories.
-allow crash_dump apex_module_data_file:dir { getattr search };
-
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
@@ -62,13 +56,9 @@
core_data_file_type
vendor_file_type
}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
+dontaudit crash_dump system_data_file:file read;
dontaudit crash_dump property_type:file read;
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
###
### neverallow assertions
###
diff --git a/public/credstore.te b/public/credstore.te
index 97d942d..db16a8d 100644
--- a/public/credstore.te
+++ b/public/credstore.te
@@ -12,8 +12,5 @@
add_service(credstore, credstore_service)
allow credstore sec_key_att_app_id_provider_service:service_manager find;
allow credstore dropbox_service:service_manager find;
-allow credstore authorization_service:service_manager find;
-allow credstore keystore:keystore2 get_auth_token;
r_dir_file(credstore, cgroup)
-r_dir_file(credstore, cgroup_v2)
diff --git a/public/device.te b/public/device.te
index cc2ef57..32563d6 100644
--- a/public/device.te
+++ b/public/device.te
@@ -6,18 +6,16 @@
type binder_device, dev_type, mlstrustedobject;
type hwbinder_device, dev_type, mlstrustedobject;
type vndbinder_device, dev_type;
-type block_device, dev_type, bdev_type;
+type block_device, dev_type;
type camera_device, dev_type;
-type dm_device, dev_type, bdev_type;
-type dm_user_device, dev_type, bdev_type;
+type dm_device, dev_type;
type keychord_device, dev_type;
type loop_control_device, dev_type;
-type loop_device, dev_type, bdev_type;
+type loop_device, dev_type;
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
-type ram_device, dev_type, bdev_type;
+type ram_device, dev_type;
type rtc_device, dev_type;
-type vd_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type fscklogs, dev_type;
@@ -31,7 +29,7 @@
type mtp_device, dev_type, mlstrustedobject;
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type;
type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
@@ -46,18 +44,14 @@
type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
-type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
type qtaguid_device, dev_type;
type watchdog_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type;
type uio_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type, mlstrustedobject;
type usb_device, dev_type, mlstrustedobject;
type usb_serial_device, dev_type;
-type gnss_device, dev_type;
type properties_device, dev_type;
type properties_serial, dev_type;
type property_info, dev_type;
@@ -73,51 +67,48 @@
type rpmsg_device, dev_type;
# Partition layout block device
-type root_block_device, dev_type, bdev_type;
+type root_block_device, dev_type;
# factory reset protection block device
-type frp_block_device, dev_type, bdev_type;
+type frp_block_device, dev_type;
# System block device mounted on /system.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type, bdev_type;
+type system_block_device, dev_type;
# Recovery block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type, bdev_type;
+type recovery_block_device, dev_type;
# boot block device.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type, bdev_type;
+type boot_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type, bdev_type;
+type userdata_block_device, dev_type;
# Cache block device mounted on /cache.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type, bdev_type;
+type cache_block_device, dev_type;
# Block device for any swap partition.
-type swap_block_device, dev_type, bdev_type;
+type swap_block_device, dev_type;
# Metadata block device used for encryption metadata.
# Assign this type to the partition specified by the encryptable=
# mount option in your fstab file in the entry for userdata.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type, bdev_type;
+type metadata_block_device, dev_type;
# The 'misc' partition used by recovery and A/B.
# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type, bdev_type;
+type misc_block_device, dev_type;
# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type, bdev_type;
+type super_block_device, super_block_device_type, dev_type;
# sdcard devices; normally vold uses the vold_block_device label and creates a
# separate device node. gsid, however, accesses the original devide node
# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type, bdev_type;
-
-# Userdata device file for filesystem tunables
-type userdata_sysdev, dev_type;
+type sdcard_block_device, dev_type;
diff --git a/public/dhcp.te b/public/dhcp.te
index 1d875ab..4f2369d 100644
--- a/public/dhcp.te
+++ b/public/dhcp.te
@@ -4,7 +4,6 @@
net_domain(dhcp)
allow dhcp cgroup:dir { create write add_name };
-allow dhcp cgroup_v2:dir { create write add_name };
allow dhcp self:global_capability_class_set { setgid setuid net_admin net_raw net_bind_service };
allow dhcp self:packet_socket create_socket_perms_no_ioctl;
allow dhcp self:netlink_route_socket nlmsg_write;
@@ -18,6 +17,9 @@
# For /proc/sys/net/ipv4/conf/*/promote_secondaries
allow dhcp proc_net_type:file write;
+set_prop(dhcp, dhcp_prop)
+set_prop(dhcp, pan_result_prop)
+
allow dhcp dhcp_data_file:dir create_dir_perms;
allow dhcp dhcp_data_file:file create_file_perms;
diff --git a/public/domain.te b/public/domain.te
index 799a2f1..8cb4950 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -66,7 +66,6 @@
allow domain device:dir search;
allow domain dev_type:lnk_file r_file_perms;
allow domain devpts:dir search;
-allow domain dmabuf_heap_device:dir r_dir_perms;
allow domain socket_device:dir r_dir_perms;
allow domain owntty_device:chr_file rw_file_perms;
allow domain null_device:chr_file rw_file_perms;
@@ -81,10 +80,6 @@
# /dev/binder can be accessed by ... everyone! :)
allow { domain -hwservicemanager -vndservicemanager } binder_device:chr_file rw_file_perms;
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
# /dev/binderfs needs to be accessed by everyone too!
allow domain binderfs:dir { getattr search };
allow domain binderfs_logs_proc:dir search;
@@ -99,34 +94,20 @@
allow domain property_info:file r_file_perms;
# Public readable properties
-get_prop(domain, aaudio_config_prop)
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_odm_prop)
-get_prop(domain, build_prop)
-get_prop(domain, build_vendor_prop)
get_prop(domain, debug_prop)
get_prop(domain, exported_config_prop)
get_prop(domain, exported_default_prop)
get_prop(domain, exported_dumpstate_prop)
+get_prop(domain, exported_fingerprint_prop)
+get_prop(domain, exported_radio_prop)
get_prop(domain, exported_secure_prop)
get_prop(domain, exported_system_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, hal_instrumentation_prop)
-get_prop(domain, hw_timeout_multiplier_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
+get_prop(domain, exported_vold_prop)
+get_prop(domain, exported2_default_prop)
get_prop(domain, logd_prop)
-get_prop(domain, mediadrm_config_prop)
-get_prop(domain, property_service_version_prop)
-get_prop(domain, soc_prop)
get_prop(domain, socket_hook_prop)
-get_prop(domain, surfaceflinger_prop)
-get_prop(domain, telephony_status_prop)
get_prop(domain, vendor_socket_hook_prop)
get_prop(domain, vndk_prop)
-get_prop(domain, vold_status_prop)
-get_prop(domain, vts_config_prop)
# Binder cache properties are world-readable
get_prop(domain, binder_cache_bluetooth_server_prop)
@@ -275,31 +256,23 @@
allow domain debugfs_tracing_debug:dir search;
allow domain debugfs_trace_marker:file w_file_perms;
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
# Filesystem access.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
-# Restrict all domains to an allowlist for common socket types. Additional
+# Restrict all domains to a whitelist for common socket types. Additional
# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
+# defaults for all processes. Note that granting this whitelist to domain does
# not grant the ioctl permission on these socket types. That must be granted
# separately.
allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
+# default whitelist for unix sockets.
allowxperm domain { domain pdx_channel_socket_type }:{ unix_dgram_socket unix_stream_socket }
ioctl unpriv_unix_sock_ioctls;
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
# not grant the wider ioctl permission. That must be granted
# separately.
allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
@@ -315,7 +288,7 @@
# Allow a process to make a determination whether a file descriptor
# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
+# this whitelist to domain does not grant the ioctl permission to
# these files. That must be granted separately.
allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
allowxperm domain domain:fifo_file ioctl { TCGETS };
@@ -358,7 +331,7 @@
###
# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
+# sockets must be restricted to a whitelist.
neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
# b/68014825 and https://android-review.googlesource.com/516535
@@ -373,7 +346,7 @@
# Do not allow any domain other than init to create unlabeled files.
neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
-# Limit device node creation to these allowed domains.
+# Limit device node creation to these whitelisted domains.
neverallow {
domain
-kernel
@@ -412,11 +385,13 @@
# that could be set from init.rc.
neverallow { domain -init } kernel:security setsecparam;
-# Only the kernel hwrng thread should be able to read from the HW RNG.
+# Only init, ueventd, shell and system_server should be able to access HW RNG
neverallow {
domain
- -shell # For CTS, restricted to just getattr in shell.te
- -ueventd # To create the /dev/hw_random file
+ -init
+ -shell # For CTS and is restricted to getattr in shell.te
+ -system_server
+ -ueventd
} hw_random_device:chr_file *;
# b/78174219 b/64114943
neverallow {
@@ -467,17 +442,22 @@
# Files from cache should never be executed
neverallow domain { cache_file cache_backup_file cache_private_backup_file cache_recovery_file }:file execute;
+# Protect most domains from executing arbitrary content from /data.
+neverallow {
+ domain
+ -appdomain
+} {
+ data_file_type
+ -dalvikcache_data_file
+ -system_data_file # shared libs in apks
+ -apk_data_file
+}:file no_x_file_perms;
+
# The test files and executables MUST not be accessible to any domain
neverallow { domain userdebug_or_eng(`-kernel') } nativetest_data_file:file_class_set no_w_file_perms;
neverallow domain nativetest_data_file:dir no_w_dir_perms;
neverallow { domain userdebug_or_eng(`-shell') } nativetest_data_file:file no_x_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
-neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
-neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
-
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
neverallow { domain -init } property_data_file:file { no_w_file_perms no_x_file_perms };
@@ -503,6 +483,7 @@
# Don't allow mounting on top of /system files or directories
neverallow * exec_type:dir_file_class_set mounton;
+neverallow { domain -init } { system_file_type vendor_file_type }:dir_file_class_set mounton;
# Nothing should be writing to files in the rootfs.
neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
@@ -538,28 +519,32 @@
# Require that domains explicitly label unknown properties, and do not allow
# anyone but init to modify unknown properties.
+neverallow { domain -init -vendor_init } default_prop:property_service set;
neverallow { domain -init -vendor_init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } vndk_prop:property_service set;
compatible_property_only(`
+ neverallow { domain -init } default_prop:property_service set;
neverallow { domain -init } mmc_prop:property_service set;
neverallow { domain -init -vendor_init } exported_default_prop:property_service set;
neverallow { domain -init } exported_secure_prop:property_service set;
+ neverallow { domain -init } exported2_default_prop:property_service set;
+ neverallow { domain -init -vendor_init } exported3_default_prop:property_service set;
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init -vendor_init } storage_config_prop:property_service set;
- neverallow { domain -init -vendor_init } hw_timeout_multiplier_prop:property_service set;
')
+# Only core domains are allowed to access package_manager properties
+neverallow { domain -init -system_server } pm_prop:property_service set;
+neverallow { domain -coredomain } pm_prop:file no_rw_file_perms;
+
compatible_property_only(`
neverallow { domain -init -system_server -vendor_init } exported_pm_prop:property_service set;
neverallow { domain -coredomain -vendor_init } exported_pm_prop:file no_rw_file_perms;
')
-neverallow { domain -init } aac_drc_prop:property_service set;
-neverallow { domain -init } build_prop:property_service set;
-
# Do not allow reading device's serial number from system properties except form
-# a few allowed domains.
+# a few whitelisted domains.
neverallow {
domain
-adbd
@@ -578,6 +563,9 @@
-vendor_init
} serialno_prop:file r_file_perms;
+# Do not allow reading the last boot timestamp from system properties
+neverallow { domain -init -system_server -dumpstate } firstboot_prop:file r_file_perms;
+
neverallow {
domain
-init
@@ -649,6 +637,7 @@
neverallow {
domain
-coredomain
+ -binder_in_vendor_violators # TODO(b/131617943) remove once all violators are gone
} {
service_manager_type
-vendor_service
@@ -658,26 +647,19 @@
full_treble_only(`
# Vendor apps are permited to use only stable public services. If they were to use arbitrary
# services which can change any time framework/core is updated, breakage is likely.
- #
- # Note, this same logic applies to untrusted apps, but neverallows for these are separate.
neverallow {
appdomain
-coredomain
} {
service_manager_type
-
-app_api_service
- -vendor_service # must be @VintfStability to be used by an app
-ephemeral_app_api_service
-
- -apc_service
-audioserver_service # TODO(b/36783122) remove exemptions below once app_api_service is fixed
-cameraserver_service
-drmserver_service
+ -hal_light_service # TODO(b/148154485) remove once all violators are gone
-credstore_service
- -keystore_maintenance_service
-keystore_service
- -legacykeystore_service
-mediadrmserver_service
-mediaextractor_service
-mediametrics_service
@@ -687,7 +669,6 @@
-virtual_touchpad_service
-vr_hwc_service
-vr_manager_service
- userdebug_or_eng(`-hal_face_service')
}:service_manager find;
')
@@ -738,6 +719,25 @@
-socket_between_core_and_vendor_violators
});
')
+ # Vendor domains are not permitted to initiate communications to core domain sockets
+full_treble_only(`
+ neverallow_establish_socket_comms({
+ domain
+ -coredomain
+ -appdomain
+ -socket_between_core_and_vendor_violators
+ }, {
+ coredomain
+ -logd # Logging by writing to logd Unix domain socket is public API
+ -netd # netdomain needs this
+ -mdnsd # netdomain needs this
+ userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+ -init
+ -tombstoned # linker to tombstoned
+ userdebug_or_eng(`-heapprofd')
+ userdebug_or_eng(`-traced_perf')
+ });
+')
# Vendor domains are not permitted to initiate create/open sockets owned by core domains
full_treble_only(`
@@ -781,7 +781,6 @@
dev_type
-coredomain_socket
-core_data_file_type
- -app_data_file_type
-unlabeled
}:sock_file ~{ append getattr ioctl read write };
')
@@ -806,7 +805,6 @@
} {
data_file_type
-core_data_file_type
- -app_data_file_type
}:file_class_set ~{ append getattr ioctl read write map };
')
full_treble_only(`
@@ -819,7 +817,6 @@
} {
data_file_type
-core_data_file_type
- -app_data_file_type
# TODO(b/72998741) Remove exemption. Further restricted in a subsequent
# neverallow. Currently only getattr and search are allowed.
-vendor_data_file
@@ -937,7 +934,7 @@
full_treble_only(`
# Do not allow vendor components to execute files from system
- # except for the ones allowed here.
+ # except for the ones whitelist here.
neverallow {
domain
-coredomain
@@ -957,25 +954,8 @@
')
full_treble_only(`
- # Do not allow coredomain to access entrypoint for files other
- # than system_file_type and postinstall_file
- neverallow coredomain {
- file_type
- -system_file_type
- -postinstall_file
- }:file entrypoint;
- # Do not allow domains other than coredomain to access entrypoint
- # for anything but vendor_file_type and init_exec for vendor_init.
- neverallow { domain -coredomain } {
- file_type
- -vendor_file_type
- -init_exec
- }:file entrypoint;
-')
-
-full_treble_only(`
# Do not allow system components to execute files from vendor
- # except for the ones allowed here.
+ # except for the ones whitelisted here.
neverallow {
coredomain
-init
@@ -987,7 +967,6 @@
-same_process_hal_file
-vndk_sp_file
-vendor_app_file
- -vendor_public_framework_file
-vendor_public_lib_file
}:file execute;
')
@@ -1004,8 +983,43 @@
')
full_treble_only(`
+ # Do not allow system components access to /vendor files except for the
+ # ones whitelisted here.
+ neverallow {
+ coredomain
+ # TODO(b/37168747): clean up fwk access to /vendor
+ -crash_dump
+ -init # starts vendor executables
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel # loads /vendor/firmware
+ userdebug_or_eng(`-heapprofd')
+ -shell
+ -system_executes_vendor_violators
+ -traced_perf # library/binary access for symbolization
+ -ueventd # reads /vendor/ueventd.rc
+ -vold # loads incremental fs driver
+ } {
+ vendor_file_type
+ -same_process_hal_file
+ -vendor_app_file
+ -vendor_apex_file
+ -vendor_configs_file
+ -vendor_service_contexts_file
+ -vendor_framework_file
+ -vendor_idc_file
+ -vendor_keychars_file
+ -vendor_keylayout_file
+ -vendor_overlay_file
+ -vendor_public_lib_file
+ -vendor_task_profiles_file
+ -vndk_sp_file
+ }:file *;
+')
+
+full_treble_only(`
# Do not allow vendor components access to /system files except for the
- # ones allowed here.
+ # ones whitelisted here.
neverallow {
domain
-appdomain
@@ -1031,7 +1045,6 @@
-system_seccomp_policy_file
-system_security_cacerts_file
-system_zoneinfo_file
- -task_profiles_api_file
-task_profiles_file
userdebug_or_eng(`-tcpdump_exec')
}:file *;
@@ -1064,9 +1077,6 @@
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:sock_file write;
neverallow { domain -dumpstate -incidentd -system_server } tombstoned_intercept_socket:unix_stream_socket connectto;
-# Never allow anyone but system_server to read heapdumps in /data/system/heapdump.
-neverallow { domain -init -system_server } heapdump_data_file:file read;
-
# Android does not support System V IPCs.
#
# The reason for this is due to the fact that, by design, they lead to global
@@ -1202,7 +1212,7 @@
# In addition to the symlink reading restrictions above, restrict
# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
+# directory is untrustworthy, and non-whitelisted domains should
# not be trusting any content in those directories.
neverallow {
domain
@@ -1221,7 +1231,6 @@
-dumpstate
-init
-installd
- -iorap_inode2filename
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
@@ -1310,6 +1319,24 @@
# separate server process).
neverallow * same_process_hwservice:hwservice_manager add;
+# On TREBLE devices, most coredomains should not access vendor_files.
+# TODO(b/71553434): Remove exceptions here.
+full_treble_only(`
+ neverallow {
+ coredomain
+ -appdomain
+ -bootanim
+ -crash_dump
+ -heapprofd
+ -init
+ -iorap_inode2filename
+ -iorap_prefetcherd
+ -kernel
+ -traced_perf
+ -ueventd
+ } vendor_file:file { no_w_file_perms no_x_file_perms open };
+')
+
# If an already existing file is opened with O_CREAT, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
@@ -1323,12 +1350,10 @@
# cgroupfs directories can be created, but not files within them.
neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
dontaudit domain proc_type:dir write;
dontaudit domain sysfs_type:dir write;
dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
# These are only needed in permissive mode - in enforcing mode the
# directory write check fails and so these are never attempted.
@@ -1353,7 +1378,7 @@
neverallow {
coredomain
-appdomain
- } {vendor_public_framework_file vendor_public_lib_file}:file { execute execute_no_trans };
+ } vendor_public_lib_file:file { execute execute_no_trans };
')
# Vendor domian must not have access to /mnt/product.
@@ -1393,8 +1418,3 @@
-untrusted_app_25
-untrusted_app_27
} ashmem_device:chr_file open;
-
-neverallow { domain -traced_probes -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..e2c6638 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -30,9 +30,7 @@
# /data/app/tlcd_sock socket file.
# Clearly, /data/app is the most logical place to create a socket. Not.
allow drmserver apk_data_file:dir rw_dir_perms;
-auditallow drmserver apk_data_file:dir { add_name write };
allow drmserver drmserver_socket:sock_file create_file_perms;
-auditallow drmserver drmserver_socket:sock_file create;
# Delete old socket file if present.
allow drmserver apk_data_file:sock_file unlink;
@@ -61,5 +59,4 @@
selinux_check_access(drmserver)
r_dir_file(drmserver, cgroup)
-r_dir_file(drmserver, cgroup_v2)
r_dir_file(drmserver, system_file)
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 85a5796..8d99a3c 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -41,8 +41,8 @@
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;
-# Allow dumpstate to append into apps' private files.
-allow dumpstate { privapp_data_file app_data_file }:file append;
+# Allow dumpstate to append into privileged apps private files.
+allow dumpstate privapp_data_file:file append;
# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
@@ -76,12 +76,10 @@
# This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
hal_audio_server
- hal_audiocontrol_server
hal_bluetooth_server
hal_camera_server
hal_codec2_server
hal_drm_server
- hal_evs_server
hal_face_server
hal_fingerprint_server
hal_graphics_allocator_server
@@ -93,7 +91,6 @@
hal_power_stats_server
hal_sensors_server
hal_thermal_server
- hal_vehicle_server
hal_vr_server
system_suspend_server
}:process signal;
@@ -113,12 +110,10 @@
}:file r_file_perms;
# Other random bits of data we want to collect
-no_debugfs_restriction(`
- allow dumpstate debugfs:file r_file_perms;
- auditallow dumpstate debugfs:file r_file_perms;
+allow dumpstate debugfs:file r_file_perms;
+auditallow dumpstate debugfs:file r_file_perms;
- allow dumpstate debugfs_mmc:file r_file_perms;
-')
+allow dumpstate debugfs_mmc:file r_file_perms;
# df for
allow dumpstate {
@@ -136,25 +131,16 @@
# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
-r_dir_file(dumpstate, cgroup_v2)
# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })
+dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
-dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
-dump_hal(hal_thermal)
-dump_hal(hal_power)
-dump_hal(hal_power_stats)
-dump_hal(hal_identity)
-dump_hal(hal_face)
-dump_hal(hal_fingerprint)
-dump_hal(hal_gnss)
-
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
@@ -178,10 +164,6 @@
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-# For Nfc
-allow dumpstate nfc_logs_data_file:dir r_dir_perms;
-allow dumpstate nfc_logs_data_file:file r_file_perms;
-
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
@@ -232,7 +214,7 @@
# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
- allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
+ allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')
@@ -275,6 +257,13 @@
allow dumpstate devpts:chr_file rw_file_perms;
+# Set properties.
+# dumpstate_prop is used to share state with the Shell app.
+set_prop(dumpstate, dumpstate_prop)
+set_prop(dumpstate, exported_dumpstate_prop)
+# dumpstate_options_prop is used to pass extra command-line args.
+set_prop(dumpstate, dumpstate_options_prop)
+
# Read any system properties
get_prop(dumpstate, property_type)
@@ -298,9 +287,6 @@
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;
-# Allow dumpstate to run ps
-allow dumpstate proc_pid_max:file r_file_perms;
-
# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);
@@ -345,25 +331,8 @@
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;
-binder_call(dumpstate, hal_authsecret_server)
-allow hal_authsecret_server dumpstate:fifo_file write;
-allow hal_authsecret_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_keymint_server)
-allow hal_keymint_server dumpstate:fifo_file write;
-allow hal_keymint_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_memtrack_server)
-allow hal_memtrack_server dumpstate:fifo_file write;
-allow hal_memtrack_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_oemlock_server)
-allow hal_oemlock_server dumpstate:fifo_file write;
-allow hal_oemlock_server dumpstate:fd use;
-
-binder_call(dumpstate, hal_weaver_server)
-allow hal_weaver_server dumpstate:fifo_file write;
-allow hal_weaver_server dumpstate:fd use;
+# Allow dumpstate to kill vendor dumpstate service by init
+set_prop(dumpstate, ctl_dumpstate_prop)
#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
@@ -372,9 +341,6 @@
#Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
-allow dumpstate binderfs_logs_proc:file r_file_perms;
-
-allow dumpstate apex_info_file:file getattr;
###
### neverallow rules
diff --git a/public/fastbootd.te b/public/fastbootd.te
index e167a5e..8787817 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -23,12 +23,22 @@
allow fastbootd device:dir r_dir_perms;
+ # Reboot the device
+ set_prop(fastbootd, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(fastbootd, serialno_prop)
+
# For dev/block/by-name dir
allow fastbootd block_device:dir r_dir_perms;
# Needed for DM_DEV_CREATE ioctl call
allow fastbootd self:capability sys_admin;
+ # Set sys.usb.ffs.ready.
+ set_prop(fastbootd, ffs_prop)
+ set_prop(fastbootd, exported_ffs_prop)
+
unix_socket_connect(fastbootd, recovery, recovery)
# Required for flashing
@@ -48,9 +58,9 @@
# libfiemap.
allow fastbootd metadata_block_device:blk_file r_file_perms;
allow fastbootd {rootfs tmpfs}:dir mounton;
- allow fastbootd metadata_file:dir { search getattr mounton };
- allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
- allow fastbootd gsi_metadata_file_type:file create_file_perms;
+ allow fastbootd metadata_file:dir { search getattr };
+ allow fastbootd gsi_metadata_file:dir rw_dir_perms;
+ allow fastbootd gsi_metadata_file:file create_file_perms;
allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
@@ -97,14 +107,27 @@
vendor_file_type
}:{ file lnk_file } unlink;
allow fastbootd tmpfs:dir rw_dir_perms;
- # Fetch vendor_boot partition
- allow fastbootd boot_block_device:blk_file r_file_perms;
+ allow fastbootd labeledfs:filesystem { mount unmount };
+ get_prop(fastbootd, persistent_properties_ready_prop)
')
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow fastbootd gsi_metadata_file_type:dir search;
+ set_prop(fastbootd, gsid_prop)
+ allow fastbootd gsi_metadata_file:dir search;
allow fastbootd ota_metadata_file:dir rw_dir_perms;
allow fastbootd ota_metadata_file:file create_file_perms;
+
+ # Determine allocation scheme (whether B partitions needs to be
+ # at the second half of super.
+ get_prop(fastbootd, virtual_ab_prop)
+
+ # Needed for TCP protocol
+ allow fastbootd node:tcp_socket node_bind;
+ allow fastbootd port:tcp_socket name_bind;
+ allow fastbootd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+
+ # Get fastbootd protocol property
+ get_prop(fastbootd, fastbootd_protocol_prop)
')
###
diff --git a/public/file.te b/public/file.te
index dc788ac..91257e2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -21,7 +21,6 @@
type proc_bluetooth_writable, fs_type, proc_type;
type proc_abi, fs_type, proc_type;
type proc_asound, fs_type, proc_type;
-type proc_bootconfig, fs_type, proc_type;
type proc_buddyinfo, fs_type, proc_type;
type proc_cmdline, fs_type, proc_type;
type proc_cpuinfo, fs_type, proc_type;
@@ -34,11 +33,9 @@
type proc_hung_task, fs_type, proc_type;
type proc_interrupts, fs_type, proc_type;
type proc_iomem, fs_type, proc_type;
-type proc_kallsyms, fs_type, proc_type;
type proc_keys, fs_type, proc_type;
type proc_kmsg, fs_type, proc_type;
type proc_loadavg, fs_type, proc_type;
-type proc_locks, fs_type, proc_type;
type proc_lowmemorykiller, fs_type, proc_type;
type proc_max_map_count, fs_type, proc_type;
type proc_meminfo, fs_type, proc_type;
@@ -77,24 +74,18 @@
type proc_vmallocinfo, fs_type, proc_type;
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
-type proc_vendor_sched, proc_type, fs_type;
type selinuxfs, fs_type, mlstrustedobject;
type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
-type cgroup_v2, fs_type;
+type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
type sysfs_android_usb, fs_type, sysfs_type;
type sysfs_uio, sysfs_type, fs_type;
type sysfs_batteryinfo, fs_type, sysfs_type;
-type sysfs_block, fs_type, sysfs_type, sysfs_block_type;
type sysfs_bluetooth_writable, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_devfreq_cur, fs_type, sysfs_type;
-type sysfs_devfreq_dir, fs_type, sysfs_type;
type sysfs_devices_block, fs_type, sysfs_type;
type sysfs_dm, fs_type, sysfs_type;
type sysfs_dm_verity, fs_type, sysfs_type;
-type sysfs_dma_heap, fs_type, sysfs_type;
-type sysfs_dmabuf_stats, fs_type, sysfs_type;
type sysfs_dt_firmware_android, fs_type, sysfs_type;
type sysfs_extcon, fs_type, sysfs_type;
type sysfs_ion, fs_type, sysfs_type;
@@ -116,17 +107,8 @@
type sysfs_wakeup_reasons, fs_type, sysfs_type;
type sysfs_fs_ext4_features, sysfs_type, fs_type;
type sysfs_fs_f2fs, sysfs_type, fs_type;
-type sysfs_fs_incfs_features, sysfs_type, fs_type;
-type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
-type sysfs_vendor_sched, sysfs_type, fs_type;
-userdebug_or_eng(`
- typeattribute sysfs_vendor_sched mlstrustedobject;
-')
type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
type configfs, fs_type;
-# /sys/devices/cs_etm
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
# /sys/devices/system/cpu
type sysfs_devices_system_cpu, fs_type, sysfs_type;
# /sys/module/lowmemorykiller
@@ -134,7 +116,7 @@
# /sys/module/wlan/parameters/fwpath
type sysfs_wlan_fwpath, fs_type, sysfs_type;
type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
+
type sysfs_thermal, sysfs_type, fs_type;
type sysfs_zram, fs_type, sysfs_type;
@@ -151,14 +133,12 @@
type debugfs, fs_type, debugfs_type;
type debugfs_kprobes, fs_type, debugfs_type;
type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
+type debugfs_trace_marker, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_debug, fs_type, debugfs_type, mlstrustedobject;
+type debugfs_tracing_instances, fs_type, debugfs_type;
type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
+type debugfs_wifi_tracing, fs_type, debugfs_type;
type securityfs, fs_type;
type pstorefs, fs_type;
@@ -199,14 +179,10 @@
type system_zoneinfo_file, system_file_type, file_type;
# Cgroups description file under /system/etc/cgroups.json
type cgroup_desc_file, system_file_type, file_type;
-# Cgroups description file under /system/etc/task_profiles/cgroups_*.json
-type cgroup_desc_api_file, system_file_type, file_type;
# Vendor cgroups description file under /vendor/etc/cgroups.json
type vendor_cgroup_desc_file, vendor_file_type, file_type;
# Task profiles file under /system/etc/task_profiles.json
type task_profiles_file, system_file_type, file_type;
-# Task profiles file under /system/etc/task_profiles/task_profiles_*.json
-type task_profiles_api_file, system_file_type, file_type;
# Vendor task profiles file under /vendor/etc/task_profiles.json
type vendor_task_profiles_file, vendor_file_type, file_type;
# Type for /system/apex/com.android.art
@@ -237,9 +213,6 @@
# Type for all vendor public libraries. These libs should only be exposed to
# apps. ABI stability of these libs is vendor's responsibility.
type vendor_public_lib_file, vendor_file_type, file_type;
-# Type for all vendor public libraries for system. These libs should only be exposed to
-# system. ABI stability of these libs is vendor's responsibility.
-type vendor_public_framework_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
@@ -251,9 +224,7 @@
# Vold files within /metadata
type vold_metadata_file, file_type;
# GSI files within /metadata
-type gsi_metadata_file, gsi_metadata_file_type, file_type;
-# DSU (GSI) files within /metadata that are globally readable.
-type gsi_public_metadata_file, gsi_metadata_file_type, file_type;
+type gsi_metadata_file, file_type;
# system_server shares Weaver slot information in /metadata
type password_slot_metadata_file, file_type;
# APEX files within /metadata
@@ -262,12 +233,8 @@
type ota_metadata_file, file_type;
# property files within /metadata/bootstat
type metadata_bootstat_file, file_type;
-# userspace reboot files within /metadata/userspacereboot
-type userspace_reboot_metadata_file, file_type;
# Staged install files within /metadata/staged-install
type staged_install_file, file_type;
-# Metadata information within /metadata/watchdog
-type watchdog_metadata_file, file_type;
# Type for /dev/cpu_variant:.*.
type dev_cpu_variant, file_type;
@@ -318,7 +285,6 @@
# /data/ota_package
type ota_package_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profiles
-type user_profile_root_file, file_type, data_file_type, core_data_file_type;
type user_profile_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/misc/profman
type profman_dump_data_file, file_type, data_file_type, core_data_file_type;
@@ -327,7 +293,7 @@
# /data/resource-cache
type resourcecache_data_file, file_type, data_file_type, core_data_file_type;
# /data/local - writable by shell
-type shell_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type shell_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/property
type property_data_file, file_type, data_file_type, core_data_file_type;
# /data/bootchart
@@ -338,8 +304,6 @@
type heapdump_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/nativetest
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-# /data/local/tests
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
# /data/system_de/0/ringtones
type ringtone_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# /data/preloads
@@ -376,9 +340,6 @@
# Mount point used for APEX images
type apex_mnt_dir, file_type;
-# /apex/apex-info-list.xml created by apexd
-type apex_info_file, file_type;
-
# /postinstall: Mount point used by update_engine to run postinstall.
type postinstall_mnt_dir, file_type;
# Files inside the /postinstall mountpoint are all labeled as postinstall_file.
@@ -391,17 +352,13 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
-type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
-type apex_ota_reserved_file, file_type, data_file_type, core_data_file_type;
type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
-type apex_scheduling_data_file, file_type, data_file_type, core_data_file_type;
type apex_wifi_data_file, file_type, data_file_type, core_data_file_type;
-type appcompat_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;
-type bluetooth_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type bluetooth_data_file, file_type, data_file_type, core_data_file_type;
type bluetooth_logs_data_file, file_type, data_file_type, core_data_file_type;
type bootstat_data_file, file_type, data_file_type, core_data_file_type;
type boottrace_data_file, file_type, data_file_type, core_data_file_type;
@@ -416,11 +373,10 @@
type misc_user_data_file, file_type, data_file_type, core_data_file_type;
type net_data_file, file_type, data_file_type, core_data_file_type;
type network_watchlist_data_file, file_type, data_file_type, core_data_file_type;
-type nfc_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
-type nfc_logs_data_file, file_type, data_file_type, core_data_file_type;
-type radio_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type nfc_data_file, file_type, data_file_type, core_data_file_type;
+type radio_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type recovery_data_file, file_type, data_file_type, core_data_file_type;
-type shared_relro_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+type shared_relro_file, file_type, data_file_type, core_data_file_type;
type snapshotctl_log_data_file, file_type, data_file_type, core_data_file_type;
type stats_data_file, file_type, data_file_type, core_data_file_type;
type systemkeys_data_file, file_type, data_file_type, core_data_file_type;
@@ -437,14 +393,13 @@
# /data/misc/trace for method traces on userdebug / eng builds
type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type gsi_data_file, file_type, data_file_type, core_data_file_type;
-type radio_core_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - app sandboxes
-type app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type app_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectories - priv-app sandboxes
-type privapp_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type;
+type privapp_data_file, file_type, data_file_type, core_data_file_type;
# /data/data subdirectory for system UID apps.
-type system_app_data_file, file_type, data_file_type, core_data_file_type, app_data_file_type, mlstrustedobject;
+type system_app_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
# Compatibility with type name used in Android 4.3 and 4.4.
# Default type for anything under /cache
type cache_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
@@ -506,7 +461,6 @@
type recovery_socket, file_type, coredomain_socket;
type rild_socket, file_type;
type rild_debug_socket, file_type;
-type snapuserd_socket, file_type, coredomain_socket;
type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
@@ -554,9 +508,6 @@
# service_contexts file
type service_contexts_file, system_file_type, file_type;
-# keystore2_key_contexts_file
-type keystore2_key_contexts_file, system_file_type, file_type;
-
# vendor service_contexts file
type vendor_service_contexts_file, vendor_file_type, file_type;
@@ -569,16 +520,10 @@
# vndservice_contexts file
type vndservice_contexts_file, file_type;
-# /sys/kernel/tracing/instances/bootreceiver for monitoring kernel memory corruptions.
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-
-# kernel modules
-type vendor_kernel_modules, vendor_file_type, file_type;
-
# Allow files to be created in their appropriate filesystems.
allow fs_type self:filesystem associate;
allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
@@ -588,7 +533,6 @@
allow dev_type tmpfs:filesystem associate;
allow app_fuse_file app_fusefs:filesystem associate;
allow postinstall_file self:filesystem associate;
-allow proc_net proc:filesystem associate;
# asanwrapper (run a sanitized app_process, to be used with wrap properties)
with_asan(`type asanwrapper_exec, exec_type, file_type;')
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index 8cf2411..ff7a884 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -18,7 +18,6 @@
# Need to add auth tokens to KeyStore
use_keystore(fingerprintd)
allow fingerprintd keystore:keystore_key { add_auth };
-allow fingerprintd keystore:keystore2 { add_auth };
# For permissions checking
binder_call(fingerprintd, system_server);
diff --git a/public/flags_health_check.te b/public/flags_health_check.te
index 25a7768..6315d44 100644
--- a/public/flags_health_check.te
+++ b/public/flags_health_check.te
@@ -2,9 +2,33 @@
type flags_health_check, domain, coredomain;
type flags_health_check_exec, system_file_type, exec_type, file_type;
+set_prop(flags_health_check, device_config_boot_count_prop)
+set_prop(flags_health_check, device_config_reset_performed_prop)
+set_prop(flags_health_check, device_config_runtime_native_boot_prop)
+set_prop(flags_health_check, device_config_runtime_native_prop)
+set_prop(flags_health_check, device_config_input_native_boot_prop)
+set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_media_native_prop)
+set_prop(flags_health_check, device_config_storage_native_boot_prop)
+set_prop(flags_health_check, device_config_sys_traced_prop)
+set_prop(flags_health_check, device_config_window_manager_native_boot_prop)
+set_prop(flags_health_check, device_config_configuration_prop)
+
allow flags_health_check server_configurable_flags_data_file:dir rw_dir_perms;
allow flags_health_check server_configurable_flags_data_file:file create_file_perms;
+# system property device_config_boot_count_prop is used for deciding when to perform server
+# configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a
+# wrong timing, trigger server configurable flag related disaster recovery, which will override
+# server configured values of all flags with default values.
+neverallow { domain -init -flags_health_check } device_config_boot_count_prop:property_service set;
+
+# system property device_config_reset_performed_prop is used for indicating whether server
+# configurable flags have been reset during booting. Mistakenly modified by unrelated components can
+# cause bad server configurable flags synced back to device.
+neverallow { domain -init -flags_health_check } device_config_reset_performed_prop:property_service set;
+
# server_configurable_flags_data_file is used for storing whether server configurable flags which
# have been reset during current booting. Mistakenly modified by unrelated components can
# cause bad server configurable flags synced back to device.
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index d48c5f8..dc46d07 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -23,9 +23,6 @@
# Need to add auth tokens to KeyStore
use_keystore(gatekeeperd)
allow gatekeeperd keystore:keystore_key { add_auth };
-allow gatekeeperd keystore:keystore2 { add_auth };
-allow gatekeeperd authorization_service:service_manager find;
-
# For permissions checking
allow gatekeeperd system_server:binder call;
@@ -38,5 +35,7 @@
# For hardware properties retrieval
allow gatekeeperd hardware_properties_service:service_manager find;
+# For checking whether GSI is running
+get_prop(gatekeeperd, gsid_prop)
+
r_dir_file(gatekeeperd, cgroup)
-r_dir_file(gatekeeperd, cgroup_v2)
diff --git a/public/hal_audio.te b/public/hal_audio.te
index d1970b9..5958f2c 100644
--- a/public/hal_audio.te
+++ b/public/hal_audio.te
@@ -3,7 +3,6 @@
binder_call(hal_audio_server, hal_audio_client)
hal_attribute_hwservice(hal_audio, hal_audio_hwservice)
-hal_attribute_service(hal_audio, hal_audio_service)
allow hal_audio ion_device:chr_file r_file_perms;
@@ -34,6 +33,5 @@
# Only audio HAL may directly access the audio hardware
neverallow { halserverdomain -hal_audio_server -hal_omx_server } audio_device:chr_file *;
-get_prop(hal_audio, audio_config_prop)
get_prop(hal_audio, bluetooth_a2dp_offload_prop)
get_prop(hal_audio, bluetooth_audio_hal_prop)
diff --git a/public/hal_audiocontrol.te b/public/hal_audiocontrol.te
index 6f45b0e..4a52b89 100644
--- a/public/hal_audiocontrol.te
+++ b/public/hal_audiocontrol.te
@@ -3,6 +3,3 @@
binder_call(hal_audiocontrol_server, hal_audiocontrol_client)
hal_attribute_hwservice(hal_audiocontrol, hal_audiocontrol_hwservice)
-hal_attribute_service(hal_audiocontrol, hal_audiocontrol_service)
-
-binder_call(hal_audiocontrol_server, servicemanager)
diff --git a/public/hal_authsecret.te b/public/hal_authsecret.te
index bbcdb9a..daf8d48 100644
--- a/public/hal_authsecret.te
+++ b/public/hal_authsecret.te
@@ -2,6 +2,3 @@
binder_call(hal_authsecret_client, hal_authsecret_server)
hal_attribute_hwservice(hal_authsecret, hal_authsecret_hwservice)
-hal_attribute_service(hal_authsecret, hal_authsecret_service)
-
-binder_call(hal_authsecret_server, servicemanager)
diff --git a/public/hal_bootctl.te b/public/hal_bootctl.te
index a1f3d7f..be9975f 100644
--- a/public/hal_bootctl.te
+++ b/public/hal_bootctl.te
@@ -3,4 +3,3 @@
binder_call(hal_bootctl_server, hal_bootctl_client)
hal_attribute_hwservice(hal_bootctl, hal_bootctl_hwservice)
-allow hal_bootctl_server proc_bootconfig:file r_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..77216e4 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,8 +9,6 @@
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
-allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
-
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
diff --git a/public/hal_can.te b/public/hal_can.te
index 959d1d9..c75495b 100644
--- a/public/hal_can.te
+++ b/public/hal_can.te
@@ -1,9 +1,9 @@
# CAN controller
binder_call(hal_can_controller_client, hal_can_controller_server)
-binder_call(hal_can_controller_server, hal_can_controller_client)
-hal_attribute_hwservice(hal_can_controller, hal_can_controller_hwservice)
+add_hwservice(hal_can_controller_server, hal_can_controller_hwservice)
+allow hal_can_controller_client hal_can_controller_hwservice:hwservice_manager find;
# CAN bus
binder_call(hal_can_bus_client, hal_can_bus_server)
-binder_call(hal_can_bus_server, hal_can_bus_client)
-hal_attribute_hwservice(hal_can_bus, hal_can_bus_hwservice)
+add_hwservice(hal_can_bus_server, hal_can_bus_hwservice)
+allow hal_can_bus_client hal_can_bus_hwservice:hwservice_manager find;
diff --git a/public/hal_cas.te b/public/hal_cas.te
index e699a6b..7de6a13 100644
--- a/public/hal_cas.te
+++ b/public/hal_cas.te
@@ -16,10 +16,6 @@
allow hal_cas cgroup:dir { search write };
allow hal_cas cgroup:file w_file_perms;
-r_dir_file(hal_cas, cgroup_v2)
-allow hal_cas cgroup_v2:dir { search write };
-allow hal_cas cgroup_v2:file w_file_perms;
-
# Allow access to ion memory allocation device
allow hal_cas ion_device:chr_file rw_file_perms;
allow hal_cas hal_graphics_allocator:fd use;
diff --git a/public/hal_codec2.te b/public/hal_codec2.te
index a379bb3..8c7816a 100644
--- a/public/hal_codec2.te
+++ b/public/hal_codec2.te
@@ -1,7 +1,5 @@
get_prop(hal_codec2_client, media_variant_prop)
get_prop(hal_codec2_server, media_variant_prop)
-get_prop(hal_codec2_client, codec2_config_prop)
-get_prop(hal_codec2_server, codec2_config_prop)
binder_call(hal_codec2_client, hal_codec2_server)
binder_call(hal_codec2_server, hal_codec2_client)
diff --git a/public/hal_drm.te b/public/hal_drm.te
index bb1bd91..5987491 100644
--- a/public/hal_drm.te
+++ b/public/hal_drm.te
@@ -20,10 +20,6 @@
allow hal_drm cgroup:dir { search write };
allow hal_drm cgroup:file w_file_perms;
-r_dir_file(hal_drm, cgroup_v2)
-allow hal_drm cgroup_v2:dir { search write };
-allow hal_drm cgroup_v2:file w_file_perms;
-
# Allow access to ion memory allocation device
allow hal_drm ion_device:chr_file rw_file_perms;
allow hal_drm hal_graphics_allocator:fd use;
diff --git a/public/hal_dumpstate.te b/public/hal_dumpstate.te
index 9f854e3..b7676ed 100644
--- a/public/hal_dumpstate.te
+++ b/public/hal_dumpstate.te
@@ -2,8 +2,6 @@
binder_call(hal_dumpstate_client, hal_dumpstate_server)
binder_call(hal_dumpstate_server, hal_dumpstate_client)
-set_prop(hal_dumpstate_server, hal_dumpstate_config_prop)
-
hal_attribute_hwservice(hal_dumpstate, hal_dumpstate_hwservice)
# write bug reports in /data/data/com.android.shell/files/bugreports/bugreport
diff --git a/public/hal_face.te b/public/hal_face.te
index 0134576..b250586 100644
--- a/public/hal_face.te
+++ b/public/hal_face.te
@@ -3,9 +3,6 @@
binder_call(hal_face_server, hal_face_client)
hal_attribute_hwservice(hal_face, hal_face_hwservice)
-hal_attribute_service(hal_face, hal_face_service)
-
-binder_call(hal_face_server, servicemanager)
# Allow access to the ion memory allocation device.
allow hal_face ion_device:chr_file r_file_perms;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 444cfda..b673e29 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -3,9 +3,6 @@
binder_call(hal_fingerprint_server, hal_fingerprint_client)
hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)
-hal_attribute_service(hal_fingerprint, hal_fingerprint_service)
-
-binder_call(hal_fingerprint_server, servicemanager)
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
@@ -14,7 +11,6 @@
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
r_dir_file(hal_fingerprint, cgroup)
-r_dir_file(hal_fingerprint, cgroup_v2)
r_dir_file(hal_fingerprint, sysfs)
diff --git a/public/hal_gnss.te b/public/hal_gnss.te
index 832bc8d..9bfc4ec 100644
--- a/public/hal_gnss.te
+++ b/public/hal_gnss.te
@@ -3,7 +3,3 @@
binder_call(hal_gnss_server, hal_gnss_client)
hal_attribute_hwservice(hal_gnss, hal_gnss_hwservice)
-hal_attribute_service(hal_gnss, hal_gnss_service)
-binder_call(hal_gnss_server, servicemanager)
-binder_call(hal_gnss_client, servicemanager)
-
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 3ec6b96..991e147 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,7 +8,6 @@
# GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
-allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 1c69c99..cb4a130 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,7 +16,6 @@
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
-allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
diff --git a/public/hal_health_storage.te b/public/hal_health_storage.te
index 4938a16..61e609b 100644
--- a/public/hal_health_storage.te
+++ b/public/hal_health_storage.te
@@ -2,10 +2,4 @@
binder_call(hal_health_storage_client, hal_health_storage_server)
binder_call(hal_health_storage_server, hal_health_storage_client)
-binder_use(hal_health_storage_server)
-
hal_attribute_hwservice(hal_health_storage, hal_health_storage_hwservice)
-hal_attribute_service(hal_health_storage, hal_health_storage_service)
-
-# Allow ReadDefaultFstab().
-read_fstab(hal_health_storage_server)
diff --git a/public/hal_identity.te b/public/hal_identity.te
index 8d558ad..3a95743 100644
--- a/public/hal_identity.te
+++ b/public/hal_identity.te
@@ -1,6 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_identity_client, hal_identity_server)
-hal_attribute_service(hal_identity, hal_identity_service)
-
+add_service(hal_identity_server, hal_identity_service)
binder_call(hal_identity_server, servicemanager)
+
+allow hal_identity_client hal_identity_service:service_manager find;
diff --git a/public/hal_keymint.te b/public/hal_keymint.te
deleted file mode 100644
index 9c65e22..0000000
--- a/public/hal_keymint.te
+++ /dev/null
@@ -1,8 +0,0 @@
-binder_call(hal_keymint_client, hal_keymint_server)
-
-hal_attribute_service(hal_keymint, hal_keymint_service)
-hal_attribute_service(hal_keymint, hal_remotelyprovisionedcomponent_service)
-binder_call(hal_keymint_server, servicemanager)
-
-allow hal_keymint tee_device:chr_file rw_file_perms;
-allow hal_keymint ion_device:chr_file r_file_perms;
diff --git a/public/hal_light.te b/public/hal_light.te
index 40829b6..7054d7b 100644
--- a/public/hal_light.te
+++ b/public/hal_light.te
@@ -3,11 +3,15 @@
binder_call(hal_light_server, hal_light_client)
hal_attribute_hwservice(hal_light, hal_light_hwservice)
-hal_attribute_service(hal_light, hal_light_service)
-binder_call(hal_light_server, servicemanager)
+# client finds and uses server via service_manager
+allow hal_light_client hal_light_service:service_manager find;
binder_use(hal_light_client)
+# server adds itself via service_manager
+add_service(hal_light_server, hal_light_service)
+binder_call(hal_light_server, servicemanager)
+
allow hal_light_server dumpstate:fifo_file write;
allow hal_light sysfs_leds:lnk_file read;
diff --git a/public/hal_memtrack.te b/public/hal_memtrack.te
index 30a4480..ed93a29 100644
--- a/public/hal_memtrack.te
+++ b/public/hal_memtrack.te
@@ -2,6 +2,3 @@
binder_call(hal_memtrack_client, hal_memtrack_server)
hal_attribute_hwservice(hal_memtrack, hal_memtrack_hwservice)
-
-hal_attribute_service(hal_memtrack, hal_memtrack_service)
-binder_call(hal_memtrack_server, servicemanager)
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 7497dec..228d990 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -21,9 +21,6 @@
# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };
-# Allow NN HAL service to read a client-provided fd residing in /data/app/.
-allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
-
# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
@@ -31,11 +28,3 @@
# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
-
-# Define sepolicy for NN AIDL HAL service
-hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
-binder_call(hal_neuralnetworks_server, servicemanager)
-
-binder_use(hal_neuralnetworks_server)
-
-allow hal_neuralnetworks_server dumpstate:fifo_file write;
diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
index 105689b..4117878 100644
--- a/public/hal_neverallows.te
+++ b/public/hal_neverallows.te
@@ -8,7 +8,6 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} self:global_capability_class_set { net_admin net_raw };
# Unless a HAL's job is to communicate over the network, or control network
@@ -26,17 +25,8 @@
-hal_wifi_hostapd_server
-hal_wifi_supplicant_server
-hal_telephony_server
- -hal_uwb_server
} domain:{ tcp_socket udp_socket rawip_socket } *;
-# The UWB HAL is not actually a networking HAL but may need to bring up and down
-# interfaces. Restrict it to only these networking operations.
-neverallow hal_uwb_server self:global_capability_class_set { net_raw };
-
-# Subset of socket_class_set likely to be usable for communication or accessible through net_admin.
-# udp_socket is required to use interface ioctls.
-neverallow hal_uwb_server domain:{ socket tcp_socket rawip_socket netlink_socket packet_socket key_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket qipcrtr_socket xdp_socket } *;
-
###
# HALs are defined as an attribute and so a given domain could hypothetically
# have multiple HALs in it (or even all of them) with the subsequent policy of
diff --git a/public/hal_oemlock.te b/public/hal_oemlock.te
index 9f38fa5..26b2b42 100644
--- a/public/hal_oemlock.te
+++ b/public/hal_oemlock.te
@@ -2,6 +2,3 @@
binder_call(hal_oemlock_client, hal_oemlock_server)
hal_attribute_hwservice(hal_oemlock, hal_oemlock_hwservice)
-hal_attribute_service(hal_oemlock, hal_oemlock_service)
-
-binder_call(hal_oemlock_server, servicemanager)
diff --git a/public/hal_power.te b/public/hal_power.te
index aae32a0..c94771b 100644
--- a/public/hal_power.te
+++ b/public/hal_power.te
@@ -3,7 +3,8 @@
binder_call(hal_power_server, hal_power_client)
hal_attribute_hwservice(hal_power, hal_power_hwservice)
-hal_attribute_service(hal_power, hal_power_service)
+add_service(hal_power_server, hal_power_service)
binder_call(hal_power_server, servicemanager)
binder_call(hal_power_client, servicemanager)
+allow hal_power_client hal_power_service:service_manager find;
diff --git a/public/hal_power_stats.te b/public/hal_power_stats.te
index 4076eff..2c04008 100644
--- a/public/hal_power_stats.te
+++ b/public/hal_power_stats.te
@@ -3,7 +3,3 @@
binder_call(hal_power_stats_server, hal_power_stats_client)
hal_attribute_hwservice(hal_power_stats, hal_power_stats_hwservice)
-hal_attribute_service(hal_power_stats, hal_power_stats_service)
-
-binder_call(hal_power_stats_server, servicemanager)
-binder_call(hal_power_stats_client, servicemanager)
diff --git a/public/hal_rebootescrow.te b/public/hal_rebootescrow.te
index d16333b..4352630 100644
--- a/public/hal_rebootescrow.te
+++ b/public/hal_rebootescrow.te
@@ -1,6 +1,7 @@
# HwBinder IPC from client to server
binder_call(hal_rebootescrow_client, hal_rebootescrow_server)
-hal_attribute_service(hal_rebootescrow, hal_rebootescrow_service)
-
+add_service(hal_rebootescrow_server, hal_rebootescrow_service)
binder_use(hal_rebootescrow_server)
+
+allow hal_rebootescrow_client hal_rebootescrow_service:service_manager find;
diff --git a/public/hal_telephony.te b/public/hal_telephony.te
index f0cf075..3e4b65d 100644
--- a/public/hal_telephony.te
+++ b/public/hal_telephony.te
@@ -11,8 +11,6 @@
allow hal_telephony_server self:global_capability_class_set { setpcap setgid setuid net_admin net_raw };
allow hal_telephony_server cgroup:dir create_dir_perms;
allow hal_telephony_server cgroup:{ file lnk_file } r_file_perms;
-allow hal_telephony_server cgroup_v2:dir create_dir_perms;
-allow hal_telephony_server cgroup_v2:{ file lnk_file } r_file_perms;
allow hal_telephony_server radio_device:chr_file rw_file_perms;
allow hal_telephony_server radio_device:blk_file r_file_perms;
allow hal_telephony_server efs_file:dir create_dir_perms;
@@ -22,10 +20,10 @@
allow hal_telephony_server bluetooth_efs_file:dir r_dir_perms;
# property service
-get_prop(hal_telephony_server, telephony_config_prop)
-set_prop(hal_telephony_server, radio_control_prop)
set_prop(hal_telephony_server, radio_prop)
-set_prop(hal_telephony_server, telephony_status_prop)
+set_prop(hal_telephony_server, exported_radio_prop)
+set_prop(hal_telephony_server, exported2_radio_prop)
+set_prop(hal_telephony_server, exported3_radio_prop)
allow hal_telephony_server tty_device:chr_file rw_file_perms;
diff --git a/public/hal_vibrator.te b/public/hal_vibrator.te
index c902495..a34621d 100644
--- a/public/hal_vibrator.te
+++ b/public/hal_vibrator.te
@@ -3,10 +3,12 @@
binder_call(hal_vibrator_server, hal_vibrator_client);
hal_attribute_hwservice(hal_vibrator, hal_vibrator_hwservice)
-hal_attribute_service(hal_vibrator, hal_vibrator_service)
+add_service(hal_vibrator_server, hal_vibrator_service)
binder_call(hal_vibrator_server, servicemanager)
+allow hal_vibrator_client hal_vibrator_service:service_manager find;
+
allow hal_vibrator_server dumpstate:fifo_file write;
# vibrator sysfs rw access
diff --git a/public/hal_weaver.te b/public/hal_weaver.te
index 2b34989..36d1306 100644
--- a/public/hal_weaver.te
+++ b/public/hal_weaver.te
@@ -2,6 +2,3 @@
binder_call(hal_weaver_client, hal_weaver_server)
hal_attribute_hwservice(hal_weaver, hal_weaver_hwservice)
-hal_attribute_service(hal_weaver, hal_weaver_service)
-
-binder_call(hal_weaver_server, servicemanager)
diff --git a/public/hal_wifi.te b/public/hal_wifi.te
index 2e4fa78..ecc1359 100644
--- a/public/hal_wifi.te
+++ b/public/hal_wifi.te
@@ -7,9 +7,8 @@
r_dir_file(hal_wifi, proc_net_type)
r_dir_file(hal_wifi, sysfs_type)
-set_prop(hal_wifi_server, wifi_hal_prop)
+set_prop(hal_wifi, exported_wifi_prop)
set_prop(hal_wifi, wifi_prop)
-userdebug_or_eng(`get_prop(hal_wifi, persist_vendor_debug_wifi_prop)')
# allow hal wifi set interfaces up and down and get the factory MAC
allow hal_wifi self:udp_socket create_socket_perms;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 7361af1..6004c33 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -4,7 +4,7 @@
hal_attribute_hwservice(hal_wifi_supplicant, hal_wifi_supplicant_hwservice)
-# in addition to ioctls allowlisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant hal_wifi_supplicant priv_sock_ioctls.
allowxperm hal_wifi_supplicant self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(hal_wifi_supplicant, sysfs_type)
@@ -13,22 +13,12 @@
allow hal_wifi_supplicant kernel:system module_request;
allow hal_wifi_supplicant self:global_capability_class_set { setuid net_admin setgid net_raw };
allow hal_wifi_supplicant cgroup:dir create_dir_perms;
-allow hal_wifi_supplicant cgroup_v2:dir create_dir_perms;
allow hal_wifi_supplicant self:netlink_route_socket nlmsg_write;
allow hal_wifi_supplicant self:netlink_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:netlink_generic_socket create_socket_perms_no_ioctl;
allow hal_wifi_supplicant self:packet_socket create_socket_perms;
allowxperm hal_wifi_supplicant self:packet_socket ioctl { unpriv_sock_ioctls priv_sock_ioctls unpriv_tty_ioctls };
-use_keystore(hal_wifi_supplicant)
-binder_use(hal_wifi_supplicant_server)
-
-# Allow the WI-FI HAL to use keys in the keystore namespace wifi_key.
-allow hal_wifi_supplicant wifi_key:keystore2_key {
- get_info
- use
-};
-
###
### neverallow rules
###
diff --git a/public/healthd.te b/public/healthd.te
index 05acb84..7ea23e1 100644
--- a/public/healthd.te
+++ b/public/healthd.te
@@ -11,7 +11,6 @@
allow healthd sysfs:dir r_dir_perms;
r_dir_file(healthd, rootfs)
r_dir_file(healthd, cgroup)
-r_dir_file(healthd, cgroup_v2)
allow healthd self:global_capability_class_set { sys_tty_config };
allow healthd self:global_capability_class_set sys_boot;
@@ -48,3 +47,10 @@
allow healthd tty_device:chr_file rw_file_perms;
allow healthd ashmem_device:chr_file execute;
allow healthd proc_sysrq:file rw_file_perms;
+
+# Healthd needs to tell init to continue the boot
+# process when running in charger mode.
+set_prop(healthd, system_prop)
+set_prop(healthd, exported_system_prop)
+set_prop(healthd, exported2_system_prop)
+set_prop(healthd, exported3_system_prop)
diff --git a/public/hwservice.te b/public/hwservice.te
index 11b77f0..6f223dd 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -58,6 +58,7 @@
type system_net_netd_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_suspend_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
type system_wifi_keystore_hwservice, hwservice_manager_type, coredomain_hwservice, protected_hwservice;
+type thermalcallback_hwservice, hwservice_manager_type, protected_hwservice;
# Following is the hwservices that are explicitly not marked with protected_hwservice.
# These are directly accessible from untrusted apps.
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index 7ec1872..7f03815 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -10,6 +10,8 @@
# to do this is granted in the hwbinder_use macro.
allow hwservicemanager self:binder set_context_mgr;
+set_prop(hwservicemanager, hwservicemanager_prop)
+
# Scan through /system/lib64/hw looking for installed HALs
allow hwservicemanager system_file:dir r_dir_perms;
diff --git a/public/init.te b/public/init.te
index ea5a979..403b4c5 100644
--- a/public/init.te
+++ b/public/init.te
@@ -16,12 +16,6 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
-
-# allow init to mount and unmount debugfs in debug builds
-userdebug_or_eng(`
- allow init debugfs:dir mounton;
-')
-
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
@@ -33,7 +27,7 @@
allow init device:file relabelfrom;
allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
+allow init { device socket_device }:dir relabelto;
# allow init to establish connection and communicate with lmkd
unix_socket_connect(init, lmkd, lmkd)
# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
@@ -43,7 +37,6 @@
allow init tmpfs:blk_file getattr;
allow init block_device:{ dir blk_file lnk_file } relabelto;
allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
allow init kernel:fd use;
# restorecon for early mount device symlinks
allow init tmpfs:lnk_file { getattr read relabelfrom };
@@ -103,6 +96,7 @@
postinstall_mnt_dir
mirror_data_file
}:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
# Mount bpf fs on sys/fs/bpf
allow init fs_bpf:dir mounton;
@@ -129,10 +123,7 @@
allow init cgroup:file rw_file_perms;
allow init cgroup_rc_file:file rw_file_perms;
allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
allow init vendor_cgroup_desc_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
# /config
allow init configfs:dir mounton;
@@ -162,19 +153,7 @@
# which should all be assigned the contextmount_type attribute.
# This can be done in device-specific policy via type or typeattribute
# declarations.
-allow init {
- fs_type
- enforce_debugfs_restriction(`-debugfs_type')
-}:filesystem ~relabelto;
-
-# Allow init to mount/unmount debugfs in non-user builds.
-enforce_debugfs_restriction(`
- userdebug_or_eng(`allow init debugfs_type:filesystem { mount unmount };')
-')
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
+allow init fs_type:filesystem ~relabelto;
allow init unlabeled:filesystem ~relabelto;
allow init contextmount_type:filesystem relabelto;
@@ -224,7 +203,6 @@
allow init {
file_type
- -apex_info_file
-app_data_file
-exec_type
-gsi_data_file
@@ -240,11 +218,8 @@
-system_file_type
-vendor_file_type
-vold_data_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
allow init {
file_type
-app_data_file
@@ -293,8 +268,8 @@
-privapp_data_file
}:dir_file_class_set relabelto;
-allow init { sysfs no_debugfs_restriction(`debugfs') debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type no_debugfs_restriction(`debugfs_type') tracefs_type }:{ dir file lnk_file } { relabelto getattr };
+allow init { sysfs debugfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
+allow init { sysfs_type debugfs_type }:{ dir file lnk_file } { relabelto getattr };
allow init dev_type:dir create_dir_perms;
allow init dev_type:lnk_file create;
@@ -315,7 +290,6 @@
-sdcard_type
-sysfs_type
-rootfs
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
@@ -325,6 +299,7 @@
devpts
dm_device
hwbinder_device
+ hw_random_device
input_device
kmsg_device
null_device
@@ -336,6 +311,13 @@
zero_device
}:chr_file { read open };
+# chown/chmod on devices.
+allow init {
+ dev_type
+ -keychord_device
+ -port_device
+}:chr_file setattr;
+
# Unlabeled file access for upgrades from 4.2.
allow init unlabeled:dir { create_dir_perms relabelfrom };
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
@@ -358,7 +340,6 @@
allow init {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
proc_cmdline
proc_diskstats
proc_kmsg # Open /proc/kmsg for logd service.
@@ -392,10 +373,8 @@
# init chmod/chown access to /proc files.
allow init {
proc_cmdline
- proc_bootconfig
proc_kmsg
proc_net
- proc_pagetypeinfo
proc_qtaguid_stat
proc_slabinfo
proc_sysrq
@@ -431,7 +410,6 @@
LOOP_CTL_GET_FREE
LOOP_SET_BLOCK_SIZE
LOOP_SET_DIRECT_IO
- LOOP_GET_STATUS
};
# Allow init to write to vibrator/trigger
@@ -543,6 +521,10 @@
# system/core/fs_mgr/fs_mgr.c - fs_mgr_swapon_all
allow init swap_block_device:blk_file rw_file_perms;
+# Read from /dev/hw_random if present.
+# system/core/init/init.c - mix_hwrng_into_linux_rng_action
+allow init hw_random_device:chr_file r_file_perms;
+
# Create and access /dev files without a specific type,
# e.g. /dev/.coldboot_done, /dev/.booting
# TODO: Move these files into their own type unless they are
@@ -557,9 +539,6 @@
allow init dm_device:chr_file rw_file_perms;
allow init dm_device:blk_file rw_file_perms;
-# Access dm-user for OTA boot
-allow init dm_user_device:chr_file rw_file_perms;
-
# Access metadata block device for storing dm-verity state
allow init metadata_block_device:blk_file rw_file_perms;
@@ -598,7 +577,6 @@
allow init vold_metadata_file:file getattr;
allow init metadata_bootstat_file:dir create_dir_perms;
allow init metadata_bootstat_file:file w_file_perms;
-allow init userspace_reboot_metadata_file:file w_file_perms;
# Allow init to touch PSI monitors
allow init proc_pressure_mem:file { rw_file_perms setattr };
@@ -610,9 +588,6 @@
# stat the root dir of fuse filesystems (for the mount handler)
allow init fuse:dir { search getattr };
-# allow filesystem tuning
-allow init userdata_sysdev:file create_file_perms;
-
###
### neverallow rules
###
diff --git a/public/inputflinger.te b/public/inputflinger.te
index b62c06d..c3f4da8 100644
--- a/public/inputflinger.te
+++ b/public/inputflinger.te
@@ -13,4 +13,3 @@
allow inputflinger input_device:chr_file rw_file_perms;
r_dir_file(inputflinger, cgroup)
-r_dir_file(inputflinger, cgroup_v2)
diff --git a/public/installd.te b/public/installd.te
index 08060e3..c8cc89d 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -26,7 +26,6 @@
allow installd oemfs:dir r_dir_perms;
allow installd oemfs:file r_file_perms;
allow installd cgroup:dir create_dir_perms;
-allow installd cgroup_v2:dir create_dir_perms;
allow installd mnt_expand_file:dir { search getattr };
# Check validity of SELinux context before use.
selinux_check_context(installd)
@@ -112,18 +111,37 @@
# upon creation via setfilecon or running restorecon_recursive,
# setting owner/mode, creating symlinks within them, and deleting them
# upon package uninstall.
-allow installd app_data_file_type:dir { create_dir_perms relabelfrom relabelto };
-allow installd app_data_file_type:notdevfile_class_set { create_file_perms relabelfrom relabelto };
-# Similar for the files under /data/misc/profiles/
-allow installd user_profile_root_file:dir { create_dir_perms relabelfrom };
-allow installd user_profile_data_file:dir { create_dir_perms relabelto };
-allow installd user_profile_data_file:file create_file_perms;
-allow installd user_profile_data_file:file unlink;
+# Types extracted from seapp_contexts type= fields.
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:dir { create_dir_perms relabelfrom relabelto };
+
+allow installd {
+ system_app_data_file
+ bluetooth_data_file
+ nfc_data_file
+ radio_data_file
+ shell_data_file
+ app_data_file
+ privapp_data_file
+}:notdevfile_class_set { create_file_perms relabelfrom relabelto };
# Allow zygote to unmount mirror directories
allow installd labeledfs:filesystem unmount;
+# Similar for the files under /data/misc/profiles/
+allow installd user_profile_data_file:dir create_dir_perms;
+allow installd user_profile_data_file:file create_file_perms;
+allow installd user_profile_data_file:dir rmdir;
+allow installd user_profile_data_file:file unlink;
+
# Files created/updated by profman dumps.
allow installd profman_dump_data_file:dir { search add_name write };
allow installd profman_dump_data_file:file { create setattr open write };
@@ -157,13 +175,6 @@
# Allow installd to read /proc/filesystems
allow installd proc_filesystems:file r_file_perms;
-#add for move app to sd card
-get_prop(installd, storage_config_prop)
-
-# Allow installd to access apps installed on the Incremental File System
-# Accessing files on the Incremental File System uses fds opened in the context of vold.
-allow installd vold:fd use;
-
###
### Neverallow rules
###
diff --git a/public/ioctl_defines b/public/ioctl_defines
index 5ac4d94..4cc3bba 100644
--- a/public/ioctl_defines
+++ b/public/ioctl_defines
@@ -132,13 +132,7 @@
define(`BC_REPLY', `0x40406301')
define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
define(`BC_TRANSACTION', `0x40406300')
-define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
-define(`BINDER_FREEZE', `0x400c620e')
-define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
-define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
-define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
define(`BINDER_SET_MAX_THREADS', `0x40046205')
@@ -192,7 +186,6 @@
define(`BR_INCREFS', `0x80107207')
define(`BR_NOOP', `0x0000720c')
define(`BR_OK', `0x00007201')
-define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
define(`BR_RELEASE', `0x80107209')
define(`BR_REPLY', `0x80407203')
define(`BR_SPAWN_LOOPER', `0x0000720d')
@@ -698,30 +691,21 @@
define(`EVIOCSKEYCODE', `0x40084504')
define(`EVIOCSKEYCODE_V2', `0x40284504')
define(`EVIOCSREP', `0x40084503')
-define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
-define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
-define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
-define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
-define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
-define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
+define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
define(`F2FS_IOC_DEFRAGMENT', `0xf508')
-define(`F2FS_IOC_MOVE_RANGE', `0xf509')
define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
+define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
define(`F2FS_IOC_GET_FEATURES', `0xf50c')
-define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
+define(`F2FS_IOC_MOVE_RANGE', `0xf509')
define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
-define(`F2FS_IOC_RESIZE_FS', `0xf510')
-define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
-define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
-define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
-define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
-define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
-define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
-define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
-define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
+define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
+define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
+define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
+define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
+define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
@@ -1075,12 +1059,6 @@
define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
-define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
-define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
-define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
-define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
-define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
@@ -1392,7 +1370,6 @@
define(`LOGGER_SET_VERSION', `0x0000ae06')
define(`LOOP_CHANGE_FD', `0x00004c06')
define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
define(`LOOP_CTL_ADD', `0x00004c80')
define(`LOOP_CTL_GET_FREE', `0x00004c82')
define(`LOOP_CTL_REMOVE', `0x00004c81')
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 47a5157..5cbfae5 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -49,8 +49,8 @@
# commonly used TTY ioctls
# merge with unpriv_unix_sock_ioctls?
define(`unpriv_tty_ioctls', `{
- TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TCSETSW TCSETSF TIOCGWINSZ TIOCSWINSZ
- TIOCSCTTY TCFLSH TIOCSPGRP TIOCGPGRP
+ TIOCOUTQ FIOCLEX FIONCLEX TCGETS TCSETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY
+ TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP
}')
# point to point ioctls
@@ -66,11 +66,3 @@
PPPIOCBUNDLE PPPIOCGMPFLAGS PPPIOCSMPFLAGS PPPIOCSMPMTU
PPPIOCSMPMRU PPPIOCGCOMPRESSORS PPPIOCSCOMPRESSOR PPPIOCGIFNAME
}')
-
-# unprivileged binder ioctls
-define(`unpriv_binder_ioctls', `{
-BINDER_WRITE_READ BINDER_SET_IDLE_TIMEOUT BINDER_SET_MAX_THREADS
-BINDER_SET_IDLE_PRIORITY BINDER_SET_CONTEXT_MGR BINDER_THREAD_EXIT
-BINDER_VERSION BINDER_GET_NODE_DEBUG_INFO BINDER_GET_NODE_INFO_FOR_REF
-BINDER_SET_CONTEXT_MGR_EXT BINDER_ENABLE_ONEWAY_SPAM_DETECTION
-}')
diff --git a/public/iorap_inode2filename.te b/public/iorap_inode2filename.te
index 6f119ee..4041ddd 100644
--- a/public/iorap_inode2filename.te
+++ b/public/iorap_inode2filename.te
@@ -21,18 +21,24 @@
allow iorap_inode2filename apex_mnt_dir:file { getattr };
allow iorap_inode2filename apk_data_file:dir { getattr open read search };
allow iorap_inode2filename apk_data_file:file { getattr };
-allow iorap_inode2filename app_data_file_type:dir { getattr open read search };
-allow iorap_inode2filename app_data_file_type:file { getattr };
+allow iorap_inode2filename app_data_file:dir { getattr open read search };
+allow iorap_inode2filename app_data_file:file { getattr };
allow iorap_inode2filename backup_data_file:dir { getattr open read search };
allow iorap_inode2filename backup_data_file:file { getattr };
+allow iorap_inode2filename bluetooth_data_file:dir { getattr open read search };
+allow iorap_inode2filename bluetooth_data_file:file { getattr };
allow iorap_inode2filename bootchart_data_file:dir { getattr open read search };
allow iorap_inode2filename bootchart_data_file:file { getattr };
allow iorap_inode2filename metadata_file:dir { getattr open read search search };
allow iorap_inode2filename metadata_file:file { getattr };
allow iorap_inode2filename packages_list_file:dir { getattr open read search };
allow iorap_inode2filename packages_list_file:file { getattr };
+allow iorap_inode2filename privapp_data_file:dir { getattr open read search };
+allow iorap_inode2filename privapp_data_file:file { getattr };
allow iorap_inode2filename property_data_file:dir { getattr open read search };
allow iorap_inode2filename property_data_file:file { getattr };
+allow iorap_inode2filename radio_data_file:dir { getattr open read search };
+allow iorap_inode2filename radio_data_file:file { getattr };
allow iorap_inode2filename resourcecache_data_file:dir { getattr open read search };
allow iorap_inode2filename resourcecache_data_file:file { getattr };
allow iorap_inode2filename recovery_data_file:dir { getattr open read search };
@@ -45,6 +51,8 @@
allow iorap_inode2filename staging_data_file:file { getattr };
allow iorap_inode2filename system_bootstrap_lib_file:dir { getattr open read search };
allow iorap_inode2filename system_bootstrap_lib_file:file { getattr };
+allow iorap_inode2filename system_app_data_file:dir { getattr open read search };
+allow iorap_inode2filename system_app_data_file:file { getattr };
allow iorap_inode2filename system_data_file:dir { getattr open read search };
allow iorap_inode2filename system_data_file:file { getattr };
allow iorap_inode2filename system_data_file:lnk_file { getattr open read };
@@ -52,7 +60,6 @@
allow iorap_inode2filename textclassifier_data_file:dir { getattr open read search };
allow iorap_inode2filename textclassifier_data_file:file { getattr };
allow iorap_inode2filename toolbox_exec:file getattr;
-allow iorap_inode2filename user_profile_root_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:dir { getattr open read search };
allow iorap_inode2filename user_profile_data_file:file { getattr };
allow iorap_inode2filename unencrypted_data_file:dir { getattr open read search };
diff --git a/public/iorap_prefetcherd.te b/public/iorap_prefetcherd.te
index 4b218fb..ad9db14 100644
--- a/public/iorap_prefetcherd.te
+++ b/public/iorap_prefetcherd.te
@@ -39,7 +39,6 @@
allow iorap_prefetcherd system_data_file:dir { open read search };
allow iorap_prefetcherd system_data_file:file { open read };
allow iorap_prefetcherd system_data_file:lnk_file { open read };
-allow iorap_prefetcherd user_profile_root_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:dir { open read search };
allow iorap_prefetcherd user_profile_data_file:file { open read };
allow iorap_prefetcherd vendor_overlay_file:dir { open read search };
diff --git a/public/kernel.te b/public/kernel.te
index 9aa40cc..35018e9 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -5,12 +5,7 @@
# Root fs.
r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
- proc_bootconfig
- proc_cmdline
-}:file r_file_perms;
+allow kernel proc_cmdline:file r_file_perms;
# Get SELinux enforcing status.
allow kernel selinuxfs:dir r_dir_perms;
diff --git a/public/keystore.te b/public/keystore.te
index b7d5090..27c4624 100644
--- a/public/keystore.te
+++ b/public/keystore.te
@@ -1,4 +1,4 @@
-type keystore, domain, keystore2_key_type;
+type keystore, domain;
type keystore_exec, system_file_type, exec_type, file_type;
# keystore daemon
@@ -13,21 +13,13 @@
allow keystore keystore_exec:file { getattr };
add_service(keystore, keystore_service)
-add_service(keystore, remoteprovisioning_service)
allow keystore sec_key_att_app_id_provider_service:service_manager find;
allow keystore dropbox_service:service_manager find;
-add_service(keystore, apc_service)
-add_service(keystore, keystore_compat_hal_service)
-add_service(keystore, authorization_service)
-add_service(keystore, keystore_maintenance_service)
-add_service(keystore, keystore_metrics_service)
-add_service(keystore, legacykeystore_service)
# Check SELinux permissions.
selinux_check_access(keystore)
r_dir_file(keystore, cgroup)
-r_dir_file(keystore, cgroup_v2)
###
### Neverallow rules
@@ -41,5 +33,4 @@
neverallow { domain -keystore -init } keystore_data_file:dir *;
neverallow { domain -keystore -init } keystore_data_file:notdevfile_class_set *;
-# TODO(b/186868271): Remove the crash dump exception soon-ish (maybe by May 14, 2021?)
-neverallow { domain userdebug_or_eng(`-crash_dump') } keystore:process ptrace;
+neverallow * keystore:process ptrace;
diff --git a/public/keystore_keys.te b/public/keystore_keys.te
deleted file mode 100644
index 3c35984..0000000
--- a/public/keystore_keys.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# A keystore2 namespace for WI-FI.
-type wifi_key, keystore2_key_type;
diff --git a/public/lmkd.te b/public/lmkd.te
index de6052d..67e93e1 100644
--- a/public/lmkd.te
+++ b/public/lmkd.te
@@ -26,11 +26,9 @@
# Clean up old cgroups
allow lmkd cgroup:dir { remove_name rmdir };
-allow lmkd cgroup_v2:dir { remove_name rmdir };
# Allow to read memcg stats
allow lmkd cgroup:file r_file_perms;
-allow lmkd cgroup_v2:file r_file_perms;
# Set self to SCHED_FIFO
allow lmkd self:global_capability_class_set sys_nice;
@@ -38,6 +36,9 @@
allow lmkd proc_zoneinfo:file r_file_perms;
allow lmkd proc_vmstat:file r_file_perms;
+# Set sys.lmk.* properties.
+set_prop(lmkd, system_lmk_prop)
+
# live lock watchdog process allowed to look through /proc/
allow lmkd domain:dir { search open read };
allow lmkd domain:file { open read };
diff --git a/public/logd.te b/public/logd.te
index 8187179..57e29d9 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -4,7 +4,6 @@
# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)
@@ -24,6 +23,9 @@
')
allow logd runtime_event_log_tags_file:file rw_file_perms;
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
r_dir_file(logd, domain)
allow logd kernel:system syslog_mod;
@@ -39,9 +41,6 @@
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { map open read };
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
###
### Neverallow rules
###
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index 06f7928..859ec9c 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -20,7 +20,6 @@
hal_client_domain(mediaextractor, hal_allocator)
r_dir_file(mediaextractor, cgroup)
-r_dir_file(mediaextractor, cgroup_v2)
allow mediaextractor proc_meminfo:file r_file_perms;
crash_dump_fallback(mediaextractor)
@@ -41,6 +40,8 @@
# scan extractor library directory to dynamically load extractors
allow mediaextractor system_file:dir { read open };
+get_prop(mediaextractor, device_config_media_native_prop)
+
###
### neverallow rules
###
diff --git a/public/mediametrics.te b/public/mediametrics.te
index 468c0d0..0e56b07 100644
--- a/public/mediametrics.te
+++ b/public/mediametrics.te
@@ -12,7 +12,6 @@
allow mediametrics system_server:fd use;
r_dir_file(mediametrics, cgroup)
-r_dir_file(mediametrics, cgroup_v2)
allow mediametrics proc_meminfo:file r_file_perms;
# allows interactions with dumpsys to GMScore
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ad460e1..52d3581 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -9,7 +9,6 @@
r_dir_file(mediaserver, sdcard_type)
r_dir_file(mediaserver, cgroup)
-r_dir_file(mediaserver, cgroup_v2)
# stat /proc/self
allow mediaserver proc:lnk_file getattr;
@@ -35,6 +34,8 @@
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
+set_prop(mediaserver, audio_prop)
+
# Read resources from open apk files passed over Binder.
allow mediaserver apk_data_file:file { read getattr };
allow mediaserver asec_apk_file:file { read getattr };
@@ -76,7 +77,6 @@
allow mediaserver mediametrics_service:service_manager find;
allow mediaserver media_session_service:service_manager find;
allow mediaserver permission_service:service_manager find;
-allow mediaserver permission_checker_service:service_manager find;
allow mediaserver power_service:service_manager find;
allow mediaserver processinfo_service:service_manager find;
allow mediaserver scheduling_policy_service:service_manager find;
@@ -121,8 +121,6 @@
allow mediaserver preloads_media_file:file { getattr read ioctl };
allow mediaserver ion_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaserver dmabuf_system_secure_heap_device:chr_file r_file_perms;
allow mediaserver hal_graphics_allocator:fd use;
allow mediaserver hal_graphics_composer:fd use;
allow mediaserver hal_camera:fd use;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 5726842..2acdeea 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -11,6 +11,8 @@
hal_client_domain(mediaswcodec, hal_allocator)
hal_client_domain(mediaswcodec, hal_graphics_allocator)
+get_prop(mediaswcodec, device_config_media_native_prop)
+
crash_dump_fallback(mediaswcodec)
# mediaswcodec_server should never execute any executable without a
@@ -23,5 +25,3 @@
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
-allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/public/mediatranscoding.te b/public/mediatranscoding.te
new file mode 100644
index 0000000..386535b
--- /dev/null
+++ b/public/mediatranscoding.te
@@ -0,0 +1,26 @@
+# mediatranscoding - daemon for transcoding video and image.
+type mediatranscoding, domain;
+type mediatranscoding_exec, system_file_type, exec_type, file_type;
+
+binder_use(mediatranscoding)
+binder_service(mediatranscoding)
+
+add_service(mediatranscoding, mediatranscoding_service)
+
+allow mediatranscoding system_server:fd use;
+
+# mediatranscoding should never execute any executable without a
+# domain transition
+neverallow mediatranscoding { file_type fs_type }:file execute_no_trans;
+
+# The goal of the mediaserver split is to place media processing code into
+# restrictive sandboxes with limited responsibilities and thus limited
+# permissions. Example: Audioserver is only responsible for controlling audio
+# hardware and processing audio content. Cameraserver does the same for camera
+# hardware/content. Etc.
+#
+# Media processing code is inherently risky and thus should have limited
+# permissions and be isolated from the rest of the system and network.
+# Lengthier explanation here:
+# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
+neverallow mediatranscoding domain:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/public/netd.te b/public/netd.te
index ff0bff6..8005406 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -3,7 +3,7 @@
type netd_exec, system_file_type, exec_type, file_type;
net_domain(netd)
-# in addition to ioctls allowlisted for all domains, grant netd priv_sock_ioctls.
+# in addition to ioctls whitelisted for all domains, grant netd priv_sock_ioctls.
allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
r_dir_file(netd, cgroup)
@@ -36,10 +36,8 @@
not_full_treble(`allow netd vendor_file:file x_file_perms;')
allow netd devpts:chr_file rw_file_perms;
-# Acquire advisory lock on /system/etc/xtables.lock. If this file doesn't
-# exist, suppress the denial.
+# Acquire advisory lock on /system/etc/xtables.lock
allow netd system_file:file lock;
-dontaudit netd system_file:dir write;
# Allow netd to write to qtaguid ctrl file.
# TODO: Add proper rules to prevent other process to access qtaguid_proc file
@@ -62,7 +60,7 @@
# TODO: added to match above sysfs rule. Remove me?
allow netd sysfs_usb:file write;
-r_dir_file(netd, cgroup_v2)
+r_dir_file(netd, cgroup_bpf)
allow netd fs_bpf:dir search;
allow netd fs_bpf:file { read write };
@@ -83,6 +81,9 @@
# Allow netd to spawn dnsmasq in it's own domain
allow netd dnsmasq:process signal;
+set_prop(netd, ctl_mdnsd_prop)
+set_prop(netd, netd_stable_secret_prop)
+
# Allow netd to publish a binder service and make binder calls.
binder_use(netd)
add_service(netd, netd_service)
@@ -112,6 +113,8 @@
# Allow netd to register as hal server.
add_hwservice(netd, system_net_netd_hwservice)
hwbinder_use(netd)
+get_prop(netd, hwservicemanager_prop)
+get_prop(netd, device_config_netd_native_prop)
###
### Neverallow rules
@@ -128,7 +131,7 @@
neverallow netd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
-neverallow netd { app_data_file_type system_data_file }:dir_file_class_set write;
+neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
# only system_server, dumpstate and network stack app may find netd service
neverallow {
@@ -154,6 +157,14 @@
neverallow { appdomain -network_stack } netd:binder call;
neverallow netd { appdomain -network_stack userdebug_or_eng(`-su') }:binder call;
+# persist.netd.stable_secret contains RFC 7217 secret key which should never be
+# leaked to other processes. Make sure it never leaks.
+neverallow { domain -netd -init -dumpstate } netd_stable_secret_prop:file r_file_perms;
+
+# We want to ensure that no other process ever tries tampering with persist.netd.stable_secret,
+# the RFC 7217 secret key managed by netd. Doing so could compromise user privacy.
+neverallow { domain -netd -init } netd_stable_secret_prop:property_service set;
+
# If an already existing file is opened with O_CREATE, the kernel might generate
# a false report of a create denial. Silence these denials and make sure that
# inappropriate permissions are not granted.
@@ -172,5 +183,3 @@
dontaudit netd self:capability sys_module;
dontaudit netd kernel:system module_request;
-
-dontaudit netd appdomain:unix_stream_socket { read write };
diff --git a/public/otapreopt_chroot.te b/public/otapreopt_chroot.te
deleted file mode 100644
index db8dd1a..0000000
--- a/public/otapreopt_chroot.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# otapreopt_chroot seclabel
-
-# TODO: Only present to allow mediatek/wembley-sepolicy to see it for validation reasons.
-type otapreopt_chroot, domain;
diff --git a/public/performanced.te b/public/performanced.te
index d694fda..7dcb5ea 100644
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -28,4 +28,3 @@
# Access /dev/cpuset/cpuset.cpus
r_dir_file(performanced, cgroup)
-r_dir_file(performanced, cgroup_v2)
diff --git a/public/profman.te b/public/profman.te
index c014d79..8ff6271 100644
--- a/public/profman.te
+++ b/public/profman.te
@@ -22,10 +22,6 @@
allow profman { privapp_data_file app_data_file }:file { getattr read write lock map };
allow profman { privapp_data_file app_data_file }:dir { getattr read search };
-# Allow query ART device config properties
-get_prop(profman, device_config_runtime_native_prop)
-get_prop(profman, device_config_runtime_native_boot_prop)
-
###
### neverallow rules
###
diff --git a/public/property.te b/public/property.te
index 1d3f358..9a93518 100644
--- a/public/property.te
+++ b/public/property.te
@@ -1,8 +1,4 @@
# Properties used only in /system
-#
-# DO NOT ADD system_internal_prop here.
-# Instead, add to private/property.te.
-# TODO(b/150331497): move these to private/property.te
system_internal_prop(apexd_prop)
system_internal_prop(bootloader_boot_reason_prop)
system_internal_prop(device_config_activity_manager_native_boot_prop)
@@ -11,7 +7,25 @@
system_internal_prop(device_config_media_native_prop)
system_internal_prop(device_config_netd_native_prop)
system_internal_prop(device_config_reset_performed_prop)
+system_internal_prop(device_config_runtime_native_boot_prop)
+system_internal_prop(device_config_runtime_native_prop)
+system_internal_prop(device_config_storage_native_boot_prop)
+system_internal_prop(device_config_sys_traced_prop)
+system_internal_prop(device_config_window_manager_native_boot_prop)
+system_internal_prop(device_config_configuration_prop)
system_internal_prop(firstboot_prop)
+system_internal_prop(fastbootd_protocol_prop)
+system_internal_prop(gsid_prop)
+system_internal_prop(init_perf_lsm_hooks_prop)
+system_internal_prop(init_svc_debug_prop)
+system_internal_prop(last_boot_reason_prop)
+system_internal_prop(netd_stable_secret_prop)
+system_internal_prop(pm_prop)
+system_internal_prop(userspace_reboot_log_prop)
+system_internal_prop(userspace_reboot_test_prop)
+system_internal_prop(system_adbd_prop)
+system_internal_prop(adbd_prop)
+system_internal_prop(traced_perf_enabled_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -52,42 +66,21 @@
')
# Properties which can't be written outside system
-system_restricted_prop(aac_drc_prop)
-system_restricted_prop(arm64_memtag_prop)
+
+# Properties used by binder caches
system_restricted_prop(binder_cache_bluetooth_server_prop)
system_restricted_prop(binder_cache_system_server_prop)
system_restricted_prop(binder_cache_telephony_server_prop)
-system_restricted_prop(boot_status_prop)
-system_restricted_prop(bootanim_system_prop)
-system_restricted_prop(bootloader_prop)
system_restricted_prop(boottime_public_prop)
system_restricted_prop(bq_config_prop)
-system_restricted_prop(build_bootimage_prop)
-system_restricted_prop(build_prop)
-system_restricted_prop(charger_status_prop)
-system_restricted_prop(device_config_runtime_native_boot_prop)
-system_restricted_prop(device_config_runtime_native_prop)
-system_restricted_prop(fingerprint_prop)
-system_restricted_prop(hal_instrumentation_prop)
-system_restricted_prop(init_service_status_prop)
-system_restricted_prop(libc_debug_prop)
system_restricted_prop(module_sdkextensions_prop)
system_restricted_prop(nnapi_ext_deny_product_prop)
-system_restricted_prop(power_debug_prop)
-system_restricted_prop(property_service_version_prop)
-system_restricted_prop(provisioned_prop)
system_restricted_prop(restorecon_prop)
-system_restricted_prop(retaildemo_prop)
system_restricted_prop(socket_hook_prop)
-system_restricted_prop(sqlite_log_prop)
system_restricted_prop(surfaceflinger_display_prop)
system_restricted_prop(system_boot_reason_prop)
system_restricted_prop(system_jvmti_agent_prop)
-system_restricted_prop(ab_update_gki_prop)
-system_restricted_prop(usb_prop)
system_restricted_prop(userspace_reboot_exported_prop)
-system_restricted_prop(vold_status_prop)
-system_restricted_prop(vts_status_prop)
compatible_property_only(`
# DO NOT ADD ANY PROPERTIES HERE
@@ -95,17 +88,24 @@
system_restricted_prop(cppreopt_prop)
system_restricted_prop(dalvik_prop)
system_restricted_prop(debuggerd_prop)
+ system_restricted_prop(default_prop)
system_restricted_prop(device_logging_prop)
system_restricted_prop(dhcp_prop)
system_restricted_prop(dumpstate_prop)
+ system_restricted_prop(exported2_default_prop)
system_restricted_prop(exported3_system_prop)
system_restricted_prop(exported_dumpstate_prop)
+ system_restricted_prop(exported_fingerprint_prop)
system_restricted_prop(exported_secure_prop)
+ system_restricted_prop(exported_vold_prop)
+ system_restricted_prop(ffs_prop)
+ system_restricted_prop(fingerprint_prop)
system_restricted_prop(heapprofd_prop)
system_restricted_prop(net_radio_prop)
system_restricted_prop(pan_result_prop)
system_restricted_prop(persist_debug_prop)
system_restricted_prop(shell_prop)
+ system_restricted_prop(system_radio_prop)
system_restricted_prop(test_harness_prop)
system_restricted_prop(theme_prop)
system_restricted_prop(use_memfd_prop)
@@ -113,67 +113,25 @@
')
# Properties which can be written only by vendor_init
-system_vendor_config_prop(apexd_config_prop)
-system_vendor_config_prop(aaudio_config_prop)
system_vendor_config_prop(apk_verity_prop)
-system_vendor_config_prop(audio_config_prop)
-system_vendor_config_prop(bootanim_config_prop)
-system_vendor_config_prop(build_config_prop)
-system_vendor_config_prop(build_odm_prop)
-system_vendor_config_prop(build_vendor_prop)
-system_vendor_config_prop(camera_calibration_prop)
-system_vendor_config_prop(camera_config_prop)
-system_vendor_config_prop(camera2_extensions_prop)
-system_vendor_config_prop(camerax_extensions_prop)
-system_vendor_config_prop(charger_config_prop)
-system_vendor_config_prop(codec2_config_prop)
system_vendor_config_prop(cpu_variant_prop)
-system_vendor_config_prop(dalvik_config_prop)
-system_vendor_config_prop(debugfs_restriction_prop)
-system_vendor_config_prop(drm_service_config_prop)
+system_vendor_config_prop(exported_audio_prop)
system_vendor_config_prop(exported_camera_prop)
system_vendor_config_prop(exported_config_prop)
system_vendor_config_prop(exported_default_prop)
-system_vendor_config_prop(ffs_config_prop)
-system_vendor_config_prop(framework_watchdog_config_prop)
+system_vendor_config_prop(exported3_default_prop)
system_vendor_config_prop(graphics_config_prop)
-system_vendor_config_prop(hdmi_config_prop)
-system_vendor_config_prop(hw_timeout_multiplier_prop)
system_vendor_config_prop(incremental_prop)
-system_vendor_config_prop(keyguard_config_prop)
-system_vendor_config_prop(lmkd_config_prop)
-system_vendor_config_prop(media_config_prop)
system_vendor_config_prop(media_variant_prop)
-system_vendor_config_prop(mediadrm_config_prop)
-system_vendor_config_prop(mm_events_config_prop)
-system_vendor_config_prop(oem_unlock_prop)
-system_vendor_config_prop(packagemanager_config_prop)
-system_vendor_config_prop(recovery_config_prop)
-system_vendor_config_prop(sendbug_config_prop)
-system_vendor_config_prop(soc_prop)
system_vendor_config_prop(storage_config_prop)
-system_vendor_config_prop(storagemanager_config_prop)
-system_vendor_config_prop(surfaceflinger_prop)
-system_vendor_config_prop(suspend_prop)
-system_vendor_config_prop(systemsound_config_prop)
-system_vendor_config_prop(telephony_config_prop)
-system_vendor_config_prop(tombstone_config_prop)
-system_vendor_config_prop(usb_config_prop)
system_vendor_config_prop(userspace_reboot_config_prop)
system_vendor_config_prop(vehicle_hal_prop)
system_vendor_config_prop(vendor_security_patch_level_prop)
system_vendor_config_prop(vendor_socket_hook_prop)
-system_vendor_config_prop(virtual_ab_prop)
system_vendor_config_prop(vndk_prop)
-system_vendor_config_prop(vts_config_prop)
-system_vendor_config_prop(vold_config_prop)
-system_vendor_config_prop(wifi_config_prop)
-system_vendor_config_prop(zram_config_prop)
-system_vendor_config_prop(zygote_config_prop)
-system_vendor_config_prop(dck_prop)
+system_vendor_config_prop(virtual_ab_prop)
# Properties with no restrictions
-system_public_prop(adbd_config_prop)
system_public_prop(audio_prop)
system_public_prop(bluetooth_a2dp_offload_prop)
system_public_prop(bluetooth_audio_hal_prop)
@@ -182,15 +140,22 @@
system_public_prop(ctl_interface_start_prop)
system_public_prop(ctl_start_prop)
system_public_prop(ctl_stop_prop)
-system_public_prop(dalvik_runtime_prop)
system_public_prop(debug_prop)
system_public_prop(dumpstate_options_prop)
system_public_prop(exported_system_prop)
+system_public_prop(exported2_config_prop)
+system_public_prop(exported2_radio_prop)
+system_public_prop(exported2_system_prop)
+system_public_prop(exported2_vold_prop)
+system_public_prop(exported3_radio_prop)
system_public_prop(exported_bluetooth_prop)
+system_public_prop(exported_dalvik_prop)
+system_public_prop(exported_ffs_prop)
system_public_prop(exported_overlay_prop)
system_public_prop(exported_pm_prop)
-system_public_prop(ffs_control_prop)
-system_public_prop(hal_dumpstate_config_prop)
+system_public_prop(exported_radio_prop)
+system_public_prop(exported_system_radio_prop)
+system_public_prop(exported_wifi_prop)
system_public_prop(sota_prop)
system_public_prop(hwservicemanager_prop)
system_public_prop(lmkd_prop)
@@ -202,29 +167,15 @@
system_public_prop(nfc_prop)
system_public_prop(ota_prop)
system_public_prop(powerctl_prop)
-system_public_prop(qemu_hw_prop)
-system_public_prop(qemu_sf_lcd_density_prop)
-system_public_prop(radio_control_prop)
system_public_prop(radio_prop)
system_public_prop(serialno_prop)
-system_public_prop(surfaceflinger_color_prop)
system_public_prop(system_prop)
-system_public_prop(telephony_status_prop)
-system_public_prop(usb_control_prop)
-system_public_prop(vold_post_fs_data_prop)
-system_public_prop(wifi_hal_prop)
system_public_prop(wifi_log_prop)
system_public_prop(wifi_prop)
-system_public_prop(zram_control_prop)
-
-# Properties which don't have entries on property_contexts
-system_internal_prop(default_prop)
# Properties used in default HAL implementations
vendor_internal_prop(rebootescrow_hal_prop)
-vendor_public_prop(persist_vendor_debug_wifi_prop)
-
# Properties which are public for devices launching with Android O or earlier
# This should not be used for any new properties.
not_compatible_property(`
@@ -268,30 +219,31 @@
system_public_prop(cppreopt_prop)
system_public_prop(dalvik_prop)
system_public_prop(debuggerd_prop)
+ system_public_prop(default_prop)
system_public_prop(device_logging_prop)
system_public_prop(dhcp_prop)
system_public_prop(dumpstate_prop)
+ system_public_prop(exported2_default_prop)
system_public_prop(exported3_system_prop)
system_public_prop(exported_dumpstate_prop)
+ system_public_prop(exported_fingerprint_prop)
system_public_prop(exported_secure_prop)
+ system_public_prop(exported_vold_prop)
+ system_public_prop(ffs_prop)
+ system_public_prop(fingerprint_prop)
system_public_prop(heapprofd_prop)
system_public_prop(net_radio_prop)
system_public_prop(pan_result_prop)
system_public_prop(persist_debug_prop)
system_public_prop(shell_prop)
+ system_public_prop(system_radio_prop)
system_public_prop(test_harness_prop)
system_public_prop(theme_prop)
system_public_prop(use_memfd_prop)
system_public_prop(vold_prop)
')
-not_compatible_property(`
- vendor_public_prop(vendor_default_prop)
-')
-
-compatible_property_only(`
- vendor_internal_prop(vendor_default_prop)
-')
+type vendor_default_prop, property_type;
typeattribute log_prop log_property_type;
typeattribute log_tag_prop log_property_type;
@@ -299,6 +251,54 @@
allow property_type tmpfs:filesystem associate;
+###
+### Neverallow rules
+###
+
+treble_sysprop_neverallow(`
+
+# TODO(b/131162102): uncomment these after assigning ownership attributes to all properties
+# neverallow domain {
+# property_type
+# -system_property_type
+# -product_property_type
+# -vendor_property_type
+# }:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ system_internal_property_type
+ -system_restricted_property_type
+ -system_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { domain -coredomain } {
+ system_property_type
+ -system_public_property_type
+}:property_service set;
+
+# init is in coredomain, but should be able to read/write all props.
+# dumpstate is also in coredomain, but should be able to read all props.
+neverallow { coredomain -init -dumpstate } {
+ vendor_property_type
+ vendor_internal_property_type
+ -vendor_restricted_property_type
+ -vendor_public_property_type
+}:file no_rw_file_perms;
+
+neverallow { coredomain -init } {
+ vendor_property_type
+ -vendor_public_property_type
+}:property_service set;
+
+')
+
+# There is no need to perform ioctl or advisory locking operations on
+# property files. If this neverallow is being triggered, it is
+# likely that the policy is using r_file_perms directly instead of
+# the get_prop() macro.
+neverallow domain property_type:file { ioctl lock };
+
# core_property_type should not be used for new properties or
# device specific properties. Properties with this attribute
# are readable to everyone, which is overly broad and should
@@ -312,8 +312,11 @@
typeattribute dalvik_prop core_property_type;
typeattribute debuggerd_prop core_property_type;
typeattribute debug_prop core_property_type;
+typeattribute default_prop core_property_type;
typeattribute dhcp_prop core_property_type;
typeattribute dumpstate_prop core_property_type;
+typeattribute ffs_prop core_property_type;
+typeattribute fingerprint_prop core_property_type;
typeattribute logd_prop core_property_type;
typeattribute net_radio_prop core_property_type;
typeattribute nfc_prop core_property_type;
@@ -325,6 +328,293 @@
typeattribute restorecon_prop core_property_type;
typeattribute shell_prop core_property_type;
typeattribute system_prop core_property_type;
-typeattribute usb_prop core_property_type;
+typeattribute system_radio_prop core_property_type;
typeattribute vold_prop core_property_type;
+neverallow * {
+ core_property_type
+ -audio_prop
+ -config_prop
+ -cppreopt_prop
+ -dalvik_prop
+ -debuggerd_prop
+ -debug_prop
+ -default_prop
+ -dhcp_prop
+ -dumpstate_prop
+ -ffs_prop
+ -fingerprint_prop
+ -logd_prop
+ -net_radio_prop
+ -nfc_prop
+ -ota_prop
+ -pan_result_prop
+ -persist_debug_prop
+ -powerctl_prop
+ -radio_prop
+ -restorecon_prop
+ -shell_prop
+ -system_prop
+ -system_radio_prop
+ -vold_prop
+}:file no_rw_file_perms;
+
+# sigstop property is only used for debugging; should only be set by su which is permissive
+# for userdebug/eng
+neverallow {
+ domain
+ -init
+ -vendor_init
+} ctl_sigstop_prop:property_service set;
+
+# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
+# in the audit log
+dontaudit domain {
+ ctl_bootanim_prop
+ ctl_bugreport_prop
+ ctl_console_prop
+ ctl_default_prop
+ ctl_dumpstate_prop
+ ctl_fuse_prop
+ ctl_mdnsd_prop
+ ctl_rildaemon_prop
+}:property_service set;
+
+neverallow {
+ domain
+ -init
+} init_svc_debug_prop:property_service set;
+
+neverallow {
+ domain
+ -init
+ -dumpstate
+ userdebug_or_eng(`-su')
+} init_svc_debug_prop:file no_rw_file_perms;
+
+compatible_property_only(`
+# Prevent properties from being set
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_config_prop
+ exported_dalvik_prop
+ exported_default_prop
+ exported_dumpstate_prop
+ exported_ffs_prop
+ exported_fingerprint_prop
+ exported_system_prop
+ exported_system_radio_prop
+ exported_vold_prop
+ exported2_config_prop
+ exported2_default_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ -vendor_init
+ } {
+ exported_radio_prop
+ exported3_radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ exported2_radio_prop
+ radio_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ -vendor_init
+ } {
+ exported_bluetooth_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_camera_server
+ -cameraserver
+ -vendor_init
+ } {
+ exported_camera_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:property_service set;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ -vendor_init
+ } {
+ exported_wifi_prop
+ }:property_service set;
+
+# Prevent properties from being read
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -vendor_init
+ } {
+ core_property_type
+ extended_core_property_type
+ exported_dalvik_prop
+ exported_ffs_prop
+ exported_system_radio_prop
+ exported2_config_prop
+ exported2_system_prop
+ exported2_vold_prop
+ exported3_default_prop
+ exported3_system_prop
+ -debug_prop
+ -logd_prop
+ -nfc_prop
+ -powerctl_prop
+ -radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_nfc_server
+ } {
+ nfc_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -appdomain
+ -hal_telephony_server
+ } {
+ radio_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -bluetooth
+ -hal_bluetooth_server
+ } {
+ bluetooth_prop
+ }:file no_rw_file_perms;
+
+ neverallow {
+ domain
+ -coredomain
+ -hal_wifi_server
+ -wificond
+ } {
+ wifi_prop
+ }:file no_rw_file_perms;
+')
+
+compatible_property_only(`
+ # Neverallow coredomain to set vendor properties
+ neverallow {
+ coredomain
+ -init
+ -system_writes_vendor_properties_violators
+ } {
+ property_type
+ -system_property_type
+ -extended_core_property_type
+ }:property_service set;
+')
+
+neverallow {
+ -init
+ -system_server
+} {
+ userspace_reboot_log_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and system_server to set system_adbd_prop
+ -init
+ -system_server
+} {
+ system_adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and adbd to set adbd_prop
+ -init
+ -adbd
+} {
+ adbd_prop
+}:property_service set;
+
+neverallow {
+ # Only allow init and shell to set userspace_reboot_test_prop
+ -init
+ -shell
+} {
+ userspace_reboot_test_prop
+}:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
+
+neverallow {
+ -init
+ -surfaceflinger
+} {
+ surfaceflinger_display_prop
+}:property_service set;
diff --git a/public/property_contexts b/public/property_contexts
new file mode 100644
index 0000000..6a99e3f
--- /dev/null
+++ b/public/property_contexts
@@ -0,0 +1,476 @@
+# vendor-init-readable
+persist.radio.airplane_mode_on u:object_r:exported2_radio_prop:s0 exact bool
+
+# vendor-init-settable
+af.fast_track_multiplier u:object_r:exported3_default_prop:s0 exact int
+audio.camerasound.force u:object_r:exported_audio_prop:s0 exact bool
+audio.deep_buffer.media u:object_r:exported3_default_prop:s0 exact bool
+audio.offload.video u:object_r:exported3_default_prop:s0 exact bool
+audio.offload.min.duration.secs u:object_r:exported3_default_prop:s0 exact int
+camera.disable_zsl_mode u:object_r:exported3_default_prop:s0 exact bool
+camera.fifo.disable u:object_r:exported3_default_prop:s0 exact int
+dalvik.vm.appimageformat u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.backgroundgctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.boot-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.boot-image u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.checkjni u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.dex2oat64.enabled u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.dexopt.secondary u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.execution-mode u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.extra-opts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.foreground-heap-growth-multiplier u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.gctype u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapgrowthlimit u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapmaxfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapminfree u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heapstartsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.heaptargetutilization u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.hot-startup-method-samples u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.image-dex2oat-Xms u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-Xmx u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-cpu-set u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-filter u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-flags u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.image-dex2oat-threads u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.isa.arm.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.arm64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.mips64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.unknown.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.features u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.isa.x86_64.variant u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitinitialsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitmaxsize u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.jitprithreadweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jitthreshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jittransitionweight u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.jniopts u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.lockprof.threshold u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.method-trace-file u:object_r:exported_dalvik_prop:s0 exact string
+dalvik.vm.method-trace-file-siz u:object_r:exported_dalvik_prop:s0 exact int
+dalvik.vm.method-trace-stream u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilesystemserver u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.profilebootclasspath u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejit u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.usejitprofiles u:object_r:exported_dalvik_prop:s0 exact bool
+dalvik.vm.zygote.max-boot-retry u:object_r:exported_dalvik_prop:s0 exact int
+drm.service.enabled u:object_r:exported3_default_prop:s0 exact bool
+external_storage.projid.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.casefold.enabled u:object_r:storage_config_prop:s0 exact bool
+external_storage.sdcardfs.enabled u:object_r:storage_config_prop:s0 exact bool
+keyguard.no_require_sim u:object_r:exported3_default_prop:s0 exact bool
+media.recorder.show_manufacturer_and_model u:object_r:exported3_default_prop:s0 exact bool
+media.stagefright.cache-params u:object_r:exported3_default_prop:s0 exact string
+media.stagefright.thumbnail.prefer_hw_codecs u:object_r:exported3_default_prop:s0 exact bool
+persist.bluetooth.a2dp_offload.cap u:object_r:bluetooth_a2dp_offload_prop:s0 exact string
+persist.bluetooth.a2dp_offload.disabled u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+persist.bluetooth.bluetooth_audio_hal.disabled u:object_r:bluetooth_audio_hal_prop:s0 exact bool
+persist.bluetooth.btsnoopenable u:object_r:exported_bluetooth_prop:s0 exact bool
+persist.config.calibration_fac u:object_r:exported3_default_prop:s0 exact string
+persist.dbg.volte_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.vt_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.dbg.wfc_avail_ovr u:object_r:exported3_default_prop:s0 exact int
+persist.radio.multisim.config u:object_r:exported3_radio_prop:s0 exact string
+persist.sys.dalvik.vm.lib.2 u:object_r:exported2_system_prop:s0 exact string
+persist.sys.media.avsync u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.hdmi.keep_awake u:object_r:exported2_system_prop:s0 exact bool
+persist.sys.sf.color_mode u:object_r:exported2_system_prop:s0 exact int
+persist.sys.sf.color_saturation u:object_r:exported2_system_prop:s0 exact string
+persist.sys.sf.native_mode u:object_r:exported2_system_prop:s0 exact int
+pm.dexopt.ab-ota u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.bg-dexopt u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.disable_bg_dexopt u:object_r:exported_pm_prop:s0 exact bool
+pm.dexopt.downgrade_after_inactive_days u:object_r:exported_pm_prop:s0 exact int
+pm.dexopt.first-boot u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.inactive u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.install u:object_r:exported_pm_prop:s0 exact string
+pm.dexopt.shared u:object_r:exported_pm_prop:s0 exact string
+ro.af.client_heap_size_kbyte u:object_r:exported3_default_prop:s0 exact int
+ro.apk_verity.mode u:object_r:apk_verity_prop:s0 exact int
+ro.audio.monitorRotation u:object_r:exported3_default_prop:s0 exact bool
+ro.bluetooth.a2dp_offload.supported u:object_r:bluetooth_a2dp_offload_prop:s0 exact bool
+ro.boot.vendor.overlay.theme u:object_r:exported_overlay_prop:s0 exact string
+ro.boot.wificountrycode u:object_r:exported3_default_prop:s0 exact string
+ro.bt.bdaddr_path u:object_r:exported_bluetooth_prop:s0 exact string
+ro.camera.notify_nfc u:object_r:exported3_default_prop:s0 exact int
+ro.camera.enableLazyHal u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.dataroaming u:object_r:exported3_default_prop:s0 exact bool
+ro.com.android.prov_mobiledata u:object_r:exported3_default_prop:s0 exact bool
+ro.config.alarm_alert u:object_r:exported2_config_prop:s0 exact string
+ro.config.media_vol_steps u:object_r:exported2_config_prop:s0 exact int
+ro.config.notification_sound u:object_r:exported2_config_prop:s0 exact string
+ro.config.per_app_memcg u:object_r:exported3_default_prop:s0 exact bool
+ro.config.ringtone u:object_r:exported2_config_prop:s0 exact string
+ro.control_privapp_permissions u:object_r:exported3_default_prop:s0 exact string
+ro.cp_system_other_odex u:object_r:exported3_default_prop:s0 exact int
+ro.crypto.allow_encrypt_override u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.dm_default_key.options_format.version u:object_r:exported2_vold_prop:s0 exact int
+ro.crypto.fde_algorithm u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.fde_sector_size u:object_r:exported2_vold_prop:s0 exact int
+ro.crypto.scrypt_params u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.set_dun u:object_r:exported2_vold_prop:s0 exact bool
+ro.crypto.volume.contents_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.filenames_mode u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.encryption u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.metadata.method u:object_r:exported2_vold_prop:s0 exact string
+ro.crypto.volume.options u:object_r:exported2_vold_prop:s0 exact string
+ro.dalvik.vm.native.bridge u:object_r:exported_dalvik_prop:s0 exact string
+ro.enable_boot_charger_mode u:object_r:exported3_default_prop:s0 exact bool
+ro.gfx.driver.0 u:object_r:exported3_default_prop:s0 exact string
+ro.gfx.angle.supported u:object_r:exported3_default_prop:s0 exact bool
+ro.hdmi.device_type u:object_r:exported3_default_prop:s0 exact string
+ro.hdmi.wake_on_hotplug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.critical u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.critical_upgrade u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.debug u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.downgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.kill_heaviest_task u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.kill_timeout_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.low u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.medium u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_partial_stall_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.psi_complete_stall_ms u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.swap_free_low_percentage u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.thrashing_limit_decay u:object_r:exported3_default_prop:s0 exact int
+ro.lmk.use_minfree_levels u:object_r:exported3_default_prop:s0 exact bool
+ro.lmk.upgrade_pressure u:object_r:exported3_default_prop:s0 exact int
+ro.minui.default_rotation u:object_r:exported3_default_prop:s0 exact string
+ro.minui.overscan_percent u:object_r:exported3_default_prop:s0 exact int
+ro.minui.pixel_format u:object_r:exported3_default_prop:s0 exact string
+ro.oem_unlock_supported u:object_r:exported3_default_prop:s0 exact int
+ro.opengles.version u:object_r:exported3_default_prop:s0 exact int
+ro.radio.noril u:object_r:exported3_default_prop:s0 exact string
+ro.rebootescrow.device u:object_r:rebootescrow_hal_prop:s0 exact string
+ro.retaildemo.video_path u:object_r:exported3_default_prop:s0 exact string
+ro.statsd.enable u:object_r:exported3_default_prop:s0 exact bool
+ro.sf.disable_triple_buffer u:object_r:exported3_default_prop:s0 exact bool
+ro.sf.lcd_density u:object_r:exported3_default_prop:s0 exact int
+ro.storage_manager.enabled u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.call_ring.multiple u:object_r:exported3_default_prop:s0 exact bool
+ro.telephony.default_cdma_sub u:object_r:exported3_default_prop:s0 exact int
+ro.telephony.default_network u:object_r:exported3_default_prop:s0 exact string
+ro.vehicle.hal u:object_r:vehicle_hal_prop:s0 exact string
+ro.vendor.build.security_patch u:object_r:vendor_security_patch_level_prop:s0 exact string
+ro.media.xml_variant.codecs u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.codecs_performance u:object_r:media_variant_prop:s0 exact string
+ro.media.xml_variant.profiles u:object_r:media_variant_prop:s0 exact string
+ro.zram.mark_idle_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.first_wb_delay_mins u:object_r:exported3_default_prop:s0 exact int
+ro.zram.periodic_wb_delay_hours u:object_r:exported3_default_prop:s0 exact int
+ro.zygote u:object_r:exported3_default_prop:s0 exact string
+sendbug.preferred.domain u:object_r:exported3_default_prop:s0 exact string
+sys.usb.controller u:object_r:exported2_system_prop:s0 exact string
+sys.usb.ffs.max_read u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.max_write u:object_r:exported_ffs_prop:s0 exact int
+sys.usb.ffs.ready u:object_r:exported_ffs_prop:s0 exact bool
+sys.usb.mtp.device_type u:object_r:exported2_system_prop:s0 exact int
+sys.usb.ffs.mtp.ready u:object_r:exported_ffs_prop:s0 exact bool
+sys.usb.state u:object_r:exported2_system_prop:s0 exact string
+telephony.lteOnCdmaDevice u:object_r:exported3_default_prop:s0 exact int
+telephony.active_modems.max_count u:object_r:exported3_default_prop:s0 exact int
+tombstoned.max_tombstone_count u:object_r:exported3_default_prop:s0 exact int
+vold.post_fs_data_done u:object_r:exported2_vold_prop:s0 exact int
+vts.native_server.on u:object_r:exported3_default_prop:s0 exact bool
+wlan.driver.status u:object_r:exported_wifi_prop:s0 exact enum ok unloaded
+zram.force_writeback u:object_r:exported3_default_prop:s0 exact bool
+
+# vendor-init-readable
+apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
+dev.bootcomplete u:object_r:exported3_system_prop:s0 exact bool
+persist.sys.device_provisioned u:object_r:exported3_system_prop:s0 exact string
+persist.sys.theme u:object_r:theme_prop:s0 exact string
+persist.sys.usb.usbradio.config u:object_r:exported3_system_prop:s0 exact string
+sys.boot_completed u:object_r:exported3_system_prop:s0 exact bool
+sys.retaildemo.enabled u:object_r:exported3_system_prop:s0 exact int
+sys.user.0.ce_available u:object_r:exported3_system_prop:s0 exact bool
+sys.vdso u:object_r:exported3_system_prop:s0 exact string
+
+# vendor-init-settable
+persist.sys.zram_enabled u:object_r:exported2_system_prop:s0 exact bool
+sys.usb.config u:object_r:exported_system_radio_prop:s0 exact string
+sys.usb.configfs u:object_r:exported_system_radio_prop:s0 exact int
+
+# public-readable
+aac_drc_boost u:object_r:exported2_default_prop:s0 exact int
+aac_drc_cut u:object_r:exported2_default_prop:s0 exact int
+aac_drc_enc_target_level u:object_r:exported2_default_prop:s0 exact int
+aac_drc_heavy u:object_r:exported2_default_prop:s0 exact int
+aac_drc_reference_level u:object_r:exported2_default_prop:s0 exact int
+build.version.extensions. u:object_r:module_sdkextensions_prop:s0 prefix int
+ro.aac_drc_effect_type u:object_r:exported2_default_prop:s0 exact int
+drm.64bit.enabled u:object_r:exported2_default_prop:s0 exact bool
+dumpstate.dry_run u:object_r:exported_dumpstate_prop:s0 exact bool
+dumpstate.unroot u:object_r:exported_dumpstate_prop:s0 exact bool
+hal.instrumentation.enable u:object_r:exported2_default_prop:s0 exact bool
+init.svc.bugreport u:object_r:exported2_default_prop:s0 exact string
+init.svc.console u:object_r:exported2_default_prop:s0 exact string
+init.svc.dumpstatez u:object_r:exported2_default_prop:s0 exact string
+init.svc.mediadrm u:object_r:exported2_default_prop:s0 exact string
+init.svc.surfaceflinger u:object_r:exported2_default_prop:s0 exact string
+init.svc.tombstoned u:object_r:exported2_default_prop:s0 exact string
+init.svc.zygote u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.options u:object_r:exported2_default_prop:s0 exact string
+libc.debug.malloc.program u:object_r:exported2_default_prop:s0 exact string
+libc.debug.hooks.enable u:object_r:exported2_default_prop:s0 exact string
+net.redirect_socket_calls.hooked u:object_r:socket_hook_prop:s0 exact bool
+persist.sys.locale u:object_r:exported_system_prop:s0 exact string
+persist.sys.timezone u:object_r:exported_system_prop:s0 exact string
+persist.sys.test_harness u:object_r:test_harness_prop:s0 exact bool
+ro.adb.secure u:object_r:exported_secure_prop:s0 exact bool
+ro.arch u:object_r:exported2_default_prop:s0 exact string
+ro.audio.ignore_effects u:object_r:exported2_default_prop:s0 exact bool
+ro.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.baseband u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootdevice u:object_r:exported2_default_prop:s0 exact string
+ro.boot.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.boot.boottime u:object_r:exported2_default_prop:s0 exact string
+ro.boottime.init.mount.data u:object_r:boottime_public_prop:s0 exact string
+ro.boottime.init.fsck.data u:object_r:boottime_public_prop:s0 exact string
+ro.boot.console u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.color u:object_r:exported2_default_prop:s0 exact string
+ro.boot.hardware.sku u:object_r:exported2_default_prop:s0 exact string
+ro.boot.keymaster u:object_r:exported2_default_prop:s0 exact string
+ro.boot.mode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.vbmeta.avb_version u:object_r:exported2_default_prop:s0 exact string
+ro.boot.verifiedbootstate u:object_r:exported2_default_prop:s0 exact string
+ro.boot.veritymode u:object_r:exported2_default_prop:s0 exact string
+ro.boot.dynamic_partitions u:object_r:exported_default_prop:s0 exact string
+ro.boot.dynamic_partitions_retrofit u:object_r:exported_default_prop:s0 exact string
+ro.bootloader u:object_r:exported2_default_prop:s0 exact string
+ro.build.date u:object_r:exported2_default_prop:s0 exact string
+ro.build.date.utc u:object_r:exported2_default_prop:s0 exact int
+ro.build.description u:object_r:exported2_default_prop:s0 exact string
+ro.build.display.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.fingerprint u:object_r:exported_fingerprint_prop:s0 exact string
+ro.build.host u:object_r:exported2_default_prop:s0 exact string
+ro.build.id u:object_r:exported2_default_prop:s0 exact string
+ro.build.product u:object_r:exported2_default_prop:s0 exact string
+ro.build.system_root_image u:object_r:exported2_default_prop:s0 exact bool
+ro.build.tags u:object_r:exported2_default_prop:s0 exact string
+ro.build.user u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.base_os u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.incremental u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.preview_sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.release u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.release_or_codename u:object_r:exported2_default_prop:s0 exact string
+ro.build.version.sdk u:object_r:exported2_default_prop:s0 exact int
+ro.build.version.security_patch u:object_r:exported2_default_prop:s0 exact string
+ro.crypto.state u:object_r:exported_vold_prop:s0 exact enum encrypted unencrypted unsupported
+ro.crypto.type u:object_r:exported_vold_prop:s0 exact enum block file none
+ro.debuggable u:object_r:exported2_default_prop:s0 exact int
+ro.hardware u:object_r:exported2_default_prop:s0 exact string
+ro.product.brand u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abi u:object_r:exported2_default_prop:s0 exact string
+ro.product.cpu.abilist u:object_r:exported2_default_prop:s0 exact string
+ro.product.device u:object_r:exported2_default_prop:s0 exact string
+ro.product.manufacturer u:object_r:exported2_default_prop:s0 exact string
+ro.product.model u:object_r:exported2_default_prop:s0 exact string
+ro.product.name u:object_r:exported2_default_prop:s0 exact string
+ro.property_service.version u:object_r:exported2_default_prop:s0 exact int
+ro.revision u:object_r:exported2_default_prop:s0 exact string
+ro.secure u:object_r:exported_secure_prop:s0 exact int
+ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
+service.bootanim.exit u:object_r:exported_system_prop:s0 exact int
+sys.boot_from_charger_mode u:object_r:exported_system_prop:s0 exact int
+sys.init.userspace_reboot.in_progress u:object_r:userspace_reboot_exported_prop:s0 exact bool
+sys.use_memfd u:object_r:use_memfd_prop:s0 exact bool
+vold.decrypt u:object_r:exported_vold_prop:s0 exact string
+
+# vendor-init-settable|public-readable
+aaudio.hw_burst_min_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.minimum_sleep_usec u:object_r:exported_default_prop:s0 exact int
+aaudio.mixer_bursts u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_exclusive_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.mmap_policy u:object_r:exported_default_prop:s0 exact int
+aaudio.wakeup_delay_usec u:object_r:exported_default_prop:s0 exact int
+config.disable_cameraservice u:object_r:exported_camera_prop:s0 exact bool
+gsm.sim.operator.numeric u:object_r:exported_radio_prop:s0 exact string
+media.mediadrmservice.enable u:object_r:exported_default_prop:s0 exact bool
+persist.rcs.supported u:object_r:exported_default_prop:s0 exact int
+rcs.publish.status u:object_r:exported_radio_prop:s0 exact string
+ro.bionic.2nd_arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.2nd_cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.arch u:object_r:cpu_variant_prop:s0 exact string
+ro.bionic.cpu_variant u:object_r:cpu_variant_prop:s0 exact string
+ro.board.platform u:object_r:exported_default_prop:s0 exact string
+ro.boot.fake_battery u:object_r:exported_default_prop:s0 exact int
+ro.boot.fstab_suffix u:object_r:exported_default_prop:s0 exact string
+ro.boot.hardware.revision u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.hardware.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.product.vendor.sku u:object_r:exported_default_prop:s0 exact string
+ro.boot.slot_suffix u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date u:object_r:exported_default_prop:s0 exact string
+ro.bootimage.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.bootimage.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.boringcrypto.hwrand u:object_r:exported_default_prop:s0 exact bool
+ro.build.ab_update u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.baseband u:object_r:exported_default_prop:s0 exact string
+ro.build.expect.bootloader u:object_r:exported_default_prop:s0 exact string
+ro.carrier u:object_r:exported_default_prop:s0 exact string
+ro.config.low_ram u:object_r:exported_config_prop:s0 exact bool
+ro.config.vc_call_vol_steps u:object_r:exported_config_prop:s0 exact int
+ro.frp.pst u:object_r:exported_default_prop:s0 exact string
+ro.hardware.activity_recognition u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.a2dp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.hearing_aid u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.primary u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio.usb u:object_r:exported_default_prop:s0 exact string
+ro.hardware.audio_policy u:object_r:exported_default_prop:s0 exact string
+ro.hardware.bootctrl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.camera u:object_r:exported_default_prop:s0 exact string
+ro.hardware.consumerir u:object_r:exported_default_prop:s0 exact string
+ro.hardware.context_hub u:object_r:exported_default_prop:s0 exact string
+ro.hardware.egl u:object_r:exported_default_prop:s0 exact string
+ro.hardware.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.hardware.flp u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gatekeeper u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gps u:object_r:exported_default_prop:s0 exact string
+ro.hardware.gralloc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hdmi_cec u:object_r:exported_default_prop:s0 exact string
+ro.hardware.hwcomposer u:object_r:exported_default_prop:s0 exact string
+ro.hardware.input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore u:object_r:exported_default_prop:s0 exact string
+ro.hardware.keystore_desede u:object_r:exported_default_prop:s0 exact string
+ro.hardware.lights u:object_r:exported_default_prop:s0 exact string
+ro.hardware.local_time u:object_r:exported_default_prop:s0 exact string
+ro.hardware.memtrack u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_nci u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nfc_tag u:object_r:exported_default_prop:s0 exact string
+ro.hardware.nvram u:object_r:exported_default_prop:s0 exact string
+ro.hardware.power u:object_r:exported_default_prop:s0 exact string
+ro.hardware.radio u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sensors u:object_r:exported_default_prop:s0 exact string
+ro.hardware.sound_trigger u:object_r:exported_default_prop:s0 exact string
+ro.hardware.thermal u:object_r:exported_default_prop:s0 exact string
+ro.hardware.tv_input u:object_r:exported_default_prop:s0 exact string
+ro.hardware.type u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vehicle u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vibrator u:object_r:exported_default_prop:s0 exact string
+ro.hardware.virtual_device u:object_r:exported_default_prop:s0 exact string
+ro.hardware.vulkan u:object_r:exported_default_prop:s0 exact string
+ro.hwui.use_vulkan u:object_r:exported_default_prop:s0 exact bool
+ro.kernel.qemu u:object_r:exported_default_prop:s0 exact bool
+ro.kernel.qemu. u:object_r:exported_default_prop:s0
+ro.kernel.android.bootanim u:object_r:exported_default_prop:s0 exact int
+ro.kernel.ebpf.supported u:object_r:exported_default_prop:s0 exact bool
+ro.odm.build.date u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.odm.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.odm.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.oem.key1 u:object_r:exported_default_prop:s0 exact string
+ro.product.board u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist32 u:object_r:exported_default_prop:s0 exact string
+ro.product.cpu.abilist64 u:object_r:exported_default_prop:s0 exact string
+ro.product.first_api_level u:object_r:exported_default_prop:s0 exact int
+ro.product.odm.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.device u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.model u:object_r:exported_default_prop:s0 exact string
+ro.product.odm.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.brand u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.device u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.manufacturer u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.model u:object_r:exported_default_prop:s0 exact string
+ro.product.vendor.name u:object_r:exported_default_prop:s0 exact string
+ro.product.vndk.version u:object_r:vndk_prop:s0 exact string
+ro.telephony.iwlan_operation_mode u:object_r:exported_radio_prop:s0 exact enum default legacy AP-assisted
+ro.vendor.build.date u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.date.utc u:object_r:exported_default_prop:s0 exact int
+ro.vendor.build.fingerprint u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.incremental u:object_r:exported_default_prop:s0 exact string
+ro.vendor.build.version.sdk u:object_r:exported_default_prop:s0 exact int
+ro.vndk.lite u:object_r:vndk_prop:s0 exact bool
+ro.vndk.version u:object_r:vndk_prop:s0 exact string
+ro.vts.coverage u:object_r:exported_default_prop:s0 exact int
+wifi.active.interface u:object_r:exported_wifi_prop:s0 exact string
+wifi.aware.interface u:object_r:exported_wifi_prop:s0 exact string
+wifi.concurrent.interface u:object_r:exported_default_prop:s0 exact string
+wifi.direct.interface u:object_r:exported_default_prop:s0 exact string
+wifi.interface u:object_r:exported_default_prop:s0 exact string
+ro.apex.updatable u:object_r:exported_default_prop:s0 exact bool
+ro.init.userspace_reboot.is_supported u:object_r:userspace_reboot_config_prop:s0 exact bool
+
+# public-readable
+ro.boot.revision u:object_r:exported2_default_prop:s0 exact string
+ro.bootmode u:object_r:exported2_default_prop:s0 exact string
+ro.build.type u:object_r:exported2_default_prop:s0 exact string
+sys.shutdown.requested u:object_r:exported_system_prop:s0 exact string
+
+# Using Sysprop as API. So the ro.surface_flinger.* are guaranteed to be API-stable
+ro.surface_flinger.default_composition_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.default_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.force_hwc_copy_for_virtual_displays u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.has_HDR_display u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.has_wide_color_display u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.max_frame_buffer_acquired_buffers u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.max_graphics_height u:object_r:exported3_default_prop:s0 exact int
+ro.surface_flinger.max_graphics_width u:object_r:exported3_default_prop:s0 exact int
+ro.surface_flinger.max_virtual_display_dimension u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.primary_display_orientation u:object_r:exported_default_prop:s0 exact enum ORIENTATION_0 ORIENTATION_180 ORIENTATION_270 ORIENTATION_90
+ro.surface_flinger.present_time_offset_from_vsync_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.running_without_sync_framework u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.start_graphics_allocator_service u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_color_management u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_context_priority u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_vr_flinger u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.vsync_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.vsync_sf_event_phase_offset_ns u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.wcg_composition_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.wcg_composition_pixel_format u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.display_primary_red u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_green u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_blue u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.display_primary_white u:object_r:exported_default_prop:s0 exact string
+ro.surface_flinger.protected_contents u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.set_idle_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_touch_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.set_display_power_timer_ms u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.support_kernel_idle_timer u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_smart_90_for_video u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.use_content_detection_for_refresh_rate u:object_r:exported_default_prop:s0 exact bool
+ro.surface_flinger.color_space_agnostic_dataspace u:object_r:exported_default_prop:s0 exact int
+ro.surface_flinger.refresh_rate_switching u:object_r:exported_default_prop:s0 exact bool
+
+# Binder cache properties. These are world-readable
+cache_key.app_inactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_compat_change_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.get_packages_for_uid u:object_r:binder_cache_system_server_prop:s0
+cache_key.has_system_feature u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_interactive u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_power_save_mode u:object_r:binder_cache_system_server_prop:s0
+cache_key.is_user_unlocked u:object_r:binder_cache_system_server_prop:s0
+cache_key.volume_list u:object_r:binder_cache_system_server_prop:s0
+cache_key.display_info u:object_r:binder_cache_system_server_prop:s0
+cache_key.location_enabled u:object_r:binder_cache_system_server_prop:s0
+cache_key.package_info u:object_r:binder_cache_system_server_prop:s0
+
+cache_key.bluetooth. u:object_r:binder_cache_bluetooth_server_prop:s0 prefix string
+cache_key.system_server. u:object_r:binder_cache_system_server_prop:s0 prefix string
+cache_key.telephony. u:object_r:binder_cache_telephony_server_prop:s0 prefix string
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/public/racoon.te b/public/racoon.te
index e4b299e..6888740 100644
--- a/public/racoon.te
+++ b/public/racoon.te
@@ -12,7 +12,6 @@
allow racoon tun_device:chr_file r_file_perms;
allowxperm racoon tun_device:chr_file ioctl TUNSETIFF;
allow racoon cgroup:dir { add_name create };
-allow racoon cgroup_v2:dir { add_name create };
allow racoon kernel:system module_request;
allow racoon self:key_socket create_socket_perms_no_ioctl;
diff --git a/public/radio.te b/public/radio.te
index e03b706..34eaf83 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -11,12 +11,21 @@
# Data file accesses.
allow radio radio_data_file:dir create_dir_perms;
allow radio radio_data_file:notdevfile_class_set create_file_perms;
-allow radio radio_core_data_file:dir r_dir_perms;
-allow radio radio_core_data_file:file r_file_perms;
+
allow radio net_data_file:dir search;
allow radio net_data_file:file r_file_perms;
+# Property service
+set_prop(radio, radio_prop)
+set_prop(radio, exported_radio_prop)
+set_prop(radio, exported2_radio_prop)
+set_prop(radio, exported3_radio_prop)
+set_prop(radio, net_radio_prop)
+
+# ctl interface
+set_prop(radio, ctl_rildaemon_prop)
+
add_service(radio, radio_service)
allow radio audioserver_service:service_manager find;
allow radio cameraserver_service:service_manager find;
diff --git a/public/recovery.te b/public/recovery.te
index 3649888..63a9cea 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -32,7 +32,7 @@
# Mount filesystems.
allow recovery rootfs:dir mounton;
allow recovery tmpfs:dir mounton;
- allow recovery { fs_type enforce_debugfs_restriction(`-debugfs_type') }:filesystem ~relabelto;
+ allow recovery fs_type:filesystem ~relabelto;
allow recovery unlabeled:filesystem ~relabelto;
allow recovery contextmount_type:filesystem relabelto;
@@ -108,6 +108,26 @@
# Read files on /oem.
r_dir_file(recovery, oemfs);
+ # Reboot the device
+ set_prop(recovery, powerctl_prop)
+
+ # Read serial number of the device from system properties
+ get_prop(recovery, serialno_prop)
+
+ # Set sys.usb.ffs.ready when starting minadbd for sideload.
+ set_prop(recovery, ffs_prop)
+ set_prop(recovery, exported_ffs_prop)
+
+ # Set sys.usb.config when switching into fastboot.
+ set_prop(recovery, system_radio_prop)
+ set_prop(recovery, exported_system_radio_prop)
+
+ # Read ro.boot.bootreason
+ get_prop(recovery, bootloader_boot_reason_prop)
+
+ # Read storage properties (for correctly formatting filesystems)
+ get_prop(recovery, storage_config_prop)
+
# Use setfscreatecon() to label files for OTA updates.
allow recovery self:process setfscreate;
@@ -127,12 +147,22 @@
allowxperm recovery super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
# Allow using libfiemap/gsid directly (no binder in recovery).
- allow recovery gsi_metadata_file_type:dir search;
+ set_prop(recovery, gsid_prop)
+ allow recovery gsi_metadata_file:dir search;
allow recovery ota_metadata_file:dir rw_dir_perms;
allow recovery ota_metadata_file:file create_file_perms;
# Allow mounting /metadata for writing update states
allow recovery metadata_file:dir { getattr mounton };
+
+ # These are needed to allow recovery to manage network
+ allow recovery self:netlink_route_socket { create write read nlmsg_readpriv nlmsg_read };
+ allow recovery self:global_capability_class_set net_admin;
+ allow recovery self:tcp_socket { create ioctl };
+ allowxperm recovery self:tcp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS };
+
+ # Set fastbootd protocol property
+ set_prop(recovery, fastbootd_protocol_prop)
')
###
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..1ae3770 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -2,7 +2,6 @@
type sdcardd_exec, system_file_type, exec_type, file_type;
allow sdcardd cgroup:dir create_dir_perms;
-allow sdcardd cgroup_v2:dir create_dir_perms;
allow sdcardd fuse_device:chr_file rw_file_perms;
allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
allow sdcardd sdcardfs:filesystem remount;
diff --git a/public/service.te b/public/service.te
index ba7837d..f27772e 100644
--- a/public/service.te
+++ b/public/service.te
@@ -1,8 +1,6 @@
type aidl_lazy_test_service, service_manager_type;
-type apc_service, service_manager_type;
type apex_service, service_manager_type;
type audioserver_service, service_manager_type;
-type authorization_service, service_manager_type;
type batteryproperties_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type bluetooth_service, service_manager_type;
type cameraserver_service, service_manager_type;
@@ -11,18 +9,15 @@
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
-type gpu_service, app_api_service, ephemeral_app_api_service, service_manager_type;
+type gpu_service, app_api_service, service_manager_type;
type idmap_service, service_manager_type;
type iorapd_service, service_manager_type;
type incident_service, service_manager_type;
type installd_service, service_manager_type;
type credstore_service, app_api_service, service_manager_type;
-type keystore_compat_hal_service, service_manager_type;
-type keystore_maintenance_service, service_manager_type;
-type keystore_metrics_service, service_manager_type;
type keystore_service, service_manager_type;
-type legacykeystore_service, service_manager_type;
type lpdump_service, service_manager_type;
type mediaserver_service, service_manager_type;
type mediametrics_service, service_manager_type;
@@ -32,17 +27,13 @@
type netd_service, service_manager_type;
type nfc_service, service_manager_type;
type radio_service, service_manager_type;
-type remoteprovisioning_service, service_manager_type;
type secure_element_service, service_manager_type;
type service_manager_service, service_manager_type;
type storaged_service, service_manager_type;
type surfaceflinger_service, app_api_service, ephemeral_app_api_service, service_manager_type;
type system_app_service, service_manager_type;
-type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
-type update_engine_stable_service, service_manager_type;
-type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
@@ -56,7 +47,6 @@
type adb_service, system_api_service, system_server_service, service_manager_type;
type alarm_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type app_binding_service, system_server_service, service_manager_type;
-type app_hibernation_service, system_api_service, system_server_service, service_manager_type;
type app_integrity_service, system_api_service, system_server_service, service_manager_type;
type app_prediction_service, app_api_service, system_server_service, service_manager_type;
type app_search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -95,13 +85,11 @@
type dbinfo_service, system_api_service, system_server_service, service_manager_type;
type device_config_service, system_server_service, service_manager_type;
type device_policy_service, app_api_service, system_server_service, service_manager_type;
-type device_state_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type deviceidle_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type device_identifiers_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type devicestoragemonitor_service, system_server_service, service_manager_type;
type diskstats_service, system_api_service, system_server_service, service_manager_type;
type display_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type domain_verification_service, app_api_service, system_server_service, service_manager_type;
type color_display_service, system_api_service, system_server_service, service_manager_type;
type external_vibrator_service, system_server_service, service_manager_type;
type file_integrity_service, app_api_service, system_server_service, service_manager_type;
@@ -114,19 +102,15 @@
type lowpan_service, system_api_service, system_server_service, service_manager_type;
type ethernet_service, app_api_service, system_server_service, service_manager_type;
type biometric_service, app_api_service, system_server_service, service_manager_type;
-type bugreport_service, app_api_service, system_server_service, service_manager_type;
+type bugreport_service, system_api_service, system_server_service, service_manager_type;
type platform_compat_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type face_service, app_api_service, system_server_service, service_manager_type;
type fingerprint_service, app_api_service, system_server_service, service_manager_type;
-type fwk_stats_service, app_api_service, system_server_service, service_manager_type;
-type game_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type gfxinfo_service, system_api_service, system_server_service, service_manager_type;
-type gnss_time_update_service, system_server_service, service_manager_type;
type graphicsstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type hardware_service, system_server_service, service_manager_type;
type hardware_properties_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type hdmi_control_service, app_api_service, system_server_service, service_manager_type;
-type hint_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type hdmi_control_service, system_api_service, system_server_service, service_manager_type;
type imms_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type incremental_service, system_server_service, service_manager_type;
type input_method_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -135,22 +119,16 @@
type iris_service, app_api_service, system_server_service, service_manager_type;
type jobscheduler_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type launcherapps_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type legacy_permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type light_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type location_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type location_time_zone_manager_service, system_server_service, service_manager_type;
-type lock_settings_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type lock_settings_service, system_api_service, system_server_service, service_manager_type;
type looper_stats_service, system_server_service, service_manager_type;
-type media_communication_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type media_metrics_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_projection_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_router_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type media_session_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type meminfo_service, system_api_service, system_server_service, service_manager_type;
-type memtrackproxy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type midi_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type mount_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type music_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netpolicy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type netstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type network_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -161,21 +139,16 @@
type oem_lock_service, system_api_service, system_server_service, service_manager_type;
type otadexopt_service, system_server_service, service_manager_type;
type overlay_service, system_api_service, system_server_service, service_manager_type;
-type pac_proxy_service, app_api_service, system_server_service, service_manager_type;
type package_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type package_native_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type people_service, app_api_service, system_server_service, service_manager_type;
type permission_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type permissionmgr_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type permission_checker_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type persistent_data_block_service, system_api_service, system_server_service, service_manager_type;
type pinner_service, system_server_service, service_manager_type;
-type powerstats_service, app_api_service, system_server_service, service_manager_type;
type power_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type print_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type processinfo_service, system_server_service, service_manager_type;
type procstats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type reboot_readiness_service, app_api_service, system_server_service, service_manager_type;
type recovery_service, system_server_service, service_manager_type;
type registry_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type restrictions_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -186,7 +159,6 @@
type samplingprofiler_service, system_server_service, service_manager_type;
type scheduling_policy_service, system_server_service, service_manager_type;
type search_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type search_ui_service, app_api_service, system_server_service, service_manager_type;
type sec_key_att_app_id_provider_service, app_api_service, system_server_service, service_manager_type;
type sensorservice_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type sensor_privacy_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -195,25 +167,20 @@
type settings_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type shortcut_service, app_api_service, system_server_service, service_manager_type;
type slice_service, app_api_service, system_server_service, service_manager_type;
-type smartspace_service, app_api_service, system_server_service, service_manager_type;
type statusbar_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type storagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type system_config_service, system_api_service, system_server_service, service_manager_type;
-type system_server_dumper_service, system_api_service, system_server_service, service_manager_type;
type system_update_service, system_server_service, service_manager_type;
type soundtrigger_middleware_service, system_server_service, service_manager_type;
-type speech_recognition_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type task_service, system_server_service, service_manager_type;
type testharness_service, system_server_service, service_manager_type;
type textclassification_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type textservices_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type texttospeech_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type telecom_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type thermal_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type timedetector_service, app_api_service, system_server_service, service_manager_type;
+type timedetector_service, system_server_service, service_manager_type;
type timezone_service, system_server_service, service_manager_type;
-type timezonedetector_service, app_api_service, system_server_service, service_manager_type;
-type translation_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
+type timezonedetector_service, system_server_service, service_manager_type;
type trust_service, app_api_service, system_server_service, service_manager_type;
type tv_input_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type tv_tuner_resource_mgr_service, app_api_service, system_server_service, service_manager_type;
@@ -223,12 +190,8 @@
type usagestats_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type usb_service, app_api_service, system_server_service, service_manager_type;
type user_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type uwb_service, app_api_service, system_server_service, service_manager_type;
-type vcn_management_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type vibrator_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vibrator_manager_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
type voiceinteraction_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
-type vpn_management_service, app_api_service, system_server_service, service_manager_type;
type vr_manager_service, system_server_service, service_manager_type;
type wallpaper_service, app_api_service, system_server_service, service_manager_type;
type webviewupdate_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
@@ -247,27 +210,11 @@
### HAL Services
###
-type hal_audio_service, vendor_service, protected_service, service_manager_type;
-type hal_audiocontrol_service, vendor_service, service_manager_type;
-type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_face_service, vendor_service, protected_service, service_manager_type;
-type hal_fingerprint_service, vendor_service, protected_service, service_manager_type;
-type hal_gnss_service, vendor_service, protected_service, service_manager_type;
-type hal_health_storage_service, vendor_service, protected_service, service_manager_type;
-type hal_identity_service, vendor_service, protected_service, service_manager_type;
-type hal_keymint_service, vendor_service, protected_service, service_manager_type;
-type hal_light_service, vendor_service, protected_service, service_manager_type;
-type hal_memtrack_service, vendor_service, protected_service, service_manager_type;
-type hal_neuralnetworks_service, vendor_service, service_manager_type;
-type hal_oemlock_service, vendor_service, protected_service, service_manager_type;
-type hal_power_service, vendor_service, protected_service, service_manager_type;
-type hal_power_stats_service, vendor_service, protected_service, service_manager_type;
-type hal_rebootescrow_service, vendor_service, protected_service, service_manager_type;
-type hal_remotelyprovisionedcomponent_service, vendor_service, protected_service, service_manager_type;
-type hal_secureclock_service, vendor_service, protected_service, service_manager_type;
-type hal_sharedsecret_service, vendor_service, protected_service, service_manager_type;
-type hal_vibrator_service, vendor_service, protected_service, service_manager_type;
-type hal_weaver_service, vendor_service, protected_service, service_manager_type;
+type hal_identity_service, vendor_service, service_manager_type;
+type hal_light_service, vendor_service, service_manager_type;
+type hal_power_service, vendor_service, service_manager_type;
+type hal_rebootescrow_service, vendor_service, service_manager_type;
+type hal_vibrator_service, vendor_service, service_manager_type;
###
### Neverallow rules
diff --git a/public/shared_relro.te b/public/shared_relro.te
index 6dd5bd7..8e58e42 100644
--- a/public/shared_relro.te
+++ b/public/shared_relro.te
@@ -1,2 +1,11 @@
# Process which creates/updates shared RELRO files to be used by other apps.
type shared_relro, domain;
+
+# Grant write access to the shared relro files/directory.
+allow shared_relro shared_relro_file:dir rw_dir_perms;
+allow shared_relro shared_relro_file:file create_file_perms;
+
+# Needs to contact the "webviewupdate" and "activity" services
+allow shared_relro activity_service:service_manager find;
+allow shared_relro webviewupdate_service:service_manager find;
+allow shared_relro package_service:service_manager find;
diff --git a/public/shell.te b/public/shell.te
index 70a7fb4..c0412eb 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -25,13 +25,6 @@
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
-# Access /data/local/tests.
-allow shell shell_test_data_file:dir create_dir_perms;
-allow shell shell_test_data_file:file create_file_perms;
-allow shell shell_test_data_file:file rx_file_perms;
-allow shell shell_test_data_file:lnk_file create_file_perms;
-allow shell shell_test_data_file:sock_file create_file_perms;
-
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
@@ -65,12 +58,60 @@
r_dir_file(shell, apk_data_file)
+# Set properties.
+set_prop(shell, shell_prop)
+set_prop(shell, ctl_bugreport_prop)
+set_prop(shell, ctl_dumpstate_prop)
+set_prop(shell, dumpstate_prop)
+set_prop(shell, exported_dumpstate_prop)
+set_prop(shell, debug_prop)
+set_prop(shell, powerctl_prop)
+set_prop(shell, log_tag_prop)
+set_prop(shell, wifi_log_prop)
+# Allow shell to start/stop traced via the persist.traced.enable
+# property (which also takes care of /data/misc initialization).
+set_prop(shell, traced_enabled_prop)
+# adjust is_loggable properties
+userdebug_or_eng(`set_prop(shell, log_prop)')
+# logpersist script
+userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
+# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
+# property.
+set_prop(shell, heapprofd_enabled_prop)
+# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
+# property.
+set_prop(shell, traced_perf_enabled_prop)
+# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
+set_prop(shell, ctl_gsid_prop)
+# Allow shell to enable Dynamic System Update
+set_prop(shell, dynamic_system_prop)
+# Allow shell to mock an OTA using persist.pm.mock-upgrade
+set_prop(shell, mock_ota_prop)
+
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
+ set_prop(shell, persist_debug_prop)
')
+# Read device's serial number from system properties
+get_prop(shell, serialno_prop)
+
+# Allow shell to read the vendor security patch level for CTS
+get_prop(shell, vendor_security_patch_level_prop)
+
+# Read state of logging-related properties
+get_prop(shell, device_logging_prop)
+
+# Read state of boot reason properties
+get_prop(shell, bootloader_boot_reason_prop)
+get_prop(shell, last_boot_reason_prop)
+get_prop(shell, system_boot_reason_prop)
+
+# Allow reading the outcome of perf_event_open LSM support test for CTS.
+get_prop(shell, init_perf_lsm_hooks_prop)
+
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
@@ -85,7 +126,6 @@
-installd_service
-iorapd_service
-netd_service
- -system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
@@ -123,10 +163,6 @@
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
-allow shell cgroup_desc_file:file r_file_perms;
-allow shell cgroup_desc_api_file:file r_file_perms;
-allow shell vendor_cgroup_desc_file:file r_file_perms;
-r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
@@ -158,9 +194,6 @@
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
-# allow shell to list /sys/class/block/ to get storage type for CTS
-allow shell sysfs_block:dir r_dir_perms;
-
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
diff --git a/public/simpleperf_app_runner.te b/public/simpleperf_app_runner.te
index 2ed007e..b7ff7a0 100644
--- a/public/simpleperf_app_runner.te
+++ b/public/simpleperf_app_runner.te
@@ -27,8 +27,7 @@
allow simpleperf_app_runner seapp_contexts_file:file r_file_perms;
# simpleperf_app_runner passes pipe fds.
-# simpleperf_app_runner writes app type (debuggable or profileable) to pipe fds.
-allow simpleperf_app_runner shell:fifo_file { read write };
+allow simpleperf_app_runner shell:fifo_file read;
# simpleperf_app_runner checks shell data paths.
# simpleperf_app_runner passes shell data fds.
diff --git a/public/stats_service_server.te b/public/stats_service_server.te
index ab8e58a..564ae23 100644
--- a/public/stats_service_server.te
+++ b/public/stats_service_server.te
@@ -1,4 +1 @@
add_hwservice(stats_service_server, fwk_stats_hwservice)
-add_service(stats_service_server, fwk_stats_service)
-
-binder_use(stats_service_server)
diff --git a/public/statsd.te b/public/statsd.te
index 670f4c7..435bbdf 100644
--- a/public/statsd.te
+++ b/public/statsd.te
@@ -33,14 +33,6 @@
allow statsd gpu_service:service_manager find;
binder_call(statsd, gpuservice)
-# Allow statsd to interact with keystore to pull atoms
-allow statsd keystore_service:service_manager find;
-binder_call(statsd, keystore)
-
-# Allow statsd to interact with mediametrics
-allow statsd mediametrics_service:service_manager find;
-binder_call(statsd, mediametrics)
-
# Allow logd access.
read_logd(statsd)
control_logd(statsd)
diff --git a/public/su.te b/public/su.te
index 074ff2e..99d4603 100644
--- a/public/su.te
+++ b/public/su.te
@@ -18,7 +18,6 @@
vndbinder_use(su)
dontaudit su self:capability_class_set *;
- dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
@@ -48,7 +47,6 @@
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
- dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
diff --git a/public/system_server.te b/public/system_server.te
index edefadf..ff18bdf 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -4,14 +4,3 @@
#
type system_server, domain;
type system_server_tmpfs, file_type, mlstrustedobject;
-
-# Power controls for debugging/diagnostics
-get_prop(system_server, power_debug_prop)
-set_prop(system_server, power_debug_prop)
-
-neverallow {
- domain
- -init
- -vendor_init
- -system_server
-} power_debug_prop:property_service set;
diff --git a/public/system_suspend_internal_server.te b/public/system_suspend_internal_server.te
deleted file mode 100644
index 67bff77..0000000
--- a/public/system_suspend_internal_server.te
+++ /dev/null
@@ -1,11 +0,0 @@
-# To serve ISuspendControlServiceInternal.
-add_service(system_suspend_internal_server, system_suspend_control_internal_service)
-
-neverallow {
- domain
- -atrace # tracing
- -dumpstate # bug reports
- -system_suspend_internal_server # implements system_suspend_control_internal_service
- -system_server # configures system_suspend via ISuspendControlServiceInternal
- -traceur_app # tracing
-} system_suspend_control_internal_service:service_manager find;
diff --git a/public/te_macros b/public/te_macros
index 7dc5062..56f97752 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -163,21 +163,6 @@
domain_auto_trans(init, $1_exec, $1)
')
-####################################
-# userfaultfd_use(domain)
-# Allow domain to create/use userfaultfd.
-define(`userfaultfd_use', `
-# Set up a type_transition to "userfaultfd" named anonymous inode object.
-type $1_userfaultfd;
-type_transition $1 $1:anon_inode $1_userfaultfd "[userfaultfd]";
-# Allow domain to create/use userfaultfd anon_inode.
-allow $1 $1_userfaultfd:anon_inode { create ioctl read };
-# Other domains may not use userfaultfd anon_inodes created by this domain.
-neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
-# This domain may not use userfaultfd anon_inodes created by other domains.
-neverallow $1 ~$1_userfaultfd:anon_inode *;
-')
-
#####################################
# app_domain(domain)
# Allow a base set of permissions required for all apps.
@@ -185,7 +170,6 @@
typeattribute $1 appdomain;
# Label tmpfs objects for all apps.
type_transition $1 tmpfs:file appdomain_tmpfs;
-userfaultfd_use($1)
allow $1 appdomain_tmpfs:file { execute getattr map read write };
neverallow { $1 -runas_app -shell -simpleperf } { domain -$1 }:file no_rw_file_perms;
neverallow { appdomain -runas_app -shell -simpleperf -$1 } $1:file no_rw_file_perms;
@@ -483,12 +467,6 @@
define(`recovery_only', ifelse(target_recovery, `true', $1, ))
#####################################
-# Not recovery
-# SELinux rules which apply only to non-recovery (normal) mode
-#
-define(`not_recovery', ifelse(target_recovery, `true', , $1))
-
-#####################################
# Full TREBLE only
# SELinux rules which apply only to full TREBLE devices
#
@@ -506,23 +484,6 @@
define(`not_full_treble', ifelse(target_full_treble, `true', , $1))
#####################################
-# enforce_debugfs_restriction
-# SELinux rules which apply to devices that enable debugfs restrictions.
-# The keyword "cts" is used to insert markers to only CTS test the neverallows
-# added by the macro for S-launch devices and newer.
-define(`enforce_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', $1,
-ifelse(target_enforce_debugfs_restriction, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
-#####################################
-# no_debugfs_restriction
-# SELinux rules which apply to devices that do not have debugfs restrictions in non-user builds.
-define(`no_debugfs_restriction', ifelse(target_enforce_debugfs_restriction, `true', , $1))
-
-#####################################
# Compatible property only
# SELinux rules which apply only to devices with compatible property
#
@@ -633,9 +594,7 @@
allow keystore $1:dir search;
allow keystore $1:file { read open };
allow keystore $1:process getattr;
- allow $1 apc_service:service_manager find;
allow $1 keystore_service:service_manager find;
- allow $1 legacykeystore_service:service_manager find;
binder_call($1, keystore)
binder_call(keystore, $1)
')
@@ -695,47 +654,46 @@
add_hwservice($1_server, $2)
build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
neverallow { domain -$1_client -$1_server } $2:hwservice_manager find;
')
')
-###########################################
-# hal_attribute_service(attribute, service)
-# Ability for domain to get a service to service_manager
-# and find it. It also creates a neverallow preventing
-# others from adding it.
-#
-# Used to pair hal_foo_client with hal_foo_service
-define(`hal_attribute_service', `
- allow $1_client $2:service_manager find;
- add_service($1_server, $2)
-
- build_test_only(`
- # if you are hitting this neverallow, try using:
- # hal_client_domain(<your domain>, hal_<foo>)
- # instead
- neverallow {
- domain
- -$1_client
- -$1_server
- # some services are allowed to find all services
- -atrace
- -dumpstate
- -shell
- -system_app
- -traceur_app
- } $2:service_manager find;
- ')
-')
-
###################################
# can_profile_heap(domain)
+# Allow processes within the domain to have their heap profiled by heapprofd.
+#
+# Note that profiling is performed differently between debug and user builds.
+# There are two modes for profiling:
+# * forked
+# * central.
+# On user builds, the default is to allow only forked mode. If it is desired
+# to allow central mode as well for a domain, use can_profile_heap_central.
+# On userdebug, this macro allows both forked and central.
+define(`can_profile_heap', `
+ # Allow central daemon to send signal for client initialization.
+ allow heapprofd $1:process signal;
+
+ # Allow executing a private heapprofd process to handle profiling on
+ # user builds (also debug builds for testing & development purposes).
+ allow $1 heapprofd_exec:file rx_file_perms;
+
+ # Allow directory & file read to the central heapprofd daemon, as it scans
+ # /proc/[pid]/cmdline for by-process-name profiling configs.
+ # Note that this excludes /proc/[pid]/mem, as it requires ptrace capabilities.
+ allow heapprofd $1:file r_file_perms;
+ allow heapprofd $1:dir r_dir_perms;
+
+ # Profilability on user implies profilability on userdebug and eng.
+ userdebug_or_eng(`
+ can_profile_heap_central($1)
+ ')
+')
+
+###################################
+# can_profile_heap_central(domain)
# Allow processes within the domain to have their heap profiled by central
# heapprofd.
-define(`can_profile_heap', `
+define(`can_profile_heap_central', `
# Allow central daemon to send signal for client initialization.
allow heapprofd $1:process signal;
# Allow connecting to the daemon.
@@ -826,19 +784,19 @@
#####################################
# treble_sysprop_neverallow(rules)
-# SELinux neverallow rules which enforces the accessibility of each property
+# SELinux neverallow rules which enforces the owner of each property and accessibility
# outside the owner.
#
-# For devices launching with R or later, exported properties must be explicitly marked as
-# "restricted" or "public", depending on the accessibility outside the owner.
+# For devices launching with R or later, all properties must be explicitly marked as one of:
+# system_property_type, vendor_property_type, or product_property_type.
+# Also, exported properties must be explicitly marked as "restricted" or "public",
+# depending on the accessibility outside the owner.
# For devices launching with Q or eariler, this neverallow rules can be relaxed with defining
# BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW := true on BoardConfig.mk.
# See {partition}_{accessibility}_prop macros below.
#
# CTS uses these rules only for devices launching with R or later.
#
-# TODO(b/131162102): deprecate BUILD_BROKEN_TREBLE_SYSPROP_NEVERALLOW
-#
define(`treble_sysprop_neverallow', ifelse(target_treble_sysprop_neverallow, `true', $1,
ifelse(target_treble_sysprop_neverallow, `cts',
# BEGIN_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
@@ -846,25 +804,6 @@
# END_LAUNCHING_WITH_R_ONLY -- this marker is used by CTS -- do not modify
, )))
-#####################################
-# enforce_sysprop_owner(rules)
-# SELinux neverallow rules which enforces the owner of each property.
-#
-# For devices launching with S or later, all properties must be explicitly marked as one of:
-# system_property_type, vendor_property_type, or product_property_type.
-# For devices launching with R or eariler, this neverallow rules can be relaxed with defining
-# BUILD_BROKEN_ENFORCE_SYSPROP_OWNER := true on BoardConfig.mk.
-# See {partition}_{accessibility}_prop macros below.
-#
-# CTS uses these ules only for devices launching with S or later.
-#
-define(`enforce_sysprop_owner', ifelse(target_enforce_sysprop_owner, `true', $1,
-ifelse(target_enforce_sysprop_owner, `cts',
-# BEGIN_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-$1
-# END_LAUNCHING_WITH_S_ONLY -- this marker is used by CTS -- do not modify
-, )))
-
###########################################
# define_prop(name, owner, scope)
# Define a property with given owner and scope
@@ -982,12 +921,3 @@
# Define a /vendor-owned property with no restrictions
#
define(`vendor_public_prop', `define_prop($1, vendor, public)')
-
-#####################################
-# read_fstab(domain)
-# Ability to call ReadDefaultFstab() and ReadFstabFromFile().
-#
-define(`read_fstab', `
- allow $1 { metadata_file gsi_metadata_file_type }:dir search;
- allow $1 gsi_public_metadata_file:file r_file_perms;
-')
diff --git a/public/traced.te b/public/traced.te
index 922d46e..ec5b850 100644
--- a/public/traced.te
+++ b/public/traced.te
@@ -1,3 +1,2 @@
type traced, domain, coredomain, mlstrustedsubject;
-type traced_tmpfs, file_type;
diff --git a/public/traceur_app.te b/public/traceur_app.te
index ce9b844..7e2cc84 100644
--- a/public/traceur_app.te
+++ b/public/traceur_app.te
@@ -3,6 +3,11 @@
allow traceur_app servicemanager:service_manager list;
allow traceur_app hwservicemanager:hwservice_manager list;
+# Allow Traceur to enable traced if necessary.
+set_prop(traceur_app, traced_enabled_prop)
+
+set_prop(traceur_app, debug_prop)
+
allow traceur_app {
service_manager_type
-apex_service
diff --git a/public/ueventd.te b/public/ueventd.te
index d5d4301..fc503b8 100644
--- a/public/ueventd.te
+++ b/public/ueventd.te
@@ -31,18 +31,14 @@
# Access for /vendor/ueventd.rc and /vendor/firmware
r_dir_file(ueventd, { vendor_file_type -vendor_app_file -vendor_overlay_file })
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
# Get file contexts for new device nodes
allow ueventd file_contexts_file:file r_file_perms;
# Use setfscreatecon() to label /dev directories and files.
allow ueventd self:process setfscreate;
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
+# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline.
allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
# Everything is labeled as rootfs in recovery mode. ueventd has to execute
# the dynamic linker and shared libraries.
@@ -63,6 +59,10 @@
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+# ueventd can set properties, particularly it sets ro.cold_boot_done to signal
+# to init that cold boot has completed.
+set_prop(ueventd, cold_boot_done_prop)
+
# Allow ueventd to run shell scripts from vendor
allow ueventd vendor_shell_exec:file execute;
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 3b04671..4114b2a 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -22,6 +22,9 @@
# Write to /dev/socket/uncrypt
unix_socket_connect(uncrypt, uncrypt, uncrypt)
+# Set a property to reboot the device.
+set_prop(uncrypt, powerctl_prop)
+
# Raw writes to block device
allow uncrypt self:global_capability_class_set sys_rawio;
allow uncrypt misc_block_device:blk_file w_file_perms;
@@ -32,15 +35,12 @@
r_dir_file(uncrypt, rootfs)
-# Access to bootconfig is needed when calling ReadDefaultFstab.
-allow uncrypt {
- proc_bootconfig
- proc_cmdline
-
-}:file r_file_perms;
+# uncrypt reads /proc/cmdline
+allow uncrypt proc_cmdline:file r_file_perms;
# Read files in /sys
r_dir_file(uncrypt, sysfs_dt_firmware_android)
-# Allow ReadDefaultFstab().
-read_fstab(uncrypt)
+# Suppress the denials coming from ReadDefaultFstab call.
+dontaudit uncrypt gsi_metadata_file:dir search;
+dontaudit uncrypt metadata_file:dir search;
diff --git a/public/update_engine.te b/public/update_engine.te
index ab7090b..8b767be 100644
--- a/public/update_engine.te
+++ b/public/update_engine.te
@@ -35,7 +35,6 @@
# Register the service to perform Binder IPC.
binder_use(update_engine)
add_service(update_engine, update_engine_service)
-add_service(update_engine, update_engine_stable_service)
# Allow update_engine to call the callback function provided by priv_app/GMS core.
binder_call(update_engine, priv_app)
@@ -64,11 +63,21 @@
# read directories on /system and /vendor
allow update_engine system_file:dir r_dir_perms;
-# Allow ReadDefaultFstab().
+# Allow to start gsid service.
+set_prop(update_engine, ctl_gsid_prop)
+
+# Allow to set the OTA related properties, e.g. ota.warm_reset.
+set_prop(update_engine, ota_prop)
+
+# Allow to get the DSU status
+get_prop(update_engine, gsid_prop)
+
# update_engine tries to determine the parent path for all devices (e.g.
# /dev/block/by-name) by reading the default fstab and looking for the misc
-# device.
-read_fstab(update_engine)
+# device. ReadDefaultFstab() checks whether a GSI is running by checking
+# gsi_metadata_file. We never apply OTAs when GSI is running, so just deny
+# the access.
+dontaudit update_engine gsi_metadata_file:dir search;
# Allow to write to snapshotctl_log logs.
# TODO(b/148818798) revert when parent bug is fixed.
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index e8fd29e..57d8e7e 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -33,7 +33,7 @@
# labels on the mounted filesystem to postinstall_file.
allow update_engine_common postinstall_mnt_dir:dir { mounton getattr search };
allow update_engine_common postinstall_file:filesystem { mount unmount relabelfrom relabelto };
-allow update_engine_common labeledfs:filesystem { mount unmount relabelfrom };
+allow update_engine_common labeledfs:filesystem relabelfrom;
# Allow update_engine_common to read and execute postinstall_file.
allow update_engine_common postinstall_file:file rx_file_perms;
@@ -59,20 +59,12 @@
# Needed because libdm reads sysfs to validate when a dm path is ready.
r_dir_file(update_engine_common, sysfs_dm)
-# Scan files in /sys/fs/ext4 and /sys/fs/f2fs for device-mapper diagnostics.
-allow update_engine_common sysfs:dir r_dir_perms;
-allow update_engine_common sysfs_fs_f2fs:dir r_dir_perms;
-
# read / write on /dev/device-mapper to map / unmap devices
allow update_engine_common dm_device:chr_file rw_file_perms;
# apply / verify updates on devices mapped via device mapper
allow update_engine_common dm_device:blk_file rw_file_perms;
-# read /dev/dm-user, so that we can inotify wait for control devices to be
-# asynchronously created by ueventd.
-allow update_engine dm_user_device:dir r_dir_perms;
-
# read / write metadata on super device to resize partitions
allow update_engine_common super_block_device_type:blk_file rw_file_perms;
@@ -88,10 +80,6 @@
# Allow to read Virtual A/B feature flags.
get_prop(update_engine_common, virtual_ab_prop)
-# Allow to read GKI related flags.
-get_prop(update_engine_common, ab_update_gki_prop)
-get_prop(update_engine_common, build_bootimage_prop)
-
# Allow to read/write/create OTA metadata files for snapshot status and COW file status.
allow update_engine_common metadata_file:dir search;
allow update_engine_common ota_metadata_file:dir rw_dir_perms;
diff --git a/public/update_verifier.te b/public/update_verifier.te
index 68b43f0..f881aeb 100644
--- a/public/update_verifier.te
+++ b/public/update_verifier.te
@@ -24,6 +24,12 @@
# Write to kernel message.
allow update_verifier kmsg_device:chr_file { getattr w_file_perms };
+# Allow update_verifier to reboot the device.
+set_prop(update_verifier, powerctl_prop)
+
+# Allow to set the OTA related properties e.g. ota.warm_reset.
+set_prop(update_verifier, ota_prop)
+
# Use Boot Control HAL
hal_client_domain(update_verifier, hal_bootctl)
diff --git a/public/usbd.te b/public/usbd.te
index 6f34954..991e7be 100644
--- a/public/usbd.te
+++ b/public/usbd.te
@@ -1,2 +1,5 @@
type usbd, domain;
type usbd_exec, system_file_type, exec_type, file_type;
+
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)
diff --git a/public/userdata_sysdev.te b/public/userdata_sysdev.te
deleted file mode 100644
index 9974f36..0000000
--- a/public/userdata_sysdev.te
+++ /dev/null
@@ -1 +0,0 @@
-allow userdata_sysdev sysfs:filesystem associate;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0999f48..36bb5cb 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -16,8 +16,6 @@
# Create cgroups mount points in tmpfs and mount cgroups on them.
allow vendor_init cgroup:dir create_dir_perms;
allow vendor_init cgroup:file w_file_perms;
-allow vendor_init cgroup_v2:dir create_dir_perms;
-allow vendor_init cgroup_v2:file w_file_perms;
# /config
allow vendor_init configfs:dir mounton;
@@ -57,9 +55,8 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file_type
+ -gsi_metadata_file
-apex_metadata_file
- -userspace_reboot_metadata_file
}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
allow vendor_init unlabeled:{ dir notdevfile_class_set } { getattr relabelfrom };
@@ -75,11 +72,8 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file_type
+ -gsi_metadata_file
-apex_metadata_file
- -apex_info_file
- -userspace_reboot_metadata_file
- enforce_debugfs_restriction(`-debugfs_type')
}:file { create getattr open read write setattr relabelfrom unlink map };
allow vendor_init {
@@ -92,9 +86,8 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file_type
+ -gsi_metadata_file
-apex_metadata_file
- -userspace_reboot_metadata_file
}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow vendor_init {
@@ -108,9 +101,8 @@
-unlabeled
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file_type
+ -gsi_metadata_file
-apex_metadata_file
- -userspace_reboot_metadata_file
}:lnk_file { create getattr setattr relabelfrom unlink };
allow vendor_init {
@@ -123,9 +115,8 @@
-system_file_type
-vendor_file_type
-vold_metadata_file
- -gsi_metadata_file_type
+ -gsi_metadata_file
-apex_metadata_file
- -userspace_reboot_metadata_file
}:dir_file_class_set relabelto;
allow vendor_init dev_type:dir create_dir_perms;
@@ -144,11 +135,8 @@
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
-proc_uid_concurrent_policy_time
- enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr map };
-allow vendor_init tracefs_type:file { open read setattr map };
-
allow vendor_init {
fs_type
-contextmount_type
@@ -159,6 +147,15 @@
-proc_uid_concurrent_policy_time
}:dir { open read setattr search };
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+ dev_type
+ -keychord_device
+ -port_device
+ -lowpan_device
+ -hw_random_device
+}:chr_file setattr;
+
allow vendor_init dev_type:blk_file getattr;
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
@@ -192,9 +189,6 @@
allow vendor_init system_bootstrap_lib_file:dir r_dir_perms;
allow vendor_init system_bootstrap_lib_file:file { execute read open getattr map };
-# allow filesystem tuning
-allow vendor_init userdata_sysdev:file create_file_perms;
-
# Everything is labeled as rootfs in recovery mode. Vendor init has to execute
# the dynamic linker and shared libraries.
recovery_only(`
@@ -212,59 +206,50 @@
# Get file context
allow vendor_init file_contexts_file:file r_file_perms;
-# Allow vendor_init to (re)set nice
-allow vendor_init self:capability sys_nice;
-
set_prop(vendor_init, apk_verity_prop)
set_prop(vendor_init, bluetooth_a2dp_offload_prop)
set_prop(vendor_init, bluetooth_audio_hal_prop)
-set_prop(vendor_init, camera2_extensions_prop)
-set_prop(vendor_init, camerax_extensions_prop)
set_prop(vendor_init, cpu_variant_prop)
-set_prop(vendor_init, dalvik_runtime_prop)
set_prop(vendor_init, debug_prop)
+set_prop(vendor_init, exported_audio_prop)
set_prop(vendor_init, exported_bluetooth_prop)
set_prop(vendor_init, exported_camera_prop)
set_prop(vendor_init, exported_config_prop)
+set_prop(vendor_init, exported_dalvik_prop)
set_prop(vendor_init, exported_default_prop)
+set_prop(vendor_init, exported_ffs_prop)
set_prop(vendor_init, exported_overlay_prop)
set_prop(vendor_init, exported_pm_prop)
-set_prop(vendor_init, ffs_control_prop)
-set_prop(vendor_init, hw_timeout_multiplier_prop)
+set_prop(vendor_init, exported_radio_prop)
+set_prop(vendor_init, exported_system_radio_prop)
+set_prop(vendor_init, exported_wifi_prop)
+set_prop(vendor_init, exported2_config_prop)
+set_prop(vendor_init, exported2_system_prop)
+set_prop(vendor_init, exported2_vold_prop)
+set_prop(vendor_init, exported3_default_prop)
+set_prop(vendor_init, exported3_radio_prop)
set_prop(vendor_init, incremental_prop)
set_prop(vendor_init, lmkd_prop)
set_prop(vendor_init, logd_prop)
set_prop(vendor_init, log_tag_prop)
set_prop(vendor_init, log_prop)
-set_prop(vendor_init, qemu_hw_prop)
-set_prop(vendor_init, radio_control_prop)
set_prop(vendor_init, rebootescrow_hal_prop)
set_prop(vendor_init, serialno_prop)
-set_prop(vendor_init, soc_prop)
-set_prop(vendor_init, surfaceflinger_color_prop)
-set_prop(vendor_init, usb_control_prop)
+set_prop(vendor_init, storage_config_prop)
set_prop(vendor_init, userspace_reboot_config_prop)
set_prop(vendor_init, vehicle_hal_prop)
set_prop(vendor_init, vendor_default_prop)
set_prop(vendor_init, vendor_security_patch_level_prop)
set_prop(vendor_init, vndk_prop)
set_prop(vendor_init, virtual_ab_prop)
-set_prop(vendor_init, vold_post_fs_data_prop)
-set_prop(vendor_init, wifi_hal_prop)
set_prop(vendor_init, wifi_log_prop)
-set_prop(vendor_init, zram_control_prop)
-get_prop(vendor_init, boot_status_prop)
+get_prop(vendor_init, exported2_radio_prop)
get_prop(vendor_init, exported3_system_prop)
-get_prop(vendor_init, ota_prop)
-get_prop(vendor_init, power_debug_prop)
-get_prop(vendor_init, provisioned_prop)
-get_prop(vendor_init, retaildemo_prop)
get_prop(vendor_init, surfaceflinger_display_prop)
-get_prop(vendor_init, test_harness_prop)
get_prop(vendor_init, theme_prop)
-set_prop(vendor_init, dck_prop)
+get_prop(vendor_init, ota_prop)
###
### neverallow rules
diff --git a/public/vendor_misc_writer.te b/public/vendor_misc_writer.te
index 3bc3a9f..dee9941 100644
--- a/public/vendor_misc_writer.te
+++ b/public/vendor_misc_writer.te
@@ -8,9 +8,6 @@
# Silence the denial when calling libfstab's ReadDefaultFstab, which tries to
# load DT fstab.
-dontaudit vendor_misc_writer proc_cmdline:file r_file_perms;
+dontaudit vendor_misc_writer proc_cmdline:file read;
+dontaudit vendor_misc_writer metadata_file:dir search;
dontaudit vendor_misc_writer sysfs_dt_firmware_android:dir search;
-dontaudit vendor_misc_writer proc_bootconfig:file r_file_perms;
-
-# Allow ReadDefaultFstab().
-read_fstab(vendor_misc_writer)
diff --git a/public/vendor_modprobe.te b/public/vendor_modprobe.te
deleted file mode 100644
index 529c4aa..0000000
--- a/public/vendor_modprobe.te
+++ /dev/null
@@ -1 +0,0 @@
-type vendor_modprobe, domain;
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index 5d7cb31..7d30acb 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -17,5 +17,3 @@
allow vendor_shell console_device:chr_file rw_file_perms;
allow vendor_shell input_device:dir r_dir_perms;
allow vendor_shell input_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`set_prop(vendor_shell, persist_vendor_debug_wifi_prop)')
diff --git a/public/vendor_toolbox.te b/public/vendor_toolbox.te
index 63f938d..eb292ca 100644
--- a/public/vendor_toolbox.te
+++ b/public/vendor_toolbox.te
@@ -7,7 +7,7 @@
# or read, execute the vendor_toolbox file.
full_treble_only(`
# Do not allow non-vendor domains to transition
- # to vendor toolbox except for the allowlisted domains.
+ # to vendor toolbox except for the whitelisted domains.
neverallow {
coredomain
-init
diff --git a/public/vold.te b/public/vold.te
index 7796ba8..1d125d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -23,7 +23,6 @@
r_dir_file(vold, metadata_file)
allow vold {
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
proc_cmdline
proc_drop_caches
proc_filesystems
@@ -67,14 +66,9 @@
-vold
} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
-# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
-# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
-# location of the file's blocks on the raw block device to erase.
-allowxperm vold {
- vold_data_file
- vold_metadata_file
-}:file ioctl {
- F2FS_IOC_SEC_TRIM_FILE
+# Find the location on the raw block device where the
+# crypto key is stored so it can be destroyed
+allowxperm vold vold_data_file:file ioctl {
FS_IOC_FIEMAP
};
@@ -130,7 +124,7 @@
# Allow to mount incremental file system on /data/incremental and create files
allow vold apk_data_file:dir { mounton rw_dir_perms };
# Allow to create and write files in /data/incremental
-allow vold apk_data_file:file { rw_file_perms unlink };
+allow vold apk_data_file:file rw_file_perms;
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
allow vold apk_tmp_file:dir { mounton r_dir_perms };
# Allow to read incremental control file and call selinux restorecon on it
@@ -154,7 +148,7 @@
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
-allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
+allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
@@ -197,6 +191,19 @@
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
+# Property Service
+set_prop(vold, vold_prop)
+set_prop(vold, exported_vold_prop)
+set_prop(vold, exported2_vold_prop)
+set_prop(vold, powerctl_prop)
+set_prop(vold, ctl_fuse_prop)
+set_prop(vold, restorecon_prop)
+set_prop(vold, ota_prop)
+set_prop(vold, boottime_prop)
+set_prop(vold, boottime_public_prop)
+get_prop(vold, storage_config_prop)
+get_prop(vold, incremental_prop)
+
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
@@ -241,7 +248,6 @@
# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;
-allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
@@ -281,7 +287,7 @@
allow vold toolbox_exec:file rx_file_perms;
# Prepare profile dir for users.
-allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+allow vold user_profile_data_file:dir create_dir_perms;
# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;
@@ -291,11 +297,9 @@
dontaudit vold self:global_capability_class_set sys_resource;
-# Allow ReadDefaultFstab().
-read_fstab(vold)
-
-# vold might need to search loopback apex files
-allow vold vendor_apex_file:file r_file_perms;
+# vold needs to know whether we're running a GSI.
+allow vold gsi_metadata_file:dir r_dir_perms;
+allow vold gsi_metadata_file:file r_file_perms;
neverallow {
domain
@@ -340,6 +344,15 @@
neverallow { domain -vold -init } restorecon_prop:property_service set;
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+} vold_service:service_manager find;
+
neverallow vold {
domain
-hal_health_storage_server
@@ -349,7 +362,6 @@
-healthd
-hwservicemanager
-iorapd_service
- -keystore
-servicemanager
-system_server
userdebug_or_eng(`-su')
diff --git a/public/wificond.te b/public/wificond.te
index 254fcbc..b429884 100644
--- a/public/wificond.te
+++ b/public/wificond.te
@@ -8,6 +8,10 @@
add_service(wificond, wifinl80211_service)
+set_prop(wificond, exported_wifi_prop)
+set_prop(wificond, wifi_prop)
+set_prop(wificond, ctl_default_prop)
+
# create sockets to set interfaces up and down
allow wificond self:udp_socket create_socket_perms;
# setting interface state up/down is a privileged ioctl
@@ -29,15 +33,10 @@
#### Offer the Wifi Keystore HwBinder service ###
hwbinder_use(wificond)
+get_prop(wificond, hwservicemanager_prop)
typeattribute wificond wifi_keystore_service_server;
add_hwservice(wificond, system_wifi_keystore_hwservice)
# Allow keystore binder access to serve the HwBinder service.
allow wificond keystore_service:service_manager find;
allow wificond keystore:keystore_key get;
-
-# Allow keystore2 binder access to serve the HwBinder service.
-allow wificond wifi_key:keystore2_key {
- get_info
- use
-};
diff --git a/seapp_contexts.mk b/seapp_contexts.mk
index b33b820..462fa27 100644
--- a/seapp_contexts.mk
+++ b/seapp_contexts.mk
@@ -1,8 +1,5 @@
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/selinux
@@ -23,9 +20,6 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := system_ext_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_SYSTEM_EXT)/etc/selinux
@@ -49,9 +43,6 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := product_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_PRODUCT)/etc/selinux
@@ -75,9 +66,6 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := vendor_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
@@ -101,9 +89,6 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := odm_seapp_contexts
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
@@ -127,9 +112,6 @@
##################################
include $(CLEAR_VARS)
LOCAL_MODULE := plat_seapp_neverallows
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_TAGS := tests
diff --git a/tests/Android.bp b/tests/Android.bp
index 6a86188..926b5e4 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -1,11 +1,3 @@
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
cc_library_host_shared {
name: "libsepolwrap",
srcs: ["sepol_wrap.cpp"],
@@ -87,8 +79,3 @@
],
defaults: ["py2_only"],
}
-
-python_binary_host {
- name: "check_prop_prefix",
- srcs: ["check_prop_prefix.py"],
-}
diff --git a/tests/check_prop_prefix.py b/tests/check_prop_prefix.py
deleted file mode 100644
index 68511ce..0000000
--- a/tests/check_prop_prefix.py
+++ /dev/null
@@ -1,89 +0,0 @@
-#!/usr/bin/env python3
-
-# Copyright 2021 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-import argparse
-import re
-import sys
-
-# A line should look like:
-# {prop_name} u:object_r:{context_name}:s0
-line_regex = re.compile(r'^(\S+)\s+u:object_r:([^:]+):s0.*$')
-
-# Parses a line in property_contexts and return a (prop, ctx) tuple.
-# Raises an error for any malformed entries.
-def parse_line(line):
- matched = line_regex.match(line)
- if not matched:
- raise ValueError('malformed entry "' + line + '" in property_contexts')
-
- return matched.group(1, 2)
-
-def parse_args():
- parser = argparse.ArgumentParser(
- description="Finds any violations in property_contexts, with given allowed prefixes. "
- "If any violations are found, return a nonzero (failure) exit code.")
- parser.add_argument("--property-contexts", help="Path to property_contexts file.")
- parser.add_argument("--allowed-property-prefix", action="extend", nargs="*",
- help="Allowed property prefixes. If empty, any properties are allowed.")
- parser.add_argument("--allowed-context-prefix", action="extend", nargs="*",
- help="Allowed context prefixes. If empty, any contexts are allowed.")
- parser.add_argument('--strict', action='store_true',
- help="Make the script fail if any violations are found.")
-
- return parser.parse_args()
-
-args = parse_args()
-
-violations = []
-
-with open(args.property_contexts, 'r') as f:
- lines = f.read().split('\n')
-
-for line in lines:
- tokens = line.strip()
- # if this line empty or a comment, skip
- if tokens == '' or tokens[0] == '#':
- continue
-
- prop, context = parse_line(line)
-
- violated = False
-
- if args.allowed_property_prefix and not prop.startswith(tuple(args.allowed_property_prefix)):
- violated = True
-
- if args.allowed_context_prefix and not context.startswith(tuple(args.allowed_context_prefix)):
- violated = True
-
- if violated:
- violations.append(line)
-
-if len(violations) > 0:
- print('******************************')
- print('%d violations found:' % len(violations))
- print('\n'.join(violations))
- print('******************************')
- print('%s contains properties which are not properly namespaced.' % args.property_contexts)
- print('This is enforced by VTS, so please fix such offending properties.')
- if args.allowed_property_prefix:
- print('Allowed property prefixes for %s: %s' % (args.property_contexts, args.allowed_property_prefix))
- if args.allowed_context_prefix:
- print('Allowed context prefixes for %s: %s' % (args.property_contexts, args.allowed_context_prefix))
- if args.strict:
- print('You can temporarily disable this check with setting BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE := true in BoardConfig.mk.')
- print('But property namespace is enforced by VTS, and you will need to fix such violations to pass VTS.')
- print('See test/vts-testcase/security/system_property/vts_treble_sys_prop_test.py for the detail of the VTS.')
- sys.exit(1)
diff --git a/tests/policy.py b/tests/policy.py
index 40229b8..0f51e2f 100644
--- a/tests/policy.py
+++ b/tests/policy.py
@@ -52,11 +52,11 @@
__policydbP = None
__BUFSIZE = 2048
- def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr, ExcludedTypes = []):
+ def AssertPathTypesDoNotHaveAttr(self, MatchPrefix, DoNotMatchPrefix, Attr):
# Query policy for the types associated with Attr
- TypesPol = self.QueryTypeAttribute(Attr, True) - set(ExcludedTypes)
+ TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find types associated with input paths.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.intersection(TypesPol)
ret = ""
if len(violators) > 0:
@@ -65,8 +65,6 @@
ret += " must not be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
return ret
# Check that all types for "filesystem" have "attribute" associated with them
@@ -93,7 +91,7 @@
TypesPol = self.QueryTypeAttribute(Attr, True)
# Search file_contexts to find paths/types that should be associated with
# Attr.
- TypesFc, Files = self.__GetTypesAndFilesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
+ TypesFc = self.__GetTypesByFilePathPrefix(MatchPrefix, DoNotMatchPrefix)
violators = TypesFc.difference(TypesPol)
ret = ""
@@ -103,19 +101,6 @@
ret += " must be associated with the "
ret += "\"" + Attr + "\" attribute: "
ret += " ".join(str(x) for x in sorted(violators)) + "\n"
- ret += " corresponding to files: "
- ret += " ".join(str(x) for x in sorted(Files)) + "\n"
- return ret
-
- def AssertPropertyOwnersAreExclusive(self):
- systemProps = self.QueryTypeAttribute('system_property_type', True)
- vendorProps = self.QueryTypeAttribute('vendor_property_type', True)
- violators = systemProps.intersection(vendorProps)
- ret = ""
- if len(violators) > 0:
- ret += "The following types have both system_property_type "
- ret += "and vendor_property_type: "
- ret += " ".join(str(x) for x in sorted(violators)) + "\n"
return ret
# Return all file_contexts entries that map to the input Type.
@@ -276,9 +261,8 @@
# Return types that match MatchPrefixes but do not match
# DoNotMatchPrefixes
- def __GetTypesAndFilesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
+ def __GetTypesByFilePathPrefix(self, MatchPrefixes, DoNotMatchPrefixes):
Types = set()
- Files = set()
MatchPrefixesWithIndex = []
for MatchPrefix in MatchPrefixes:
@@ -290,8 +274,7 @@
if MatchPathPrefixes(PathType[0], DoNotMatchPrefixes):
continue
Types.add(PathType[1])
- Files.add(PathType[0])
- return Types, Files
+ return Types
def __GetTERules(self, policydbP, avtabIterP, Rules):
if Rules is None:
diff --git a/tests/sepolicy_tests.py b/tests/sepolicy_tests.py
index edd1708..f8dc466 100644
--- a/tests/sepolicy_tests.py
+++ b/tests/sepolicy_tests.py
@@ -12,22 +12,7 @@
return pol.AssertPathTypesHaveAttr(["/data/"], [], "data_file_type")
def TestSystemTypeViolations(pol):
- partitions = ["/system/", "/system_ext/", "/product/"]
- exceptions = [
- # devices before treble don't have a vendor partition
- "/system/vendor/",
-
- # overlay files are mounted over vendor
- "/product/overlay/",
- "/product/vendor_overlay/",
- "/system/overlay/",
- "/system/product/overlay/",
- "/system/product/vendor_overlay/",
- "/system/system_ext/overlay/",
- "/system_ext/overlay/",
- ]
-
- return pol.AssertPathTypesHaveAttr(partitions, exceptions, "system_file_type")
+ return pol.AssertPathTypesHaveAttr(["/system/"], [], "system_file_type")
def TestProcTypeViolations(pol):
return pol.AssertGenfsFilesystemTypesHaveAttr("proc", "proc_type")
@@ -46,48 +31,12 @@
return ret
def TestVendorTypeViolations(pol):
- partitions = ["/vendor/", "/odm/"]
- exceptions = [
- "/vendor/etc/selinux/",
- "/vendor/odm/etc/selinux/",
- "/odm/etc/selinux/",
- ]
- return pol.AssertPathTypesHaveAttr(partitions, exceptions, "vendor_file_type")
+ return pol.AssertPathTypesHaveAttr(["/vendor/"], [], "vendor_file_type")
def TestCoreDataTypeViolations(pol):
return pol.AssertPathTypesHaveAttr(["/data/"], ["/data/vendor",
"/data/vendor_ce", "/data/vendor_de"], "core_data_file_type")
-def TestPropertyTypeViolations(pol):
- return pol.AssertPropertyOwnersAreExclusive()
-
-def TestAppDataTypeViolations(pol):
- # Types with the app_data_file_type should only be used for app data files
- # (/data/data/package.name etc) via seapp_contexts, and never applied
- # explicitly to other files.
- partitions = [
- "/data/",
- "/vendor/",
- "/odm/",
- "/product/",
- ]
- exceptions = [
- # These are used for app data files for the corresponding user and
- # assorted other files.
- # TODO(b/172812577): Use different types for the different purposes
- "shell_data_file",
- "bluetooth_data_file",
- "nfc_data_file",
- "radio_data_file",
- ]
- return pol.AssertPathTypesDoNotHaveAttr(partitions, [], "app_data_file_type",
- exceptions)
-def TestDmaHeapDevTypeViolations(pol):
- return pol.AssertPathTypesHaveAttr(["/dev/dma_heap/"], [],
- "dmabuf_heap_device_type")
-
-
-
###
# extend OptionParser to allow the same option flag to be used multiple times.
# This is used to allow multiple file_contexts files and tests to be
@@ -113,9 +62,6 @@
"TestDebugfsTypeViolations",
"TestVendorTypeViolations",
"TestCoreDataTypeViolations",
- "TestPropertyTypeViolations",
- "TestAppDataTypeViolations",
- "TestDmaHeapDevTypeViolations",
]
if __name__ == '__main__':
@@ -169,12 +115,6 @@
results += TestVendorTypeViolations(pol)
if options.test is None or "TestCoreDataTypeViolations" in options.test:
results += TestCoreDataTypeViolations(pol)
- if options.test is None or "TestPropertyTypeViolations" in options.test:
- results += TestPropertyTypeViolations(pol)
- if options.test is None or "TestAppDataTypeViolations" in options.test:
- results += TestAppDataTypeViolations(pol)
- if options.test is None or "TestDmaHeapDevTypeViolations" in options.test:
- results += TestDmaHeapDevTypeViolations(pol)
if len(results) > 0:
sys.exit(results)
diff --git a/tests/treble_sepolicy_tests.py b/tests/treble_sepolicy_tests.py
index 9209b66..cf1e856 100644
--- a/tests/treble_sepolicy_tests.py
+++ b/tests/treble_sepolicy_tests.py
@@ -13,15 +13,33 @@
Use file_contexts and policy to verify Treble requirements
are not violated.
'''
-coredomainAllowlist = {
- # TODO: how do we make sure vendor_init doesn't have bad coupling with
- # /vendor? It is the only system process which is not coredomain.
- 'vendor_init',
- # TODO(b/152813275): need to avoid allowlist for rootdir
- "modprobe",
- "slideshow",
- "healthd",
+###
+# Differentiate between domains that are part of the core Android platform and
+# domains introduced by vendors
+coreAppdomain = {
+ 'bluetooth',
+ 'ephemeral_app',
+ 'isolated_app',
+ 'nfc',
+ 'platform_app',
+ 'priv_app',
+ 'radio',
+ 'shared_relro',
+ 'shell',
+ 'system_app',
+ 'untrusted_app',
+ 'untrusted_app_25',
}
+coredomainWhitelist = {
+ 'adbd',
+ 'kernel',
+ 'postinstall',
+ 'postinstall_dexopt',
+ 'recovery',
+ 'system_server',
+ 'vendor_init',
+ }
+coredomainWhitelist |= coreAppdomain
class scontext:
def __init__(self):
@@ -32,7 +50,6 @@
self.attributes = set()
self.entrypoints = []
self.entrypointpaths = []
- self.error = ""
def PrintScontexts():
for d in sorted(alldomains.keys()):
@@ -85,42 +102,32 @@
global alldomains
global coredomains
for d in alldomains:
- domain = alldomains[d]
# TestCoredomainViolations will verify if coredomain was incorrectly
# applied.
- if "coredomain" in domain.attributes:
- domain.coredomain = True
+ if "coredomain" in alldomains[d].attributes:
+ alldomains[d].coredomain = True
coredomains.add(d)
# check whether domains are executed off of /system or /vendor
- if d in coredomainAllowlist:
+ if d in coredomainWhitelist:
continue
- # TODO(b/153112003): add checks to prevent app domains from being
- # incorrectly labeled as coredomain. Apps don't have entrypoints as
- # they're always dynamically transitioned to by zygote.
+ # TODO, add checks to prevent app domains from being incorrectly
+ # labeled as coredomain. Apps don't have entrypoints as they're always
+ # dynamically transitioned to by zygote.
if d in appdomains:
continue
- # TODO(b/153112747): need to handle cases where there is a dynamic
- # transition OR there happens to be no context in AOSP files.
- if not domain.entrypointpaths:
+ if not alldomains[d].entrypointpaths:
continue
-
- for path in domain.entrypointpaths:
- vendor = any(MatchPathPrefix(path, prefix) for prefix in
- ["/vendor", "/odm"])
- system = any(MatchPathPrefix(path, prefix) for prefix in
- ["/init", "/system_ext", "/product" ])
-
- # only mark entrypoint as system if it is not in legacy /system/vendor
- if MatchPathPrefix(path, "/system/vendor"):
- vendor = True
- elif MatchPathPrefix(path, "/system"):
- system = True
-
- if not vendor and not system:
- domain.error += "Unrecognized entrypoint for " + d + " at " + path + "\n"
-
- domain.fromSystem = domain.fromSystem or system
- domain.fromVendor = domain.fromVendor or vendor
+ for path in alldomains[d].entrypointpaths:
+ # Processes with entrypoint on /system
+ if ((MatchPathPrefix(path, "/system") and not
+ MatchPathPrefix(path, "/system/vendor")) or
+ MatchPathPrefix(path, "/init") or
+ MatchPathPrefix(path, "/charger")):
+ alldomains[d].fromSystem = True
+ # Processes with entrypoint on /vendor or /system/vendor
+ if (MatchPathPrefix(path, "/vendor") or
+ MatchPathPrefix(path, "/system/vendor")):
+ alldomains[d].fromVendor = True
###
# Add the entrypoint type and path(s) to each domain.
@@ -188,15 +195,6 @@
# verify that all domains launched from /system have the coredomain
# attribute
ret = ""
-
- for d in alldomains:
- domain = alldomains[d]
- if domain.fromSystem and domain.fromVendor:
- ret += "The following domain is system and vendor: " + d + "\n"
-
- for domain in alldomains.values():
- ret += domain.error
-
violators = []
for d in alldomains:
domain = alldomains[d]
@@ -294,7 +292,7 @@
return ret
def TestViolatorAttributes():
- ret = ""
+ ret = TestViolatorAttribute("binder_in_vendor_violators")
ret += TestViolatorAttribute("socket_between_core_and_vendor_violators")
ret += TestViolatorAttribute("vendor_executes_system_violators")
return ret
diff --git a/tools/Android.bp b/tools/Android.bp
index a6a15a5..2809c9d 100644
--- a/tools/Android.bp
+++ b/tools/Android.bp
@@ -14,14 +14,6 @@
* limitations under the License.
*/
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
cc_defaults {
name: "sepolicy_tools_defaults",
cflags: [
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index 2b06c11..6d60a12 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -20,8 +20,6 @@
#define log_warn(fmt, ...) log_msg(stderr, "Warning: ", fmt, ##__VA_ARGS__)
#define log_info(fmt, ...) if (logging_verbose ) { log_msg(stdout, "Info: ", fmt, ##__VA_ARGS__); }
-#define APP_DATA_REQUIRED_ATTRIB "app_data_file_type"
-
/**
* Initializes an empty, static list.
*/
@@ -194,8 +192,7 @@
/* validation call backs */
static bool validate_bool(char *value, char **errmsg);
static bool validate_levelFrom(char *value, char **errmsg);
-static bool validate_domain(char *value, char **errmsg);
-static bool validate_type(char *value, char **errmsg);
+static bool validate_selinux_type(char *value, char **errmsg);
static bool validate_selinux_level(char *value, char **errmsg);
static bool validate_uint(char *value, char **errmsg);
@@ -216,8 +213,8 @@
{ .name = "minTargetSdkVersion", .dir = dir_in, .fn_validate = validate_uint },
{ .name = "fromRunAs", .dir = dir_in, .fn_validate = validate_bool },
/*Outputs*/
- { .name = "domain", .dir = dir_out, .fn_validate = validate_domain },
- { .name = "type", .dir = dir_out, .fn_validate = validate_type },
+ { .name = "domain", .dir = dir_out, .fn_validate = validate_selinux_type },
+ { .name = "type", .dir = dir_out, .fn_validate = validate_selinux_type },
{ .name = "levelFromUid", .dir = dir_out, .fn_validate = validate_bool },
{ .name = "levelFrom", .dir = dir_out, .fn_validate = validate_levelFrom },
{ .name = "level", .dir = dir_out, .fn_validate = validate_selinux_level },
@@ -298,39 +295,28 @@
}
/**
- * Look up a type in the policy.
+ * Checks for a type in the policy.
* @param db
* The policy db to search
* @param type
* The type to search for
- * @param flavor
- * The expected flavor of type
* @return
- * Pointer to the type's datum if it exists in the policy with the expected
- * flavor, NULL otherwise.
+ * 1 if the type is found, 0 otherwise.
* @warning
- * This function should not be called if libsepol is not linked statically
- * to this executable and LINK_SEPOL_STATIC is not defined.
+ * This function always returns 1 if libsepol is not linked
+ * statically to this executable and LINK_SEPOL_STATIC is not
+ * defined.
*/
-static type_datum_t *find_type(sepol_policydb_t *db, char *type, uint32_t flavor) {
+static int check_type(sepol_policydb_t *db, char *type) {
- policydb_t *d = &db->p;
- hashtab_datum_t dat = hashtab_search(d->p_types.table, type);
- if (!dat) {
- return NULL;
- }
- type_datum_t *type_dat = (type_datum_t *) dat;
- if (type_dat->flavor != flavor) {
- return NULL;
- }
- return type_dat;
-}
-
-static bool type_has_attribute(sepol_policydb_t *db, type_datum_t *type_dat,
- type_datum_t *attrib_dat) {
- policydb_t *d = &db->p;
- ebitmap_t *attr_bits = &d->type_attr_map[type_dat->s.value - 1];
- return ebitmap_get_bit(attr_bits, attrib_dat->s.value - 1) != 0;
+ int rc = 1;
+#if defined(LINK_SEPOL_STATIC)
+ policydb_t *d = (policydb_t *)db;
+ hashtab_datum_t dat;
+ dat = hashtab_search(d->p_types.table, type);
+ rc = (dat == NULL) ? 0 : 1;
+#endif
+ return rc;
}
static bool match_regex(key_map *assert, const key_map *check) {
@@ -389,7 +375,7 @@
static bool validate_levelFrom(char *value, char **errmsg) {
- if (strcasecmp(value, "none") && strcasecmp(value, "all") &&
+ if(strcasecmp(value, "none") && strcasecmp(value, "all") &&
strcasecmp(value, "app") && strcasecmp(value, "user")) {
*errmsg = "Expecting one of: \"none\", \"all\", \"app\" or \"user\"";
return false;
@@ -397,9 +383,8 @@
return true;
}
-static bool validate_domain(char *value, char **errmsg) {
+static bool validate_selinux_type(char *value, char **errmsg) {
-#if defined(LINK_SEPOL_STATIC)
/*
* No policy file present means we cannot check
* SE Linux types
@@ -408,45 +393,10 @@
return true;
}
- if (!find_type(pol.db, value, TYPE_TYPE)) {
+ if(!check_type(pol.db, value)) {
*errmsg = "Expecting a valid SELinux type";
return false;
}
-#endif
-
- return true;
-}
-
-static bool validate_type(char *value, char **errmsg) {
-
-#if defined(LINK_SEPOL_STATIC)
- /*
- * No policy file present means we cannot check
- * SE Linux types
- */
- if (!pol.policy_file) {
- return true;
- }
-
- type_datum_t *type_dat = find_type(pol.db, value, TYPE_TYPE);
- if (!type_dat) {
- *errmsg = "Expecting a valid SELinux type";
- return false;
- }
-
- type_datum_t *attrib_dat = find_type(pol.db, APP_DATA_REQUIRED_ATTRIB,
- TYPE_ATTRIB);
- if (!attrib_dat) {
- /* If the policy doesn't contain the attribute, we can't check it */
- return true;
- }
-
- if (!type_has_attribute(pol.db, type_dat, attrib_dat)) {
- *errmsg = "Missing required attribute " APP_DATA_REQUIRED_ATTRIB;
- return false;
- }
-
-#endif
return true;
}
@@ -509,7 +459,7 @@
log_info("Validating %s=%s\n", key, value);
/*
- * Neverallows are completely skipped from validity checking so you can match
+ * Neverallows are completely skipped from sanity checking so you can match
* un-unspecified inputs.
*/
if (is_neverallow) {
@@ -857,7 +807,7 @@
oom:
log_error("Out of memory!\n");
err:
- if (new_map) {
+ if(new_map) {
rule_map_free(new_map, false);
for (; i < num_of_keys; i++) {
k = &(keys[i]);
@@ -1063,7 +1013,7 @@
* when you want to override the outputs for a given input set, as well as
* checking for duplicate entries.
*/
- if (f) {
+ if(f) {
log_info("Existing entry found!\n");
tmp = (hash_entry *)f->data;
cmp = rule_map_cmp(rm, tmp->r);
@@ -1085,7 +1035,7 @@
e.data = entry;
f = hsearch(e, ENTER);
- if (f == NULL) {
+ if(f == NULL) {
goto oom;
}
@@ -1193,7 +1143,7 @@
err:
log_error("Reading file: \"%s\" line: %zu name: \"%s\" value: \"%s\"\n",
in_file->name, lineno, name, value);
- if (found_whitespace && name && !strcasecmp(name, "neverallow")) {
+ if(found_whitespace && name && !strcasecmp(name, "neverallow")) {
log_error("perhaps whitespace before neverallow\n");
}
exit(EXIT_FAILURE);
diff --git a/tools/insertkeys.py b/tools/insertkeys.py
index 51b4ab6..ca1e432 100755
--- a/tools/insertkeys.py
+++ b/tools/insertkeys.py
@@ -56,7 +56,7 @@
# If we ended the certificate trip the flag
inCert = False
- # Check the input
+ # Sanity check the input
if len(base64Key) == 0:
sys.exit("Empty certficate , certificate "+ str(certNo) + " found in file: "
+ path)
diff --git a/tools/sepolicy-analyze/Android.bp b/tools/sepolicy-analyze/Android.bp
index bb6b701..ff40c16 100644
--- a/tools/sepolicy-analyze/Android.bp
+++ b/tools/sepolicy-analyze/Android.bp
@@ -1,11 +1,3 @@
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // legacy_unencumbered
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
cc_binary_host {
name: "sepolicy-analyze",
defaults: ["sepolicy_tools_defaults"],
diff --git a/treble_sepolicy_tests_for_release.mk b/treble_sepolicy_tests_for_release.mk
index 1f27727..0195e5f 100644
--- a/treble_sepolicy_tests_for_release.mk
+++ b/treble_sepolicy_tests_for_release.mk
@@ -5,33 +5,9 @@
# permissions granted do not violate the treble model. Also ensure that treble
# compatibility guarantees are upheld between SELinux version bumps.
LOCAL_MODULE := treble_sepolicy_tests_$(version)
-LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
-LOCAL_LICENSE_CONDITIONS := notice unencumbered
-LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
LOCAL_MODULE_CLASS := FAKE
LOCAL_MODULE_TAGS := optional
-# BOARD_SYSTEM_EXT_PREBUILT_DIR can be set as system_ext prebuilt dir in sepolicy
-# make file of the system_ext partition.
-SYSTEM_EXT_PREBUILT_POLICY := $(BOARD_SYSTEM_EXT_PREBUILT_DIR)
-# BOARD_PRODUCT_PREBUILT_DIR can be set as product prebuilt dir in sepolicy
-# make file of the product partition.
-PRODUCT_PREBUILT_POLICY := $(BOARD_PRODUCT_PREBUILT_DIR)
-# BOARD_PLAT_PUB_VERSIONED_POLICY - path_to_plat_pub_versioned_of_vendor
-# plat_pub_versioned.cil should be in
-# $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version) dir.
-# plat_pub_versioned.cil should have platform, system_ext and product sepolicies
-# similar to system/sepolicy/prebuilts/api/$(version/plat_pub_verioned.cil file.
-# In order to enable treble sepolicy tests for platform, system_ext and product
-# sepolicies SYSTEM_EXT_PREBUILT_POLICY , PRODUCT_PREBUILT_POLICY and
-# BOARD_PLAT_PUB_VERSIONED_POLICY should be set.
-IS_TREBLE_TEST_ENABLED_PARTNER := false
-ifeq ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-ifneq (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
-IS_TREBLE_TEST_ENABLED_PARTNER := true
-endif # (,$(BOARD_PLAT_PUB_VERSIONED_POLICY))
-endif # ($(filter 26.0 27.0 28.0 29.0,$(version)),)
-
include $(BUILD_SYSTEM)/base_rules.mk
# $(version)_plat - the platform policy shipped as part of the $(version) release. This is
@@ -40,20 +16,6 @@
# been maintained by our mapping files.
$(version)_PLAT_PUBLIC_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/public
$(version)_PLAT_PRIVATE_POLICY := $(LOCAL_PATH)/prebuilts/api/$(version)/private
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(SYSTEM_EXT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_PLAT_PUBLIC_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/public
-$(version)_PLAT_PRIVATE_POLICY += \
- $(PRODUCT_PREBUILT_POLICY)/prebuilts/api/$(version)/private
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
policy_files := $(call build_policy, $(sepolicy_build_files), $($(version)_PLAT_PUBLIC_POLICY) $($(version)_PLAT_PRIVATE_POLICY))
$(version)_plat_policy.conf := $(intermediates)/$(version)_plat_policy.conf
$($(version)_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
@@ -87,6 +49,7 @@
$(version)_plat_policy.conf :=
+
# $(version)_compat - the current plat_sepolicy.cil built with the compatibility file
# targeting the $(version) SELinux release. This ensures that our policy will build
# when used on a device that has non-platform policy targetting the $(version) release.
@@ -95,21 +58,6 @@
$(version)_mapping.ignore.cil := \
$(call intermediates-dir-for,ETC,$(version).ignore.cil)/$(version).ignore.cil
$(version)_prebuilts_dir := $(LOCAL_PATH)/prebuilts/api/$(version)
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY))
-$(version)_mapping.cil += \
- $(call intermediates-dir-for,ETC,system_ext_$(version).cil)/system_ext_$(version).cil
-$(version)_mapping.ignore.cil += \
- $(call intermediates-dir-for,ETC,system_ext_$(version).ignore.cil)/system_ext_$(version).ignore.cil
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY))
-ifneq (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_mapping.cil += \
- $(call intermediates-dir-for,ETC,product_$(version).cil)/product_$(version).cil
-$(version)_mapping.ignore.cil += \
- $(call intermediates-dir-for,ETC,product_$(version).ignore.cil)/product_$(version).ignore.cil
-endif # (,$(PRODUCT_PREBUILT_POLICY))
-$(version)_prebuilts_dir := $(BOARD_PLAT_PUB_VERSIONED_POLICY)/prebuilts/api/$(version)
-endif #($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
# vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
# nonplat_sepolicy.cil.
@@ -119,18 +67,10 @@
$(version)_nonplat := $($(version)_prebuilts_dir)/nonplat_sepolicy.cil
endif
-cil_files := $(built_plat_cil)
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-ifneq (,$(SYSTEM_EXT_PREBUILT_POLICY)
-cil_files += $(built_system_ext_cil)
-endif # (,$(SYSTEM_EXT_PREBUILT_POLICY)
-ifneq (,$(PRODUCT_PREBUILT_POLICY)
-cil_files += $(built_product_cil)
-endif # (,$(PRODUCT_PREBUILT_POLICY)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-cil_files += $($(version)_mapping.cil) $($(version)_nonplat)
-$($(version)_compat): PRIVATE_CIL_FILES := $(cil_files)
-$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc $(cil_files)
+$($(version)_compat): PRIVATE_CIL_FILES := \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
+$($(version)_compat): $(HOST_OUT_EXECUTABLES)/secilc \
+$(built_plat_cil) $($(version)_mapping.cil) $($(version)_nonplat)
$(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -N -c $(POLICYVERS) \
$(PRIVATE_CIL_FILES) -o $@ -f /dev/null
@@ -143,47 +83,32 @@
mkdir -p $(dir $@)
cat $^ > $@
-ifeq ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
-built_sepolicy_files := $(built_product_sepolicy)
-public_cil_files := $(base_product_pub_policy.cil)
-else
-built_sepolicy_files := $(built_plat_sepolicy)
-public_cil_files := $(base_plat_pub_policy.cil)
-endif # ($(IS_TREBLE_TEST_ENABLED_PARTNER),true)
$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_OLD := $(built_$(version)_plat_sepolicy)
$(LOCAL_BUILT_MODULE): PRIVATE_COMBINED_MAPPING := $($(version)_mapping.combined.cil)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_sepolicy_files)
-$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(public_cil_files)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_SEPOLICY := $(built_plat_sepolicy)
+$(LOCAL_BUILT_MODULE): PRIVATE_PLAT_PUB_SEPOLICY := $(base_plat_pub_policy.cil)
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE :=
ifeq ($(PRODUCT_FULL_TREBLE_OVERRIDE),true)
# TODO(b/113124961): remove fake-treble
$(LOCAL_BUILT_MODULE): PRIVATE_FAKE_TREBLE := --fake-treble
endif # PRODUCT_FULL_TREBLE_OVERRIDE = true
$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests \
- $(all_fc_files) $(built_sepolicy) \
- $(built_sepolicy_files) \
- $(public_cil_files) \
+ $(all_fc_files) $(built_sepolicy) $(built_plat_sepolicy) \
+ $(base_plat_pub_policy.cil) \
$(built_$(version)_plat_sepolicy) $($(version)_compat) $($(version)_mapping.combined.cil)
@mkdir -p $(dir $@)
$(hide) $(HOST_OUT_EXECUTABLES)/treble_sepolicy_tests -l \
- $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
- -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
- -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
- -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
- $(PRIVATE_FAKE_TREBLE)
+ $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) $(ALL_FC_ARGS) \
+ -b $(PRIVATE_PLAT_SEPOLICY) -m $(PRIVATE_COMBINED_MAPPING) \
+ -o $(PRIVATE_SEPOLICY_OLD) -p $(PRIVATE_SEPOLICY) \
+ -u $(PRIVATE_PLAT_PUB_SEPOLICY) \
+ $(PRIVATE_FAKE_TREBLE)
$(hide) touch $@
-$(version)_SYSTEM_EXT_PUBLIC_POLICY :=
-$(version)_SYSTEM_EXT_PRIVATE_POLICY :=
-$(version)_PRODUCT_PUBLIC_POLICY :=
-$(version)_PRODUCT_PRIVATE_POLICY :=
$(version)_PLAT_PUBLIC_POLICY :=
$(version)_PLAT_PRIVATE_POLICY :=
-built_sepolicy_files :=
-public_cil_files :=
-cil_files :=
$(version)_compat :=
$(version)_mapping.cil :=
$(version)_mapping.combined.cil :=
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 12e5d9f..1b2bc23 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -3,20 +3,15 @@
#
/(vendor|system/vendor)/bin/hw/android\.hardware\.atrace@1\.0-service u:object_r:hal_atrace_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.audio(@2\.0-|\.)service u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.audio@7\.0-service\.example u:object_r:hal_audio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol-service.example u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@1\.0-service u:object_r:hal_audiocontrol_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.audiocontrol@2\.0-service u:object_r:hal_audiocontrol_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.can@1\.0-service u:object_r:hal_can_socketcan_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.evs@1\.[0-9]-service u:object_r:hal_evs_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.automotive\.vehicle@2\.0-(service|protocan-service) u:object_r:hal_vehicle_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service u:object_r:hal_bluetooth_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.[0-9]+-service\.btlinux u:object_r:hal_bluetooth_btlinux_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.2-service\.example u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.example u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.face@1\.[0-9]+-service\.example u:object_r:hal_face_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-9]+-service u:object_r:hal_bootctl_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.broadcastradio@\d+\.\d+-service u:object_r:hal_broadcastradio_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@2\.[0-9]+-service_64 u:object_r:hal_camera_default_exec:s0
@@ -33,7 +28,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.cas@1\.[0-2]-service-lazy u:object_r:hal_cas_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.[0-1]-service\.example u:object_r:hal_dumpstate_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss-service.example u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service u:object_r:hal_gnss_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.allocator@3\.0-service u:object_r:hal_graphics_allocator_default_exec:s0
@@ -43,7 +37,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.0-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health@2\.1-service u:object_r:hal_health_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage@1\.0-service u:object_r:hal_health_storage_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.health\.storage-service\.default u:object_r:hal_health_storage_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.identity-service.example u:object_r:hal_identity_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.input\.classifier@1\.0-service u:object_r:hal_input_classifier_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.ir@1\.0-service u:object_r:hal_ir_default_exec:s0
@@ -55,14 +48,12 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.lights-service\.example u:object_r:hal_light_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.lowpan@1\.0-service u:object_r:hal_lowpan_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service.example u:object_r:hal_memtrack_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.1-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service u:object_r:hal_nfc_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.media\.omx@1\.0-service u:object_r:mediacodec_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service\.example u:object_r:hal_power_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power.stats-service\.example u:object_r:hal_power_stats_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power-service.example u:object_r:hal_power_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service u:object_r:hal_power_stats_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio\.config@1\.0-service u:object_r:hal_radio_config_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.2-radio-service u:object_r:hal_radio_default_exec:s0
@@ -70,12 +61,11 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0
/(vendor|system/vendor)/bin/hw/rild u:object_r:rild_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.0-service u:object_r:hal_tv_cec_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.input@1\.0-service u:object_r:hal_tv_input_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.[01]-service u:object_r:hal_tv_tuner_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.tuner@1\.0-service u:object_r:hal_tv_tuner_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service u:object_r:hal_usb_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget@1\.1-service u:object_r:hal_usb_gadget_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator@1\.0-service u:object_r:hal_vibrator_default_exec:s0
@@ -85,7 +75,6 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.wifi@1\.0-service-lazy u:object_r:hal_wifi_default_exec:s0
/(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
/(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
-/(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
/(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
#############################
diff --git a/vendor/hal_bootctl_default.te b/vendor/hal_bootctl_default.te
index 2b94313..ac30370 100644
--- a/vendor/hal_bootctl_default.te
+++ b/vendor/hal_bootctl_default.te
@@ -9,7 +9,10 @@
allow hal_bootctl_default proc_cmdline:file r_file_perms;
allow hal_bootctl_default sysfs_dt_firmware_android:dir search;
allow hal_bootctl_default sysfs_dt_firmware_android:file r_file_perms;
-read_fstab(hal_bootctl_default)
+
+# ReadDefaultFstab looks for /metadata/gsi/booted. We don't care about getting
+# a GSI-corrected fstab.
+dontaudit hal_bootctl_default metadata_file:dir search;
# Needed for reading/writing misc partition.
allow hal_bootctl_default block_device:dir search;
diff --git a/vendor/hal_can_socketcan.te b/vendor/hal_can_socketcan.te
index 7498788..afa1311 100644
--- a/vendor/hal_can_socketcan.te
+++ b/vendor/hal_can_socketcan.te
@@ -25,8 +25,6 @@
# Un-publishing ICanBus interfaces
allow hal_can_socketcan hidl_manager_hwservice:hwservice_manager find;
-allow hal_can_socketcan sysfs:dir r_dir_perms;
-
allow hal_can_socketcan usb_serial_device:chr_file { ioctl read write open };
allowxperm hal_can_socketcan usb_serial_device:chr_file ioctl {
TCGETS
diff --git a/vendor/hal_gnss_default.te b/vendor/hal_gnss_default.te
index cea362f..92af53b 100644
--- a/vendor/hal_gnss_default.te
+++ b/vendor/hal_gnss_default.te
@@ -3,5 +3,3 @@
type hal_gnss_default_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(hal_gnss_default)
-
-allow hal_gnss_default gnss_device:chr_file rw_file_perms;
diff --git a/vendor/hal_keymint_default.te b/vendor/hal_keymint_default.te
deleted file mode 100644
index 3b86a1b..0000000
--- a/vendor/hal_keymint_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type hal_keymint_default, domain;
-hal_server_domain(hal_keymint_default, hal_keymint)
-
-type hal_keymint_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_keymint_default)
-
-hal_attribute_service(hal_keymint, hal_secureclock_service)
-hal_attribute_service(hal_keymint, hal_sharedsecret_service)
-
-get_prop(hal_keymint_default, vendor_security_patch_level_prop);
diff --git a/vendor/hal_oemlock_default.te b/vendor/hal_oemlock_default.te
deleted file mode 100644
index 8597f2c..0000000
--- a/vendor/hal_oemlock_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_oemlock_default, domain;
-hal_server_domain(hal_oemlock_default, hal_oemlock)
-
-type hal_oemlock_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_oemlock_default)
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index 8752364..f00b25a 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,7 +13,6 @@
# android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms;
-allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up
# events delivery.
diff --git a/vendor/hal_tv_tuner_default.te b/vendor/hal_tv_tuner_default.te
index 639c7bd..abe1e77 100644
--- a/vendor/hal_tv_tuner_default.te
+++ b/vendor/hal_tv_tuner_default.te
@@ -5,6 +5,3 @@
init_daemon_domain(hal_tv_tuner_default)
allow hal_tv_tuner_default ion_device:chr_file r_file_perms;
-
-# Access to /dev/dma_heap/system
-allow hal_tv_tuner_default dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/vendor/hal_vehicle_default.te b/vendor/hal_vehicle_default.te
index 56a47b7..dcb03a8 100644
--- a/vendor/hal_vehicle_default.te
+++ b/vendor/hal_vehicle_default.te
@@ -7,4 +7,6 @@
init_daemon_domain(hal_vehicle_default)
# communication with CAN bus HAL
-hal_client_domain(hal_vehicle_default, hal_can_bus)
+allow hal_vehicle_default hal_can_bus_hwservice:hwservice_manager find;
+allow hal_vehicle_default hal_can_socketcan:binder { call transfer };
+allow hal_can_socketcan hal_vehicle_default:binder { call transfer };
diff --git a/vendor/hal_weaver_default.te b/vendor/hal_weaver_default.te
deleted file mode 100644
index 0dd7679..0000000
--- a/vendor/hal_weaver_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type hal_weaver_default, domain;
-hal_server_domain(hal_weaver_default, hal_weaver)
-
-type hal_weaver_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_weaver_default)
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index f78b58f..d6d0de1 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -18,15 +18,11 @@
allow mediacodec gpu_device:chr_file rw_file_perms;
allow mediacodec ion_device:chr_file rw_file_perms;
-allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
allow mediacodec video_device:chr_file rw_file_perms;
allow mediacodec video_device:dir search;
crash_dump_fallback(mediacodec)
-# get aac_drc_* properties
-get_prop(mediacodec, aac_drc_prop)
-
# mediacodec should never execute any executable without a domain transition
neverallow mediacodec { file_type fs_type }:file execute_no_trans;
diff --git a/vendor/vendor_modprobe.te b/vendor/vendor_modprobe.te
index 3f5918c..61df9e0 100644
--- a/vendor/vendor_modprobe.te
+++ b/vendor/vendor_modprobe.te
@@ -1,9 +1,10 @@
+type vendor_modprobe, domain;
+
# For the use of /vendor/bin/modprobe from vendor init.rc fragments
domain_trans(init, vendor_toolbox_exec, vendor_modprobe)
allow vendor_modprobe proc_modules:file r_file_perms;
allow vendor_modprobe proc_cmdline:file r_file_perms;
-allow vendor_modprobe kmsg_device:chr_file w_file_perms;
allow vendor_modprobe self:global_capability_class_set sys_module;
allow vendor_modprobe kernel:key search;
