Snap for 8730993 from e498ed9f0eb2b91a90179717b2315d3fbaca19b9 to mainline-tzdata3-release
Change-Id: I9fe2c9c155524886974c68a05cb1f08501245707
diff --git a/Android.bp b/Android.bp
index 8e2a966..3afa1d1 100644
--- a/Android.bp
+++ b/Android.bp
@@ -45,6 +45,20 @@
cc_defaults { name: "selinux_policy_version", cflags: ["-DSEPOLICY_VERSION=30"], }
se_filegroup {
+ name: "26.0.board.compat.map",
+ srcs: [
+ "compat/26.0/26.0.cil",
+ ],
+}
+
+se_filegroup {
+ name: "27.0.board.compat.map",
+ srcs: [
+ "compat/27.0/27.0.cil",
+ ],
+}
+
+se_filegroup {
name: "28.0.board.compat.map",
srcs: [
"compat/28.0/28.0.cil",
@@ -66,16 +80,16 @@
}
se_filegroup {
- name: "31.0.board.compat.map",
+ name: "26.0.board.compat.cil",
srcs: [
- "compat/31.0/31.0.cil",
+ "compat/26.0/26.0.compat.cil",
],
}
se_filegroup {
- name: "32.0.board.compat.map",
+ name: "27.0.board.compat.cil",
srcs: [
- "compat/32.0/32.0.cil",
+ "compat/27.0/27.0.compat.cil",
],
}
@@ -101,16 +115,16 @@
}
se_filegroup {
- name: "31.0.board.compat.cil",
+ name: "26.0.board.ignore.map",
srcs: [
- "compat/31.0/31.0.compat.cil",
+ "compat/26.0/26.0.ignore.cil",
],
}
se_filegroup {
- name: "32.0.board.compat.cil",
+ name: "27.0.board.ignore.map",
srcs: [
- "compat/32.0/32.0.compat.cil",
+ "compat/27.0/27.0.ignore.cil",
],
}
@@ -135,63 +149,418 @@
],
}
-se_filegroup {
- name: "31.0.board.ignore.map",
- srcs: [
- "compat/31.0/31.0.ignore.cil",
- ],
+se_cil_compat_map {
+ name: "plat_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "plat_27.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "plat_28.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "plat_29.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "plat_30.0.cil",
+}
+
+se_cil_compat_map {
+ name: "plat_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "plat_31.0.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "system_ext_27.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "system_ext_28.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "system_ext_29.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "system_ext_30.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "system_ext_31.0.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_26.0.cil",
+ stem: "26.0.cil",
+ bottom_half: [":26.0.board.compat.map"],
+ top_half: "product_27.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_27.0.cil",
+ stem: "27.0.cil",
+ bottom_half: [":27.0.board.compat.map"],
+ top_half: "product_28.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_28.0.cil",
+ stem: "28.0.cil",
+ bottom_half: [":28.0.board.compat.map"],
+ top_half: "product_29.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_29.0.cil",
+ stem: "29.0.cil",
+ bottom_half: [":29.0.board.compat.map"],
+ top_half: "product_30.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.cil",
+ stem: "30.0.cil",
+ bottom_half: [":30.0.board.compat.map"],
+ // top_half: "product_31.0.cil",
+ product_specific: true,
+}
+
+se_cil_compat_map {
+ name: "26.0.ignore.cil",
+ bottom_half: [":26.0.board.ignore.map"],
+ top_half: "27.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "27.0.ignore.cil",
+ bottom_half: [":27.0.board.ignore.map"],
+ top_half: "28.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "28.0.ignore.cil",
+ bottom_half: [":28.0.board.ignore.map"],
+ top_half: "29.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "29.0.ignore.cil",
+ bottom_half: [":29.0.board.ignore.map"],
+ top_half: "30.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "31.0.ignore.cil",
+}
+
+se_cil_compat_map {
+ name: "system_ext_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "system_ext_31.0.ignore.cil",
+ system_ext_specific: true,
+}
+
+se_cil_compat_map {
+ name: "product_30.0.ignore.cil",
+ bottom_half: [":30.0.board.ignore.map"],
+ // top_half: "product_31.0.ignore.cil",
+ product_specific: true,
+}
+
+se_compat_cil {
+ name: "26.0.compat.cil",
+ srcs: [":26.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "27.0.compat.cil",
+ srcs: [":27.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+}
+
+se_compat_cil {
+ name: "system_ext_26.0.compat.cil",
+ srcs: [":26.0.board.compat.cil"],
+ stem: "26.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_27.0.compat.cil",
+ srcs: [":27.0.board.compat.cil"],
+ stem: "27.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_28.0.compat.cil",
+ srcs: [":28.0.board.compat.cil"],
+ stem: "28.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_29.0.compat.cil",
+ srcs: [":29.0.board.compat.cil"],
+ stem: "29.0.compat.cil",
+ system_ext_specific: true,
+}
+
+se_compat_cil {
+ name: "system_ext_30.0.compat.cil",
+ srcs: [":30.0.board.compat.cil"],
+ stem: "30.0.compat.cil",
+ system_ext_specific: true,
}
se_filegroup {
- name: "32.0.board.ignore.map",
- srcs: [
- "compat/32.0/32.0.ignore.cil",
- ],
-}
-
-se_build_files {
name: "file_contexts_files",
srcs: ["file_contexts"],
}
-se_build_files {
+se_filegroup {
name: "file_contexts_asan_files",
srcs: ["file_contexts_asan"],
}
-se_build_files {
+se_filegroup {
name: "file_contexts_overlayfs_files",
srcs: ["file_contexts_overlayfs"],
}
-se_build_files {
+se_filegroup {
name: "hwservice_contexts_files",
srcs: ["hwservice_contexts"],
}
-se_build_files {
+se_filegroup {
name: "property_contexts_files",
srcs: ["property_contexts"],
}
-se_build_files {
+se_filegroup {
name: "service_contexts_files",
srcs: ["service_contexts"],
}
-se_build_files {
+se_filegroup {
name: "keystore2_key_contexts_files",
srcs: ["keystore2_key_contexts"],
}
-se_build_files {
- name: "seapp_contexts_files",
- srcs: ["seapp_contexts"],
+file_contexts {
+ name: "plat_file_contexts",
+ srcs: [":file_contexts_files"],
+ product_variables: {
+ address_sanitize: {
+ srcs: [":file_contexts_asan_files"],
+ },
+ debuggable: {
+ srcs: [":file_contexts_overlayfs_files"],
+ },
+ },
+
+ flatten_apex: {
+ srcs: ["apex/*-file_contexts"],
+ },
+
+ recovery_available: true,
}
-se_build_files {
- name: "vndservice_contexts_files",
- srcs: ["vndservice_contexts"],
+file_contexts {
+ name: "vendor_file_contexts",
+ srcs: [":file_contexts_files"],
+ soc_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "system_ext_file_contexts",
+ srcs: [":file_contexts_files"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "product_file_contexts",
+ srcs: [":file_contexts_files"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+file_contexts {
+ name: "odm_file_contexts",
+ srcs: [":file_contexts_files"],
+ device_specific: true,
+ recovery_available: true,
+}
+
+hwservice_contexts {
+ name: "plat_hwservice_contexts",
+ srcs: [":hwservice_contexts_files"],
+}
+
+hwservice_contexts {
+ name: "system_ext_hwservice_contexts",
+ srcs: [":hwservice_contexts_files"],
+ system_ext_specific: true,
+}
+
+hwservice_contexts {
+ name: "product_hwservice_contexts",
+ srcs: [":hwservice_contexts_files"],
+ product_specific: true,
+}
+
+hwservice_contexts {
+ name: "vendor_hwservice_contexts",
+ srcs: [":hwservice_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
+hwservice_contexts {
+ name: "odm_hwservice_contexts",
+ srcs: [":hwservice_contexts_files"],
+ device_specific: true,
+}
+
+property_contexts {
+ name: "plat_property_contexts",
+ srcs: [":property_contexts_files"],
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "system_ext_property_contexts",
+ srcs: [":property_contexts_files"],
+ system_ext_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "product_property_contexts",
+ srcs: [":property_contexts_files"],
+ product_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "vendor_property_contexts",
+ srcs: [":property_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+ recovery_available: true,
+}
+
+property_contexts {
+ name: "odm_property_contexts",
+ srcs: [":property_contexts_files"],
+ device_specific: true,
+ recovery_available: true,
+}
+
+service_contexts {
+ name: "plat_service_contexts",
+ srcs: [":service_contexts_files"],
+}
+
+service_contexts {
+ name: "system_ext_service_contexts",
+ srcs: [":service_contexts_files"],
+ system_ext_specific: true,
+}
+
+service_contexts {
+ name: "product_service_contexts",
+ srcs: [":service_contexts_files"],
+ product_specific: true,
+}
+
+service_contexts {
+ name: "vendor_service_contexts",
+ srcs: [":service_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "plat_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+}
+
+keystore2_key_contexts {
+ name: "system_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ system_ext_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "product_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ product_specific: true,
+}
+
+keystore2_key_contexts {
+ name: "vendor_keystore2_key_contexts",
+ srcs: [":keystore2_key_contexts_files"],
+ reqd_mask: true,
+ soc_specific: true,
}
// For vts_treble_sys_prop_test
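Review bot: The `// top_half:` lines that end each 30.0 chain (`plat_30.0.cil`, `system_ext_30.0.cil`, `product_30.0.cil`, `30.0.ignore.cil` and the two partition-specific ignore maps) are commented out with no rationale, so a reader cannot tell whether the mapping chain is deliberately terminated at 30.0 on this branch or a 31.0 map is missing. A short comment on the first of them, e.g. `// 30.0 is the newest compat map on this branch; set top_half once a 31.0 map exists.`, would record the intent and keep the later chains consistent with it. Separately, `system_keystore2_key_contexts` is the only system_ext module in this hunk not named `system_ext_*` (compare `system_ext_hwservice_contexts`, `system_ext_property_contexts`, `system_ext_service_contexts`); if the name is referenced from other build files it has to stay, but a comment saying the name is kept for compatibility would stop the next reader from "fixing" it.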
@@ -230,19 +599,6 @@
],
}
-se_build_files {
- name: "sepolicy_technical_debt",
- srcs: ["technical_debt.cil"],
-}
-
-reqd_mask_policy = [":se_build_files{.reqd_mask}"]
-plat_public_policy = [":se_build_files{.plat_public}"]
-plat_private_policy = [":se_build_files{.plat_private}"]
-system_ext_public_policy = [":se_build_files{.system_ext_public}"]
-system_ext_private_policy = [":se_build_files{.system_ext_private}"]
-product_public_policy = [":se_build_files{.product_public}"]
-product_private_policy = [":se_build_files{.product_private}"]
-
// reqd_policy_mask - a policy.conf file which contains only the bare minimum
// policy necessary to use checkpolicy.
//
@@ -253,7 +609,7 @@
// policy and subsequent removal of CIL policy that should not be exported.
se_policy_conf {
name: "reqd_policy_mask.conf",
- srcs: reqd_mask_policy,
+ srcs: [":se_build_files{.reqd_mask}"],
installable: false,
}
@@ -288,10 +644,7 @@
//
se_policy_conf {
name: "pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- product_public_policy +
- reqd_mask_policy,
+ srcs: [":se_build_files{.product_public}"], // product_ includes system and system_ext
installable: false,
}
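Review bot: The new `srcs` for `pub_policy.conf` drops the explicit `reqd_mask_policy` entry the old list carried, and the comment `// product_ includes system and system_ext` says nothing about reqd_mask, so it is not visible from this hunk whether `:se_build_files{.product_public}` still supplies the reqd_mask sources checkpolicy needs. If the tagged output does include them, the comment should say so, e.g. `// product_public includes plat_public, system_ext_public and reqd_mask`; if it does not, pub_policy.conf has silently lost an input it previously had. The same question applies to `system_ext_pub_policy.conf` and `plat_pub_policy.conf` in the following two hunks, which make the identical substitution. The dangling underscore in `product_` also reads like a truncated identifier and should be the full tag name.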
@@ -305,9 +658,7 @@
se_policy_conf {
name: "system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
+ srcs: [":se_build_files{.system_ext_public}"], // system_ext_public includes system
installable: false,
}
@@ -321,8 +672,7 @@
se_policy_conf {
name: "plat_pub_policy.conf",
- srcs: plat_public_policy +
- reqd_mask_policy,
+ srcs: [":se_build_files{.plat_public}"],
installable: false,
}
@@ -341,37 +691,20 @@
// currently being attributized.
se_policy_conf {
name: "plat_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy,
+ srcs: [":se_build_files{.plat}"],
installable: false,
}
se_policy_cil {
name: "plat_sepolicy.cil",
src: ":plat_sepolicy.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
-}
-
-
-se_policy_conf {
- name: "apex_sepolicy-33.conf",
- srcs: plat_public_policy + plat_private_policy + ["com.android.sepolicy/33/*.te"],
- installable: false,
-}
-
-se_policy_cil {
- name: "apex_sepolicy-33.cil",
- src: ":apex_sepolicy-33.conf",
- filter_out: [":plat_sepolicy.cil"],
- installable: false,
- stem: "apex_sepolicy.cil",
+ additional_cil_files: ["private/technical_debt.cil"],
}
// userdebug_plat_policy.conf - the userdebug version plat_sepolicy.cil
se_policy_conf {
name: "userdebug_plat_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy,
+ srcs: [":se_build_files{.plat}"],
build_variant: "userdebug",
installable: false,
}
@@ -379,51 +712,15 @@
se_policy_cil {
name: "userdebug_plat_sepolicy.cil",
src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
+ additional_cil_files: ["private/technical_debt.cil"],
debug_ramdisk: true,
- dist: {
- targets: ["droidcore"],
- },
-}
-
-// A copy of the userdebug_plat_policy in GSI.
-soong_config_module_type {
- name: "gsi_se_policy_cil",
- module_type: "se_policy_cil",
- config_namespace: "ANDROID",
- bool_variables: [
- "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
- ],
- properties: [
- "enabled",
- "installable",
- ],
-}
-
-gsi_se_policy_cil {
- name: "system_ext_userdebug_plat_sepolicy.cil",
- stem: "userdebug_plat_sepolicy.cil",
- src: ":userdebug_plat_sepolicy.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private}"],
- system_ext_specific: true,
- enabled: false,
- installable: false,
- soong_config_variables: {
- PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
- enabled: true,
- installable: true,
- },
- },
}
// system_ext_policy.conf - A combination of the private and public system_ext
// policy which will ship with the device. System_ext policy is not attributized
se_policy_conf {
name: "system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
+ srcs: [":se_build_files{.system_ext}"],
installable: false,
}
@@ -439,12 +736,7 @@
// which will ship with the device. Product policy is not attributized
se_policy_conf {
name: "product_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy +
- product_public_policy +
- product_private_policy,
+ srcs: [":se_build_files{.product}"],
installable: false,
}
@@ -487,193 +779,24 @@
product_specific: true,
}
-// vendor/odm sepolicy
-//
-// If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
-// policy files of platform (system, system_ext, product) can't be mixed with
-// policy files of vendor (vendor, odm). If it's the case, platform policies and
-// vendor policies are separately built. More specifically,
-//
-// - Platform policy files needed to build vendor policies, such as plat_policy,
-// plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
-// prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
-//
-// - sepolicy_neverallows only checks platform policies, and a new module
-// sepolicy_neverallows_vendor checks vendor policies.
-//
-// - neverallow checks are turned off while compiling precompiled_sepolicy
-// module and sepolicy module.
-//
-// - Vendor policies are not checked on the compat test (compat.mk).
-//
-// In such scenario, we can grab platform policy files from the prebuilts/api
-// directory. But we need more than that: prebuilts of system_ext, product,
-// system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following
-// variables are introduced to specify such prebuilts.
-//
-// - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
-// - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
-// - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
-// - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
-// - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
-// - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
-//
-// Vendors are responsible for copying policy files from the old version of the
-// source tree as prebuilts, and for setting BOARD_*_POLICY variables so they
-// can be used to build vendor policies.
-//
-// To support both mixed build and normal build, platform policy files are
-// indirectly referred as {.(partition)_(scope)_for_vendor}. They will be equal
-// to {.(partition)_scope)} if BOARD_SEPOLICY_VERS == PLATFORM_SEPOLICY_VERSION.
-// Otherwise, they will be equal to the Makefile variables above.
-
-plat_public_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.reqd_mask_for_vendor}",
-]
-
-plat_policies_for_vendor = [
- ":se_build_files{.plat_public_for_vendor}",
- ":se_build_files{.plat_private_for_vendor}",
- ":se_build_files{.system_ext_public_for_vendor}",
- ":se_build_files{.system_ext_private_for_vendor}",
- ":se_build_files{.product_public_for_vendor}",
- ":se_build_files{.product_private_for_vendor}",
-]
-
-se_policy_conf {
- name: "plat_policy_for_vendor.conf",
- srcs: plat_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "plat_policy_for_vendor.cil",
- src: ":plat_policy_for_vendor.conf",
- additional_cil_files: [":sepolicy_technical_debt{.plat_private_for_vendor}"],
- installable: false,
-}
-
-se_policy_conf {
- name: "reqd_policy_mask_for_vendor.conf",
- srcs: [":se_build_files{.reqd_mask_for_vendor}"],
- installable: false,
-}
-
-se_policy_cil {
- name: "reqd_policy_mask_for_vendor.cil",
- src: ":reqd_policy_mask_for_vendor.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "pub_policy_for_vendor.conf",
- srcs: plat_public_policies_for_vendor,
- installable: false,
-}
-
-se_policy_cil {
- name: "pub_policy_for_vendor.cil",
- src: ":pub_policy_for_vendor.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "plat_mapping_file_for_vendor",
- base: ":pub_policy_for_vendor.cil",
- mapping: true,
- version: "vendor",
- installable: false,
-}
-
// plat_pub_versioned.cil - the exported platform policy associated with the version
// that non-platform policy targets.
se_versioned_policy {
name: "plat_pub_versioned.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":pub_policy_for_vendor.cil",
- version: "vendor",
- vendor: true,
-}
-
-// vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
-// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-// policy and the platform public policy files in order to use checkpolicy.
-se_policy_conf {
- name: "vendor_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
- ":se_build_files{.vendor}",
- ],
- installable: false,
-}
-
-se_policy_cil {
- name: "vendor_sepolicy.cil.raw",
- src: ":vendor_sepolicy.conf",
- filter_out: [":reqd_policy_mask_for_vendor.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "vendor_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":vendor_sepolicy.cil.raw",
- version: "vendor",
+ base: ":pub_policy.cil",
+ target_policy: ":pub_policy.cil",
+ version: "current",
dependent_cils: [
- ":plat_policy_for_vendor.cil",
- ":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
+ ":plat_sepolicy.cil",
+ ":system_ext_sepolicy.cil",
+ ":product_sepolicy.cil",
+ ":plat_mapping_file",
+ ":system_ext_mapping_file",
+ ":product_mapping_file",
],
- filter_out: [":plat_pub_versioned.cil"],
vendor: true,
}
-// odm_policy.cil - the odl sepolicy. This needs attributization and to be combined
-// with the platform-provided policy. It makes use of the reqd_policy_mask files from private
-// policy and the platform public policy files in order to use checkpolicy.
-se_policy_conf {
- name: "odm_sepolicy.conf",
- srcs: plat_public_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
- ":se_build_files{.vendor}",
- ":se_build_files{.odm}",
- ],
- installable: false,
-}
-
-se_policy_cil {
- name: "odm_sepolicy.cil.raw",
- src: ":odm_sepolicy.conf",
- filter_out: [
- ":reqd_policy_mask_for_vendor.cil",
- ":vendor_sepolicy.cil",
- ],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "odm_sepolicy.cil",
- base: ":pub_policy_for_vendor.cil",
- target_policy: ":odm_sepolicy.cil.raw",
- version: "vendor",
- dependent_cils: [
- ":plat_policy_for_vendor.cil",
- ":plat_pub_versioned.cil",
- ":plat_mapping_file_for_vendor",
- ":vendor_sepolicy.cil",
- ],
- filter_out: [":plat_pub_versioned.cil", ":vendor_sepolicy.cil"],
- device_specific: true,
-}
-
//////////////////////////////////
// Precompiled sepolicy is loaded if and only if:
// - plat_sepolicy_and_mapping.sha256 equals
@@ -684,9 +807,6 @@
// AND
// - product_sepolicy_and_mapping.sha256 equals
// precompiled_sepolicy.product_sepolicy_and_mapping.sha256
-// AND
-// - apex_sepolicy.sha256 equals
-// precompiled_sepolicy.apex_sepolicy.sha256
// See system/core/init/selinux.cpp for details.
//////////////////////////////////
genrule {
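Review bot: The load-condition list in this comment block is the contract init is expected to enforce, and it now omits the `apex_sepolicy.sha256` comparison while still pointing at `system/core/init/selinux.cpp`; that file on this branch should be confirmed to compare exactly the three remaining digests, because a mismatch between what the build ships and what init checks would be expected to make init reject the precompiled policy on every boot and fall back to compiling policy at startup, leaving the digest prebuilts as dead weight. The matching `apex_sepolicy.sha256` genrule and prebuilt_etc are removed in the next hunk, so the build side is internally consistent; only the init side is out of view here. A line such as `// Keep this list in sync with the checks in system/core/init/selinux.cpp.` would make the coupling explicit.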
@@ -704,20 +824,6 @@
}
genrule {
- name: "apex_sepolicy.sha256_gen",
- srcs: [":apex_sepolicy-33.cil"],
- out: ["apex_sepolicy.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "apex_sepolicy.sha256",
- filename: "apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- installable: false,
-}
-
-genrule {
name: "system_ext_sepolicy_and_mapping.sha256_gen",
srcs: [":system_ext_sepolicy.cil", ":system_ext_mapping_file"],
out: ["system_ext_sepolicy_and_mapping.sha256"],
@@ -754,15 +860,15 @@
}
soong_config_module_type {
- name: "precompiled_sepolicy_prebuilts_defaults",
+ name: "precompiled_sepolicy_defaults",
module_type: "prebuilt_defaults",
config_namespace: "ANDROID",
bool_variables: ["BOARD_USES_ODMIMAGE"],
properties: ["vendor", "device_specific"],
}
-precompiled_sepolicy_prebuilts_defaults {
- name: "precompiled_sepolicy_prebuilts",
+precompiled_sepolicy_defaults {
+ name: "precompiled_sepolicy",
soong_config_variables: {
BOARD_USES_ODMIMAGE: {
device_specific: true,
@@ -778,7 +884,7 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
+ defaults: ["precompiled_sepolicy"],
name: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
src: ":plat_sepolicy_and_mapping.sha256_gen",
@@ -786,23 +892,11 @@
}
//////////////////////////////////
-// SHA-256 digest of the apex_sepolicy.cil against which precompiled_policy
-// was built.
-//////////////////////////////////
-prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
- name: "precompiled_sepolicy.apex_sepolicy.sha256",
- filename: "precompiled_sepolicy.apex_sepolicy.sha256",
- src: ":apex_sepolicy.sha256_gen",
- relative_install_path: "selinux",
-}
-
-//////////////////////////////////
// SHA-256 digest of the system_ext_sepolicy.cil and system_ext_mapping_file against
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
+ defaults: ["precompiled_sepolicy"],
name: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256",
src: ":system_ext_sepolicy_and_mapping.sha256_gen",
@@ -814,92 +908,13 @@
// which precompiled_policy was built.
//////////////////////////////////
prebuilt_etc {
- defaults: ["precompiled_sepolicy_prebuilts"],
+ defaults: ["precompiled_sepolicy"],
name: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
filename: "precompiled_sepolicy.product_sepolicy_and_mapping.sha256",
src: ":product_sepolicy_and_mapping.sha256_gen",
relative_install_path: "selinux",
}
-soong_config_module_type {
- name: "precompiled_se_policy_binary",
- module_type: "se_policy_binary",
- config_namespace: "ANDROID",
- bool_variables: ["BOARD_USES_ODMIMAGE", "IS_TARGET_MIXED_SEPOLICY"],
- value_variables: ["MIXED_SEPOLICY_VERSION"],
- properties: ["vendor", "device_specific", "srcs", "ignore_neverallow"],
-}
-
-precompiled_se_policy_binary {
- name: "precompiled_sepolicy",
- srcs: [
- ":plat_sepolicy.cil",
- ":apex_sepolicy-33.cil",
- ":plat_pub_versioned.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
- ],
- soong_config_variables: {
- BOARD_USES_ODMIMAGE: {
- device_specific: true,
- conditions_default: {
- vendor: true,
- },
- },
- IS_TARGET_MIXED_SEPOLICY: {
- ignore_neverallow: true,
- },
- MIXED_SEPOLICY_VERSION: {
- srcs: [
- ":plat_%s.cil",
- ":system_ext_%s.cil",
- ":product_%s.cil",
- ],
- conditions_default: {
- srcs: [
- ":plat_mapping_file",
- ":system_ext_mapping_file",
- ":product_mapping_file",
- ],
- },
- },
- },
- required: [
- "sepolicy_neverallows",
- "sepolicy_neverallows_vendor",
- ],
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
-// policy for recovery
-se_policy_conf {
- name: "recovery_sepolicy.conf",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
- ":se_build_files{.vendor}",
- ":se_build_files{.odm}",
- ],
- target_recovery: true,
- installable: false,
-}
-
-se_policy_cil {
- name: "recovery_sepolicy.cil",
- src: ":recovery_sepolicy.conf",
- secilc_check: false, // will be done in se_policy_binary module
- installable: false,
-}
-
-se_policy_binary {
- name: "sepolicy.recovery",
- srcs: [":recovery_sepolicy.cil"],
- stem: "sepolicy",
- recovery: true,
-}
//////////////////////////////////
// SELinux policy embedded into CTS.
@@ -907,230 +922,68 @@
//////////////////////////////////
se_policy_conf {
name: "general_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy,
+ srcs: [":se_build_files{.plat}"],
build_variant: "user",
cts: true,
exclude_build_test: true,
}
//////////////////////////////////
-// Base system policy for treble sepolicy tests.
-// If system sepolicy is extended (e.g. by SoC vendors), their plat_pub_versioned.cil may differ
-// with system/sepolicy/prebuilts/api/{version}/plat_pub_versioned.cil. In that case,
-// BOARD_PLAT_PUB_VERSIONED_POLICY can be used to specify extended plat_pub_versioned.cil.
-// See treble_sepolicy_tests_for_release.mk for more details.
+// modules for microdroid
//////////////////////////////////
-se_policy_conf {
- name: "base_plat_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy,
- build_variant: "user",
- installable: false,
-}
-se_policy_cil {
- name: "base_plat_sepolicy.cil",
- src: ":base_plat_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_plat_sepolicy",
- srcs: [":base_plat_sepolicy.cil"],
- installable: false,
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
-se_policy_conf {
- name: "base_system_ext_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_system_ext_sepolicy.cil",
- src: ":base_system_ext_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- system_ext_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_system_ext_sepolicy",
- srcs: [":base_system_ext_sepolicy.cil"],
- system_ext_specific: true,
- installable: false,
-}
-
-se_policy_conf {
- name: "base_product_sepolicy.conf",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy +
- product_public_policy +
- product_private_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_product_sepolicy.cil",
- src: ":base_product_sepolicy.conf",
- additional_cil_files: ["private/technical_debt.cil"],
- product_specific: true,
- installable: false,
- secilc_check: false, // done by se_policy_binary
-}
-
-se_policy_binary {
- name: "base_product_sepolicy",
- srcs: [":base_product_sepolicy.cil"],
- product_specific: true,
- installable: false,
-}
-
-se_policy_conf {
- name: "base_plat_pub_policy.conf",
- srcs: plat_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_plat_pub_policy.cil",
- src: ":base_plat_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
- dist: {
- targets: ["base-sepolicy-files-for-mapping"],
- },
-}
-
-se_policy_conf {
- name: "base_system_ext_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_system_ext_pub_policy.cil",
- src: ":base_system_ext_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "base_product_pub_policy.conf",
- srcs: plat_public_policy +
- system_ext_public_policy +
- product_public_policy +
- reqd_mask_policy,
- build_variant: "user",
- installable: false,
-}
-
-se_policy_cil {
- name: "base_product_pub_policy.cil",
- src: ":base_product_pub_policy.conf",
- filter_out: [":reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-// bug_map - Bug tracking information for selinux denials loaded by auditd.
-se_filegroup {
- name: "bug_map_files",
- srcs: ["bug_map"],
-}
-
-se_bug_map {
- name: "plat_bug_map",
- srcs: [":bug_map_files"],
- stem: "bug_map",
-}
-
-se_bug_map {
- name: "system_ext_bug_map",
- srcs: [":bug_map_files"],
- stem: "bug_map",
- system_ext_specific: true,
-}
-
-se_bug_map {
- name: "vendor_bug_map",
- srcs: [":bug_map_files"],
- // Legacy file name of the vendor partition bug_map.
- stem: "selinux_denial_metadata",
- vendor: true,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows",
- srcs: plat_public_policy +
- plat_private_policy +
- system_ext_public_policy +
- system_ext_private_policy +
- product_public_policy +
- product_private_policy,
-}
-
-se_neverallow_test {
- name: "sepolicy_neverallows_vendor",
- srcs: plat_policies_for_vendor + [
- ":se_build_files{.plat_vendor_for_vendor}",
- ":se_build_files{.vendor}",
- ":se_build_files{.odm}",
+// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
+// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
+// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
+// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
+// host's files.
+se_versioned_policy {
+ name: "microdroid_plat_pub_versioned.cil",
+ stem: "plat_pub_versioned.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":plat_pub_policy.cil",
+ version: "current",
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":plat_mapping_file",
],
+ installable: false,
}
-//////////////////////////////////
-// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy
-// Additional directories can be specified via Makefile variables:
-// SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-//////////////////////////////////
-se_freeze_test {
- name: "sepolicy_freeze_test",
+// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
+// contains system/sepolicy/public and system/sepolicy/vendor.
+se_policy_conf {
+ name: "microdroid_vendor_sepolicy.conf",
+ srcs: [":se_build_files{.plat_vendor}"],
+ installable: false,
}
-//////////////////////////////////
-// sepolicy_test checks various types of violations, which can't be easily done
-// by CIL itself. Refer tests/sepolicy_tests.py for more detail.
-//////////////////////////////////
-genrule {
- name: "sepolicy_test",
- srcs: [
- ":plat_file_contexts",
- ":vendor_file_contexts",
- ":system_ext_file_contexts",
- ":product_file_contexts",
- ":odm_file_contexts",
- ":precompiled_sepolicy",
+se_policy_cil {
+ name: "microdroid_vendor_sepolicy.cil.raw",
+ src: ":microdroid_vendor_sepolicy.conf",
+ filter_out: [":reqd_policy_mask.cil"],
+ secilc_check: false, // will be done in se_versioned_policy module
+ installable: false,
+}
+
+se_versioned_policy {
+ name: "microdroid_vendor_sepolicy.cil",
+ stem: "vendor_sepolicy.cil",
+ base: ":plat_pub_policy.cil",
+ target_policy: ":microdroid_vendor_sepolicy.cil.raw",
+ version: "current", // microdroid is bundled to system
+ dependent_cils: [
+ ":plat_sepolicy.cil",
+ ":microdroid_plat_pub_versioned.cil",
+ ":plat_mapping_file",
],
- tools: ["sepolicy_tests"],
- out: ["sepolicy_test"],
- cmd: "$(location sepolicy_tests) " +
- "-f $(location :plat_file_contexts) " +
- "-f $(location :vendor_file_contexts) " +
- "-f $(location :system_ext_file_contexts) " +
- "-f $(location :product_file_contexts) " +
- "-f $(location :odm_file_contexts) " +
- "-p $(location :precompiled_sepolicy) && " +
- "touch $(out)",
+ filter_out: [":microdroid_plat_pub_versioned.cil"],
+ installable: false,
+}
+
+sepolicy_vers {
+ name: "microdroid_plat_sepolicy_vers.txt",
+ version: "platform",
+ stem: "plat_sepolicy_vers.txt",
+ installable: false,
}
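Review bot: `microdroid_vendor_sepolicy.conf` takes only `:se_build_files{.plat_vendor}` as srcs, yet `microdroid_vendor_sepolicy.cil.raw` filters out `:reqd_policy_mask.cil`, which only makes sense if the `.plat_vendor` output already bundles the reqd_mask and exported public policy alongside system/sepolicy/vendor; the header comment says it "just contains system/sepolicy/public and system/sepolicy/vendor" and does not mention reqd_mask. If the tag does include it, extending that comment to `// It just contains system/sepolicy/public, system/sepolicy/vendor and the reqd_mask policy.` would make the filter_out understandable; if it does not, checkpolicy is likely to reject the conf, since the file's own comment describes reqd_policy_mask as the bare minimum checkpolicy needs. With `se_neverallow_test` and the `sepolicy_test` genrule removed from this file in the same hunk, nothing visible here runs neverallow checks over the new microdroid vendor policy; if that coverage lives on the Make side of this branch, a one-line pointer in the `// modules for microdroid` header would help.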
diff --git a/Android.mk b/Android.mk
index 8fd90b0..d9c5b3c 100644
--- a/Android.mk
+++ b/Android.mk
@@ -67,6 +67,10 @@
PRODUCT_PUBLIC_POLICY := $(PRODUCT_PUBLIC_SEPOLICY_DIRS)
PRODUCT_PRIVATE_POLICY := $(PRODUCT_PRIVATE_SEPOLICY_DIRS)
+# Extra sepolicy and prebuilts directories for sepolicy_freeze_test
+FREEZE_TEST_EXTRA_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_DIRS)
+FREEZE_TEST_EXTRA_PREBUILT_DIRS := $(SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS)
+
ifneq (,$(SYSTEM_EXT_PUBLIC_POLICY)$(SYSTEM_EXT_PRIVATE_POLICY))
HAS_SYSTEM_EXT_SEPOLICY_DIR := true
endif
@@ -81,6 +85,55 @@
HAS_PRODUCT_SEPOLICY_DIR := true
endif
+# TODO: move to README when doing the README update and finalizing versioning.
+# BOARD_SEPOLICY_VERS must take the format "NN.m" and contain the sepolicy
+# version identifier corresponding to the sepolicy on which the non-platform
+# policy is to be based. If unspecified, this will build against the current
+# public platform policy in tree
+ifndef BOARD_SEPOLICY_VERS
+# The default platform policy version.
+BOARD_SEPOLICY_VERS := $(PLATFORM_SEPOLICY_VERSION)
+endif
+
+# If BOARD_SEPOLICY_VERS is set to a value other than PLATFORM_SEPOLICY_VERSION,
+# policy files of platform (system, system_ext, product) can't be mixed with
+# policy files of vendor (vendor, odm). If it's the case, platform policies and
+# vendor policies are separately built. More specifically,
+#
+# - Platform policy files needed to build vendor policies, such as plat_policy,
+# plat_mapping_cil, plat_pub_policy, reqd_policy_mask, are built from the
+# prebuilts (copy of platform policy files of version BOARD_SEPOLICY_VERS).
+#
+# - sepolicy_neverallows only checks platform policies, and a new module
+# sepolicy_neverallows_vendor checks vendor policies.
+#
+# - neverallow checks are turned off while compiling precompiled_sepolicy module
+# and sepolicy module.
+#
+# - Vendor policies are not checked on the compat test (compat.mk).
+#
+# In such scenario, we can grab platform policy files from the prebuilts/api
+# directory. But we need more than that: prebuilts of system_ext, product,
+# system/sepolicy/reqd_mask, and system/sepolicy/vendor. The following variables
+# are introduced to specify such prebuilts.
+#
+# - BOARD_REQD_MASK_POLICY (prebuilt of system/sepolicy/reqd_mask)
+# - BOARD_PLAT_VENDOR_POLICY (prebuilt of system/sepolicy/vendor)
+# - BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS (prebuilt of system_ext public)
+# - BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS (prebuilt of system_ext private)
+# - BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS (prebuilt of product public)
+# - BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS (prebuilt of product private)
+#
+# Vendors are responsible for copying policy files from the old version of the
+# source tree as prebuilts, and for setting BOARD_*_POLICY variables so they can
+# be used to build vendor policies. See prebuilt_policy.mk for more details.
+#
+# To support both mixed build and normal build, platform policy files are
+# indirectly referred by {partition}_{public|private}_policy_$(ver) variables
+# when building vendor policies. See vendor_sepolicy.cil and odm_sepolicy.cil
+# for more details.
+#
+# sepolicy.recovery is also compiled from vendor and plat prebuilt policies.
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS))
mixed_sepolicy_build := true
else
@@ -134,12 +187,12 @@
###########################################################
define build_policy
-$(strip $(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file))))))
+$(foreach type, $(1), $(foreach file, $(addsuffix /$(type), $(2)), $(sort $(wildcard $(file)))))
endef
# Builds paths for all policy files found in BOARD_VENDOR_SEPOLICY_DIRS.
# $(1): the set of policy name paths to build
-build_vendor_policy = $(call build_policy, $(1), $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+build_vendor_policy = $(call build_policy, $(1), $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
# Builds paths for all policy files found in BOARD_ODM_SEPOLICY_DIRS.
build_odm_policy = $(call build_policy, $(1), $(BOARD_ODM_SEPOLICY_DIRS))
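Review bot: Dropping `$(strip ...)` from the `define build_policy` body changes the whitespace of every caller's result, so any consumer that tests that value for emptiness with `ifeq (,...)` or passes it somewhere a leading or trailing space matters may behave differently, and the hunk gives no reason for the change. If it is deliberate, a one-line comment above the define such as `# Result is not stripped; callers needing a clean list must $(strip) it themselves.` would prevent the strip from being reinstated by the next reader (or restore it if the removal was incidental). Relatedly, `build_vendor_policy` now reads `PLAT_VENDOR_POLICY` while the vendor_sepolicy.cil and sepolicy_neverallows_vendor modules later in this file still read `BOARD_PLAT_VENDOR_POLICY`, which in a mixed build presumably points at the prebuilt copy; that split looks intentional but deserves a comment stating which of the two is meant to apply here.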
@@ -332,7 +385,6 @@
plat_service_contexts_test \
plat_hwservice_contexts \
plat_hwservice_contexts_test \
- plat_bug_map \
searchpolicy \
# This conditional inclusion closely mimics the conditional logic
@@ -341,18 +393,15 @@
# The following files are only allowed for non-Treble devices.
LOCAL_REQUIRED_MODULES += \
sepolicy \
+ vendor_service_contexts \
endif # ($(PRODUCT_SEPOLICY_SPLIT),true)
ifneq ($(with_asan),true)
ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
LOCAL_REQUIRED_MODULES += \
- sepolicy_compat_test \
-
-# HACK: sepolicy_test is implemented as genrule
-# genrule modules aren't installable, so LOCAL_REQUIRED_MODULES doesn't work.
-# Instead, use LOCAL_ADDITIONAL_DEPENDENCIES with intermediate output
-LOCAL_ADDITIONAL_DEPENDENCIES += $(call intermediates-dir-for,ETC,sepolicy_test)/sepolicy_test
+ sepolicy_tests \
+ $(addsuffix _compat_test,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS)) \
ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
LOCAL_REQUIRED_MODULES += \
@@ -364,7 +413,13 @@
ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
LOCAL_REQUIRED_MODULES += \
- sepolicy_freeze_test
+ sepolicy_freeze_test \
+
+else
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+$(error SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS\
+cannot be set before system/sepolicy freezes.)
+endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
include $(BUILD_PHONY_PACKAGE)
@@ -410,7 +465,6 @@
system_ext_service_contexts \
system_ext_service_contexts_test \
system_ext_mac_permissions.xml \
- system_ext_bug_map \
$(addprefix system_ext_,$(addsuffix .compat.cil,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS))) \
endif
@@ -503,12 +557,9 @@
vendor_property_contexts_test \
vendor_seapp_contexts \
vendor_service_contexts \
- vendor_service_contexts_test \
vendor_hwservice_contexts \
vendor_hwservice_contexts_test \
- vendor_bug_map \
vndservice_contexts \
- vndservice_contexts_test \
ifdef BOARD_ODM_SEPOLICY_DIRS
LOCAL_REQUIRED_MODULES += \
@@ -526,35 +577,435 @@
LOCAL_REQUIRED_MODULES += selinux_policy_system_ext
LOCAL_REQUIRED_MODULES += selinux_policy_product
+LOCAL_REQUIRED_MODULES += \
+ selinux_denial_metadata \
+
# Builds an addtional userdebug sepolicy into the debug ramdisk.
LOCAL_REQUIRED_MODULES += \
userdebug_plat_sepolicy.cil \
include $(BUILD_PHONY_PACKAGE)
+#################################
+
+ifeq ($(mixed_sepolicy_build),true)
+include $(LOCAL_PATH)/prebuilt_policy.mk
+else
+reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
+plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
+plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
+system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
+system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
+product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
+product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
+endif
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+# In a mixed build target, vendor policies are checked separately, on the module
+# sepolicy_neverallows_vendor.
+
+all_plat_policy := $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) \
+ $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY)
+ifeq ($(mixed_sepolicy_build),true)
+policy_files := $(call build_policy, $(sepolicy_build_files), $(all_plat_policy))
+else
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(all_plat_policy) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+endif
+
+sepolicy_policy.conf := $(intermediates)/policy.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
+ $(hide) mv $@.tmp $@
+
+sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
+built_sepolicy_neverallows := $(LOCAL_BUILT_MODULE)
+
+#################################
+# sepolicy_neverallows_vendor: neverallow check module for vendors in a mixed build target
+ifeq ($(mixed_sepolicy_build),true)
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := sepolicy_neverallows_vendor
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Check neverallow with prebuilt policy files
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+
+# sepolicy_policy.conf - All of the policy for the device. This is only used to
+# check neverallow rules.
+sepolicy_policy.conf := $(intermediates)/policy_vendor.conf
+$(sepolicy_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+# sepolicy_policy_2.conf - All of the policy for the device. This is only used to
+# check neverallow rules using sepolicy-analyze, similar to CTS.
+sepolicy_policy_2.conf := $(intermediates)/policy_vendor_2.conf
+$(sepolicy_policy_2.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy_policy_2.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy_policy_2.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(sepolicy_policy_2.conf): PRIVATE_EXCLUDE_BUILD_TEST := true
+$(sepolicy_policy_2.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy_policy_2.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy_policy_2.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy_policy_2.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(sepolicy_policy_2.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy_policy_2.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy_policy_2.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_1 := $(sepolicy_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY_2 := $(sepolicy_policy_2.conf)
+$(LOCAL_BUILT_MODULE): $(sepolicy_policy.conf) $(sepolicy_policy_2.conf) \
+ $(HOST_OUT_EXECUTABLES)/checkpolicy $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ifneq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $(PRIVATE_SEPOLICY_1)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp neverallow -w -f $(PRIVATE_SEPOLICY_2) || \
+ ( echo "" 1>&2; \
+ echo "sepolicy-analyze failed. This is most likely due to the use" 1>&2; \
+ echo "of an expanded attribute in a neverallow assertion. Please fix" 1>&2; \
+ echo "the policy." 1>&2; \
+ exit 1 )
+endif # ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) touch $@.tmp
+ $(hide) mv $@.tmp $@
+
+sepolicy_policy.conf :=
+sepolicy_policy_2.conf :=
+built_sepolicy_neverallows += $(LOCAL_BUILT_MODULE)
+
+endif # ifeq ($(mixed_sepolicy_build),true)
+
##################################
-# Policy files are now built with Android.bp. Grab them from intermediate.
-# See Android.bp for details of policy files.
+# plat policy files are now built with Android.bp. Grab them from intermediate.
+# See Android.bp for details of plat policy files.
#
+reqd_policy_mask.cil := $(call intermediates-dir-for,ETC,reqd_policy_mask.cil)/reqd_policy_mask.cil
+reqd_policy_mask_$(PLATFORM_SEPOLICY_VERSION).cil := $(reqd_policy_mask.cil)
+
+pub_policy.cil := $(call intermediates-dir-for,ETC,pub_policy.cil)/pub_policy.cil
+pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(pub_policy.cil)
+
+system_ext_pub_policy.cil := $(call intermediates-dir-for,ETC,system_ext_pub_policy.cil)/system_ext_pub_policy.cil
+system_ext_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(system_ext_pub_policy.cil)
+
+plat_pub_policy.cil := $(call intermediates-dir-for,ETC,plat_pub_policy.cil)/plat_pub_policy.cil
+plat_pub_policy_$(PLATFORM_SEPOLICY_VERSION).cil := $(plat_pub_policy.cil)
+
built_plat_cil := $(call intermediates-dir-for,ETC,plat_sepolicy.cil)/plat_sepolicy.cil
+built_plat_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_cil)
+built_plat_mapping_cil := $(call intermediates-dir-for,ETC,plat_mapping_file)/plat_mapping_file
+built_plat_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_plat_mapping_cil)
ifdef HAS_SYSTEM_EXT_SEPOLICY
built_system_ext_cil := $(call intermediates-dir-for,ETC,system_ext_sepolicy.cil)/system_ext_sepolicy.cil
+built_system_ext_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_cil)
+built_system_ext_mapping_cil := $(call intermediates-dir-for,ETC,system_ext_mapping_file)/system_ext_mapping_file
+built_system_ext_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_system_ext_mapping_cil)
endif # ifdef HAS_SYSTEM_EXT_SEPOLICY
ifdef HAS_PRODUCT_SEPOLICY
built_product_cil := $(call intermediates-dir-for,ETC,product_sepolicy.cil)/product_sepolicy.cil
+built_product_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_cil)
+built_product_mapping_cil := $(call intermediates-dir-for,ETC,product_mapping_file)/product_mapping_file
+built_product_mapping_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_product_mapping_cil)
endif # ifdef HAS_PRODUCT_SEPOLICY
-built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
-built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
+built_pub_vers_cil := $(call intermediates-dir-for,ETC,plat_pub_versioned.cil)/plat_pub_versioned.cil
+built_pub_vers_cil_$(PLATFORM_SEPOLICY_VERSION) := $(built_pub_vers_cil)
+
+# b/37755687
+CHECKPOLICY_ASAN_OPTIONS := ASAN_OPTIONS=detect_leaks=0
#################################
-# sepolicy is also built with Android.bp.
-# This module is to keep compatibility with monolithic sepolicy devices.
include $(CLEAR_VARS)
+# vendor_policy.cil - the vendor sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := vendor_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS))
+vendor_policy.conf := $(intermediates)/vendor_policy.conf
+$(vendor_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(vendor_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(vendor_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(vendor_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(vendor_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(vendor_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vendor_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(vendor_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(vendor_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(vendor_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(vendor_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(vendor_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(vendor_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(vendor_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): PRIVATE_FILTER_CIL := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS))
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(vendor_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS))
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_vendor_cil := $(LOCAL_BUILT_MODULE)
+vendor_policy.conf :=
+
+#################################
+include $(CLEAR_VARS)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+# odm_policy.cil - the odm sepolicy. This needs attributization and to be combined
+# with the platform-provided policy. It makes use of the reqd_policy_mask files from private
+# policy and the platform public policy files in order to use checkpolicy.
+LOCAL_MODULE := odm_sepolicy.cil
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# Use either prebuilt policy files or current policy files, depending on BOARD_SEPOLICY_VERS
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(reqd_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+odm_policy.conf := $(intermediates)/odm_policy.conf
+$(odm_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(odm_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(odm_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(odm_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(odm_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(odm_policy.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(odm_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(odm_policy.conf): PRIVATE_SEPOLICY_SPLIT := $(PRODUCT_SEPOLICY_SPLIT)
+$(odm_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(odm_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(odm_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(odm_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(odm_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(odm_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+$(LOCAL_BUILT_MODULE): PRIVATE_POL_CONF := $(odm_policy.conf)
+$(LOCAL_BUILT_MODULE): PRIVATE_REQD_MASK := $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_CIL := $(pub_policy_$(BOARD_SEPOLICY_VERS).cil)
+$(LOCAL_BUILT_MODULE): PRIVATE_VERS := $(BOARD_SEPOLICY_VERS)
+$(LOCAL_BUILT_MODULE): PRIVATE_DEP_CIL_FILES := $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+$(built_vendor_cil)
+$(LOCAL_BUILT_MODULE) : PRIVATE_FILTER_CIL_FILES := $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_vendor_cil)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/build_sepolicy \
+ $(odm_policy.conf) $(reqd_policy_mask_$(BOARD_SEPOLICY_VERS).cil) \
+ $(pub_policy_$(BOARD_SEPOLICY_VERS).cil) $(built_plat_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) $(built_plat_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_system_ext_mapping_cil_$(BOARD_SEPOLICY_VERS)) $(built_product_mapping_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_vendor_cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) build_cil \
+ -i $(PRIVATE_POL_CONF) -m $(PRIVATE_REQD_MASK) -c $(CHECKPOLICY_ASAN_OPTIONS) \
+ -b $(PRIVATE_BASE_CIL) -d $(PRIVATE_DEP_CIL_FILES) -f $(PRIVATE_FILTER_CIL_FILES) \
+ -t $(PRIVATE_VERS) -p $(POLICYVERS) -o $@
+
+built_odm_cil := $(LOCAL_BUILT_MODULE)
+odm_policy.conf :=
+odm_policy_raw :=
+endif
+
+#################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := precompiled_sepolicy
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_PROPRIETARY_MODULE := true
+
+ifeq ($(BOARD_USES_ODMIMAGE),true)
+LOCAL_MODULE_PATH := $(TARGET_OUT_ODM)/etc/selinux
+else
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+endif
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_cil_files := \
+ $(built_plat_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_vendor_cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(all_cil_files) $(built_sepolicy_neverallows)
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) \
+ $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+built_precompiled_sepolicy := $(LOCAL_BUILT_MODULE)
+all_cil_files :=
+
+#################################
+# Precompiled sepolicy is loaded if and only if:
+# - plat_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.plat_sepolicy_and_mapping.sha256
+# AND
+# - system_ext_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.system_ext_sepolicy_and_mapping.sha256
+# AND
+# - product_sepolicy_and_mapping.sha256 equals
+# precompiled_sepolicy.product_sepolicy_and_mapping.sha256
+# See system/core/init/selinux.cpp for details.
+#################################
+
+#################################
+include $(CLEAR_VARS)
+# build this target so that we can still perform neverallow checks
+
LOCAL_MODULE := sepolicy
LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
LOCAL_LICENSE_CONDITIONS := notice unencumbered
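Review bot: The `PRIVATE_NEVERALLOW_ARG` line in the precompiled_sepolicy module passes `-N` to secilc whenever BOARD_SEPOLICY_VERS differs from PLATFORM_SEPOLICY_VERSION, and the comment above it says only that the checks are "skipped", so someone auditing where neverallow rules are enforced for a mixed build has to trace `$(built_sepolicy_neverallows)` back through the sepolicy_neverallows_vendor block to see that they are not lost. I would extend the comment to `# Neverallow checks are skipped by secilc in a mixed build target; they are enforced instead by the sepolicy_neverallows and sepolicy_neverallows_vendor modules, which this rule depends on through $(built_sepolicy_neverallows).` The same one-line comment is repeated on the `sepolicy` module in the next hunk and should get the same wording. Separately, `odm_policy_raw :=` at the end of the odm_sepolicy.cil block clears a variable that nothing in this hunk sets and looks like a leftover; it can be dropped.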
@@ -565,8 +1016,111 @@
include $(BUILD_SYSTEM)/base_rules.mk
-$(LOCAL_BUILT_MODULE): $(built_sepolicy)
- $(copy-file-to-target)
+all_cil_files := \
+ $(built_plat_cil) \
+ $(TARGET_OUT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil \
+ $(built_pub_vers_cil_$(BOARD_SEPOLICY_VERS)) \
+ $(built_vendor_cil)
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(TARGET_OUT_SYSTEM_EXT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(TARGET_OUT_PRODUCT)/etc/selinux/mapping/$(BOARD_SEPOLICY_VERS).cil
+endif
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+# Neverallow checks are skipped in a mixed build target.
+$(LOCAL_BUILT_MODULE): PRIVATE_NEVERALLOW_ARG := $(if $(filter $(PLATFORM_SEPOLICY_VERSION),$(BOARD_SEPOLICY_VERS)),$(NEVERALLOW_ARG),-N)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $< -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $(PRIVATE_CIL_FILES) -o $@.tmp -f /dev/null
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
+
+built_sepolicy := $(LOCAL_BUILT_MODULE)
+all_cil_files :=
+
+#################################
+include $(CLEAR_VARS)
+
+# keep concrete sepolicy for neverallow checks
+# If SELINUX_IGNORE_NEVERALLOWS is set, we use sed to remove the neverallow lines before compiling.
+
+LOCAL_MODULE := sepolicy.recovery
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_STEM := sepolicy
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+# We use vendor version's policy files because recovery partition is vendor-owned.
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(plat_public_policy_$(BOARD_SEPOLICY_VERS)) $(plat_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(system_ext_public_policy_$(BOARD_SEPOLICY_VERS)) $(system_ext_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(product_public_policy_$(BOARD_SEPOLICY_VERS)) $(product_private_policy_$(BOARD_SEPOLICY_VERS)) \
+ $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_ODM_SEPOLICY_DIRS))
+sepolicy.recovery.conf := $(intermediates)/sepolicy.recovery.conf
+$(sepolicy.recovery.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(sepolicy.recovery.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(sepolicy.recovery.conf): PRIVATE_TARGET_BUILD_VARIANT := $(TARGET_BUILD_VARIANT)
+$(sepolicy.recovery.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(sepolicy.recovery.conf): PRIVATE_TGT_WITH_NATIVE_COVERAGE := $(with_native_coverage)
+$(sepolicy.recovery.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(sepolicy.recovery.conf): PRIVATE_TGT_RECOVERY := -D target_recovery=true
+$(sepolicy.recovery.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(sepolicy.recovery.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(sepolicy.recovery.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+ifeq ($(SELINUX_IGNORE_NEVERALLOWS),true)
+ $(hide) sed -z 's/\n\s*neverallow[^;]*;/\n/g' $@ > $@.neverallow
+ $(hide) mv $@.neverallow $@
+endif
+
+$(LOCAL_BUILT_MODULE): $(sepolicy.recovery.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+ $(HOST_OUT_EXECUTABLES)/sepolicy-analyze
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -c \
+ $(POLICYVERS) -o $@.tmp $<
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $@.tmp permissive > $@.permissivedomains
+ $(hide) if [ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]; then \
+ echo "==========" 1>&2; \
+ echo "ERROR: permissive domains not allowed in user builds" 1>&2; \
+ echo "List of invalid domains:" 1>&2; \
+ cat $@.permissivedomains 1>&2; \
+ exit 1; \
+ fi
+ $(hide) mv $@.tmp $@
+
+sepolicy.recovery.conf :=
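Review bot: The `all_cil_files` list in the `sepolicy` module is a verbatim copy of the one assembled for precompiled_sepolicy in the preceding hunk, and only this copy is followed by the permissive-domain check, so if the two lists ever drift the policy checked for permissive domains would no longer be the policy that precompiled_sepolicy installs. Assigning the list once to a single variable (for example `sepolicy_all_cil_files`) and reusing it in both modules would remove that risk; the same consideration applies to the duplicated `PRIVATE_NEVERALLOW_ARG` line. As a smaller point, the shell test `[ "$(TARGET_BUILD_VARIANT)" = "user" -a -s $@.permissivedomains ]` here and in the sepolicy.recovery recipe uses the obsolescent `-a` operator; `[ "$(TARGET_BUILD_VARIANT)" = "user" ] && [ -s $@.permissivedomains ]` is the portable form.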
##################################
# TODO - remove this. Keep around until we get the filesystem creation stuff taken care of.
@@ -668,8 +1222,76 @@
file_contexts.modules.tmp :=
##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := selinux_denial_metadata
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+bug_files := $(call build_policy, bug_map, $(LOCAL_PATH) $(PLAT_PRIVATE_POLICY) $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(PLAT_PUBLIC_POLICY))
+
+$(LOCAL_BUILT_MODULE) : $(bug_files)
+ @mkdir -p $(dir $@)
+ cat $^ > $@
+
+bug_files :=
+
+##################################
+include $(LOCAL_PATH)/seapp_contexts.mk
+
+##################################
+include $(LOCAL_PATH)/contexts_tests.mk
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vndservice_contexts
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := ETC
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_PATH := $(TARGET_OUT_VENDOR)/etc/selinux
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+vnd_svcfiles := $(call build_policy, vndservice_contexts, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+
+vndservice_contexts.tmp := $(intermediates)/vndservice_contexts.tmp
+$(vndservice_contexts.tmp): PRIVATE_SVC_FILES := $(vnd_svcfiles)
+$(vndservice_contexts.tmp): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(vndservice_contexts.tmp): $(vnd_svcfiles) $(M4)
+ @mkdir -p $(dir $@)
+ $(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_SVC_FILES) > $@
+
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)
+ @mkdir -p $(dir $@)
+ sed -e 's/#.*$$//' -e '/^$$/d' $< > $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/checkfc -e -v $(PRIVATE_SEPOLICY) $@
+
+vnd_svcfiles :=
+vndservice_contexts.tmp :=
+
+##################################
include $(LOCAL_PATH)/mac_permissions.mk
+#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_tests
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
all_fc_files := $(TARGET_OUT)/etc/selinux/plat_file_contexts
all_fc_files += $(TARGET_OUT_VENDOR)/etc/selinux/vendor_file_contexts
ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
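Review bot: The vndservice_contexts rule `$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc $(ACP)` lists `$(ACP)` as a prerequisite, but the recipe only runs sed and checkfc, so the dependency is dead and the line can become `$(LOCAL_BUILT_MODULE): $(vndservice_contexts.tmp) $(built_sepolicy) $(HOST_OUT_EXECUTABLES)/checkfc`. In the selinux_denial_metadata rule, `cat $^ > $@` is the only recipe command in this hunk without the `$(hide)` prefix; `$(hide) cat $^ > $@` keeps build output consistent with the neighbouring rules. The separator above `LOCAL_MODULE := sepolicy_tests` is one `#` shorter than the others in the file, which is cosmetic but worth aligning. The sepolicy_tests module opened at the end of this hunk has its rule body in the following hunk.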
@@ -683,35 +1305,287 @@
endif
all_fc_args := $(foreach file, $(all_fc_files), -f $(file))
+$(LOCAL_BUILT_MODULE): ALL_FC_ARGS := $(all_fc_args)
+$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $(built_sepolicy)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/sepolicy_tests $(all_fc_files) $(built_sepolicy)
+ @mkdir -p $(dir $@)
+ $(hide) $(HOST_OUT_EXECUTABLES)/sepolicy_tests -l $(HOST_OUT)/lib64/libsepolwrap.$(SHAREDLIB_EXT) \
+ $(ALL_FC_ARGS) -p $(PRIVATE_SEPOLICY)
+ $(hide) touch $@
+
##################################
+intermediates := $(call intermediates-dir-for,ETC,built_plat_sepolicy,,,,)
+
+# plat_sepolicy - the current platform policy only, built into a policy binary.
+# TODO - this currently excludes partner extensions, but support should be added
+# to enable partners to add their own compatibility mapping
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY))
+base_plat_policy.conf := $(intermediates)/base_plat_policy.conf
+$(base_plat_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_plat_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_plat_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_plat_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_plat_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_plat_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(base_plat_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_plat_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_plat_sepolicy := $(intermediates)/built_plat_sepolicy
+$(built_plat_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_plat_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_plat_sepolicy): $(base_plat_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_plat_pub_policy.conf := $(intermediates)/base_plat_pub_policy.conf
+$(base_plat_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_plat_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_plat_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_plat_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_plat_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_plat_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_plat_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_plat_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_plat_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_SYSPROP_OWNER := $(enforce_sysprop_owner)
+$(base_plat_pub_policy.conf): PRIVATE_ENFORCE_DEBUGFS_RESTRICTION := $(enforce_debugfs_restriction)
+$(base_plat_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_plat_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+base_plat_pub_policy.cil := $(intermediates)/base_plat_pub_policy.cil
+$(base_plat_pub_policy.cil): PRIVATE_POL_CONF := $(base_plat_pub_policy.conf)
+$(base_plat_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_plat_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_plat_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+
+#####################################################
+intermediates := $(call intermediates-dir-for,ETC,built_system_ext_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY))
+base_system_ext_policy.conf := $(intermediates)/base_system_ext_policy.conf
+$(base_system_ext_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_system_ext_sepolicy := $(intermediates)/built_system_ext_sepolicy
+$(built_system_ext_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_system_ext_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_system_ext_sepolicy): $(base_system_ext_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_system_ext_pub_policy.conf := $(intermediates)/base_system_ext_pub_policy.conf
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_system_ext_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_system_ext_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_system_ext_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_system_ext_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_system_ext_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_system_ext_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_system_ext_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_system_ext_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_system_ext_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+base_system_ext_pub_policy.cil := $(intermediates)/base_system_ext_pub_policy.cil
+$(base_system_ext_pub_policy.cil): PRIVATE_POL_CONF := $(base_system_ext_pub_policy.conf)
+$(base_system_ext_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_system_ext_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_system_ext_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+
+################################################################################
+intermediates := $(call intermediates-dir-for,ETC,built_product_sepolicy,,,,)
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+ $(PLAT_PUBLIC_POLICY) $(PLAT_PRIVATE_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(SYSTEM_EXT_PRIVATE_POLICY) \
+ $(PRODUCT_PUBLIC_POLICY) $(PRODUCT_PRIVATE_POLICY))
+base_product_policy.conf := $(intermediates)/base_product_policy.conf
+$(base_product_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+ $(hide) sed '/^\s*dontaudit.*;/d' $@ | sed '/^\s*dontaudit/,/;/d' > $@.dontaudit
+
+built_product_sepolicy := $(intermediates)/built_product_sepolicy
+$(built_product_sepolicy): PRIVATE_ADDITIONAL_CIL_FILES := \
+ $(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))
+$(built_product_sepolicy): PRIVATE_NEVERALLOW_ARG := $(NEVERALLOW_ARG)
+$(built_product_sepolicy): $(base_product_policy.conf) $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/secilc \
+$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY)) \
+$(built_sepolicy_neverallows)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $(HOST_OUT_EXECUTABLES)/checkpolicy -M -C -c \
+ $(POLICYVERS) -o $@ $<
+ $(hide) cat $(PRIVATE_ADDITIONAL_CIL_FILES) >> $@
+ $(hide) $(HOST_OUT_EXECUTABLES)/secilc -m -M true -G -c $(POLICYVERS) $(PRIVATE_NEVERALLOW_ARG) $@ -o $@ -f /dev/null
+
+
+policy_files := $(call build_policy, $(sepolicy_build_files), \
+$(PLAT_PUBLIC_POLICY) $(SYSTEM_EXT_PUBLIC_POLICY) $(PRODUCT_PUBLIC_POLICY) $(REQD_MASK_POLICY))
+base_product_pub_policy.conf := $(intermediates)/base_product_pub_policy.conf
+$(base_product_pub_policy.conf): PRIVATE_MLS_SENS := $(MLS_SENS)
+$(base_product_pub_policy.conf): PRIVATE_MLS_CATS := $(MLS_CATS)
+$(base_product_pub_policy.conf): PRIVATE_TARGET_BUILD_VARIANT := user
+$(base_product_pub_policy.conf): PRIVATE_TGT_ARCH := $(my_target_arch)
+$(base_product_pub_policy.conf): PRIVATE_TGT_WITH_ASAN := $(with_asan)
+$(base_product_pub_policy.conf): PRIVATE_ADDITIONAL_M4DEFS := $(LOCAL_ADDITIONAL_M4DEFS)
+$(base_product_pub_policy.conf): PRIVATE_SEPOLICY_SPLIT := true
+$(base_product_pub_policy.conf): PRIVATE_COMPATIBLE_PROPERTY := $(PRODUCT_COMPATIBLE_PROPERTY)
+$(base_product_pub_policy.conf): PRIVATE_TREBLE_SYSPROP_NEVERALLOW := $(treble_sysprop_neverallow)
+$(base_product_pub_policy.conf): PRIVATE_POLICY_FILES := $(policy_files)
+$(base_product_pub_policy.conf): $(policy_files) $(M4)
+ $(transform-policy-to-conf)
+
+base_product_pub_policy.cil := $(intermediates)/base_product_pub_policy.cil
+$(base_product_pub_policy.cil): PRIVATE_POL_CONF := $(base_product_pub_policy.conf)
+$(base_product_pub_policy.cil): PRIVATE_REQD_MASK := $(reqd_policy_mask.cil)
+$(base_product_pub_policy.cil): $(HOST_OUT_EXECUTABLES)/checkpolicy \
+$(HOST_OUT_EXECUTABLES)/build_sepolicy $(base_product_pub_policy.conf) $(reqd_policy_mask.cil)
+ @mkdir -p $(dir $@)
+ $(hide) $(CHECKPOLICY_ASAN_OPTIONS) $< -C -M -c $(POLICYVERS) -o $@ $(PRIVATE_POL_CONF)
+ $(hide) $(HOST_OUT_EXECUTABLES)/build_sepolicy -a $(HOST_OUT_EXECUTABLES) filter_out \
+ -f $(PRIVATE_REQD_MASK) -t $@
+
+ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
# Tests for Treble compatibility of current platform policy and vendor policy of
# given release version.
-ifeq ($(PRODUCT_SEPOLICY_SPLIT),true)
-
-built_plat_sepolicy := $(call intermediates-dir-for,ETC,base_plat_sepolicy)/base_plat_sepolicy
-built_system_ext_sepolicy := $(call intermediates-dir-for,ETC,base_system_ext_sepolicy)/base_system_ext_sepolicy
-built_product_sepolicy := $(call intermediates-dir-for,ETC,base_product_sepolicy)/base_product_sepolicy
-
-base_plat_pub_policy.cil := $(call intermediates-dir-for,ETC,base_plat_pub_policy.cil)/base_plat_pub_policy.cil
-base_system_ext_pub_polcy.cil := $(call intermediates-dir-for,ETC,base_system_ext_pub_polcy.cil)/base_system_ext_pub_polcy.cil
-base_product_pub_policy.cil := $(call intermediates-dir-for,ETC,base_product_pub_policy.cil)/base_product_pub_policy.cil
-
-$(foreach v,$(PLATFORM_SEPOLICY_COMPAT_VERSIONS), \
- $(eval version_under_treble_tests := $(v)) \
- $(eval include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk) \
-)
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 29.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
+version_under_treble_tests := 30.0
+include $(LOCAL_PATH)/treble_sepolicy_tests_for_release.mk
endif # PRODUCT_SEPOLICY_SPLIT
-built_plat_sepolicy :=
-built_system_ext_sepolicy :=
-built_product_sepolicy :=
-base_plat_pub_policy.cil :=
-base_system_ext_pub_polcy.cil :=
-base_product_pub_policy.cil :=
+version_under_treble_tests := 26.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 27.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 28.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 29.0
+include $(LOCAL_PATH)/compat.mk
+version_under_treble_tests := 30.0
+include $(LOCAL_PATH)/compat.mk
+
+base_plat_policy.conf :=
+base_plat_pub_policy.conf :=
+plat_sepolicy :=
all_fc_files :=
all_fc_args :=
#################################
+include $(CLEAR_VARS)
+LOCAL_MODULE := sepolicy_freeze_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+define ziplist
+$(if $(and $1,$2), "$(firstword $1) $(firstword $2)"\
+ $(call ziplist,$(wordlist 2,$(words $1),$1),$(wordlist 2,$(words $2),$2)))
+endef
+
+base_plat_public := $(LOCAL_PATH)/public
+base_plat_private := $(LOCAL_PATH)/private
+base_plat_public_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/public
+base_plat_private_prebuilt := \
+ $(LOCAL_PATH)/prebuilts/api/$(PLATFORM_SEPOLICY_VERSION)/private
+
+all_frozen_files := $(call build_policy,$(sepolicy_build_files), \
+$(base_plat_public) $(base_plat_private) $(base_plat_public_prebuilt) $(base_plat_private_prebuilt))
+
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC := $(base_plat_public)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE := $(base_plat_private)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PUBLIC_PREBUILT := $(base_plat_public_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_BASE_PLAT_PRIVATE_PREBUILT := $(base_plat_private_prebuilt)
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA := $(sort $(FREEZE_TEST_EXTRA_DIRS))
+$(LOCAL_BUILT_MODULE): PRIVATE_EXTRA_PREBUILT := $(sort $(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+$(LOCAL_BUILT_MODULE): $(all_frozen_files)
+ifneq ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PUBLIC_PREBUILT) $(PRIVATE_BASE_PLAT_PUBLIC)
+ @diff -rq -x bug_map $(PRIVATE_BASE_PLAT_PRIVATE_PREBUILT) $(PRIVATE_BASE_PLAT_PRIVATE)
+ifneq (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+ @for pair in $(call ziplist, $(PRIVATE_EXTRA_PREBUILT), $(PRIVATE_EXTRA)); \
+ do diff -rq -x bug_map $$pair; done
+endif # (,$(FREEZE_TEST_EXTRA_DIRS)$(FREEZE_TEST_EXTRA_PREBUILT_DIRS))
+endif # ($(PLATFORM_SEPOLICY_VERSION),$(TOT_SEPOLICY_VERSION))
+ $(hide) touch $@
+
+base_plat_public :=
+base_plat_private :=
+base_plat_public_prebuilt :=
+base_plat_private_prebuilt :=
+all_frozen_files :=
+
+#################################
build_vendor_policy :=
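Review bot: The cleanup after the compat.mk includes resets `base_plat_policy.conf`, `base_plat_pub_policy.conf` and `plat_sepolicy`, but `plat_sepolicy` is never assigned anywhere in this hunk, while `base_plat_pub_policy.cil`, `base_system_ext_policy.conf`, `base_system_ext_pub_policy.conf`, `base_system_ext_pub_policy.cil`, `base_product_policy.conf`, `base_product_pub_policy.conf`, `base_product_pub_policy.cil`, `built_system_ext_sepolicy` and `built_product_sepolicy` are all defined here and, as far as the visible hunks show, never cleared (the file's trailing cleanup hunk adds only `built_plat_sepolicy :=`). Android.mk variables are global to the build, so a stale intermediates path left in one of these names can be silently picked up by a later module that reuses it; the fix is to reset each of them alongside `base_plat_pub_policy.conf :=` (or, for the two built_* names, next to `built_plat_sepolicy :=` in the trailing cleanup hunk if they are consumed later), and to drop `plat_sepolicy :=` unless it is set somewhere outside this hunk. The same `$(call build_policy, $(sepolicy_build_cil_workaround_files), $(PLAT_PRIVATE_POLICY))` expression is written twice per built_*_sepolicy rule (once as PRIVATE_ADDITIONAL_CIL_FILES, once in the prerequisite list); assigning it to one local and referencing that in both places would keep them from drifting apart.
```makefile
# … unchanged: treble_sepolicy_tests_for_release.mk and compat.mk includes …
base_plat_policy.conf :=
base_plat_pub_policy.conf :=
base_plat_pub_policy.cil :=
base_system_ext_policy.conf :=
base_system_ext_pub_policy.conf :=
base_system_ext_pub_policy.cil :=
base_product_policy.conf :=
base_product_pub_policy.conf :=
base_product_pub_policy.cil :=
built_system_ext_sepolicy :=
built_product_sepolicy :=
all_fc_files :=
all_fc_args :=
```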
@@ -720,14 +1594,27 @@
built_plat_cil :=
built_system_ext_cil :=
built_product_cil :=
+built_pub_vers_cil :=
+built_plat_mapping_cil :=
+built_system_ext_mapping_cil :=
+built_product_mapping_cil :=
+built_vendor_cil :=
+built_odm_cil :=
+built_precompiled_sepolicy :=
built_sepolicy :=
built_sepolicy_neverallows :=
built_plat_svc :=
built_vendor_svc :=
+built_plat_sepolicy :=
treble_sysprop_neverallow :=
enforce_sysprop_owner :=
enforce_debugfs_restriction :=
+mapping_policy :=
my_target_arch :=
+pub_policy.cil :=
+system_ext_pub_policy.cil :=
+plat_pub_policy.cil :=
+reqd_policy_mask.cil :=
sepolicy_build_files :=
sepolicy_build_cil_workaround_files :=
with_asan :=
diff --git a/METADATA b/METADATA
index 5a356a4..cdcfa70 100644
--- a/METADATA
+++ b/METADATA
@@ -1,4 +1,6 @@
third_party {
- license_note: "would be UNENCUMBERED save for: tests/combine_maps.py and build/soong/"
+ # would be UNENCUMBERED save for
+ # tests/combine_maps.py
+ # build/soong/
license_type: NOTICE
}
diff --git a/OWNERS b/OWNERS
index 61eecb2..866b7b6 100644
--- a/OWNERS
+++ b/OWNERS
@@ -5,7 +5,7 @@
inseob@google.com
jbires@google.com
jeffv@google.com
+jgalenson@google.com
jiyong@google.com
smoreland@google.com
trong@google.com
-tweek@google.com
diff --git a/README b/README
new file mode 100644
index 0000000..f14ac67
--- /dev/null
+++ b/README
@@ -0,0 +1,114 @@
+This directory contains the core Android SELinux policy configuration.
+It defines the domains and types for the AOSP services and apps common to
+all devices. Device-specific policy should be placed under a
+separate device/<vendor>/<board>/sepolicy subdirectory and linked
+into the policy build as described below.
+
+Policy Generation:
+
+Additional, per device, policy files can be added into the
+policy build. These files should have each line including the
+final line terminated by a newline character (0x0A). This
+will allow files to be concatenated and processed whenever
+the m4(1) macro processor is called by the build process.
+Adding the newline will also make the intermediate text files
+easier to read when debugging build failures. The sets of file,
+service and property contexts files will automatically have a
+newline inserted between each file as these are common failure
+points.
+
+These device policy files can be configured through the use of
+the BOARD_VENDOR_SEPOLICY_DIRS variable. This variable should be set
+in the BoardConfig.mk file in the device or vendor directories.
+
+BOARD_VENDOR_SEPOLICY_DIRS contains a list of directories to search
+for additional policy files. Order matters in this list.
+For example, if you have 2 instances of widget.te files in the
+BOARD_VENDOR_SEPOLICY_DIRS search path, then the first one found (at the
+first search dir containing the file) will be concatenated first.
+Reviewing out/target/product/<device>/obj/ETC/sepolicy_intermediates/policy.conf
+will help sort out ordering issues.
+
+Example BoardConfig.mk Usage:
+From the Tuna device BoardConfig.mk, device/samsung/tuna/BoardConfig.mk
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
+
+Alongside vendor sepolicy dirs, OEMs can also amend the public and private
+policy of the product and system_ext partitions:
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
+
+The old BOARD_PLAT_PUBLIC_SEPOLICY_DIR and BOARD_PLAT_PRIVATE_SEPOLICY_DIR
+variables have been deprecated in favour of SYSTEM_EXT_*.
+
+Additionally, OEMs can specify BOARD_SEPOLICY_M4DEFS to pass arbitrary m4
+definitions during the build. A definition consists of a string in the form
+of macro-name=value. Spaces must NOT be present. This is useful for building modular
+policies, policy generation, conditional file paths, etc. It is supported in
+the following file types:
+ * All *.te and SE Linux policy files as passed to checkpolicy
+ * file_contexts
+ * service_contexts
+ * property_contexts
+ * keys.conf
+
+Example BoardConfig.mk Usage:
+BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
+ btdevice=/dev/gps
+
+SPECIFIC POLICY FILE INFORMATION
+
+mac_permissions.xml:
+ ABOUT:
+ The mac_permissions.xml file is used for controlling the mmac solutions
+ as well as mapping a public base16 signing key with an arbitrary seinfo
+ string. Details of the files contents can be found in a comment at the
+ top of that file. The seinfo string, previously mentioned, is the same string
+ that is referenced in seapp_contexts.
+
+ It is important to note the final processed version of this file
+ is stripped of comments and whitespace. This is to preserve space on the
+ system.img. If one wishes to view it in a more human friendly format,
+ the "tidy" or "xmllint" command will assist you.
+
+ TOOLING:
+ insertkeys.py
+ Is a helper script for mapping arbitrary tags in the signature stanzas of
+ mac_permissions.xml to public keys found in pem files. This script takes
+ a mac_permissions.xml file(s) and configuration file in order to operate.
+ Details of the configuration file (keys.conf) can be found in the subsection
+ keys.conf. This tool is also responsible for stripping the comments and
+ whitespace during processing.
+
+ keys.conf
+ The keys.conf file is used for controlling the mapping of "tags" found in
+ the mac_permissions.xml signature stanzas with actual public keys found in
+ pem files. The configuration file is processed via m4.
+
+ The script allows for mapping any string contained in TARGET_BUILD_VARIANT
+ with specific path to a pem file. Typically TARGET_BUILD_VARIANT is either
+ user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
+ any string specified in TARGET_BUILD_VARIANT. All tags are matched verbatim
+ and all options are matched lowercase. The options are "tolowered" automatically
+ for the user, it is convention to specify tags and options in all uppercase
+ and tags start with @. The option arguments can also use environment variables
+ via the familiar $VARIABLE syntax. This is often useful for setting a location
+ to ones release keys.
+
+ Often times, one will need to integrate an application that was signed by a separate
+ organization and may need to extract the pem file for the insertkeys/keys.conf tools.
+ Extraction of the public key in the pem format is possible via openssl. First you need
+ to unzip the apk, once it is unzipped, cd into the META_INF directory and then execute
+ openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
+ On some occasions CERT.RSA has a different name, and you will need to adjust for that.
+ After extracting the pem, you can rename it, and configure keys.conf and
+ mac_permissions.xml to pick up the change. You MUST open the generated pem file in a text
+ editor and strip out anything outside the opening and closing scissor lines. Failure to do
+ so WILL cause a compile time issue thrown by insertkeys.py
+
+ NOTE: The pem files are base64 encoded and PackageManagerService, mac_permissions.xml
+ and setool all use base16 encodings.
diff --git a/README.md b/README.md
deleted file mode 100644
index 16d7e45..0000000
--- a/README.md
+++ /dev/null
@@ -1,117 +0,0 @@
-# Android SEPolicy
-
-This directory contains the core Android SELinux policy configuration.
-It defines the domains and types for the AOSP services and apps common to
-all devices. Device-specific policy should be placed under a
-separate `device/<vendor>/<board>/sepolicy` subdirectory and linked
-into the policy build as described below.
-
-## Policy Generation
-
-Additional, per device, policy files can be added into the
-policy build. These files should have each line including the
-final line terminated by a newline character (`0x0A`). This
-will allow files to be concatenated and processed whenever
-the `m4`(1) macro processor is called by the build process.
-Adding the newline will also make the intermediate text files
-easier to read when debugging build failures. The sets of file,
-service and property contexts files will automatically have a
-newline inserted between each file as these are common failure
-points.
-
-These device policy files can be configured through the use of
-the `BOARD_VENDOR_SEPOLICY_DIRS` variable. This variable should be set
-in the BoardConfig.mk file in the device or vendor directories.
-
-`BOARD_VENDOR_SEPOLICY_DIRS` contains a list of directories to search
-for additional policy files. Order matters in this list.
-For example, if you have 2 instances of widget.te files in the
-`BOARD_VENDOR_SEPOLICY_DIRS` search path, then the first one found (at the
-first search dir containing the file) will be concatenated first.
-Reviewing `out/target/product/<device>/obj/ETC/vendor_sepolicy.conf_intermediates/vendor_sepolicy.conf`
-will help sort out ordering issues.
-
-Example `BoardConfig.mk` Usage:
-From the Tuna device `BoardConfig.mk`, `device/samsung/tuna/BoardConfig.mk`
-
- BOARD_VENDOR_SEPOLICY_DIRS += device/samsung/tuna/sepolicy
-
-Alongside vendor sepolicy dirs, OEMs can also amend the public and private
-policy of the product and system_ext partitions:
-
- SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/public
- SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/systemext/private
- PRODUCT_PUBLIC_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/public
- PRODUCT_PRIVATE_SEPOLICY_DIRS += device/acme/roadrunner-sepolicy/product/private
-
-The old `BOARD_PLAT_PUBLIC_SEPOLICY_DIR` and `BOARD_PLAT_PRIVATE_SEPOLICY_DIR`
-variables have been deprecated in favour of `SYSTEM_EXT_*`.
-
-Additionally, OEMs can specify `BOARD_SEPOLICY_M4DEFS` to pass arbitrary `m4`
-definitions during the build. A definition consists of a string in the form
-of `macro-name=value`. Spaces must **NOT** be present. This is useful for building modular
-policies, policy generation, conditional file paths, etc. It is supported in
-the following file types:
-* All `*.te` and SELinux policy files as passed to `checkpolicy`
-* `file_contexts`
-* `service_contexts`
-* `property_contexts`
-* `keys.conf`
-
-Example BoardConfig.mk Usage:
-
- BOARD_SEPOLICY_M4DEFS += btmodule=foomatic \
- btdevice=/dev/gps
-
-## SPECIFIC POLICY FILE INFORMATION
-
-### mac_permissions.xml
-The `mac_permissions.xml` file is used for controlling the mmac solutions
-as well as mapping a public base16 signing key with an arbitrary seinfo
-string. Details of the files contents can be found in a comment at the
-top of that file. The seinfo string, previously mentioned, is the same string
-that is referenced in seapp_contexts.
-
-It is important to note the final processed version of this file
-is stripped of comments and whitespace. This is to preserve space on the
-system.img. If one wishes to view it in a more human friendly format,
-the `tidy` or `xmllint` command will assist you.
-
-### insertkeys.py
-Is a helper script for mapping arbitrary tags in the signature stanzas of
-`mac_permissions.xml` to public keys found in pem files. This script takes
-a `mac_permissions.xml` file(s) and configuration file in order to operate.
-Details of the configuration file (`keys.conf`) can be found in the subsection
-keys.conf. This tool is also responsible for stripping the comments and
-whitespace during processing.
-
-### keys.conf
-The `keys.conf` file is used for controlling the mapping of "tags" found in
-the `mac_permissions.xml` signature stanzas with actual public keys found in
-pem files. The configuration file is processed via `m4`.
-
-The script allows for mapping any string contained in `TARGET_BUILD_VARIANT`
-with specific path to a pem file. Typically `TARGET_BUILD_VARIANT` is either
-user, eng or userdebug. Additionally, one can specify "ALL" to map a path to
-any string specified in `TARGET_BUILD_VARIANT`. All tags are matched verbatim
-and all options are matched lowercase. The options are **tolowered** automatically
-for the user, it is convention to specify tags and options in all uppercase
-and tags start with @. The option arguments can also use environment variables
-via the familiar `$VARIABLE` syntax. This is often useful for setting a location
-to ones release keys.
-
-Often times, one will need to integrate an application that was signed by a separate
-organization and may need to extract the pem file for the `insertkeys/keys.conf` tools.
-Extraction of the public key in the pem format is possible via `openssl`. First you need
-to unzip the apk, once it is unzipped, `cd` into the `META_INF` directory and then execute
-
- openssl pkcs7 -inform DER -in CERT.RSA -out CERT.pem -outform PEM -print_certs
-
-On some occasions `CERT.RSA` has a different name, and you will need to adjust for that.
-After extracting the pem, you can rename it, and configure `keys.conf` and
-`mac_permissions.xml` to pick up the change. You **MUST** open the generated pem file in a text
-editor and strip out anything outside the opening and closing scissor lines. Failure to do
-so **WILL** cause a compile time issue thrown by insertkeys.py
-
-**NOTE:** The pem files are base64 encoded and `PackageManagerService`, `mac_permissions.xml`
- and `setool` all use base16 encodings.
diff --git a/TEST_MAPPING b/TEST_MAPPING
index cf99902..db12ffe 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -14,12 +14,6 @@
}
]
- },
- {
- "name": "MicrodroidHostTestCases"
- },
- {
- "name": "ComposHostTestCases"
}
]
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 8f11771..b5199f0 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -22,11 +22,6 @@
}
filegroup {
- name: "apex_file_contexts_files",
- srcs: ["*-file_contexts"],
-}
-
-filegroup {
name: "apex.test-file_contexts",
srcs: [
"apex.test-file_contexts",
@@ -188,9 +183,9 @@
}
filegroup {
- name: "com.android.sepolicy-file_contexts",
+ name: "com.android.telephony-file_contexts",
srcs: [
- "com.android.sepolicy-file_contexts",
+ "com.android.telephony-file_contexts",
],
}
@@ -202,13 +197,6 @@
}
filegroup {
- name: "com.android.uwb-file_contexts",
- srcs: [
- "com.android.uwb-file_contexts",
- ],
-}
-
-filegroup {
name: "com.android.virt-file_contexts",
srcs: [
"com.android.virt-file_contexts",
@@ -242,24 +230,3 @@
"com.android.extservices-file_contexts",
],
}
-
-filegroup {
- name: "com.android.adservices-file_contexts",
- srcs: [
- "com.android.adservices-file_contexts",
- ],
-}
-
-filegroup {
- name: "com.android.car.framework-file_contexts",
- srcs: [
- "com.android.car.framework-file_contexts",
- ],
-}
-
-filegroup {
- name: "com.android.ondevicepersonalization-file_contexts",
- srcs: [
- "com.android.ondevicepersonalization-file_contexts",
- ],
-}
diff --git a/apex/apex.test-file_contexts b/apex/apex.test-file_contexts
index 0623d9a..a14e14b 100644
--- a/apex/apex.test-file_contexts
+++ b/apex/apex.test-file_contexts
@@ -1,2 +1,4 @@
+/bin/apex_test_preInstallHook u:object_r:apex_test_prepostinstall_exec:s0
+/bin/apex_test_postInstallHook u:object_r:apex_test_prepostinstall_exec:s0
(/.*)? u:object_r:system_file:s0
/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0
diff --git a/apex/com.android.adservices-file_contexts b/apex/com.android.adservices-file_contexts
deleted file mode 100644
index 9398505..0000000
--- a/apex/com.android.adservices-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.art-file_contexts b/apex/com.android.art-file_contexts
index 2533cac..d2a8626 100644
--- a/apex/com.android.art-file_contexts
+++ b/apex/com.android.art-file_contexts
@@ -2,7 +2,6 @@
# System files
#
(/.*)? u:object_r:system_file:s0
-/bin/artd u:object_r:artd_exec:s0
/bin/dex2oat(32|64)? u:object_r:dex2oat_exec:s0
/bin/dexoptanalyzer u:object_r:dexoptanalyzer_exec:s0
/bin/odrefresh u:object_r:odrefresh_exec:s0
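Review bot: Dropping `/bin/artd u:object_r:artd_exec:s0` means an `artd` binary in the ART APEX now matches only the `(/.*)?` catch-all and is labeled `system_file`, so no domain transition happens when it is executed and it runs with whatever its caller has. The ART APEX is updated independently of this branch, so a newer module shipping `bin/artd` would silently lose its dedicated domain; confirm the APEX paired with this branch does not contain it, or keep the label. If `artd_exec` is simply not declared in this branch's policy, a comment next to the `dex2oat` line (`# artd is not part of this branch's ART policy`) would make the omission deliberate rather than accidental.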
diff --git a/apex/com.android.bluetooth-file_contexts b/apex/com.android.bluetooth.updatable-file_contexts
similarity index 100%
rename from apex/com.android.bluetooth-file_contexts
rename to apex/com.android.bluetooth.updatable-file_contexts
diff --git a/apex/com.android.car.framework-file_contexts b/apex/com.android.car.framework-file_contexts
deleted file mode 100644
index 44527bc..0000000
--- a/apex/com.android.car.framework-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*)? u:object_r:system_lib_file:s0
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 799c2c4..83b4b58 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,5 +1 @@
(/.*)? u:object_r:system_file:s0
-/bin/compos_key_helper u:object_r:compos_key_helper_exec:s0
-/bin/compos_verify u:object_r:compos_verify_exec:s0
-/bin/composd u:object_r:composd_exec:s0
-/bin/compsvc u:object_r:compos_exec:s0
diff --git a/apex/com.android.ondevicepersonalization-file_contexts b/apex/com.android.ondevicepersonalization-file_contexts
deleted file mode 100644
index 9398505..0000000
--- a/apex/com.android.ondevicepersonalization-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.sepolicy-file_contexts b/apex/com.android.sepolicy-file_contexts
deleted file mode 100644
index 83b4b58..0000000
--- a/apex/com.android.sepolicy-file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.telephony-file_contexts b/apex/com.android.telephony-file_contexts
new file mode 100644
index 0000000..f3a65d4
--- /dev/null
+++ b/apex/com.android.telephony-file_contexts
@@ -0,0 +1 @@
+(/.*)? u:object_r:system_file:s0
diff --git a/apex/com.android.tethering-file_contexts b/apex/com.android.tethering-file_contexts
index 1b578ea..9398505 100644
--- a/apex/com.android.tethering-file_contexts
+++ b/apex/com.android.tethering-file_contexts
@@ -1,2 +1 @@
-(/.*)? u:object_r:system_file:s0
-/bin/for-system/clatd u:object_r:clatd_exec:s0
+(/.*)? u:object_r:system_file:s0
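Review bot: The new side no longer labels `/bin/for-system/clatd`, so a clatd shipped in the tethering APEX would fall to the `(/.*)?` catch-all as `system_file` and execute without the clatd domain transition. That is fine only if this branch's tethering APEX does not ship clatd, which cannot be verified here. The catch-all line is also removed and re-added with no visible textual difference, which looks like a whitespace-only rewrite; keeping the original line byte-for-byte would leave the real change (the dropped clatd entry) as the hunk's only content.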
diff --git a/apex/com.android.uwb-file_contexts b/apex/com.android.uwb-file_contexts
deleted file mode 100644
index f6b21da..0000000
--- a/apex/com.android.uwb-file_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-(/.*)? u:object_r:system_file:s0
-/lib(64)?(/.*) u:object_r:system_lib_file:s0
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index cc712ff..4703eba 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,4 +1,3 @@
-(/.*)? u:object_r:system_file:s0
-/bin/crosvm u:object_r:crosvm_exec:s0
-/bin/fd_server u:object_r:fd_server_exec:s0
-/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
+(/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
+/bin/virtmanager u:object_r:virtmanager_exec:s0
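Review bot: `/bin/virtualizationservice` and `/bin/fd_server` lose their dedicated exec labels and will be labeled `system_file` by the `(/.*)?` catch-all if either binary exists in the virt APEX on this branch, while `/bin/virtmanager` is now labeled `virtmanager_exec`. Whether `virtmanager_exec` is declared in this branch's .te files is not visible here; an undeclared type fails the file_contexts build, so check it against the policy sources. The `(/.*)?` and `/bin/crosvm` lines are removed and re-added with no visible change, which suggests a whitespace-only rewrite that should be dropped to keep the hunk minimal.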
diff --git a/build/Android.bp b/build/Android.bp
index a7d56f8..5298f71 100644
--- a/build/Android.bp
+++ b/build/Android.bp
@@ -31,4 +31,12 @@
"secilc",
"version_policy",
],
+ version: {
+ py2: {
+ enabled: true,
+ },
+ py3: {
+ enabled: false,
+ },
+ },
}
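Review bot: `py3: { enabled: false }` together with `py2: { enabled: true }` pins the sepolicy build tools to Python 2, which is end-of-life and no longer receives security fixes, and it requires the host toolchain to keep providing a Python 2 interpreter. If this is required on the target branch, a comment above `version:` stating why would stop the next person from flipping py3 back on without porting the scripts, e.g. `// Python 2 only: the build scripts on this branch are not Python 3 clean; port before re-enabling py3.` The enclosing module's header is outside the hunk.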
diff --git a/build/build_sepolicy.py b/build/build_sepolicy.py
old mode 100755
new mode 100644
index ce0548a..285bfea
--- a/build/build_sepolicy.py
+++ b/build/build_sepolicy.py
@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-#
# Copyright 2018 - The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
diff --git a/build/file_utils.py b/build/file_utils.py
index e3210ed..9f95f52 100644
--- a/build/file_utils.py
+++ b/build/file_utils.py
@@ -39,7 +39,7 @@
patterns.extend(open(f).readlines())
# Copy lines that are not in the pattern.
- tmp_output = tempfile.NamedTemporaryFile(mode='w+')
+ tmp_output = tempfile.NamedTemporaryFile()
with open(input_file, 'r') as in_file:
tmp_output.writelines(line for line in in_file.readlines()
if line not in patterns)
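Review bot: `tempfile.NamedTemporaryFile()` opens the file in the default `w+b` mode, and the following `tmp_output.writelines(...)` feeds it `str` lines read from `open(input_file, 'r')`; under Python 3 that raises `TypeError`, so this change only works under Python 2 where text and bytes are one type. The explicit `mode='w+'` worked on both interpreters and is the safer form; consider keeping `tmp_output = tempfile.NamedTemporaryFile(mode='w+')`. The enclosing function starts and ends outside the hunk, so how the temp file is later read back cannot be checked here.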
diff --git a/build/soong/Android.bp b/build/soong/Android.bp
index 8518d4d..2282112 100644
--- a/build/soong/Android.bp
+++ b/build/soong/Android.bp
@@ -31,7 +31,6 @@
"soong-sysprop",
],
srcs: [
- "bug_map.go",
"build_files.go",
"cil_compat_map.go",
"compat_cil.go",
@@ -39,8 +38,6 @@
"policy.go",
"selinux.go",
"selinux_contexts.go",
- "sepolicy_freeze.go",
- "sepolicy_neverallow.go",
"sepolicy_vers.go",
"versioned_policy.go",
],
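Review bot: Removing `sepolicy_neverallow.go` and `sepolicy_freeze.go` from `srcs` drops whatever module types those files registered, and by their names they implement the Soong-side neverallow and policy-freeze checks; any `Android.bp` still declaring those module types will fail to parse, and if nothing else runs the checks the policy builds without them. Whether an equivalent check survives on this branch (for example in the Make build) is not visible here and should be confirmed before merging. The srcs list continues outside the hunk.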
diff --git a/build/soong/bug_map.go b/build/soong/bug_map.go
deleted file mode 100644
index 00df33c..0000000
--- a/build/soong/bug_map.go
+++ /dev/null
@@ -1,112 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "github.com/google/blueprint/proptools"
-
- "android/soong/android"
-)
-
-func init() {
- android.RegisterModuleType("se_bug_map", bugMapFactory)
-}
-
-// se_bug_map collects and installs selinux denial bug tracking information to be loaded by auditd.
-func bugMapFactory() android.Module {
- c := &bugMap{}
- c.AddProperties(&c.properties)
- android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
- return c
-}
-
-type bugMap struct {
- android.ModuleBase
- properties bugMapProperties
- installSource android.Path
- installPath android.InstallPath
-}
-
-type bugMapProperties struct {
- // List of source files. Can reference se_filegroup type modules with the ":module" syntax.
- Srcs []string `android:"path"`
-
- // Output file name. Defaults to module name if unspecified.
- Stem *string
-}
-
-func (b *bugMap) stem() string {
- return proptools.StringDefault(b.properties.Stem, b.Name())
-}
-
-func (b *bugMap) expandSeSources(ctx android.ModuleContext) android.Paths {
- srcPaths := make(android.Paths, 0, len(b.properties.Srcs))
- for _, src := range b.properties.Srcs {
- if m := android.SrcIsModule(src); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
- if module == nil {
- // Error would have been handled by ExtractSourcesDeps
- continue
- }
- if fg, ok := module.(*fileGroup); ok {
- if b.SocSpecific() {
- srcPaths = append(srcPaths, fg.VendorSrcs()...)
- srcPaths = append(srcPaths, fg.SystemVendorSrcs()...)
- } else if b.SystemExtSpecific() {
- srcPaths = append(srcPaths, fg.SystemExtPrivateSrcs()...)
- } else {
- srcPaths = append(srcPaths, fg.SystemPrivateSrcs()...)
- }
- } else {
- ctx.PropertyErrorf("srcs", "%q is not an se_filegroup", m)
- }
- } else {
- srcPaths = append(srcPaths, android.PathForModuleSrc(ctx, src))
- }
- }
- return android.FirstUniquePaths(srcPaths)
-}
-
-func (b *bugMap) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if !b.SocSpecific() && !b.SystemExtSpecific() && !b.Platform() {
- ctx.ModuleErrorf("Selinux bug_map can only be installed in system, system_ext and vendor partitions")
- }
-
- srcPaths := b.expandSeSources(ctx)
- out := android.PathForModuleGen(ctx, b.Name())
- ctx.Build(pctx, android.BuildParams{
- Rule: android.Cat,
- Inputs: srcPaths,
- Output: out,
- Description: "Combining bug_map for " + b.Name(),
- })
-
- b.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- b.installSource = out
- ctx.InstallFile(b.installPath, b.stem(), b.installSource)
-}
-
-func (b *bugMap) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "ETC",
- OutputFile: android.OptionalPathForPath(b.installSource),
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", b.installPath)
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", b.stem())
- },
- },
- }}
-}
diff --git a/build/soong/build_files.go b/build/soong/build_files.go
index 6cc40c6..5de6122 100644
--- a/build/soong/build_files.go
+++ b/build/soong/build_files.go
@@ -17,6 +17,7 @@
import (
"fmt"
"path/filepath"
+ "sort"
"strings"
"android/soong/android"
@@ -28,8 +29,8 @@
// se_build_files gathers policy files from sepolicy dirs, and acts like a filegroup. A tag with
// partition(plat, system_ext, product) and scope(public, private) is used to select directories.
-// Supported tags are: "plat_public", "plat_private", "system_ext_public", "system_ext_private",
-// "product_public", "product_private", and "reqd_mask".
+// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product",
+// "product_public", and "reqd_mask".
func buildFilesFactory() android.Module {
module := &buildFiles{}
module.AddProperties(&module.properties)
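Review bot: The updated comment lists the supported tags as `plat`, `plat_public`, `system_ext`, `system_ext_public`, `product`, `product_public` and `reqd_mask`, but the same change also populates a `.plat_vendor` entry in `GenerateAndroidBuildActions`, so the list is incomplete. Suggest `// Supported tags are: "plat", "plat_public", "system_ext", "system_ext_public", "product", "product_public", "plat_vendor", and "reqd_mask".` plus a half-sentence that `plat_vendor` is the minimized public+reqd_mask+vendor set used for a minimized vendor partition.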
@@ -85,53 +86,114 @@
var _ android.OutputFileProducer = (*buildFiles)(nil)
+type partition int
+
+const (
+ system partition = iota
+ system_ext
+ product
+)
+
+type scope int
+
+const (
+ public scope = iota
+ private
+)
+
type sepolicyDir struct {
- tag string
- paths []string
+ partition partition
+ scope scope
+ paths []string
+}
+
+func (p partition) String() string {
+ switch p {
+ case system:
+ return "plat"
+ case system_ext:
+ return "system_ext"
+ case product:
+ return "product"
+ default:
+ panic(fmt.Sprintf("Unknown partition %#v", p))
+ }
}
func (b *buildFiles) GenerateAndroidBuildActions(ctx android.ModuleContext) {
+ // Sepolicy directories should be included in the following order.
+ // - system_public
+ // - system_private
+ // - system_ext_public
+ // - system_ext_private
+ // - product_public
+ // - product_private
+ dirs := []sepolicyDir{
+ sepolicyDir{partition: system, scope: public, paths: []string{filepath.Join(ctx.ModuleDir(), "public")}},
+ sepolicyDir{partition: system, scope: private, paths: []string{filepath.Join(ctx.ModuleDir(), "private")}},
+ sepolicyDir{partition: system_ext, scope: public, paths: ctx.DeviceConfig().SystemExtPublicSepolicyDirs()},
+ sepolicyDir{partition: system_ext, scope: private, paths: ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()},
+ sepolicyDir{partition: product, scope: public, paths: ctx.Config().ProductPublicSepolicyDirs()},
+ sepolicyDir{partition: product, scope: private, paths: ctx.Config().ProductPrivateSepolicyDirs()},
+ }
+
+ if !sort.SliceIsSorted(dirs, func(i, j int) bool {
+ if dirs[i].partition != dirs[j].partition {
+ return dirs[i].partition < dirs[j].partition
+ }
+
+ return dirs[i].scope < dirs[j].scope
+ }) {
+ panic("dirs is not sorted")
+ }
+
+ // Exported cil policy files are built with the following policies.
+ //
+ // - plat_pub_policy.cil: exported 'system'
+ // - system_ext_pub_policy.cil: exported 'system' and 'system_ext'
+ // - pub_policy.cil: exported 'system', 'system_ext', and 'product'
+ //
+ // cil policy files are built with the following policies.
+ //
+ // - plat_policy.cil: 'system', including private
+ // - system_ext_policy.cil: 'system_ext', including private
+ // - product_sepolicy.cil: 'product', including private
+ //
+ // gatherDirsFor collects all needed directories for given partition and scope. For example,
+ //
+ // - gatherDirsFor(system_ext, private) will return system + system_ext (including private)
+ // - gatherDirsFor(product, public) will return system + system_ext + product (public only)
+ //
+ // "dirs" should be sorted before calling this.
+ gatherDirsFor := func(p partition, s scope) []string {
+ var ret []string
+
+ for _, d := range dirs {
+ if d.partition <= p && d.scope <= s {
+ ret = append(ret, d.paths...)
+ }
+ }
+
+ return ret
+ }
+
+ reqdMaskDir := filepath.Join(ctx.ModuleDir(), "reqd_mask")
+
b.srcs = make(map[string]android.Paths)
- b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
- b.srcs[".plat_public"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "public"))
- b.srcs[".plat_private"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "private"))
- b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
- b.srcs[".system_ext_public"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs()...)
- b.srcs[".system_ext_private"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPrivateSepolicyDirs()...)
- b.srcs[".product_public"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs()...)
- b.srcs[".product_private"] = b.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs()...)
- b.srcs[".vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs()...)
- b.srcs[".odm"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs()...)
+ b.srcs[".reqd_mask"] = b.findSrcsInDirs(ctx, reqdMaskDir)
- if ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- // vendor uses the same source with plat policy
- b.srcs[".reqd_mask_for_vendor"] = b.srcs[".reqd_mask"]
- b.srcs[".plat_vendor_for_vendor"] = b.srcs[".plat_vendor"]
- b.srcs[".plat_public_for_vendor"] = b.srcs[".plat_public"]
- b.srcs[".plat_private_for_vendor"] = b.srcs[".plat_private"]
- b.srcs[".system_ext_public_for_vendor"] = b.srcs[".system_ext_public"]
- b.srcs[".system_ext_private_for_vendor"] = b.srcs[".system_ext_private"]
- b.srcs[".product_public_for_vendor"] = b.srcs[".product_public"]
- b.srcs[".product_private_for_vendor"] = b.srcs[".product_private"]
- } else {
- // use vendor-supplied plat prebuilts
- b.srcs[".reqd_mask_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy()...)
- b.srcs[".plat_vendor_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardPlatVendorPolicy()...)
- b.srcs[".plat_public_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "public"))
- b.srcs[".plat_private_for_vendor"] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ctx.DeviceConfig().BoardSepolicyVers(), "private"))
- b.srcs[".system_ext_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPublicPrebuiltDirs()...)
- b.srcs[".system_ext_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardSystemExtPrivatePrebuiltDirs()...)
- b.srcs[".product_public_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPublicPrebuiltDirs()...)
- b.srcs[".product_private_for_vendor"] = b.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardProductPrivatePrebuiltDirs()...)
+ for _, p := range []partition{system, system_ext, product} {
+ b.srcs["."+p.String()] = b.findSrcsInDirs(ctx, gatherDirsFor(p, private)...)
+
+ // reqd_mask is needed for public policies
+ b.srcs["."+p.String()+"_public"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(p, public), reqdMaskDir)...)
}
- // directories used for compat tests and Treble tests
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- b.srcs[".plat_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".plat_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.ModuleDir(), "prebuilts", "api", ver, "private"))
- b.srcs[".system_ext_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".system_ext_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().SystemExtSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
- b.srcs[".product_public_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "public"))
- b.srcs[".product_private_"+ver] = b.findSrcsInDirs(ctx, filepath.Join(ctx.DeviceConfig().ProductSepolicyPrebuiltApiDir(), "prebuilts", "api", ver, "private"))
- }
+ // A special tag, "plat_vendor", includes minimized vendor policies required to boot.
+ // - system/sepolicy/public
+ // - system/sepolicy/reqd_mask
+ // - system/sepolicy/vendor
+ // This is for minimized vendor partition, e.g. microdroid's vendor
+ platVendorDir := filepath.Join(ctx.ModuleDir(), "vendor")
+ b.srcs[".plat_vendor"] = b.findSrcsInDirs(ctx, append(gatherDirsFor(system, public), reqdMaskDir, platVendorDir)...)
}
diff --git a/build/soong/cil_compat_map.go b/build/soong/cil_compat_map.go
index 78e870e..f304e62 100644
--- a/build/soong/cil_compat_map.go
+++ b/build/soong/cil_compat_map.go
@@ -64,7 +64,7 @@
// compatibility mapping file. bottom_half may reference the outputs of
// other modules that produce source files like genrule or filegroup using
// the syntax ":module". srcs has to be non-empty.
- Bottom_half []string `android:"path"`
+ Bottom_half []string
// name of the output
Stem *string
}
@@ -97,7 +97,7 @@
expandedSrcFiles := make(android.Paths, 0, len(srcFiles))
for _, s := range srcFiles {
if m := android.SrcIsModule(s); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
+ module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
if module == nil {
// Error will have been handled by ExtractSourcesDeps
continue
@@ -161,6 +161,7 @@
}
func (c *cilCompatMap) DepsMutator(ctx android.BottomUpMutatorContext) {
+ android.ExtractSourcesDeps(ctx, c.properties.Bottom_half)
if c.properties.Top_half != nil {
ctx.AddDependency(c, TopHalfDepTag, String(c.properties.Top_half))
}
@@ -172,7 +173,7 @@
Class: "ETC",
}
ret.Extra = append(ret.Extra, func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", c.installPath.ToMakePath().String())
if c.properties.Stem != nil {
fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", String(c.properties.Stem))
}
@@ -181,15 +182,7 @@
}
var _ CilCompatMapGenerator = (*cilCompatMap)(nil)
-var _ android.OutputFileProducer = (*cilCompatMap)(nil)
func (c *cilCompatMap) GeneratedMapFile() android.Path {
return c.installSource
}
-
-func (c *cilCompatMap) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
diff --git a/build/soong/compat_cil.go b/build/soong/compat_cil.go
index e7b3af2..230fdc3 100644
--- a/build/soong/compat_cil.go
+++ b/build/soong/compat_cil.go
@@ -15,21 +15,13 @@
package selinux
import (
- "fmt"
-
"github.com/google/blueprint/proptools"
"android/soong/android"
)
-var (
- compatTestDepTag = dependencyTag{name: "compat_test"}
-)
-
func init() {
- ctx := android.InitRegistrationContext
- ctx.RegisterModuleType("se_compat_cil", compatCilFactory)
- ctx.RegisterSingletonModuleType("se_compat_test", compatTestFactory)
+ android.RegisterModuleType("se_compat_cil", compatCilFactory)
}
// se_compat_cil collects and installs backwards compatibility cil files.
@@ -49,7 +41,7 @@
type compatCilProperties struct {
// List of source files. Can reference se_filegroup type modules with the ":module" syntax.
- Srcs []string `android:"path"`
+ Srcs []string
// Output file name. Defaults to module name if unspecified.
Stem *string
@@ -63,7 +55,7 @@
srcPaths := make(android.Paths, 0, len(c.properties.Srcs))
for _, src := range c.properties.Srcs {
if m := android.SrcIsModule(src); m != "" {
- module := android.GetModuleFromPathDep(ctx, m, "")
+ module := ctx.GetDirectDepWithTag(m, android.SourceDepTag)
if module == nil {
// Error would have been handled by ExtractSourcesDeps
continue
@@ -84,6 +76,10 @@
return srcPaths
}
+func (c *compatCil) DepsMutator(ctx android.BottomUpMutatorContext) {
+ android.ExtractSourcesDeps(ctx, c.properties.Srcs)
+}
+
func (c *compatCil) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if c.ProductSpecific() || c.SocSpecific() || c.DeviceSpecific() {
ctx.ModuleErrorf("Compat cil files only support system and system_ext partitions")
@@ -109,162 +105,9 @@
OutputFile: android.OptionalPathForPath(c.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
}}
}
-
-func (c *compatCil) OutputFiles(tag string) (android.Paths, error) {
- switch tag {
- case "":
- return android.Paths{c.installSource}, nil
- default:
- return nil, fmt.Errorf("unsupported module reference tag %q", tag)
- }
-}
-
-var _ android.OutputFileProducer = (*compatCil)(nil)
-
-// se_compat_test checks if compat files ({ver}.cil, {ver}.compat.cil) files are compatible with
-// current policy.
-func compatTestFactory() android.SingletonModule {
- f := &compatTestModule{}
- android.InitAndroidModule(f)
- android.AddLoadHook(f, func(ctx android.LoadHookContext) {
- f.loadHook(ctx)
- })
- return f
-}
-
-type compatTestModule struct {
- android.SingletonModuleBase
-
- compatTestTimestamp android.ModuleOutPath
-}
-
-func (f *compatTestModule) createPlatPubVersionedModule(ctx android.LoadHookContext, ver string) {
- confName := fmt.Sprintf("pub_policy_%s.conf", ver)
- cilName := fmt.Sprintf("pub_policy_%s.cil", ver)
- platPubVersionedName := fmt.Sprintf("plat_pub_versioned_%s.cil", ver)
-
- ctx.CreateModule(policyConfFactory, &nameProperties{
- Name: proptools.StringPtr(confName),
- }, &policyConfProperties{
- Srcs: []string{
- fmt.Sprintf(":se_build_files{.plat_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.system_ext_public_%s}", ver),
- fmt.Sprintf(":se_build_files{.product_public_%s}", ver),
- ":se_build_files{.reqd_mask}",
- },
- Installable: proptools.BoolPtr(false),
- })
-
- ctx.CreateModule(policyCilFactory, &nameProperties{
- Name: proptools.StringPtr(cilName),
- }, &policyCilProperties{
- Src: proptools.StringPtr(":" + confName),
- Filter_out: []string{":reqd_policy_mask.cil"},
- Secilc_check: proptools.BoolPtr(false),
- Installable: proptools.BoolPtr(false),
- })
-
- ctx.CreateModule(versionedPolicyFactory, &nameProperties{
- Name: proptools.StringPtr(platPubVersionedName),
- }, &versionedPolicyProperties{
- Base: proptools.StringPtr(":" + cilName),
- Target_policy: proptools.StringPtr(":" + cilName),
- Version: proptools.StringPtr(ver),
- Installable: proptools.BoolPtr(false),
- })
-}
-
-func (f *compatTestModule) createCompatTestModule(ctx android.LoadHookContext, ver string) {
- srcs := []string{
- ":plat_sepolicy.cil",
- ":system_ext_sepolicy.cil",
- ":product_sepolicy.cil",
- fmt.Sprintf(":plat_%s.cil", ver),
- fmt.Sprintf(":%s.compat.cil", ver),
- fmt.Sprintf(":system_ext_%s.cil", ver),
- fmt.Sprintf(":system_ext_%s.compat.cil", ver),
- fmt.Sprintf(":product_%s.cil", ver),
- }
-
- if ver == ctx.DeviceConfig().BoardSepolicyVers() {
- srcs = append(srcs,
- ":plat_pub_versioned.cil",
- ":vendor_sepolicy.cil",
- ":odm_sepolicy.cil",
- )
- } else {
- srcs = append(srcs, fmt.Sprintf(":plat_pub_versioned_%s.cil", ver))
- }
-
- compatTestName := fmt.Sprintf("%s_compat_test", ver)
- ctx.CreateModule(policyBinaryFactory, &nameProperties{
- Name: proptools.StringPtr(compatTestName),
- }, &policyBinaryProperties{
- Srcs: srcs,
- Ignore_neverallow: proptools.BoolPtr(true),
- Installable: proptools.BoolPtr(false),
- })
-}
-
-func (f *compatTestModule) loadHook(ctx android.LoadHookContext) {
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- f.createPlatPubVersionedModule(ctx, ver)
- f.createCompatTestModule(ctx, ver)
- }
-}
-
-func (f *compatTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- for _, ver := range ctx.DeviceConfig().PlatformSepolicyCompatVersions() {
- ctx.AddDependency(f, compatTestDepTag, fmt.Sprintf("%s_compat_test", ver))
- }
-}
-
-func (f *compatTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_compat_test is a singeton because two compat test modules don't make sense.
-}
-
-func (f *compatTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- var inputs android.Paths
- ctx.VisitDirectDepsWithTag(compatTestDepTag, func(child android.Module) {
- o, ok := child.(android.OutputFileProducer)
- if !ok {
- panic(fmt.Errorf("Module %q should be an OutputFileProducer but it isn't", ctx.OtherModuleName(child)))
- }
-
- outputs, err := o.OutputFiles("")
- if err != nil {
- panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
- }
- if len(outputs) != 1 {
- panic(fmt.Errorf("Module %q should produce exactly one output, but did %q", ctx.OtherModuleName(child), outputs.Strings()))
- }
-
- inputs = append(inputs, outputs[0])
- })
-
- f.compatTestTimestamp = android.PathForModuleOut(ctx, "timestamp")
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("touch").Output(f.compatTestTimestamp).Implicits(inputs)
- rule.Build("compat", "compat test timestamp for: "+f.Name())
-}
-
-func (f *compatTestModule) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "FAKE",
- // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
- // Without OutputFile this module won't be exported to Makefile.
- OutputFile: android.OptionalPathForPath(f.compatTestTimestamp),
- Include: "$(BUILD_PHONY_PACKAGE)",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.compatTestTimestamp.String())
- },
- },
- }}
-}
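Review bot: Deleting the `se_compat_test` singleton removes the build-time check that each `{ver}.cil` / `{ver}.compat.cil` mapping still compiles together with the current `plat_sepolicy.cil`, `system_ext_sepolicy.cil` and `product_sepolicy.cil`; with it gone, a stale compatibility map is only caught when secilc or the device fails to load the policy. If the check is meant to live elsewhere on this branch, a line in the file header saying where (`// compat map verification is performed by <tool> on this branch`) would help the next reader; if not, the loss of coverage is worth calling out in the commit message. This hunk also removes `OutputFiles` from `compatCil`, so any remaining `:module` reference to a se_compat_cil output will stop resolving; confirm none is left in the tree.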
diff --git a/build/soong/filegroup.go b/build/soong/filegroup.go
index 9dd4bd9..0d426af 100644
--- a/build/soong/filegroup.go
+++ b/build/soong/filegroup.go
@@ -137,6 +137,7 @@
func (fg *fileGroup) GenerateAndroidBuildActions(ctx android.ModuleContext) {
fg.systemPublicSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "public"))
fg.systemPrivateSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "private"))
+ fg.systemVendorSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "vendor"))
fg.systemReqdMaskSrcs = fg.findSrcsInDir(ctx, filepath.Join(ctx.ModuleDir(), "reqd_mask"))
fg.systemExtPublicSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().SystemExtPublicSepolicyDirs())
@@ -145,11 +146,6 @@
fg.productPublicSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPublicSepolicyDirs())
fg.productPrivateSrcs = fg.findSrcsInDirs(ctx, ctx.Config().ProductPrivateSepolicyDirs())
- systemVendorDirs := ctx.DeviceConfig().BoardPlatVendorPolicy()
- if len(systemVendorDirs) == 0 || ctx.DeviceConfig().PlatformSepolicyVersion() == ctx.DeviceConfig().BoardSepolicyVers() {
- systemVendorDirs = []string{filepath.Join(ctx.ModuleDir(), "vendor")}
- }
- fg.systemVendorSrcs = fg.findSrcsInDirs(ctx, systemVendorDirs)
fg.vendorReqdMaskSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().BoardReqdMaskPolicy())
fg.vendorSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().VendorSepolicyDirs())
fg.odmSrcs = fg.findSrcsInDirs(ctx, ctx.DeviceConfig().OdmSepolicyDirs())
diff --git a/build/soong/policy.go b/build/soong/policy.go
index b1840da..75fbdf1 100644
--- a/build/soong/policy.go
+++ b/build/soong/policy.go
@@ -17,9 +17,7 @@
import (
"fmt"
"os"
- "sort"
"strconv"
- "strings"
"github.com/google/blueprint/proptools"
@@ -33,35 +31,9 @@
PolicyVers = 30
)
-// This order should be kept. checkpolicy syntax requires it.
-var policyConfOrder = []string{
- "security_classes",
- "initial_sids",
- "access_vectors",
- "global_macros",
- "neverallow_macros",
- "mls_macros",
- "mls_decl",
- "mls",
- "policy_capabilities",
- "te_macros",
- "attributes",
- "ioctl_defines",
- "ioctl_macros",
- "*.te",
- "roles_decl",
- "roles",
- "users",
- "initial_sid_contexts",
- "fs_use",
- "genfs_contexts",
- "port_contexts",
-}
-
func init() {
android.RegisterModuleType("se_policy_conf", policyConfFactory)
android.RegisterModuleType("se_policy_cil", policyCilFactory)
- android.RegisterModuleType("se_policy_binary", policyBinaryFactory)
}
type policyConfProperties struct {
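Review bot: Dropping `policyConfOrder` removes the build's guarantee that `security_classes`, `initial_sids`, `access_vectors` and the macro files are fed to m4 before the `*.te` files, which the deleted comment says checkpolicy requires; the later hunk in this file drops the matching sort, so on the new side the conf order is presumably whatever order `Srcs` expands to, and every `se_policy_conf` module must now list its sources correctly itself. A comment on `policyConfProperties.Srcs` stating that contract (`// Order matters: checkpolicy requires security_classes, initial_sids, access_vectors and the macro files before any *.te file.`) would make the requirement explicit. `se_policy_binary` is also unregistered here, so any `Android.bp` still declaring one will fail to load.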
@@ -83,14 +55,8 @@
// Whether to build CTS specific policy or not. Default is false
Cts *bool
- // Whether to build recovery specific policy or not. Default is false
- Target_recovery *bool
-
// Whether this module is directly installable to one of the partitions. Default is true
Installable *bool
-
- // Desired number of MLS categories. Defaults to 1024
- Mls_cats *int64
}
type policyConf struct {
@@ -136,10 +102,6 @@
return proptools.Bool(c.properties.Cts)
}
-func (c *policyConf) isTargetRecovery() bool {
- return proptools.Bool(c.properties.Target_recovery)
-}
-
func (c *policyConf) withAsan(ctx android.ModuleContext) string {
isAsanDevice := android.InList("address", ctx.Config().SanitizeDevice())
return strconv.FormatBool(proptools.BoolDefault(c.properties.With_asan, isAsanDevice))
@@ -149,9 +111,6 @@
if c.cts() {
return "cts"
}
- if c.isTargetRecovery() {
- return "false"
- }
return strconv.FormatBool(ctx.DeviceConfig().SepolicySplit())
}
@@ -159,9 +118,6 @@
if c.cts() {
return "cts"
}
- if c.isTargetRecovery() {
- return "false"
- }
return "true"
}
@@ -169,9 +125,6 @@
if c.cts() {
return "cts"
}
- if c.isTargetRecovery() {
- return "false"
- }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenTrebleSyspropNeverallow())
}
@@ -179,9 +132,6 @@
if c.cts() {
return "cts"
}
- if c.isTargetRecovery() {
- return "false"
- }
return strconv.FormatBool(!ctx.DeviceConfig().BuildBrokenEnforceSyspropOwner())
}
@@ -192,34 +142,14 @@
return strconv.FormatBool(ctx.DeviceConfig().BuildDebugfsRestrictionsEnabled())
}
-func (c *policyConf) mlsCats() int {
- return proptools.IntDefault(c.properties.Mls_cats, MlsCats)
-}
-
-func findPolicyConfOrder(name string) int {
- for idx, pattern := range policyConfOrder {
- if pattern == name || (pattern == "*.te" && strings.HasSuffix(name, ".te")) {
- return idx
- }
- }
- // name is not matched
- return len(policyConfOrder)
-}
-
func (c *policyConf) transformPolicyToConf(ctx android.ModuleContext) android.OutputPath {
- conf := android.PathForModuleOut(ctx, c.stem()).OutputPath
+ conf := android.PathForModuleOut(ctx, "conf").OutputPath
rule := android.NewRuleBuilder(pctx, ctx)
-
- srcs := android.PathsForModuleSrc(ctx, c.properties.Srcs)
- sort.SliceStable(srcs, func(x, y int) bool {
- return findPolicyConfOrder(srcs[x].Base()) < findPolicyConfOrder(srcs[y].Base())
- })
-
rule.Command().Tool(ctx.Config().PrebuiltBuildTool(ctx, "m4")).
Flag("--fatal-warnings").
FlagForEachArg("-D ", ctx.DeviceConfig().SepolicyM4Defs()).
FlagWithArg("-D mls_num_sens=", strconv.Itoa(MlsSens)).
- FlagWithArg("-D mls_num_cats=", strconv.Itoa(c.mlsCats())).
+ FlagWithArg("-D mls_num_cats=", strconv.Itoa(MlsCats)).
FlagWithArg("-D target_arch=", ctx.DeviceConfig().DeviceArch()).
FlagWithArg("-D target_with_asan=", c.withAsan(ctx)).
FlagWithArg("-D target_with_dexpreopt=", strconv.FormatBool(ctx.DeviceConfig().WithDexpreopt())).
@@ -232,9 +162,8 @@
FlagWithArg("-D target_exclude_build_test=", strconv.FormatBool(proptools.Bool(c.properties.Exclude_build_test))).
FlagWithArg("-D target_requires_insecure_execmem_for_swiftshader=", strconv.FormatBool(ctx.DeviceConfig().RequiresInsecureExecmemForSwiftshader())).
FlagWithArg("-D target_enforce_debugfs_restriction=", c.enforceDebugfsRestrictions(ctx)).
- FlagWithArg("-D target_recovery=", strconv.FormatBool(c.isTargetRecovery())).
Flag("-s").
- Inputs(srcs).
+ Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
Text("> ").Output(conf)
rule.Build("conf", "Transform policy to conf: "+ctx.ModuleName())
@@ -246,13 +175,13 @@
}
func (c *policyConf) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if !c.installable() {
- c.SkipInstall()
- }
-
c.installSource = c.transformPolicyToConf(ctx)
c.installPath = android.PathForModuleInstall(ctx, "etc")
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.installable() {
+ c.SkipInstall()
+ }
}
func (c *policyConf) AndroidMkEntries() []android.AndroidMkEntries {
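Review bot: The new side of GenerateAndroidBuildActions calls `ctx.InstallFile(c.installPath, c.stem(), c.installSource)` before `c.SkipInstall()`, so if InstallFile consults the skip flag at call time (which the removed ordering suggests), an `installable: false` module still gets an install rule and only the Make-side `LOCAL_UNINSTALLABLE_MODULE` entry reflects the property. Keeping the `if !c.installable() { c.SkipInstall() }` block ahead of the InstallFile call removes that dependency on evaluation order. The same reordering appears in the policyCil hunks `@@ -396,10 +325,6 @@` and `@@ -408,6 +333,10 @@`.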
@@ -262,7 +191,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -396,10 +325,6 @@
conf := android.PathForModuleSrc(ctx, *c.properties.Src)
cil := c.compileConfToCil(ctx, conf)
- if !c.Installable() {
- c.SkipInstall()
- }
-
if c.InstallInDebugRamdisk() {
// for userdebug_plat_sepolicy.cil
c.installPath = android.PathForModuleInstall(ctx)
@@ -408,6 +333,10 @@
}
c.installSource = cil
ctx.InstallFile(c.installPath, c.stem(), c.installSource)
+
+ if !c.Installable() {
+ c.SkipInstall()
+ }
}
func (c *policyCil) AndroidMkEntries() []android.AndroidMkEntries {
@@ -417,7 +346,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
+ entries.SetPath("LOCAL_MODULE_PATH", c.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
},
},
@@ -432,139 +361,3 @@
}
var _ android.OutputFileProducer = (*policyCil)(nil)
-
-type policyBinaryProperties struct {
- // Name of the output. Default is {module_name}
- Stem *string
-
- // Cil files to be compiled.
- Srcs []string `android:"path"`
-
- // Whether to ignore neverallow when running secilc check. Defaults to
- // SELINUX_IGNORE_NEVERALLOWS.
- Ignore_neverallow *bool
-
- // Whether this module is directly installable to one of the partitions. Default is true
- Installable *bool
-}
-
-type policyBinary struct {
- android.ModuleBase
-
- properties policyBinaryProperties
-
- installSource android.Path
- installPath android.InstallPath
-}
-
-// se_policy_binary compiles cil files to a binary sepolicy file with secilc. Usually sources of
-// se_policy_binary come from outputs of se_policy_cil modules.
-func policyBinaryFactory() android.Module {
- c := &policyBinary{}
- c.AddProperties(&c.properties)
- android.InitAndroidArchModule(c, android.DeviceSupported, android.MultilibCommon)
- return c
-}
-
-func (c *policyBinary) InstallInRoot() bool {
- return c.InstallInRecovery()
-}
-
-func (c *policyBinary) Installable() bool {
- return proptools.BoolDefault(c.properties.Installable, true)
-}
-
-func (c *policyBinary) stem() string {
- return proptools.StringDefault(c.properties.Stem, c.Name())
-}
-
-func (c *policyBinary) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- if len(c.properties.Srcs) == 0 {
- ctx.PropertyErrorf("srcs", "must be specified")
- return
- }
- bin := android.PathForModuleOut(ctx, c.stem()+"_policy")
- rule := android.NewRuleBuilder(pctx, ctx)
- secilcCmd := rule.Command().BuiltTool("secilc").
- Flag("-m"). // Multiple decls
- FlagWithArg("-M ", "true"). // Enable MLS
- Flag("-G"). // expand and remove auto generated attributes
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- Inputs(android.PathsForModuleSrc(ctx, c.properties.Srcs)).
- FlagWithOutput("-o ", bin).
- FlagWithArg("-f ", os.DevNull)
-
- if proptools.BoolDefault(c.properties.Ignore_neverallow, ctx.Config().SelinuxIgnoreNeverallows()) {
- secilcCmd.Flag("-N")
- }
- rule.Temporary(bin)
-
- // permissive check is performed only in user build (not debuggable).
- if !ctx.Config().Debuggable() {
- permissiveDomains := android.PathForModuleOut(ctx, c.stem()+"_permissive")
- rule.Command().BuiltTool("sepolicy-analyze").
- Input(bin).
- Text("permissive").
- Text(" > ").
- Output(permissiveDomains)
- rule.Temporary(permissiveDomains)
-
- msg := `==========\n` +
- `ERROR: permissive domains not allowed in user builds\n` +
- `List of invalid domains:`
-
- rule.Command().Text("if test").
- FlagWithInput("-s ", permissiveDomains).
- Text("; then echo").
- Flag("-e").
- Text(`"` + msg + `"`).
- Text("&& cat ").
- Input(permissiveDomains).
- Text("; exit 1; fi")
- }
-
- out := android.PathForModuleOut(ctx, c.stem())
- rule.Command().Text("cp").
- Flag("-f").
- Input(bin).
- Output(out)
-
- rule.DeleteTemporaryFiles()
- rule.Build("secilc", "Compiling cil files for "+ctx.ModuleName())
-
- if !c.Installable() {
- c.SkipInstall()
- }
-
- if c.InstallInRecovery() {
- // install in root
- c.installPath = android.PathForModuleInstall(ctx)
- } else {
- c.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
- }
- c.installSource = out
- ctx.InstallFile(c.installPath, c.stem(), c.installSource)
-}
-
-func (c *policyBinary) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- OutputFile: android.OptionalPathForPath(c.installSource),
- Class: "ETC",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !c.Installable())
- entries.SetPath("LOCAL_MODULE_PATH", c.installPath)
- entries.SetString("LOCAL_INSTALLED_MODULE_STEM", c.stem())
- },
- },
- }}
-}
-
-func (c *policyBinary) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return android.Paths{c.installSource}, nil
- }
- return nil, fmt.Errorf("Unknown tag %q", tag)
-}
-
-var _ android.OutputFileProducer = (*policyBinary)(nil)
diff --git a/build/soong/selinux_contexts.go b/build/soong/selinux_contexts.go
index 463a978..a9aed60 100644
--- a/build/soong/selinux_contexts.go
+++ b/build/soong/selinux_contexts.go
@@ -17,7 +17,6 @@
import (
"fmt"
"io"
- "os"
"strings"
"github.com/google/blueprint"
@@ -31,15 +30,19 @@
// Filenames under sepolicy directories, which will be used to generate contexts file.
Srcs []string `android:"path"`
- // Output file name. Defaults to module name
- Stem *string
-
Product_variables struct {
+ Debuggable struct {
+ Srcs []string
+ }
+
Address_sanitize struct {
- Srcs []string `android:"path"`
+ Srcs []string
}
}
+ // Whether reqd_mask directory is included to sepolicy directories or not.
+ Reqd_mask *bool
+
// Whether the comments in generated contexts file will be removed or not.
Remove_comment *bool
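Review bot: The new `Reqd_mask` comment reads awkwardly; I would write it as `// Whether the reqd_mask directory is added to the sepolicy source directories. Default is false`. Removing the `android:"path"` tag from `Product_variables.Address_sanitize.Srcs` (and from `Flatten_apex.Srcs` in the next hunk) only works because the load hook later in this diff appends those entries to `Srcs`, which keeps its tag, and flatten_apex rejects module references explicitly; a one-line comment on the struct saying so would stop a future reader from "fixing" the missing tag.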
@@ -55,24 +58,15 @@
// Apex paths, /system/apex/{apex_name}, will be amended to the paths of file_contexts
// entries.
Flatten_apex struct {
- Srcs []string `android:"path"`
+ Srcs []string
}
}
-type seappProperties struct {
- // Files containing neverallow rules.
- Neverallow_files []string `android:"path"`
-
- // Precompiled sepolicy binary file which will be fed to checkseapp.
- Sepolicy *string `android:"path"`
-}
-
type selinuxContextsModule struct {
android.ModuleBase
properties selinuxContextsProperties
fileContextsProperties fileContextsProperties
- seappProperties seappProperties
build func(ctx android.ModuleContext, inputs android.Paths) android.Path
deps func(ctx android.BottomUpMutatorContext)
outputPath android.Path
@@ -92,14 +86,6 @@
android.RegisterModuleType("property_contexts", propertyFactory)
android.RegisterModuleType("service_contexts", serviceFactory)
android.RegisterModuleType("keystore2_key_contexts", keystoreKeyFactory)
- android.RegisterModuleType("seapp_contexts", seappFactory)
- android.RegisterModuleType("vndservice_contexts", vndServiceFactory)
-
- android.RegisterModuleType("file_contexts_test", fileContextsTestFactory)
- android.RegisterModuleType("property_contexts_test", propertyContextsTestFactory)
- android.RegisterModuleType("hwservice_contexts_test", hwserviceContextsTestFactory)
- android.RegisterModuleType("service_contexts_test", serviceContextsTestFactory)
- android.RegisterModuleType("vndservice_contexts_test", vndServiceContextsTestFactory)
}
func (m *selinuxContextsModule) InstallInRoot() bool {
@@ -134,10 +120,6 @@
}
}
-func (m *selinuxContextsModule) stem() string {
- return proptools.StringDefault(m.properties.Stem, m.Name())
-}
-
func (m *selinuxContextsModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
if m.InRecovery() {
// Installing context files at the root of the recovery partition
@@ -151,21 +133,61 @@
if reuseDeps, ok := dep.(*selinuxContextsModule); ok {
m.outputPath = reuseDeps.outputPath
- ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+ ctx.InstallFile(m.installPath, m.Name(), m.outputPath)
return
}
}
- m.outputPath = m.build(ctx, android.PathsForModuleSrc(ctx, m.properties.Srcs))
- ctx.InstallFile(m.installPath, m.stem(), m.outputPath)
+ var inputs android.Paths
+
+ ctx.VisitDirectDepsWithTag(android.SourceDepTag, func(dep android.Module) {
+ segroup, ok := dep.(*fileGroup)
+ if !ok {
+ ctx.ModuleErrorf("srcs dependency %q is not an selinux filegroup",
+ ctx.OtherModuleName(dep))
+ return
+ }
+
+ if ctx.ProductSpecific() {
+ inputs = append(inputs, segroup.ProductPrivateSrcs()...)
+ } else if ctx.SocSpecific() {
+ if ctx.DeviceConfig().BoardSepolicyVers() == ctx.DeviceConfig().PlatformSepolicyVersion() {
+ inputs = append(inputs, segroup.SystemVendorSrcs()...)
+ }
+ inputs = append(inputs, segroup.VendorSrcs()...)
+ } else if ctx.DeviceSpecific() {
+ inputs = append(inputs, segroup.OdmSrcs()...)
+ } else if ctx.SystemExtSpecific() {
+ inputs = append(inputs, segroup.SystemExtPrivateSrcs()...)
+ } else {
+ inputs = append(inputs, segroup.SystemPrivateSrcs()...)
+ inputs = append(inputs, segroup.SystemPublicSrcs()...)
+ }
+
+ if proptools.Bool(m.properties.Reqd_mask) {
+ if ctx.SocSpecific() || ctx.DeviceSpecific() {
+ inputs = append(inputs, segroup.VendorReqdMaskSrcs()...)
+ } else {
+ inputs = append(inputs, segroup.SystemReqdMaskSrcs()...)
+ }
+ }
+ })
+
+ for _, src := range m.properties.Srcs {
+ // Module sources are handled above with VisitDirectDepsWithTag
+ if android.SrcIsModule(src) == "" {
+ inputs = append(inputs, android.PathForModuleSrc(ctx, src))
+ }
+ }
+
+ m.outputPath = m.build(ctx, inputs)
+ ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)
}
func newModule() *selinuxContextsModule {
m := &selinuxContextsModule{}
m.AddProperties(
&m.properties,
- &m.fileContextsProperties,
- &m.seappProperties,
)
android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
android.AddLoadHook(m, func(ctx android.LoadHookContext) {
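Review bot: The two install calls in GenerateAndroidBuildActions name the installed file differently: the reuse path uses `ctx.InstallFile(m.installPath, m.Name(), m.outputPath)` while the build path uses `ctx.InstallFile(m.installPath, ctx.ModuleName(), m.outputPath)`; both presumably resolve to the same string, but one spelling (`ctx.ModuleName()` in both) makes that obvious. Note also that `ctx.ModuleErrorf(...)` inside the VisitDirectDepsWithTag callback only returns from the closure, so `m.build` and the install still run on a partial `inputs` list for the rest of the function; that is harmless if the recorded error fails the build, but a short comment at the `return` saying so would help. GenerateAndroidBuildActions starts before this hunk.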
@@ -178,6 +200,10 @@
// TODO: clean this up to use build/soong/android/variable.go after b/79249983
var srcs []string
+ if ctx.Config().Debuggable() {
+ srcs = append(srcs, m.properties.Product_variables.Debuggable.Srcs...)
+ }
+
for _, sanitize := range ctx.Config().SanitizeDevice() {
if sanitize == "address" {
srcs = append(srcs, m.properties.Product_variables.Address_sanitize.Srcs...)
@@ -189,32 +215,38 @@
}
func (m *selinuxContextsModule) AndroidMk() android.AndroidMkData {
- nameSuffix := ""
- if m.InRecovery() && !m.onlyInRecovery() {
- nameSuffix = ".recovery"
- }
return android.AndroidMkData{
- Class: "ETC",
- OutputFile: android.OptionalPathForPath(m.outputPath),
- SubName: nameSuffix,
- Extra: []android.AndroidMkExtraFunc{
- func(w io.Writer, outputFile android.Path) {
- fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.String())
- fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", m.stem())
- },
+ Custom: func(w io.Writer, name, prefix, moduleDir string, data android.AndroidMkData) {
+ nameSuffix := ""
+ if m.InRecovery() && !m.onlyInRecovery() {
+ nameSuffix = ".recovery"
+ }
+ fmt.Fprintln(w, "\ninclude $(CLEAR_VARS)")
+ fmt.Fprintln(w, "LOCAL_PATH :=", moduleDir)
+ fmt.Fprintln(w, "LOCAL_MODULE :=", name+nameSuffix)
+ data.Entries.WriteLicenseVariables(w)
+ fmt.Fprintln(w, "LOCAL_MODULE_CLASS := ETC")
+ if m.Owner() != "" {
+ fmt.Fprintln(w, "LOCAL_MODULE_OWNER :=", m.Owner())
+ }
+ fmt.Fprintln(w, "LOCAL_MODULE_TAGS := optional")
+ fmt.Fprintln(w, "LOCAL_PREBUILT_MODULE_FILE :=", m.outputPath.String())
+ fmt.Fprintln(w, "LOCAL_MODULE_PATH :=", m.installPath.ToMakePath().String())
+ fmt.Fprintln(w, "LOCAL_INSTALLED_MODULE_STEM :=", name)
+ fmt.Fprintln(w, "include $(BUILD_PREBUILT)")
},
}
}
func (m *selinuxContextsModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
- if proptools.Bool(m.properties.Recovery_available) && m.ModuleBase.InstallInRecovery() {
+ if proptools.Bool(m.properties.Recovery_available) && m.InstallInRecovery() {
ctx.PropertyErrorf("recovery_available",
"doesn't make sense at the same time as `recovery: true`")
}
}
func (m *selinuxContextsModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
- return !m.ModuleBase.InstallInRecovery()
+ return !m.InstallInRecovery()
}
func (m *selinuxContextsModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
@@ -230,7 +262,7 @@
}
func (m *selinuxContextsModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
- return m.ModuleBase.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
+ return m.InstallInRecovery() || proptools.Bool(m.properties.Recovery_available)
}
func (m *selinuxContextsModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
@@ -243,7 +275,7 @@
var _ android.ImageInterface = (*selinuxContextsModule)(nil)
func (m *selinuxContextsModule) buildGeneralContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- builtContext := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
+ ret := android.PathForModuleGen(ctx, ctx.ModuleName()+"_m4out")
rule := android.NewRuleBuilder(pctx, ctx)
@@ -252,40 +284,37 @@
Text("--fatal-warnings -s").
FlagForEachArg("-D", ctx.DeviceConfig().SepolicyM4Defs()).
Inputs(inputs).
- FlagWithOutput("> ", builtContext)
+ FlagWithOutput("> ", ret)
if proptools.Bool(m.properties.Remove_comment) {
- rule.Temporary(builtContext)
+ rule.Temporary(ret)
remove_comment_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_remove_comment")
rule.Command().
Text("sed -e 's/#.*$//' -e '/^$/d'").
- Input(builtContext).
+ Input(ret).
FlagWithOutput("> ", remove_comment_output)
- builtContext = remove_comment_output
+ ret = remove_comment_output
}
if proptools.Bool(m.properties.Fc_sort) {
- rule.Temporary(builtContext)
+ rule.Temporary(ret)
sorted_output := android.PathForModuleGen(ctx, ctx.ModuleName()+"_sorted")
rule.Command().
Tool(ctx.Config().HostToolPath(ctx, "fc_sort")).
- FlagWithInput("-i ", builtContext).
+ FlagWithInput("-i ", ret).
FlagWithOutput("-o ", sorted_output)
- builtContext = sorted_output
+ ret = sorted_output
}
- ret := android.PathForModuleGen(ctx, m.stem())
- rule.Temporary(builtContext)
- rule.Command().Text("cp").Input(builtContext).Output(ret)
+ rule.Build("selinux_contexts", "building contexts: "+m.Name())
rule.DeleteTemporaryFiles()
- rule.Build("selinux_contexts", "building contexts: "+m.Name())
return ret
}
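Review bot: In buildGeneralContexts the new side calls `rule.Build("selinux_contexts", ...)` and only then `rule.DeleteTemporaryFiles()`, so the cleanup of the `_m4out` output (and of the remove_comment / fc_sort intermediates marked with `rule.Temporary`) is registered after the rule has already been emitted; elsewhere in this diff (policyBinary) DeleteTemporaryFiles is called before Build, which is presumably the required order. I would swap the two lines: `rule.DeleteTemporaryFiles()` followed by `rule.Build("selinux_contexts", "building contexts: "+m.Name())`. The function starts before this hunk.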
@@ -298,18 +327,25 @@
rule := android.NewRuleBuilder(pctx, ctx)
if ctx.Config().FlattenApex() {
- for _, path := range android.PathsForModuleSrc(ctx, m.fileContextsProperties.Flatten_apex.Srcs) {
- out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
- apex_path := "/system/apex/" + strings.Replace(
- strings.TrimSuffix(path.Base(), "-file_contexts"),
- ".", "\\\\.", -1)
+ for _, src := range m.fileContextsProperties.Flatten_apex.Srcs {
+ if m := android.SrcIsModule(src); m != "" {
+ ctx.ModuleErrorf(
+ "Module srcs dependency %q is not supported for flatten_apex.srcs", m)
+ return nil
+ }
+ for _, path := range android.PathsForModuleSrcExcludes(ctx, []string{src}, nil) {
+ out := android.PathForModuleGen(ctx, "flattened_apex", path.Rel())
+ apex_path := "/system/apex/" + strings.Replace(
+ strings.TrimSuffix(path.Base(), "-file_contexts"),
+ ".", "\\\\.", -1)
- rule.Command().
- Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
- Input(path).
- FlagWithOutput("> ", out)
+ rule.Command().
+ Text("awk '/object_r/{printf(\""+apex_path+"%s\\n\",$0)}'").
+ Input(path).
+ FlagWithOutput("> ", out)
- inputs = append(inputs, out)
+ inputs = append(inputs, out)
+ }
}
}
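Review bot: `if m := android.SrcIsModule(src); m != ""` shadows the method receiver `m` inside that block, which is easy to misread next to `m.fileContextsProperties` on the line above; a different name avoids it, e.g. `if dep := android.SrcIsModule(src); dep != "" {` and `"Module srcs dependency %q is not supported for flatten_apex.srcs", dep)`. The enclosing buildFileContexts starts and ends outside this hunk.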
@@ -319,6 +355,7 @@
func fileFactory() android.Module {
m := newModule()
+ m.AddProperties(&m.fileContextsProperties)
m.build = m.buildFileContexts
return m
}
@@ -441,31 +478,6 @@
return builtCtxFile
}
-func (m *selinuxContextsModule) buildSeappContexts(ctx android.ModuleContext, inputs android.Paths) android.Path {
- neverallowFile := android.PathForModuleGen(ctx, "neverallow")
- ret := android.PathForModuleGen(ctx, m.stem())
-
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().Text("(grep").
- Flag("-ihe").
- Text("'^neverallow'").
- Inputs(android.PathsForModuleSrc(ctx, m.seappProperties.Neverallow_files)).
- Text(os.DevNull). // to make grep happy even when Neverallow_files is empty
- Text(">").
- Output(neverallowFile).
- Text("|| true)") // to make ninja happy even when result is empty
-
- rule.Temporary(neverallowFile)
- rule.Command().BuiltTool("checkseapp").
- FlagWithInput("-p ", android.PathForModuleSrc(ctx, proptools.String(m.seappProperties.Sepolicy))).
- FlagWithOutput("-o ", ret).
- Inputs(inputs).
- Input(neverallowFile)
-
- rule.Build("seapp_contexts", "Building seapp_contexts: "+m.Name())
- return ret
-}
-
func hwServiceFactory() android.Module {
m := newModule()
m.build = m.buildHwServiceContexts
@@ -490,178 +502,3 @@
m.build = m.buildGeneralContexts
return m
}
-
-func seappFactory() android.Module {
- m := newModule()
- m.build = m.buildSeappContexts
- return m
-}
-
-func vndServiceFactory() android.Module {
- m := newModule()
- m.build = m.buildGeneralContexts
- android.AddLoadHook(m, func(ctx android.LoadHookContext) {
- if !ctx.SocSpecific() {
- ctx.ModuleErrorf(m.Name(), "must set vendor: true")
- return
- }
- })
- return m
-}
-
-var _ android.OutputFileProducer = (*selinuxContextsModule)(nil)
-
-// Implements android.OutputFileProducer
-func (m *selinuxContextsModule) OutputFiles(tag string) (android.Paths, error) {
- if tag == "" {
- return []android.Path{m.outputPath}, nil
- }
- return nil, fmt.Errorf("unsupported module reference tag %q", tag)
-}
-
-type contextsTestProperties struct {
- // Contexts files to be tested.
- Srcs []string `android:"path"`
-
- // Precompiled sepolicy binary to be tesed together.
- Sepolicy *string `android:"path"`
-}
-
-type contextsTestModule struct {
- android.ModuleBase
-
- // Name of the test tool. "checkfc" or "property_info_checker"
- tool string
-
- // Additional flags to be passed to the tool.
- flags []string
-
- properties contextsTestProperties
- testTimestamp android.ModuleOutPath
-}
-
-// checkfc parses a context file and checks for syntax errors.
-// If -s is specified, the service backend is used to verify binder services.
-// If -l is specified, the service backend is used to verify hwbinder services.
-// Otherwise, context_file is assumed to be a file_contexts file
-// If -e is specified, then the context_file is allowed to be empty.
-
-// file_contexts_test tests given file_contexts files with checkfc.
-func fileContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc" /* no flags: file_contexts file check */}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-// property_contexts_test tests given property_contexts files with property_info_checker.
-func propertyContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "property_info_checker"}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-// hwservice_contexts_test tests given hwservice_contexts files with checkfc.
-func hwserviceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-l" /* hwbinder services */}}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-// service_contexts_test tests given service_contexts files with checkfc.
-func serviceContextsTestFactory() android.Module {
- // checkfc -s: service_contexts test
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-s" /* binder services */}}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-// vndservice_contexts_test tests given vndservice_contexts files with checkfc.
-func vndServiceContextsTestFactory() android.Module {
- m := &contextsTestModule{tool: "checkfc", flags: []string{"-e" /* allow empty */, "-v" /* vnd service */}}
- m.AddProperties(&m.properties)
- android.InitAndroidArchModule(m, android.DeviceSupported, android.MultilibCommon)
- return m
-}
-
-func (m *contextsTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- tool := m.tool
- if tool != "checkfc" && tool != "property_info_checker" {
- panic(fmt.Errorf("%q: unknown tool name: %q", ctx.ModuleName(), tool))
- }
-
- if len(m.properties.Srcs) == 0 {
- ctx.PropertyErrorf("srcs", "can't be empty")
- return
- }
-
- if proptools.String(m.properties.Sepolicy) == "" {
- ctx.PropertyErrorf("sepolicy", "can't be empty")
- return
- }
-
- srcs := android.PathsForModuleSrc(ctx, m.properties.Srcs)
- sepolicy := android.PathForModuleSrc(ctx, proptools.String(m.properties.Sepolicy))
-
- rule := android.NewRuleBuilder(pctx, ctx)
- rule.Command().BuiltTool(tool).
- Flags(m.flags).
- Input(sepolicy).
- Inputs(srcs)
-
- m.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
- rule.Command().Text("touch").Output(m.testTimestamp)
- rule.Build("contexts_test", "running contexts test: "+ctx.ModuleName())
-}
-
-func (m *contextsTestModule) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "FAKE",
- // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
- // Without OutputFile this module won't be exported to Makefile.
- OutputFile: android.OptionalPathForPath(m.testTimestamp),
- Include: "$(BUILD_PHONY_PACKAGE)",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", m.testTimestamp.String())
- },
- },
- }}
-}
-
-// contextsTestModule implements ImageInterface to be able to include recovery_available contexts
-// modules as its sources.
-func (m *contextsTestModule) ImageMutatorBegin(ctx android.BaseModuleContext) {
-}
-
-func (m *contextsTestModule) CoreVariantNeeded(ctx android.BaseModuleContext) bool {
- return true
-}
-
-func (m *contextsTestModule) RamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *contextsTestModule) VendorRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *contextsTestModule) DebugRamdiskVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *contextsTestModule) RecoveryVariantNeeded(ctx android.BaseModuleContext) bool {
- return false
-}
-
-func (m *contextsTestModule) ExtraImageVariations(ctx android.BaseModuleContext) []string {
- return nil
-}
-
-func (m *contextsTestModule) SetImageVariation(ctx android.BaseModuleContext, variation string, module android.Module) {
-}
-
-var _ android.ImageInterface = (*contextsTestModule)(nil)
diff --git a/build/soong/sepolicy_freeze.go b/build/soong/sepolicy_freeze.go
deleted file mode 100644
index c5513d0..0000000
--- a/build/soong/sepolicy_freeze.go
+++ /dev/null
@@ -1,121 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "path/filepath"
- "sort"
-
- "android/soong/android"
-)
-
-func init() {
- ctx := android.InitRegistrationContext
- ctx.RegisterSingletonModuleType("se_freeze_test", freezeTestFactory)
-}
-
-// se_freeze_test compares the plat sepolicy with the prebuilt sepolicy. Additional directories can
-// be specified via Makefile variables: SEPOLICY_FREEZE_TEST_EXTRA_DIRS and
-// SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS.
-func freezeTestFactory() android.SingletonModule {
- f := &freezeTestModule{}
- android.InitAndroidModule(f)
- return f
-}
-
-type freezeTestModule struct {
- android.SingletonModuleBase
- freezeTestTimestamp android.ModuleOutPath
-}
-
-func (f *freezeTestModule) GenerateSingletonBuildActions(ctx android.SingletonContext) {
- // does nothing; se_freeze_test is a singeton because two freeze test modules don't make sense.
-}
-
-func (f *freezeTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- platformVersion := ctx.DeviceConfig().PlatformSepolicyVersion()
- totVersion := ctx.DeviceConfig().TotSepolicyVersion()
-
- extraDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraDirs()
- extraPrebuiltDirs := ctx.DeviceConfig().SepolicyFreezeTestExtraPrebuiltDirs()
- f.freezeTestTimestamp = android.PathForModuleOut(ctx, "freeze_test")
-
- if platformVersion == totVersion {
- if len(extraDirs) > 0 || len(extraPrebuiltDirs) > 0 {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS or SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS cannot be set before system/sepolicy freezes.")
- return
- }
-
- // we still build a rule to prevent possible regression
- android.WriteFileRule(ctx, f.freezeTestTimestamp, ";; no freeze tests needed before system/sepolicy freezes")
- return
- }
-
- if len(extraDirs) != len(extraPrebuiltDirs) {
- ctx.ModuleErrorf("SEPOLICY_FREEZE_TEST_EXTRA_DIRS and SEPOLICY_FREEZE_TEST_EXTRA_PREBUILT_DIRS must have the same number of directories.")
- return
- }
-
- platPublic := filepath.Join(ctx.ModuleDir(), "public")
- platPrivate := filepath.Join(ctx.ModuleDir(), "private")
- prebuiltPublic := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "public")
- prebuiltPrivate := filepath.Join(ctx.ModuleDir(), "prebuilts", "api", platformVersion, "private")
-
- sourceDirs := append(extraDirs, platPublic, platPrivate)
- prebuiltDirs := append(extraPrebuiltDirs, prebuiltPublic, prebuiltPrivate)
-
- var implicits []string
- for _, dir := range append(sourceDirs, prebuiltDirs...) {
- glob, err := ctx.GlobWithDeps(dir+"/**/*", []string{"bug_map"} /* exclude */)
- if err != nil {
- ctx.ModuleErrorf("failed to glob sepolicy dir %q: %s", dir, err.Error())
- return
- }
- implicits = append(implicits, glob...)
- }
- sort.Strings(implicits)
-
- rule := android.NewRuleBuilder(pctx, ctx)
-
- for idx, _ := range sourceDirs {
- rule.Command().Text("diff").
- Flag("-r").
- Flag("-q").
- FlagWithArg("-x ", "bug_map"). // exclude
- Text(sourceDirs[idx]).
- Text(prebuiltDirs[idx])
- }
-
- rule.Command().Text("touch").
- Output(f.freezeTestTimestamp).
- Implicits(android.PathsForSource(ctx, implicits))
-
- rule.Build("sepolicy_freeze_test", "sepolicy_freeze_test")
-}
-
-func (f *freezeTestModule) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- Class: "FAKE",
- // OutputFile is needed, even though BUILD_PHONY_PACKAGE doesn't use it.
- // Without OutputFile this module won't be exported to Makefile.
- OutputFile: android.OptionalPathForPath(f.freezeTestTimestamp),
- Include: "$(BUILD_PHONY_PACKAGE)",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetString("LOCAL_ADDITIONAL_DEPENDENCIES", f.freezeTestTimestamp.String())
- },
- },
- }}
-}
diff --git a/build/soong/sepolicy_neverallow.go b/build/soong/sepolicy_neverallow.go
deleted file mode 100644
index 98dd3cf..0000000
--- a/build/soong/sepolicy_neverallow.go
+++ /dev/null
@@ -1,188 +0,0 @@
-// Copyright 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package selinux
-
-import (
- "github.com/google/blueprint/proptools"
-
- "fmt"
- "strconv"
-
- "android/soong/android"
-)
-
-func init() {
- ctx := android.InitRegistrationContext
- ctx.RegisterModuleType("se_neverallow_test", neverallowTestFactory)
-}
-
-type neverallowTestProperties struct {
- // Policy files to be tested.
- Srcs []string `android:"path"`
-}
-
-type neverallowTestModule struct {
- android.ModuleBase
- properties neverallowTestProperties
- testTimestamp android.ModuleOutPath
-}
-
-type nameProperties struct {
- Name *string
-}
-
-var checkpolicyTag = dependencyTag{name: "checkpolicy"}
-var sepolicyAnalyzeTag = dependencyTag{name: "sepolicy_analyze"}
-
-// se_neverallow_test builds given policy files and checks whether any neverallow violations exist.
-// This module creates two conf files, one with build test and one without build test. Policy with
-// build test will be compiled with checkpolicy, and policy without build test will be tested with
-// sepolicy-analyze's neverallow tool. This module's check can be skipped by setting
-// SELINUX_IGNORE_NEVERALLOWS := true.
-func neverallowTestFactory() android.Module {
- n := &neverallowTestModule{}
- n.AddProperties(&n.properties)
- android.InitAndroidModule(n)
- android.AddLoadHook(n, func(ctx android.LoadHookContext) {
- n.loadHook(ctx)
- })
- return n
-}
-
-// Child conf module name for checkpolicy test.
-func (n *neverallowTestModule) checkpolicyConfModuleName() string {
- return n.Name() + ".checkpolicy.conf"
-}
-
-// Child conf module name for sepolicy-analyze test.
-func (n *neverallowTestModule) sepolicyAnalyzeConfModuleName() string {
- return n.Name() + ".sepolicy_analyze.conf"
-}
-
-func (n *neverallowTestModule) loadHook(ctx android.LoadHookContext) {
- checkpolicyConf := n.checkpolicyConfModuleName()
- ctx.CreateModule(policyConfFactory, &nameProperties{
- Name: proptools.StringPtr(checkpolicyConf),
- }, &policyConfProperties{
- Srcs: n.properties.Srcs,
- Build_variant: proptools.StringPtr("user"),
- Installable: proptools.BoolPtr(false),
- })
-
- sepolicyAnalyzeConf := n.sepolicyAnalyzeConfModuleName()
- ctx.CreateModule(policyConfFactory, &nameProperties{
- Name: proptools.StringPtr(sepolicyAnalyzeConf),
- }, &policyConfProperties{
- Srcs: n.properties.Srcs,
- Build_variant: proptools.StringPtr("user"),
- Exclude_build_test: proptools.BoolPtr(true),
- Installable: proptools.BoolPtr(false),
- })
-}
-
-func (n *neverallowTestModule) DepsMutator(ctx android.BottomUpMutatorContext) {
- ctx.AddDependency(n, checkpolicyTag, n.checkpolicyConfModuleName())
- ctx.AddDependency(n, sepolicyAnalyzeTag, n.sepolicyAnalyzeConfModuleName())
-}
-
-func (n *neverallowTestModule) GenerateAndroidBuildActions(ctx android.ModuleContext) {
- n.testTimestamp = android.PathForModuleOut(ctx, "timestamp")
- if ctx.Config().SelinuxIgnoreNeverallows() {
- // just touch
- android.WriteFileRule(ctx, n.testTimestamp, "")
- return
- }
-
- var checkpolicyConfPaths android.Paths
- var sepolicyAnalyzeConfPaths android.Paths
-
- ctx.VisitDirectDeps(func(child android.Module) {
- depTag := ctx.OtherModuleDependencyTag(child)
- if depTag != checkpolicyTag && depTag != sepolicyAnalyzeTag {
- return
- }
-
- o, ok := child.(android.OutputFileProducer)
- if !ok {
- panic(fmt.Errorf("Module %q isn't an OutputFileProducer", ctx.OtherModuleName(child)))
- }
-
- outputs, err := o.OutputFiles("")
- if err != nil {
- panic(fmt.Errorf("Module %q error while producing output: %v", ctx.OtherModuleName(child), err))
- }
-
- switch ctx.OtherModuleDependencyTag(child) {
- case checkpolicyTag:
- checkpolicyConfPaths = outputs
- case sepolicyAnalyzeTag:
- sepolicyAnalyzeConfPaths = outputs
- }
- })
-
- if len(checkpolicyConfPaths) != 1 {
- panic(fmt.Errorf("Module %q should produce exactly one output", n.checkpolicyConfModuleName()))
- }
-
- if len(sepolicyAnalyzeConfPaths) != 1 {
- panic(fmt.Errorf("Module %q should produce exactly one output", n.sepolicyAnalyzeConfModuleName()))
- }
-
- checkpolicyConfPath := checkpolicyConfPaths[0]
- sepolicyAnalyzeConfPath := sepolicyAnalyzeConfPaths[0]
-
- rule := android.NewRuleBuilder(pctx, ctx)
-
- // Step 1. Build a binary policy from the conf file including build test
- binaryPolicy := android.PathForModuleOut(ctx, "policy")
- rule.Command().BuiltTool("checkpolicy").
- Flag("-M").
- FlagWithArg("-c ", strconv.Itoa(PolicyVers)).
- FlagWithOutput("-o ", binaryPolicy).
- Input(checkpolicyConfPath)
- rule.Build("neverallow_checkpolicy", "Neverallow check: "+ctx.ModuleName())
-
- // Step 2. Run sepolicy-analyze with the conf file without the build test and binary policy
- // file from Step 1
- rule = android.NewRuleBuilder(pctx, ctx)
- msg := `sepolicy-analyze failed. This is most likely due to the use\n` +
- `of an expanded attribute in a neverallow assertion. Please fix\n` +
- `the policy.`
-
- rule.Command().BuiltTool("sepolicy-analyze").
- Input(binaryPolicy).
- Text("neverallow").
- Flag("-w").
- FlagWithInput("-f ", sepolicyAnalyzeConfPath).
- Text("|| (echo").
- Flag("-e").
- Text(`"` + msg + `"`).
- Text("; exit 1)")
-
- rule.Command().Text("touch").Output(n.testTimestamp)
- rule.Build("neverallow_sepolicy-analyze", "Neverallow check: "+ctx.ModuleName())
-}
-
-func (n *neverallowTestModule) AndroidMkEntries() []android.AndroidMkEntries {
- return []android.AndroidMkEntries{android.AndroidMkEntries{
- OutputFile: android.OptionalPathForPath(n.testTimestamp),
- Class: "ETC",
- ExtraEntries: []android.AndroidMkExtraEntriesFunc{
- func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", true)
- },
- },
- }}
-}
diff --git a/build/soong/sepolicy_vers.go b/build/soong/sepolicy_vers.go
index ca40173..0d938e7 100644
--- a/build/soong/sepolicy_vers.go
+++ b/build/soong/sepolicy_vers.go
@@ -82,13 +82,13 @@
rule.Command().Text("echo").Text(ver).Text(">").Output(out)
rule.Build("sepolicy_vers", v.Name())
- if !v.installable() {
- v.SkipInstall()
- }
-
v.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
v.installSource = out
ctx.InstallFile(v.installPath, v.stem(), v.installSource)
+
+ if !v.installable() {
+ v.SkipInstall()
+ }
}
func (v *sepolicyVers) AndroidMkEntries() []android.AndroidMkEntries {
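Review bot: The reordering that puts `v.SkipInstall()` after `ctx.InstallFile(...)` is not self-explanatory, and in at least some Soong versions InstallFile consults the skip flag when deciding whether to emit install rules, so the new order may leave an `installable: false` module with install actions generated and only the Make-side uninstallable flag set. If this order is what the Soong on this branch requires, a comment would stop the next reader from swapping it back, e.g. `// SkipInstall must follow InstallFile on this branch so the install path and source are still recorded for AndroidMk; verify against Soong's InstallFile before reordering.` The same move is made in versioned_policy.go, so whichever rationale applies should be stated in both places. The enclosing GenerateAndroidBuildActions starts outside the hunk.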
@@ -97,7 +97,7 @@
OutputFile: android.OptionalPathForPath(v.installSource),
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
- entries.SetPath("LOCAL_MODULE_PATH", v.installPath)
+ entries.SetPath("LOCAL_MODULE_PATH", v.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", v.stem())
},
},
diff --git a/build/soong/versioned_policy.go b/build/soong/versioned_policy.go
index c316d2a..f25cd59 100644
--- a/build/soong/versioned_policy.go
+++ b/build/soong/versioned_policy.go
@@ -35,8 +35,8 @@
// Output file name. Defaults to {name} if target_policy is set, {version}.cil if mapping is set
Stem *string
- // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R), "current"
- // (PLATFORM_SEPOLICY_VERSION), or "vendor" (BOARD_SEPOLICY_VERS). Defaults to "current"
+ // Target sepolicy version. Can be a specific version number (e.g. "30.0" for R) or "current"
+ // (PLATFORM_SEPOLICY_VERSION). Defaults to "current"
Version *string
// If true, generate mapping file from given base cil file. Cannot be set with target_policy.
@@ -90,8 +90,6 @@
version := proptools.StringDefault(m.properties.Version, "current")
if version == "current" {
version = ctx.DeviceConfig().PlatformSepolicyVersion()
- } else if version == "vendor" {
- version = ctx.DeviceConfig().BoardSepolicyVers()
}
var stem string
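Review bot: With the `version == "vendor"` branch removed, any string other than "current" now flows straight through as the version, so a module still declaring `version: "vendor"` (or a typo such as "3O.0") would silently produce a mapping for a nonexistent version instead of failing at build time. Since the updated property comment restricts the value to a version number or "current", the code should enforce that, e.g. `} else if !looksLikeSepolicyVersion(version) { ctx.PropertyErrorf("version", "must be a version number like \"30.0\" or \"current\", got %q", version) }`, reusing whatever version-format check this file or its neighbours already have rather than adding a new regexp import. The enclosing function starts before this hunk, so it is possible a later check already rejects such values; if so, a one-line comment here pointing to it would suffice.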
@@ -153,16 +151,16 @@
rule.Build("mapping", "Versioning mapping file "+ctx.ModuleName())
- if !m.installable() {
- m.SkipInstall()
- }
-
m.installSource = out
m.installPath = android.PathForModuleInstall(ctx, "etc", "selinux")
if subdir := proptools.String(m.properties.Relative_install_path); subdir != "" {
m.installPath = m.installPath.Join(ctx, subdir)
}
ctx.InstallFile(m.installPath, m.installSource.Base(), m.installSource)
+
+ if !m.installable() {
+ m.SkipInstall()
+ }
}
func (m *versionedPolicy) AndroidMkEntries() []android.AndroidMkEntries {
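Review bot: Calling `m.SkipInstall()` only after `ctx.InstallFile(...)` reverses the previous order without explaining why, and whether InstallFile honours a skip flag set afterwards depends on the Soong version in this branch, so the uninstallable variant may now still get install rules. A comment on the moved `if !m.installable()` line stating the intended effect, e.g. `// Record installPath/installSource for AndroidMk first; SkipInstall afterwards keeps the module out of the image on this Soong.`, would make the dependency on Soong behaviour explicit and hedged for the next maintainer. The function begins outside the hunk.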
@@ -172,7 +170,7 @@
ExtraEntries: []android.AndroidMkExtraEntriesFunc{
func(ctx android.AndroidMkExtraEntriesContext, entries *android.AndroidMkEntries) {
entries.SetBool("LOCAL_UNINSTALLABLE_MODULE", !m.installable())
- entries.SetPath("LOCAL_MODULE_PATH", m.installPath)
+ entries.SetPath("LOCAL_MODULE_PATH", m.installPath.ToMakePath())
entries.SetString("LOCAL_INSTALLED_MODULE_STEM", m.installSource.Base())
},
},
diff --git a/com.android.sepolicy/33/Android.bp b/com.android.sepolicy/33/Android.bp
deleted file mode 100644
index f3387ac..0000000
--- a/com.android.sepolicy/33/Android.bp
+++ /dev/null
@@ -1,56 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule {
- name: "apex_file_contexts-33.gen",
- defaults: ["sepolicy_file_contexts_gen_default"],
- srcs: ["file_contexts"],
- out: ["apex_file_contexts-33"],
-}
-
-prebuilt_etc {
- name: "apex_file_contexts-33",
- filename: "apex_file_contexts",
- src: ":apex_file_contexts-33.gen",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_property_contexts-33",
- filename: "apex_property_contexts",
- src: "property_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_service_contexts-33",
- filename: "apex_service_contexts",
- src: "service_contexts",
- installable: false,
-}
-
-prebuilt_etc {
- name: "apex_seapp_contexts-33",
- filename: "apex_seapp_contexts",
- src: "seapp_contexts",
- installable: false,
-}
diff --git a/com.android.sepolicy/33/file_contexts b/com.android.sepolicy/33/file_contexts
deleted file mode 100644
index 14f99f9..0000000
--- a/com.android.sepolicy/33/file_contexts
+++ /dev/null
@@ -1 +0,0 @@
-/dev/selinux/apex_test u:object_r:sepolicy_test_file:s0
diff --git a/com.android.sepolicy/33/property_contexts b/com.android.sepolicy/33/property_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/property_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/seapp_contexts b/com.android.sepolicy/33/seapp_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/seapp_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/service_contexts b/com.android.sepolicy/33/service_contexts
deleted file mode 100644
index e69de29..0000000
--- a/com.android.sepolicy/33/service_contexts
+++ /dev/null
diff --git a/com.android.sepolicy/33/shell.te b/com.android.sepolicy/33/shell.te
deleted file mode 100644
index 757328e..0000000
--- a/com.android.sepolicy/33/shell.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow shell sepolicy_test_file:file r_file_perms;
-
diff --git a/com.android.sepolicy/Android.bp b/com.android.sepolicy/Android.bp
deleted file mode 100644
index 1e042f3..0000000
--- a/com.android.sepolicy/Android.bp
+++ /dev/null
@@ -1,28 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-genrule_defaults {
- name: "sepolicy_file_contexts_gen_default",
- tools: ["fc_sort"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
diff --git a/compat.mk b/compat.mk
new file mode 100644
index 0000000..4aed864
--- /dev/null
+++ b/compat.mk
@@ -0,0 +1,56 @@
+version := $(version_under_treble_tests)
+
+include $(CLEAR_VARS)
+#################################
+# build this target to ensure the compat permissions files all build against the current policy
+#
+LOCAL_MODULE := $(version)_compat_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_REQUIRED_MODULES := $(version).compat.cil
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+all_cil_files := \
+ $(built_plat_cil) \
+ $(built_plat_mapping_cil) \
+ $(built_pub_vers_cil) \
+ $(ALL_MODULES.$(version).compat.cil.BUILT) \
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY
+all_cil_files += $(built_system_ext_cil)
+endif
+
+ifdef HAS_SYSTEM_EXT_PUBLIC_SEPOLICY
+all_cil_files += $(built_system_ext_mapping_cil)
+endif
+
+ifdef HAS_PRODUCT_SEPOLICY
+all_cil_files += $(built_product_cil)
+endif
+
+ifdef HAS_PRODUCT_PUBLIC_SEPOLICY
+all_cil_files += $(built_product_mapping_cil)
+endif
+
+ifneq ($(mixed_sepolicy_build),true)
+
+all_cil_files += $(built_vendor_cil)
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+all_cil_files += $(built_odm_cil)
+endif
+
+endif # ifneq ($(mixed_sepolicy_build),true)
+
+$(LOCAL_BUILT_MODULE): PRIVATE_CIL_FILES := $(all_cil_files)
+$(LOCAL_BUILT_MODULE): $(HOST_OUT_EXECUTABLES)/secilc $(HOST_OUT_EXECUTABLES)/sepolicy-analyze $(all_cil_files)
+ @mkdir -p $(dir $@)
+ $(hide) $< -m -N -M true -G -c $(POLICYVERS) $(PRIVATE_CIL_FILES) -o $@ -f /dev/null
+
+all_cil_files :=
+version :=
+version_under_treble_tests :=
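Review bot: The secilc invocation passes `-N`, which disables neverallow checking, so despite the header comment this target only proves the compat files compile against current policy and says nothing about neverallow violations; that caveat belongs in the comment, e.g. `# -N: neverallow rules are intentionally not checked here; this target only verifies that the compat files compile against current policy.` The prerequisite list also names `$(HOST_OUT_EXECUTABLES)/sepolicy-analyze` although the recipe never runs it, so either drop that dependency or add the analysis step the dependency implies. Relying on the caller to set `version_under_treble_tests` before including this file is fine, but a guard such as `$(if $(version),,$(error version_under_treble_tests must be set))` would turn a silent empty-version module into a build error.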
diff --git a/compat/Android.bp b/compat/Android.bp
deleted file mode 100644
index bc8409a..0000000
--- a/compat/Android.bp
+++ /dev/null
@@ -1,275 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// This file contains module definitions for compatibility files.
-
-package {
- // See: http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // all of the 'license_kinds' from "system_sepolicy_license"
- // to get the below license kinds:
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-se_cil_compat_map {
- name: "plat_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "plat_29.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "plat_30.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "plat_31.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "plat_32.0.cil",
-}
-
-se_cil_compat_map {
- name: "plat_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "plat_33.0.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "system_ext_29.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "system_ext_30.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "system_ext_31.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "system_ext_32.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "system_ext_33.0.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_28.0.cil",
- stem: "28.0.cil",
- bottom_half: [":28.0.board.compat.map"],
- top_half: "product_29.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_29.0.cil",
- stem: "29.0.cil",
- bottom_half: [":29.0.board.compat.map"],
- top_half: "product_30.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.cil",
- stem: "30.0.cil",
- bottom_half: [":30.0.board.compat.map"],
- top_half: "product_31.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.cil",
- stem: "31.0.cil",
- bottom_half: [":31.0.board.compat.map"],
- top_half: "product_32.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_32.0.cil",
- stem: "32.0.cil",
- bottom_half: [":32.0.board.compat.map"],
- // top_half: "product_33.0.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "28.0.ignore.cil",
- bottom_half: [":28.0.board.ignore.map"],
- top_half: "29.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "29.0.ignore.cil",
- bottom_half: [":29.0.board.ignore.map"],
- top_half: "30.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "31.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "32.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "33.0.ignore.cil",
-}
-
-se_cil_compat_map {
- name: "system_ext_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "system_ext_31.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "system_ext_32.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "system_ext_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "system_ext_33.0.ignore.cil",
- system_ext_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_30.0.ignore.cil",
- bottom_half: [":30.0.board.ignore.map"],
- top_half: "product_31.0.ignore.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_31.0.ignore.cil",
- bottom_half: [":31.0.board.ignore.map"],
- top_half: "product_32.0.ignore.cil",
- product_specific: true,
-}
-
-se_cil_compat_map {
- name: "product_32.0.ignore.cil",
- bottom_half: [":32.0.board.ignore.map"],
- // top_half: "product_33.0.ignore.cil",
- product_specific: true,
-}
-
-se_compat_cil {
- name: "28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
-}
-
-se_compat_cil {
- name: "system_ext_28.0.compat.cil",
- srcs: [":28.0.board.compat.cil"],
- stem: "28.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_29.0.compat.cil",
- srcs: [":29.0.board.compat.cil"],
- stem: "29.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_30.0.compat.cil",
- srcs: [":30.0.board.compat.cil"],
- stem: "30.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_31.0.compat.cil",
- srcs: [":31.0.board.compat.cil"],
- stem: "31.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_cil {
- name: "system_ext_32.0.compat.cil",
- srcs: [":32.0.board.compat.cil"],
- stem: "32.0.compat.cil",
- system_ext_specific: true,
-}
-
-se_compat_test {
- name: "sepolicy_compat_test",
-}
diff --git a/contexts/Android.bp b/contexts/Android.bp
deleted file mode 100644
index 2a5a058..0000000
--- a/contexts/Android.bp
+++ /dev/null
@@ -1,477 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-// This file contains module definitions for various contexts files.
-
-package {
- // See: http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // all of the 'license_kinds' from "system_sepolicy_license"
- // to get the below license kinds:
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-file_contexts {
- name: "plat_file_contexts",
- srcs: [":file_contexts_files{.plat_private}"],
- product_variables: {
- address_sanitize: {
- srcs: [":file_contexts_asan_files{.plat_private}"],
- },
- debuggable: {
- srcs: [":file_contexts_overlayfs_files{.plat_private}"],
- },
- },
-
- flatten_apex: {
- srcs: [":apex_file_contexts_files"],
- },
-}
-
-file_contexts {
- name: "plat_file_contexts.recovery",
- srcs: [":file_contexts_files{.plat_private}"],
- stem: "plat_file_contexts",
- product_variables: {
- address_sanitize: {
- srcs: [":file_contexts_asan_files{.plat_private}"],
- },
- debuggable: {
- srcs: [":file_contexts_overlayfs_files{.plat_private}"],
- },
- },
-
- flatten_apex: {
- srcs: [":apex_file_contexts_files"],
- },
-
- recovery: true,
-}
-
-file_contexts {
- name: "vendor_file_contexts",
- srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
- ":file_contexts_files{.vendor}",
- ],
- soc_specific: true,
-}
-
-file_contexts {
- name: "vendor_file_contexts.recovery",
- srcs: [
- ":file_contexts_files{.plat_vendor_for_vendor}",
- ":file_contexts_files{.vendor}",
- ],
- stem: "vendor_file_contexts",
- recovery: true,
-}
-
-file_contexts {
- name: "system_ext_file_contexts",
- srcs: [":file_contexts_files{.system_ext_private}"],
- system_ext_specific: true,
-}
-
-file_contexts {
- name: "system_ext_file_contexts.recovery",
- srcs: [":file_contexts_files{.system_ext_private}"],
- stem: "system_ext_file_contexts",
- recovery: true,
-}
-
-file_contexts {
- name: "product_file_contexts",
- srcs: [":file_contexts_files{.product_private}"],
- product_specific: true,
-}
-
-file_contexts {
- name: "product_file_contexts.recovery",
- srcs: [":file_contexts_files{.product_private}"],
- stem: "product_file_contexts",
- recovery: true,
-}
-
-file_contexts {
- name: "odm_file_contexts",
- srcs: [":file_contexts_files{.odm}"],
- device_specific: true,
-}
-
-file_contexts {
- name: "odm_file_contexts.recovery",
- srcs: [":file_contexts_files{.odm}"],
- stem: "odm_file_contexts",
- recovery: true,
-}
-
-hwservice_contexts {
- name: "plat_hwservice_contexts",
- srcs: [":hwservice_contexts_files{.plat_private}"],
-}
-
-hwservice_contexts {
- name: "system_ext_hwservice_contexts",
- srcs: [":hwservice_contexts_files{.system_ext_private}"],
- system_ext_specific: true,
-}
-
-hwservice_contexts {
- name: "product_hwservice_contexts",
- srcs: [":hwservice_contexts_files{.product_private}"],
- product_specific: true,
-}
-
-hwservice_contexts {
- name: "vendor_hwservice_contexts",
- srcs: [
- ":hwservice_contexts_files{.plat_vendor_for_vendor}",
- ":hwservice_contexts_files{.vendor}",
- ":hwservice_contexts_files{.reqd_mask_for_vendor}",
- ],
- soc_specific: true,
-}
-
-hwservice_contexts {
- name: "odm_hwservice_contexts",
- srcs: [":hwservice_contexts_files{.odm}"],
- device_specific: true,
-}
-
-property_contexts {
- name: "plat_property_contexts",
- srcs: [":property_contexts_files{.plat_private}"],
-}
-
-property_contexts {
- name: "plat_property_contexts.recovery",
- srcs: [":property_contexts_files{.plat_private}"],
- stem: "plat_property_contexts",
- recovery: true,
-}
-
-property_contexts {
- name: "system_ext_property_contexts",
- srcs: [":property_contexts_files{.system_ext_private}"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "product_property_contexts",
- srcs: [":property_contexts_files{.product_private}"],
- product_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "vendor_property_contexts",
- srcs: [
- ":property_contexts_files{.plat_vendor_for_vendor}",
- ":property_contexts_files{.vendor}",
- ":property_contexts_files{.reqd_mask_for_vendor}",
- ],
- soc_specific: true,
- recovery_available: true,
-}
-
-property_contexts {
- name: "odm_property_contexts",
- srcs: [":property_contexts_files{.odm}"],
- device_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "plat_service_contexts",
- srcs: [":service_contexts_files{.plat_private}"],
-}
-
-service_contexts {
- name: "plat_service_contexts.recovery",
- srcs: [":service_contexts_files{.plat_private}"],
- stem: "plat_service_contexts",
- recovery: true,
-}
-
-service_contexts {
- name: "system_ext_service_contexts",
- srcs: [":service_contexts_files{.system_ext_private}"],
- system_ext_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "product_service_contexts",
- srcs: [":service_contexts_files{.product_private}"],
- product_specific: true,
- recovery_available: true,
-}
-
-service_contexts {
- name: "vendor_service_contexts",
- srcs: [
- ":service_contexts_files{.plat_vendor_for_vendor}",
- ":service_contexts_files{.vendor}",
- ":service_contexts_files{.reqd_mask_for_vendor}",
- ],
- soc_specific: true,
- recovery_available: true,
-}
-
-keystore2_key_contexts {
- name: "plat_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files{.plat_private}"],
-}
-
-keystore2_key_contexts {
- name: "system_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files{.system_ext_private}"],
- system_ext_specific: true,
-}
-
-keystore2_key_contexts {
- name: "product_keystore2_key_contexts",
- srcs: [":keystore2_key_contexts_files{.product_private}"],
- product_specific: true,
-}
-
-keystore2_key_contexts {
- name: "vendor_keystore2_key_contexts",
- srcs: [
- ":keystore2_key_contexts_files{.plat_vendor_for_vendor}",
- ":keystore2_key_contexts_files{.vendor}",
- ":keystore2_key_contexts_files{.reqd_mask_for_vendor}",
- ],
- soc_specific: true,
-}
-
-seapp_contexts {
- name: "plat_seapp_contexts",
- srcs: [":seapp_contexts_files{.plat_private}"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-seapp_contexts {
- name: "system_ext_seapp_contexts",
- srcs: [":seapp_contexts_files{.system_ext_private}"],
- neverallow_files: [":seapp_contexts_files{.plat_private}"],
- system_ext_specific: true,
- sepolicy: ":precompiled_sepolicy",
-}
-
-seapp_contexts {
- name: "product_seapp_contexts",
- srcs: [":seapp_contexts_files{.product_private}"],
- neverallow_files: [
- ":seapp_contexts_files{.plat_private}",
- ":seapp_contexts_files{.system_ext_private}",
- ],
- product_specific: true,
- sepolicy: ":precompiled_sepolicy",
-}
-
-seapp_contexts {
- name: "vendor_seapp_contexts",
- srcs: [
- ":seapp_contexts_files{.plat_vendor_for_vendor}",
- ":seapp_contexts_files{.vendor}",
- ":seapp_contexts_files{.reqd_mask_for_vendor}",
- ],
- neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
- ],
- soc_specific: true,
- sepolicy: ":precompiled_sepolicy",
-}
-
-seapp_contexts {
- name: "odm_seapp_contexts",
- srcs: [
- ":seapp_contexts_files{.odm}",
- ],
- neverallow_files: [
- ":seapp_contexts_files{.plat_private_for_vendor}",
- ":seapp_contexts_files{.system_ext_private_for_vendor}",
- ":seapp_contexts_files{.product_private_for_vendor}",
- ],
- device_specific: true,
- sepolicy: ":precompiled_sepolicy",
-}
-
-vndservice_contexts {
- name: "vndservice_contexts",
- srcs: [
- ":vndservice_contexts_files{.plat_vendor_for_vendor}",
- ":vndservice_contexts_files{.vendor}",
- ":vndservice_contexts_files{.reqd_mask_for_vendor}",
- ],
- soc_specific: true,
-}
-
-// for CTS
-genrule {
- name: "plat_seapp_neverallows",
- srcs: [
- ":seapp_contexts_files{.plat_private}",
- ":seapp_contexts_files{.system_ext_private}",
- ":seapp_contexts_files{.product_private}",
- ],
- out: ["plat_seapp_neverallows"],
- cmd: "grep -ihe '^neverallow' $(in) > $(out) || true",
-}
-
-//////////////////////////////////
-// Run host-side test with contexts files and the sepolicy file
-file_contexts_test {
- name: "plat_file_contexts_test",
- srcs: [":plat_file_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-file_contexts_test {
- name: "system_ext_file_contexts_test",
- srcs: [":system_ext_file_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-file_contexts_test {
- name: "product_file_contexts_test",
- srcs: [":product_file_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-file_contexts_test {
- name: "vendor_file_contexts_test",
- srcs: [":vendor_file_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-file_contexts_test {
- name: "odm_file_contexts_test",
- srcs: [":odm_file_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-hwservice_contexts_test {
- name: "plat_hwservice_contexts_test",
- srcs: [":plat_hwservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-hwservice_contexts_test {
- name: "system_ext_hwservice_contexts_test",
- srcs: [":system_ext_hwservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-hwservice_contexts_test {
- name: "product_hwservice_contexts_test",
- srcs: [":product_hwservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-hwservice_contexts_test {
- name: "vendor_hwservice_contexts_test",
- srcs: [":vendor_hwservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-hwservice_contexts_test {
- name: "odm_hwservice_contexts_test",
- srcs: [":odm_hwservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-property_contexts_test {
- name: "plat_property_contexts_test",
- srcs: [":plat_property_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-property_contexts_test {
- name: "system_ext_property_contexts_test",
- srcs: [
- ":plat_property_contexts",
- ":system_ext_property_contexts",
- ],
- sepolicy: ":precompiled_sepolicy",
-}
-
-property_contexts_test {
- name: "product_property_contexts_test",
- srcs: [
- ":plat_property_contexts",
- ":system_ext_property_contexts",
- ":product_property_contexts",
- ],
- sepolicy: ":precompiled_sepolicy",
-}
-
-property_contexts_test {
- name: "vendor_property_contexts_test",
- srcs: [
- ":plat_property_contexts",
- ":system_ext_property_contexts",
- ":product_property_contexts",
- ":vendor_property_contexts",
- ],
- sepolicy: ":precompiled_sepolicy",
-}
-
-property_contexts_test {
- name: "odm_property_contexts_test",
- srcs: [
- ":plat_property_contexts",
- ":system_ext_property_contexts",
- ":product_property_contexts",
- ":vendor_property_contexts",
- ":odm_property_contexts",
- ],
- sepolicy: ":precompiled_sepolicy",
-}
-
-service_contexts_test {
- name: "plat_service_contexts_test",
- srcs: [":plat_service_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-service_contexts_test {
- name: "system_ext_service_contexts_test",
- srcs: [":system_ext_service_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-service_contexts_test {
- name: "product_service_contexts_test",
- srcs: [":product_service_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-service_contexts_test {
- name: "vendor_service_contexts_test",
- srcs: [":vendor_service_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
-
-vndservice_contexts_test {
- name: "vndservice_contexts_test",
- srcs: [":vndservice_contexts"],
- sepolicy: ":precompiled_sepolicy",
-}
diff --git a/contexts_tests.mk b/contexts_tests.mk
new file mode 100644
index 0000000..1189b83
--- /dev/null
+++ b/contexts_tests.mk
@@ -0,0 +1,337 @@
+# Copyright (C) 2019 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+include $(CLEAR_VARS)
+
+# TODO: move tests into Soong after refactoring sepolicy module (b/130693869)
+
+# Run host-side test with contexts files and the sepolicy file.
+# $(1): names of modules containing context files
+# $(2): path to the host tool
+# $(3): additional argument to be passed to the tool
+define run_contexts_test
+my_contexts := $(foreach m,$(1),$$(call intermediates-dir-for,ETC,$(m))/$(m))
+$$(LOCAL_BUILT_MODULE): PRIVATE_CONTEXTS := $$(my_contexts)
+$$(LOCAL_BUILT_MODULE): PRIVATE_SEPOLICY := $$(built_sepolicy)
+$$(LOCAL_BUILT_MODULE): $(2) $$(my_contexts) $$(built_sepolicy)
+ $$(hide) $$< $(3) $$(PRIVATE_SEPOLICY) $$(PRIVATE_CONTEXTS)
+ $$(hide) mkdir -p $$(dir $$@)
+ $$(hide) touch $$@
+my_contexts :=
+endef
+
+checkfc := $(HOST_OUT_EXECUTABLES)/checkfc
+property_info_checker := $(HOST_OUT_EXECUTABLES)/property_info_checker
+
+##################################
+LOCAL_MODULE := plat_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+$(eval $(call run_contexts_test, plat_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, system_ext_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, product_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, vendor_file_contexts, $(checkfc),))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_file_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, odm_file_contexts, $(checkfc),))
+
+##################################
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, plat_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, system_ext_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, product_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, vendor_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_hwservice_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, odm_hwservice_contexts, $(checkfc), -e -l))
+
+##################################
+
+pc_modules := plat_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+
+##################################
+
+ifdef HAS_SYSTEM_EXT_SEPOLICY_DIR
+
+pc_modules += system_ext_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+
+endif
+
+##################################
+
+pc_modules += vendor_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+
+##################################
+
+ifdef BOARD_ODM_SEPOLICY_DIRS
+
+pc_modules += odm_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := odm_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+
+endif
+
+##################################
+
+ifdef HAS_PRODUCT_SEPOLICY_DIR
+
+pc_modules += product_property_contexts
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_property_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, $(pc_modules), $(property_info_checker),))
+
+endif
+
+pc_modules :=
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := plat_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, plat_service_contexts, $(checkfc), -s))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := system_ext_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, system_ext_service_contexts, $(checkfc), -s))
+
+##################################
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := product_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, product_service_contexts, $(checkfc), -s))
+
+##################################
+# nonplat_service_contexts is only allowed on non-full-treble devices
+ifneq ($(PRODUCT_SEPOLICY_SPLIT),true)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := vendor_service_contexts_test
+LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_unencumbered
+LOCAL_LICENSE_CONDITIONS := notice unencumbered
+LOCAL_NOTICE_FILE := $(LOCAL_PATH)/NOTICE
+LOCAL_MODULE_CLASS := FAKE
+LOCAL_MODULE_TAGS := optional
+
+include $(BUILD_SYSTEM)/base_rules.mk
+
+$(eval $(call run_contexts_test, vendor_service_contexts, $(checkfc), -s))
+
+endif
+
+checkfc :=
+property_info_checker :=
+run_contexts_test :=
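Review bot: This file has no counterpart for the `vndservice_contexts_test` module the commit removes from Android.bp, so `vndservice_contexts` is no longer checked against `built_sepolicy` by a host test unless that check happens in the module rule itself elsewhere in Android.mk — worth confirming, since a mislabeled vndservice entry otherwise only surfaces at runtime as a denial or a default label. The gating is also inconsistent: `system_ext_file_contexts_test` and `odm_file_contexts_test` are unconditional while the matching `_property_contexts_test` modules sit behind `HAS_SYSTEM_EXT_SEPOLICY_DIR` / `BOARD_ODM_SEPOLICY_DIRS`, and `odm_property_contexts` is appended to `pc_modules` before `product_property_contexts`, so the odm+product combination is only validated when `HAS_PRODUCT_SEPOLICY_DIR` is set. The comment above the vendor service test still names the pre-Treble module; `# vendor_service_contexts is only allowed on non-full-treble devices` would match what the `ifneq` actually gates.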
diff --git a/mac_permissions.mk b/mac_permissions.mk
index dbdf144..566c82b 100644
--- a/mac_permissions.mk
+++ b/mac_permissions.mk
@@ -22,16 +22,16 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
# Should be synced with keys.conf.
-all_plat_keys := platform sdk_sandbox media networkstack shared testkey
+all_plat_keys := platform media networkstack shared testkey
all_plat_keys := $(all_plat_keys:%=$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))/%.x509.pem)
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_plat_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
+$(LOCAL_BUILT_MODULE): $(plat_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_plat_mac_perms_files) $(all_plat_keys)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
MAINLINE_SEPOLICY_DEV_CERTIFICATES="$(MAINLINE_SEPOLICY_DEV_CERTIFICATES)" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
all_plat_keys :=
all_plat_mac_perms_files :=
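Review bot: Dropping `sdk_sandbox` from `all_plat_keys` removes that certificate from the prerequisites of plat_mac_permissions.xml, but the comment on the line above says this list must stay in sync with keys.conf, and keys.conf is not in this diff. If keys.conf in this snapshot still references the sdk_sandbox key, the build will no longer rebuild the XML when that certificate changes (and if the cert file is absent insertkeys.py fails at build time), so confirm keys.conf and the mac_permissions.xml sources dropped it too — an app signed with that key would otherwise lose its seinfo mapping silently. The `insertkeys` → `insertkeys.py` rename is fine provided that is the name the host tool installs under in this branch.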
@@ -63,10 +63,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_system_ext_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
+$(LOCAL_BUILT_MODULE): $(system_ext_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_system_ext_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
system_ext_mac_perms_keys.tmp :=
all_system_ext_mac_perms_files :=
@@ -97,10 +97,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_product_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
+$(LOCAL_BUILT_MODULE): $(product_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_product_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
product_mac_perms_keys.tmp :=
all_product_mac_perms_files :=
@@ -119,8 +119,8 @@
include $(BUILD_SYSTEM)/base_rules.mk
-all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
-all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(BOARD_PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(BOARD_REQD_MASK_POLICY))
+all_vendor_mac_perms_keys := $(call build_policy, keys.conf, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
+all_vendor_mac_perms_files := $(call build_policy, mac_permissions.xml, $(PLAT_VENDOR_POLICY) $(BOARD_VENDOR_SEPOLICY_DIRS) $(REQD_MASK_POLICY))
# Build keys.conf
vendor_mac_perms_keys.tmp := $(intermediates)/vendor_keys.tmp
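Review bot: `PLAT_VENDOR_POLICY` and `REQD_MASK_POLICY` replace the `BOARD_`-prefixed variables, and make expands an undefined variable to the empty string, so if this snapshot's Android.mk does not define both before including mac_permissions.mk the `build_policy` calls quietly drop the keys.conf and mac_permissions.xml entries from those directories with no build error. A guard such as `$(if $(PLAT_VENDOR_POLICY),,$(error PLAT_VENDOR_POLICY is not set))` next to these two assignments would turn that into a hard failure; the definitions themselves are outside this diff, so this is inferred from the names only.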
@@ -131,11 +131,11 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_vendor_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
+$(LOCAL_BUILT_MODULE): $(vendor_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_vendor_mac_perms_files)
@mkdir -p $(dir $@)
$(hide) DEFAULT_SYSTEM_DEV_CERTIFICATE="$(dir $(DEFAULT_SYSTEM_DEV_CERTIFICATE))" \
- $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
vendor_mac_perms_keys.tmp :=
all_vendor_mac_perms_files :=
@@ -166,10 +166,10 @@
$(hide) $(M4) --fatal-warnings -s $(PRIVATE_ADDITIONAL_M4DEFS) $(PRIVATE_KEYS) > $@
$(LOCAL_BUILT_MODULE): PRIVATE_MAC_PERMS_FILES := $(all_odm_mac_perms_files)
-$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys \
+$(LOCAL_BUILT_MODULE): $(odm_mac_perms_keys.tmp) $(HOST_OUT_EXECUTABLES)/insertkeys.py \
$(all_odm_mac_perms_files)
@mkdir -p $(dir $@)
- $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
+ $(hide) $(HOST_OUT_EXECUTABLES)/insertkeys.py -t $(TARGET_BUILD_VARIANT) -c $(TOP) $< -o $@ $(PRIVATE_MAC_PERMS_FILES)
odm_mac_perms_keys.tmp :=
all_odm_mac_perms_files :=
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
deleted file mode 100644
index 0628a5b..0000000
--- a/microdroid/Android.bp
+++ /dev/null
@@ -1,295 +0,0 @@
-// Copyright (C) 2021 The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package {
- // http://go/android-license-faq
- // A large-scale-change added 'default_applicable_licenses' to import
- // the below license kinds from "system_sepolicy_license":
- // SPDX-license-identifier-Apache-2.0
- default_applicable_licenses: ["system_sepolicy_license"],
-}
-
-system_policy_files = [
- "system/private/security_classes",
- "system/private/initial_sids",
- "system/private/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "system/private/mls_macros",
- "system/private/mls_decl",
- "system/private/mls",
- "system/private/policy_capabilities",
- "system/public/te_macros",
- "system/public/attributes",
- "system/private/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "system/private/*.te",
- "system/private/roles_decl",
- "system/public/roles",
- "system/private/users",
- "system/private/initial_sid_contexts",
- "system/private/fs_use",
- "system/private/genfs_contexts",
- "system/private/port_contexts",
-]
-
-reqd_mask_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "reqd_mask/reqd_mask.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-system_public_policy_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "system/public/te_macros",
- "system/public/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "reqd_mask/reqd_mask.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "system/public/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-vendor_policy_files = [
- "reqd_mask/security_classes",
- "reqd_mask/initial_sids",
- "reqd_mask/access_vectors",
- "system/public/global_macros",
- "system/public/neverallow_macros",
- "reqd_mask/mls_macros",
- "reqd_mask/mls_decl",
- "reqd_mask/mls",
- "system/public/te_macros",
- "system/public/attributes",
- "system/public/ioctl_defines",
- "system/public/ioctl_macros",
- "system/public/*.te",
- "reqd_mask/reqd_mask.te",
- "vendor/*.te",
- "reqd_mask/roles_decl",
- "reqd_mask/roles",
- "system/public/roles",
- "reqd_mask/users",
- "reqd_mask/initial_sid_contexts",
-]
-
-se_policy_conf {
- name: "microdroid_reqd_policy_mask.conf",
- srcs: reqd_mask_files,
- installable: false,
- mls_cats: 1,
-}
-
-se_policy_cil {
- name: "microdroid_reqd_policy_mask.cil",
- src: ":microdroid_reqd_policy_mask.conf",
- secilc_check: false,
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_plat_sepolicy.conf",
- srcs: system_policy_files,
- installable: false,
- mls_cats: 1,
-}
-
-se_policy_cil {
- name: "microdroid_plat_sepolicy.cil",
- stem: "plat_sepolicy.cil",
- src: ":microdroid_plat_sepolicy.conf",
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_plat_pub_policy.conf",
- srcs: system_public_policy_files,
- installable: false,
- mls_cats: 1,
-}
-
-se_policy_cil {
- name: "microdroid_plat_pub_policy.cil",
- src: ":microdroid_plat_pub_policy.conf",
- filter_out: [":microdroid_reqd_policy_mask.cil"],
- secilc_check: false,
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_plat_mapping_file",
- base: ":microdroid_plat_pub_policy.cil",
- mapping: true,
- version: "current",
- relative_install_path: "mapping", // install to /system/etc/selinux/mapping
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_plat_pub_versioned.cil",
- stem: "plat_pub_versioned.cil",
- base: ":microdroid_plat_pub_policy.cil",
- target_policy: ":microdroid_plat_pub_policy.cil",
- version: "current",
- dependent_cils: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_mapping_file",
- ],
- installable: false,
-}
-
-se_policy_conf {
- name: "microdroid_vendor_sepolicy.conf",
- srcs: vendor_policy_files,
- installable: false,
- mls_cats: 1,
-}
-
-se_policy_cil {
- name: "microdroid_vendor_sepolicy.cil.raw",
- src: ":microdroid_vendor_sepolicy.conf",
- filter_out: [":microdroid_reqd_policy_mask.cil"],
- secilc_check: false, // will be done in se_versioned_policy module
- installable: false,
-}
-
-se_versioned_policy {
- name: "microdroid_vendor_sepolicy.cil",
- stem: "vendor_sepolicy.cil",
- base: ":microdroid_plat_pub_policy.cil",
- target_policy: ":microdroid_vendor_sepolicy.cil.raw",
- version: "current", // microdroid is bundled to system
- dependent_cils: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_pub_versioned.cil",
- ":microdroid_plat_mapping_file",
- ],
- filter_out: [":microdroid_plat_pub_versioned.cil"],
- installable: false,
-}
-
-sepolicy_vers {
- name: "microdroid_plat_sepolicy_vers.txt",
- version: "platform",
- stem: "plat_sepolicy_vers.txt",
- installable: false,
-}
-
-// sepolicy sha256 for vendor
-genrule {
- name: "microdroid_plat_sepolicy_and_mapping.sha256_gen",
- srcs: [":microdroid_plat_sepolicy.cil", ":microdroid_plat_mapping_file"],
- out: ["microdroid_plat_sepolicy_and_mapping.sha256"],
- cmd: "cat $(in) | sha256sum | cut -d' ' -f1 > $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_plat_sepolicy_and_mapping.sha256",
- src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
- filename: "plat_sepolicy_and_mapping.sha256",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- src: ":microdroid_plat_sepolicy_and_mapping.sha256_gen",
- filename: "precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
- relative_install_path: "selinux",
- installable: false,
-}
-
-se_policy_binary {
- name: "microdroid_precompiled_sepolicy",
- stem: "precompiled_sepolicy",
- srcs: [
- ":microdroid_plat_sepolicy.cil",
- ":microdroid_plat_mapping_file",
- ":microdroid_plat_pub_versioned.cil",
- ":microdroid_vendor_sepolicy.cil",
- ],
- installable: false,
-}
-
-genrule {
- name: "microdroid_file_contexts.gen",
- srcs: ["system/private/file_contexts"],
- tools: ["fc_sort"],
- out: ["file_contexts"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_file_contexts",
- filename: "plat_file_contexts",
- src: ":microdroid_file_contexts.gen",
- relative_install_path: "selinux",
- installable: false,
-}
-
-genrule {
- name: "microdroid_vendor_file_contexts.gen",
- srcs: ["vendor/file_contexts"],
- tools: ["fc_sort"],
- out: ["file_contexts"],
- cmd: "sed -e 's/#.*$$//' -e '/^$$/d' $(in) > $(out).tmp && " +
- "$(location fc_sort) -i $(out).tmp -o $(out)",
-}
-
-prebuilt_etc {
- name: "microdroid_property_contexts",
- filename: "plat_property_contexts",
- src: "system/private/property_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-prebuilt_etc {
- name: "microdroid_service_contexts",
- filename: "plat_service_contexts",
- src: "system/private/service_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
-// For CTS
-se_policy_conf {
- name: "microdroid_general_sepolicy.conf",
- srcs: system_policy_files,
- exclude_build_test: true,
- installable: false,
- mls_cats: 1,
-}
diff --git a/microdroid/TEST_MAPPING b/microdroid/TEST_MAPPING
deleted file mode 100644
index f6e1c4f..0000000
--- a/microdroid/TEST_MAPPING
+++ /dev/null
@@ -1,7 +0,0 @@
-{
- "imports": [
- {
- "path": "packages/modules/Virtualization"
- }
- ]
-}
diff --git a/microdroid/reqd_mask/access_vectors b/microdroid/reqd_mask/access_vectors
deleted file mode 100644
index 22f2ffa..0000000
--- a/microdroid/reqd_mask/access_vectors
+++ /dev/null
@@ -1,777 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/reqd_mask/initial_sid_contexts b/microdroid/reqd_mask/initial_sid_contexts
deleted file mode 100644
index aa465cd..0000000
--- a/microdroid/reqd_mask/initial_sid_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sid reqd_mask u:r:reqd_mask_type:s0
diff --git a/microdroid/reqd_mask/initial_sids b/microdroid/reqd_mask/initial_sids
deleted file mode 100644
index 366cfb1..0000000
--- a/microdroid/reqd_mask/initial_sids
+++ /dev/null
@@ -1,3 +0,0 @@
-sid reqd_mask
-
-# FLASK
diff --git a/microdroid/reqd_mask/keys.conf b/microdroid/reqd_mask/keys.conf
deleted file mode 100644
index ce7166b..0000000
--- a/microdroid/reqd_mask/keys.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-# empty keys.conf file - used to generate an empty nonplat_mac_permissions.xml
-# on devices without any keys.conf or mac_permissions additions.
diff --git a/microdroid/reqd_mask/mac_permissions.xml b/microdroid/reqd_mask/mac_permissions.xml
deleted file mode 100644
index ef9c6dd..0000000
--- a/microdroid/reqd_mask/mac_permissions.xml
+++ /dev/null
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-</policy>
diff --git a/microdroid/reqd_mask/mls b/microdroid/reqd_mask/mls
deleted file mode 100644
index d276924..0000000
--- a/microdroid/reqd_mask/mls
+++ /dev/null
@@ -1 +0,0 @@
-mlsconstrain binder { set_context_mgr } (l1 eq l2);
diff --git a/microdroid/reqd_mask/mls_decl b/microdroid/reqd_mask/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/microdroid/reqd_mask/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/reqd_mask/mls_macros b/microdroid/reqd_mask/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/microdroid/reqd_mask/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/reqd_mask/property_contexts b/microdroid/reqd_mask/property_contexts
deleted file mode 100644
index 8e0bdbb..0000000
--- a/microdroid/reqd_mask/property_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# empty property_contexts file - this file is used to generate an empty
-# non-platform property context for devices without any property_contexts
-# customizations.
diff --git a/microdroid/reqd_mask/reqd_mask.te b/microdroid/reqd_mask/reqd_mask.te
deleted file mode 100644
index f77eef4..0000000
--- a/microdroid/reqd_mask/reqd_mask.te
+++ /dev/null
@@ -1 +0,0 @@
-type reqd_mask_type;
diff --git a/microdroid/reqd_mask/roles b/microdroid/reqd_mask/roles
deleted file mode 100644
index 926cb7a..0000000
--- a/microdroid/reqd_mask/roles
+++ /dev/null
@@ -1 +0,0 @@
-role r types reqd_mask_type;
diff --git a/microdroid/reqd_mask/roles_decl b/microdroid/reqd_mask/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/microdroid/reqd_mask/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/microdroid/reqd_mask/seapp_contexts b/microdroid/reqd_mask/seapp_contexts
deleted file mode 100644
index 0f4e0ad..0000000
--- a/microdroid/reqd_mask/seapp_contexts
+++ /dev/null
@@ -1,2 +0,0 @@
-# empty seapp_contexts file - used to generate an empty seapp_contexts for
-# devices without any non-platform seapp_contexts customizations.
diff --git a/microdroid/reqd_mask/security_classes b/microdroid/reqd_mask/security_classes
deleted file mode 100644
index 200b030..0000000
--- a/microdroid/reqd_mask/security_classes
+++ /dev/null
@@ -1,167 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/reqd_mask/service_contexts b/microdroid/reqd_mask/service_contexts
deleted file mode 100644
index 481967b..0000000
--- a/microdroid/reqd_mask/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# empty service_contexts file - this file is used to generate an empty
-# non-platform service_context for devices without any service_contexts
-# customizations.
diff --git a/microdroid/reqd_mask/users b/microdroid/reqd_mask/users
deleted file mode 100644
index 51b7b57..0000000
--- a/microdroid/reqd_mask/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/system/private/access_vectors b/microdroid/system/private/access_vectors
deleted file mode 100644
index 477f78f..0000000
--- a/microdroid/system/private/access_vectors
+++ /dev/null
@@ -1,787 +0,0 @@
-#
-# Define common prefixes for access vectors
-#
-# common common_name { permission_name ... }
-
-
-#
-# Define a common prefix for file access vectors.
-#
-
-common file
-{
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
- unlink
- link
- rename
- execute
- quotaon
- mounton
- audit_access
- open
- execmod
- watch
- watch_mount
- watch_sb
- watch_with_perm
- watch_reads
-}
-
-
-#
-# Define a common prefix for socket access vectors.
-#
-
-common socket
-{
-# inherited from file
- ioctl
- read
- write
- create
- getattr
- setattr
- lock
- relabelfrom
- relabelto
- append
- map
-# socket-specific
- bind
- connect
- listen
- accept
- getopt
- setopt
- shutdown
- recvfrom
- sendto
- name_bind
-}
-
-#
-# Define a common prefix for ipc access vectors.
-#
-
-common ipc
-{
- create
- destroy
- getattr
- setattr
- read
- write
- associate
- unix_read
- unix_write
-}
-
-#
-# Define a common for capability access vectors.
-#
-common cap
-{
- # The capabilities are defined in include/linux/capability.h
- # Capabilities >= 32 are defined in the cap2 common.
- # Care should be taken to ensure that these are consistent with
- # those definitions. (Order matters)
-
- chown
- dac_override
- dac_read_search
- fowner
- fsetid
- kill
- setgid
- setuid
- setpcap
- linux_immutable
- net_bind_service
- net_broadcast
- net_admin
- net_raw
- ipc_lock
- ipc_owner
- sys_module
- sys_rawio
- sys_chroot
- sys_ptrace
- sys_pacct
- sys_admin
- sys_boot
- sys_nice
- sys_resource
- sys_time
- sys_tty_config
- mknod
- lease
- audit_write
- audit_control
- setfcap
-}
-
-common cap2
-{
- mac_override # unused by SELinux
- mac_admin
- syslog
- wake_alarm
- block_suspend
- audit_read
- perfmon
-}
-
-#
-# Define the access vectors.
-#
-# class class_name [ inherits common_name ] { permission_name ... }
-
-
-#
-# Define the access vector interpretation for file-related objects.
-#
-
-class filesystem
-{
- mount
- remount
- unmount
- getattr
- relabelfrom
- relabelto
- associate
- quotamod
- quotaget
- watch
-}
-
-class dir
-inherits file
-{
- add_name
- remove_name
- reparent
- search
- rmdir
-}
-
-class file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class anon_inode
-inherits file
-
-class lnk_file
-inherits file
-
-class chr_file
-inherits file
-{
- execute_no_trans
- entrypoint
-}
-
-class blk_file
-inherits file
-
-class sock_file
-inherits file
-
-class fifo_file
-inherits file
-
-class fd
-{
- use
-}
-
-
-#
-# Define the access vector interpretation for network-related objects.
-#
-
-class socket
-inherits socket
-
-class tcp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class udp_socket
-inherits socket
-{
- node_bind
-}
-
-class rawip_socket
-inherits socket
-{
- node_bind
-}
-
-class node
-{
- recvfrom
- sendto
-}
-
-class netif
-{
- ingress
- egress
-}
-
-class netlink_socket
-inherits socket
-
-class packet_socket
-inherits socket
-
-class key_socket
-inherits socket
-
-class unix_stream_socket
-inherits socket
-{
- connectto
-}
-
-class unix_dgram_socket
-inherits socket
-
-#
-# Define the access vector interpretation for process-related objects
-#
-
-class process
-{
- fork
- transition
- sigchld # commonly granted from child to parent
- sigkill # cannot be caught or ignored
- sigstop # cannot be caught or ignored
- signull # for kill(pid, 0)
- signal # all other signals
- ptrace
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- share
- getattr
- setexec
- setfscreate
- noatsecure
- siginh
- setrlimit
- rlimitinh
- dyntransition
- setcurrent
- execmem
- execstack
- execheap
- setkeycreate
- setsockcreate
- getrlimit
-}
-
-class process2
-{
- nnp_transition
- nosuid_transition
-}
-
-#
-# Define the access vector interpretation for ipc-related objects
-#
-
-class ipc
-inherits ipc
-
-class sem
-inherits ipc
-
-class msgq
-inherits ipc
-{
- enqueue
-}
-
-class msg
-{
- send
- receive
-}
-
-class shm
-inherits ipc
-{
- lock
-}
-
-
-#
-# Define the access vector interpretation for the security server.
-#
-
-class security
-{
- compute_av
- compute_create
- compute_member
- check_context
- load_policy
- compute_relabel
- compute_user
- setenforce # was avc_toggle in system class
- setbool
- setsecparam
- setcheckreqprot
- read_policy
- validate_trans
-}
-
-
-#
-# Define the access vector interpretation for system operations.
-#
-
-class system
-{
- ipc_info
- syslog_read
- syslog_mod
- syslog_console
- module_request
- module_load
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-#
-
-class capability
-inherits cap
-
-class capability2
-inherits cap2
-
-#
-# Extended Netlink classes
-#
-class netlink_route_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_readpriv
-}
-
-class netlink_tcpdiag_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_nflog_socket
-inherits socket
-
-class netlink_xfrm_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
-}
-
-class netlink_selinux_socket
-inherits socket
-
-class netlink_audit_socket
-inherits socket
-{
- nlmsg_read
- nlmsg_write
- nlmsg_relay
- nlmsg_readpriv
- nlmsg_tty_audit
-}
-
-class netlink_dnrt_socket
-inherits socket
-
-# Define the access vector interpretation for controlling
-# access to IPSec network data by association
-#
-class association
-{
- sendto
- recvfrom
- setcontext
- polmatch
-}
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-inherits socket
-
-class appletalk_socket
-inherits socket
-
-class packet
-{
- send
- recv
- relabelto
- forward_in
- forward_out
-}
-
-class key
-{
- view
- read
- write
- search
- link
- setattr
- create
-}
-
-class dccp_socket
-inherits socket
-{
- node_bind
- name_connect
-}
-
-class memprotect
-{
- mmap_zero
-}
-
-# network peer labels
-class peer
-{
- recv
-}
-
-class kernel_service
-{
- use_as_override
- create_files_as
-}
-
-class tun_socket
-inherits socket
-{
- attach_queue
-}
-
-class binder
-{
- impersonate
- call
- set_context_mgr
- transfer
-}
-
-class netlink_iscsi_socket
-inherits socket
-
-class netlink_fib_lookup_socket
-inherits socket
-
-class netlink_connector_socket
-inherits socket
-
-class netlink_netfilter_socket
-inherits socket
-
-class netlink_generic_socket
-inherits socket
-
-class netlink_scsitransport_socket
-inherits socket
-
-class netlink_rdma_socket
-inherits socket
-
-class netlink_crypto_socket
-inherits socket
-
-class infiniband_pkey
-{
- access
-}
-
-class infiniband_endport
-{
- manage_subnet
-}
-
-#
-# Define the access vector interpretation for controlling capabilities
-# in user namespaces
-#
-
-class cap_userns
-inherits cap
-
-class cap2_userns
-inherits cap2
-
-
-#
-# Define the access vector interpretation for the new socket classes
-# enabled by the extended_socket_class policy capability.
-#
-
-#
-# The next two classes were previously mapped to rawip_socket and therefore
-# have the same definition as rawip_socket (until further permissions
-# are defined).
-#
-class sctp_socket
-inherits socket
-{
- node_bind
- name_connect
- association
-}
-
-class icmp_socket
-inherits socket
-{
- node_bind
-}
-
-#
-# The remaining network socket classes were previously
-# mapped to the socket class and therefore have the
-# same definition as socket.
-#
-
-class ax25_socket
-inherits socket
-
-class ipx_socket
-inherits socket
-
-class netrom_socket
-inherits socket
-
-class atmpvc_socket
-inherits socket
-
-class x25_socket
-inherits socket
-
-class rose_socket
-inherits socket
-
-class decnet_socket
-inherits socket
-
-class atmsvc_socket
-inherits socket
-
-class rds_socket
-inherits socket
-
-class irda_socket
-inherits socket
-
-class pppox_socket
-inherits socket
-
-class llc_socket
-inherits socket
-
-class can_socket
-inherits socket
-
-class tipc_socket
-inherits socket
-
-class bluetooth_socket
-inherits socket
-
-class iucv_socket
-inherits socket
-
-class rxrpc_socket
-inherits socket
-
-class isdn_socket
-inherits socket
-
-class phonet_socket
-inherits socket
-
-class ieee802154_socket
-inherits socket
-
-class caif_socket
-inherits socket
-
-class alg_socket
-inherits socket
-
-class nfc_socket
-inherits socket
-
-class vsock_socket
-inherits socket
-
-class kcm_socket
-inherits socket
-
-class qipcrtr_socket
-inherits socket
-
-class smc_socket
-inherits socket
-
-class bpf
-{
- map_create
- map_read
- map_write
- prog_load
- prog_run
-}
-
-class property_service
-{
- set
-}
-
-class service_manager
-{
- add
- find
- list
-}
-
-class hwservice_manager
-{
- add
- find
- list
-}
-
-class keystore_key
-{
- get_state
- get
- insert
- delete
- exist
- list
- reset
- password
- lock
- unlock
- is_empty
- sign
- verify
- grant
- duplicate
- clear_uid
- add_auth
- user_changed
- gen_unique_id
-}
-
-class keystore2
-{
- add_auth
- change_password
- change_user
- clear_ns
- clear_uid
- early_boot_ended
- get_auth_token
- get_state
- list
- lock
- report_off_body
- reset
- unlock
-}
-
-class keystore2_key
-{
- convert_storage_key_to_ephemeral
- delete
- gen_unique_id
- get_info
- grant
- manage_blob
- rebind
- req_forced_op
- update
- use
- use_dev_id
-}
-
-class diced
-{
- demote
- demote_self
- derive
- get_attestation_chain
- use_seal
- use_sign
-}
-
-class drmservice {
- consumeRights
- setPlaybackStatus
- openDecryptSession
- closeDecryptSession
- initializeDecryptUnit
- decrypt
- finalizeDecryptUnit
- pread
-}
-
-class xdp_socket
-inherits socket
-
-class perf_event
-{
- open
- cpu
- kernel
- tracepoint
- read
- write
-}
-
-class lockdown
-{
- integrity
- confidentiality
-}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
deleted file mode 100644
index ed74ddd..0000000
--- a/microdroid/system/private/adbd.te
+++ /dev/null
@@ -1,57 +0,0 @@
-typeattribute adbd coredomain;
-
-init_daemon_domain(adbd)
-
-domain_auto_trans(adbd, shell_exec, shell)
-
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
-
-# Do not sanitize the environment or open fds of the shell. Allow signaling
-# created processes.
-allow adbd shell:process { noatsecure signal };
-
-# Set UID and GID to shell. Set supplementary groups.
-allow adbd self:global_capability_class_set { setuid setgid };
-
-# Drop capabilities from bounding set on user builds.
-allow adbd self:global_capability_class_set setpcap;
-
-# adbd probes for vsock support. Do not generate denials when
-# this occurs. (b/123569840)
-dontaudit adbd self:{ socket vsock_socket } create;
-
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
-allow adbd tmpfs:dir search;
-
-allow adbd rootfs:dir r_dir_perms;
-
-# Connect to shell and use a socket transferred from it.
-# Used for e.g. abb.
-allow adbd shell:unix_stream_socket { read write shutdown };
-allow adbd shell:fd use;
-
-set_prop(adbd, shell_prop)
-
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-
-# Allow pulling the SELinux policy for CTS purposes
-allow adbd selinuxfs:dir r_dir_perms;
-allow adbd selinuxfs:file r_file_perms;
-allow adbd kernel:security read_policy;
-
-# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
-# TODO(b/200902288): patch adb and remove this rule
-dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
deleted file mode 100644
index 275a455..0000000
--- a/microdroid/system/private/apexd.te
+++ /dev/null
@@ -1,102 +0,0 @@
-typeattribute apexd coredomain;
-
-init_daemon_domain(apexd)
-
-# allow apexd to create loop devices with /dev/loop-control
-allow apexd loop_control_device:chr_file rw_file_perms;
-# allow apexd to access loop devices
-allow apexd loop_device:blk_file rw_file_perms;
-allowxperm apexd loop_device:blk_file ioctl {
- LOOP_GET_STATUS64
- LOOP_SET_STATUS64
- LOOP_SET_FD
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_CLR_FD
- BLKFLSBUF
- LOOP_CONFIGURE
-};
-# Allow apexd to access /dev/block
-allow apexd dev_type:dir r_dir_perms;
-allow apexd dev_type:blk_file getattr;
-
-#allow apexd to access virtual disks
-allow apexd vd_device:blk_file r_file_perms;
-
-# allow apexd to access /dev/block/dm-* (device-mapper entries)
-allow apexd dm_device:chr_file rw_file_perms;
-allow apexd dm_device:blk_file rw_file_perms;
-
-# sys_admin is required to access the device-mapper and mount
-# dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
-
-# Note: fsetid is deliberately not included above. fsetid checks are
-# triggered by chmod on a directory or file owned by a group other
-# than one of the groups assigned to the current process to see if
-# the setgid bit should be cleared, regardless of whether the setgid
-# bit was even set. We do not appear to truly need this capability
-# for apexd to operate.
-dontaudit apexd self:global_capability_class_set fsetid;
-
-# allow apexd to create a mount point in /apex
-allow apexd apex_mnt_dir:dir create_dir_perms;
-# allow apexd to mount in /apex
-allow apexd apex_mnt_dir:filesystem { mount unmount };
-allow apexd apex_mnt_dir:dir mounton;
-# allow apexd to create symlinks in /apex
-allow apexd apex_mnt_dir:lnk_file create_file_perms;
-# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
-allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
-allow apexd apex_info_file:file relabelto;
-# apexd needs to update /apex/apex-info-list.xml after non-staged APEX update.
-allow apexd apex_info_file:file rw_file_perms;
-
-# Unmount and mount filesystems
-allow apexd labeledfs:filesystem { mount unmount };
-
-# /sys directory tree traversal
-allow apexd sysfs_type:dir search;
-# Access to /sys/class/block
-allow apexd sysfs_type:dir r_dir_perms;
-allow apexd sysfs_type:file r_file_perms;
-# Configure read-ahead of dm-verity and loop devices
-# for dm-X
-allow apexd sysfs_dm:dir r_dir_perms;
-allow apexd sysfs_dm:file rw_file_perms;
-# for loopX
-allow apexd sysfs_loop:dir r_dir_perms;
-allow apexd sysfs_loop:file rw_file_perms;
-
-# Allow apexd to log to the kernel.
-allow apexd kmsg_device:chr_file w_file_perms;
-
-# Apex pre- & post-install permission.
-
-# Allow self-execute for the fork mount helper.
-allow apexd apexd_exec:file execute_no_trans;
-
-# Unshare and make / private so that hooks cannot influence the
-# running system.
-allow apexd rootfs:dir mounton;
-
-# apexd is using bootstrap bionic
-use_bootstrap_libs(apexd)
-
-# Allow apexd to read file contexts when performing restorecon
-allow apexd file_contexts_file:file r_file_perms;
-
-#-------------------------------------------
-allow apexd kmsg_device:chr_file w_file_perms;
-
-# apexd can set apexd sysprop
-set_prop(apexd, apexd_prop)
-
-# Allow apexd to stop itself
-set_prop(apexd, ctl_apexd_prop)
-
-# apexd uses it to decide whether it needs to keep retrying polling for loop device.
-get_prop(apexd, cold_boot_done_prop)
-
-# apexd uses this to determine where there metadata partition is.
-get_prop(apexd, apexd_payload_metadata_prop)
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
deleted file mode 100644
index 0545744..0000000
--- a/microdroid/system/private/apkdmverity.te
+++ /dev/null
@@ -1,39 +0,0 @@
-# apkdmverity is a program that protects a signed APK file using dm-verity.
-
-type apkdmverity, domain, coredomain;
-type apkdmverity_exec, exec_type, file_type, system_file_type;
-
-# apkdmverity is using bootstrap bionic
-use_bootstrap_libs(apkdmverity)
-
-# apkdmverity accesses "payload metadata disk" which points to
-# a /dev/vd* block device file.
-allow apkdmverity block_device:dir r_dir_perms;
-allow apkdmverity block_device:lnk_file r_file_perms;
-allow apkdmverity vd_device:blk_file r_file_perms;
-
-# allow apkdmverity to create dm-verity devices
-allow apkdmverity dm_device:{chr_file blk_file} rw_file_perms;
-# sys_admin is required to access the device-mapper and mount
-allow apkdmverity self:global_capability_class_set sys_admin;
-
-# allow apkdmverity to create loop devices with /dev/loop-control
-allow apkdmverity loop_control_device:chr_file rw_file_perms;
-
-# allow apkdmverity to read the roothash passed from microdroid_manager
-get_prop(apkdmverity, microdroid_manager_roothash_prop)
-
-# allow apkdmverity to access loop devices
-allow apkdmverity loop_device:blk_file rw_file_perms;
-allowxperm apkdmverity loop_device:blk_file ioctl {
- LOOP_CONFIGURE
-};
-
-# allow apkdmverity to log to the kernel
-allow apkdmverity kmsg_device:chr_file w_file_perms;
-
-# apkdmverity is forked from microdroid_manager
-allow apkdmverity microdroid_manager:fd use;
-
-# Only microdroid_manager can run apkdmverity
-neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };
diff --git a/microdroid/system/private/attributes b/microdroid/system/private/attributes
deleted file mode 100644
index 792d600..0000000
--- a/microdroid/system/private/attributes
+++ /dev/null
@@ -1 +0,0 @@
-#
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
deleted file mode 100644
index 23e881d..0000000
--- a/microdroid/system/private/authfs.te
+++ /dev/null
@@ -1,25 +0,0 @@
-# authfs is a FUSE-based filesystem to support "remote" file access normally
-# over vsock, backed by a file server backend on Android.
-
-type authfs, domain, coredomain;
-type authfs_exec, exec_type, file_type, system_file_type;
-
-allow authfs self:vsock_socket create_socket_perms_no_ioctl;
-
-# Allow basic rules to implement FUSE.
-# TODO(195554831): Move the privilege to authfs_service
-allow authfs fuse_device:chr_file rw_file_perms;
-allow authfs self:global_capability_class_set sys_admin;
-
-# Allow mounting authfs.
-# TODO(195554831): Move the privilege to authfs_service.
-allow authfs fuse:filesystem relabelfrom;
-allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
-allow authfs authfs_data_file:dir { mounton search };
-
-# Allow authfs to access extra APK mount.
-allow authfs extra_apk_file:file r_file_perms;
-allow authfs extra_apk_file:dir search;
-
-# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
-allow authfs authfs_service:fd use;
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
deleted file mode 100644
index e7e9ef0..0000000
--- a/microdroid/system/private/authfs_service.te
+++ /dev/null
@@ -1,33 +0,0 @@
-# authfs_service is a binder service running on microdroid. It serves the
-# client's request and manages the mount/unmount of individual authfs instances
-# (a FUSE based filesystem). The service then can pass file descriptor on authfs
-# to the client for remote file access.
-
-type authfs_service, domain, coredomain;
-type authfs_service_exec, exec_type, file_type, system_file_type;
-
-# Allow domain transition from init.
-init_daemon_domain(authfs_service)
-
-# Allow running as a binder service.
-binder_call(authfs_service, servicemanager)
-add_service(authfs_service, authfs_binder_service)
-
-# Allow domain transition into authfs.
-domain_auto_trans(authfs_service, authfs_exec, authfs)
-
-# Allow mounting the FUSE filesystem.
-allow authfs_service self:global_capability_class_set sys_admin;
-
-# Allow creating/deleting mount directories.
-allow authfs_service authfs_data_file:dir create_dir_perms;
-
-# Allow opening a file from the FUSE mount.
-# Note: authfs_service doesn't really need to read and write the file, but the
-# check seems to happen on open anyway.
-allow authfs_service authfs_fuse:dir search;
-allow authfs_service authfs_fuse:file { open read write };
-
-# Allow killing the authfs process and unmount.
-allow authfs_service authfs:process sigkill;
-allow authfs_service authfs_fuse:filesystem unmount;
diff --git a/microdroid/system/private/bug_map b/microdroid/system/private/bug_map
deleted file mode 100644
index 5b042ae..0000000
--- a/microdroid/system/private/bug_map
+++ /dev/null
@@ -1,35 +0,0 @@
-dnsmasq netd fifo_file b/77868789
-dnsmasq netd unix_stream_socket b/77868789
-gmscore_app system_data_file dir b/146166941
-init app_data_file file b/77873135
-init cache_file blk_file b/77873135
-init logpersist file b/77873135
-init nativetest_data_file dir b/77873135
-init pstorefs dir b/77873135
-init shell_data_file dir b/77873135
-init shell_data_file file b/77873135
-init shell_data_file lnk_file b/77873135
-init shell_data_file sock_file b/77873135
-init system_data_file chr_file b/77873135
-isolated_app privapp_data_file dir b/119596573
-isolated_app app_data_file dir b/120394782
-mediaextractor app_data_file file b/77923736
-mediaextractor radio_data_file file b/77923736
-mediaprovider cache_file blk_file b/77925342
-mediaprovider mnt_media_rw_file dir b/77925342
-mediaprovider shell_data_file dir b/77925342
-mediaswcodec ashmem_device chr_file b/142679232
-netd priv_app unix_stream_socket b/77870037
-netd untrusted_app unix_stream_socket b/77870037
-netd untrusted_app_25 unix_stream_socket b/77870037
-netd untrusted_app_27 unix_stream_socket b/77870037
-netd untrusted_app_29 unix_stream_socket b/77870037
-platform_app nfc_data_file dir b/74331887
-system_server crash_dump process b/73128755
-system_server overlayfs_file file b/142390309
-system_server sdcardfs file b/77856826
-system_server zygote process b/77856826
-untrusted_app untrusted_app netlink_route_socket b/155595000
-vold system_data_file file b/124108085
-zygote untrusted_app_25 process b/77925912
-zygote labeledfs filesystem b/170748799
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
deleted file mode 100644
index 386f11e..0000000
--- a/microdroid/system/private/compos.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain, microdroid_payload;
-type compos_exec, exec_type, file_type, system_file_type;
-
-# Expose RPC Binder service over vsock
-allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Allow using various binder services
-binder_use(compos);
-allow compos authfs_binder_service:service_manager find;
-binder_call(compos, authfs_service);
-
-# Read artifacts created by odrefresh and create signature files.
-allow compos authfs_fuse:dir rw_dir_perms;
-allow compos authfs_fuse:file create_file_perms;
-
-# Allow locating the authfs mount directory.
-allow compos authfs_data_file:dir search;
-
-# Run derive_classpath in our domain
-allow compos derive_classpath_exec:file rx_file_perms;
-allow compos apex_mnt_dir:dir r_dir_perms;
-# Ignore harmless denials on /proc/self/fd
-dontaudit compos self:dir write;
-# See b/35323867#comment3
-dontaudit compos self:global_capability_class_set dac_override;
-
-# Allow settings system properties that ART expects.
-set_prop(compos, dalvik_config_prop)
-set_prop(compos, device_config_runtime_native_boot_prop)
-
-# Allow running odrefresh in its own domain
-domain_auto_trans(compos, odrefresh_exec, odrefresh)
-
-# Allow running compos_key_helper in its own domain
-domain_auto_trans(compos, compos_key_helper_exec, compos_key_helper)
-# And killing it on error
-allow compos compos_key_helper:process sigkill;
diff --git a/microdroid/system/private/compos_key_helper.te b/microdroid/system/private/compos_key_helper.te
deleted file mode 100644
index 56f8d2a..0000000
--- a/microdroid/system/private/compos_key_helper.te
+++ /dev/null
@@ -1,20 +0,0 @@
-# Helper process for compos to perform key derivation & signing
-type compos_key_helper, domain, coredomain;
-type compos_key_helper_exec, exec_type, file_type, system_file_type;
-
-# This domain has access to DICE secrets & the private signing key.
-# Block crash dumps to ensure the secrets are not leaked.
-typeattribute compos_key_helper no_crash_dump_domain;
-
-# Allow using DICE binder service
-binder_use(compos_key_helper);
-allow compos_key_helper dice_node_service:service_manager find;
-binder_call(compos_key_helper, diced);
-allow compos_key_helper diced:diced { get_attestation_chain derive };
-
-# Communicate with compos via stdin/stdout pipes
-allow compos_key_helper compos:fd use;
-allow compos_key_helper compos:fifo_file { getattr read write };
-
-# Write to /dev/kmsg.
-allow compos_key_helper kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
deleted file mode 100644
index 61dfa0b..0000000
--- a/microdroid/system/private/crash_dump.te
+++ /dev/null
@@ -1,72 +0,0 @@
-# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
-# which will result in an audit log even when it's allowed to trace.
-dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
-
-allow crash_dump kmsg_debug_device:chr_file { open append };
-
-# Use inherited file descriptors
-allow crash_dump domain:fd use;
-
-# Read/write IPC pipes inherited from crashing processes.
-allow crash_dump domain:fifo_file { read write };
-
-# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
-allow crash_dump domain:fifo_file { append };
-
-# Read information from /proc/$PID.
-allow crash_dump domain:process getattr;
-
-r_dir_file(crash_dump, domain)
-allow crash_dump exec_type:file r_file_perms;
-
-# Read all /vendor
-r_dir_file(crash_dump, vendor_file)
-
-# Talk to tombstoned
-unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
-
-# Append to tombstone files.
-allow crash_dump tombstone_data_file:file { append getattr };
-
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
-# Crash dump is not intended to access the following files. Since these
-# are WAI, suppress the denials to clean up the logs.
-dontaudit crash_dump {
- core_data_file_type
- vendor_file_type
-}:dir search;
-dontaudit crash_dump system_data_file:{ lnk_file file } read;
-dontaudit crash_dump property_type:file read;
-
-# Suppress denials for files in /proc that are passed
-# across exec().
-dontaudit crash_dump proc_type:file rw_file_perms;
-
-typeattribute crash_dump coredomain;
-
-# Crash dump does not need to access devices passed across exec().
-dontaudit crash_dump { devpts dev_type }:chr_file { read write };
-
-allow crash_dump {
- domain
- -apexd
- -crash_dump
- -init
- -kernel
- -logd
- -no_crash_dump_domain
- -ueventd
- -vendor_init
-}:process { ptrace signal sigchld sigstop sigkill };
-
-userdebug_or_eng(`
- allow crash_dump {
- apexd
- logd
- }:process { ptrace signal sigchld sigstop sigkill };
-')
-
-neverallow crash_dump no_crash_dump_domain:process ptrace;
diff --git a/microdroid/system/private/derive_classpath.te b/microdroid/system/private/derive_classpath.te
deleted file mode 100644
index e439692..0000000
--- a/microdroid/system/private/derive_classpath.te
+++ /dev/null
@@ -1 +0,0 @@
-type derive_classpath_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/private/dex2oat.te b/microdroid/system/private/dex2oat.te
deleted file mode 100644
index d259e1c..0000000
--- a/microdroid/system/private/dex2oat.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# dex2oat
-type dex2oat, domain, coredomain;
-type dex2oat_exec, system_file_type, exec_type, file_type;
-
-userfaultfd_use(dex2oat)
-
-allow dex2oat tmpfs:file { read getattr map };
-
-# Allow dex2oat to use FDs from authfs_service via compos.
-allow dex2oat authfs_service:fd use;
-allow dex2oat compos:fd use;
-allow dex2oat odrefresh:fd use;
-
-# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
-allow dex2oat authfs_fuse:file { read write getattr map };
-
-# Allow to search in authfs directories.
-allow dex2oat authfs_data_file:dir { search };
-allow dex2oat authfs_fuse:dir { search };
-
-# Minijail uses pipe for the parent process to signal the child (as a fallback
-# mechanism, since Android does not support minijail's preload).
-# TODO(196109647): We can probably remove this once the minijail preload is
-# supported on Android.
-allow dex2oat compos:fifo_file read;
-
-# Allow acquiring advisory lock on /system/framework/<arch>/*
-allow dex2oat system_file:file lock;
-
-# Allow dex2oat to read /apex/apex-info-list.xml
-allow dex2oat apex_info_file:file r_file_perms;
-
-# Don't audit because we don't configure the compiler through system properties
-# in the VM.
-dontaudit dex2oat dalvik_config_prop:file { open read getattr map };
-dontaudit dex2oat device_config_runtime_native_prop:file { open read getattr map };
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
deleted file mode 100644
index 2dba244..0000000
--- a/microdroid/system/private/diced.te
+++ /dev/null
@@ -1,23 +0,0 @@
-type diced, domain, coredomain;
-type diced_exec, system_file_type, exec_type, file_type;
-
-# Block crash dumps to ensure the DICE secrets are not leaked.
-typeattribute diced no_crash_dump_domain;
-
-# diced can be started by init
-init_daemon_domain(diced)
-
-# diced can talk to dice HAL
-hal_client_domain(diced, hal_dice)
-
-# diced hosts AIDL services
-binder_use(diced)
-binder_service(diced)
-add_service(diced, dice_node_service)
-add_service(diced, dice_maintenance_service)
-
-# diced can check SELinux permissions.
-selinux_check_access(diced)
-
-# diced is using bootstrap bionic
-use_bootstrap_libs(diced)
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
deleted file mode 100644
index d87df40..0000000
--- a/microdroid/system/private/domain.te
+++ /dev/null
@@ -1,598 +0,0 @@
-# Rules for all domains.
-
-# Allow reaping by init.
-allow domain init:process sigchld;
-
-# Intra-domain accesses.
-allow domain self:process {
- fork
- sigchld
- sigkill
- sigstop
- signull
- signal
- getsched
- setsched
- getsession
- getpgid
- setpgid
- getcap
- setcap
- getattr
- setrlimit
-};
-allow domain self:fd use;
-allow domain proc:dir r_dir_perms;
-allow domain proc_net_type:dir search;
-r_dir_file(domain, self)
-allow domain self:{ fifo_file file } rw_file_perms;
-allow domain self:unix_dgram_socket { create_socket_perms sendto };
-allow domain self:unix_stream_socket { create_stream_socket_perms connectto };
-
-# Inherit or receive open files from others.
-allow domain init:fd use;
-
-# Root fs.
-allow domain tmpfs:dir { getattr search };
-allow domain rootfs:dir search;
-allow domain rootfs:lnk_file { read getattr };
-
-# Device accesses.
-allow domain device:dir search;
-allow domain dev_type:lnk_file r_file_perms;
-allow domain devpts:dir search;
-allow domain socket_device:dir r_dir_perms;
-allow domain owntty_device:chr_file rw_file_perms;
-allow domain null_device:chr_file rw_file_perms;
-allow domain zero_device:chr_file rw_file_perms;
-
-# /dev/binder can be accessed by ... everyone! :)
-allow domain binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
-allow { domain -servicemanager } hwbinder_device:chr_file rw_file_perms;
-allow domain ptmx_device:chr_file rw_file_perms;
-allow domain random_device:chr_file rw_file_perms;
-allow domain proc_random:dir r_dir_perms;
-allow domain proc_random:file r_file_perms;
-allow domain properties_device:dir { search getattr };
-allow domain properties_serial:file r_file_perms;
-allow domain property_info:file r_file_perms;
-
-allow domain property_contexts_file:file r_file_perms;
-
-dontaudit domain property_type:file audit_access;
-
-allow domain init:key search;
-
-# logd access
-unix_socket_send(domain, logdw, logd)
-
-# Directory/link file access for path resolution.
-allow domain {
- system_file
- system_lib_file
- system_seccomp_policy_file
- system_security_cacerts_file
-}:dir r_dir_perms;
-allow domain system_file:lnk_file { getattr read };
-
-# Global access to /system/etc/security/cacerts/*, /system/etc/seccomp_policy/*, /system/lib[64]/*,
-# /(system|product|system_ext)/etc/(group|passwd), linker and its config.
-allow domain system_seccomp_policy_file:file r_file_perms;
-# cacerts are accessible from public Java API.
-allow domain system_security_cacerts_file:file r_file_perms;
-allow domain system_group_file:file r_file_perms;
-allow domain system_passwd_file:file r_file_perms;
-allow domain system_linker_exec:file { execute read open getattr map };
-allow domain system_linker_config_file:file r_file_perms;
-allow domain system_lib_file:file { execute read open getattr map };
-# To allow following symlinks at /system/bin/linker, /system/lib/libc.so, etc.
-allow domain system_linker_exec:lnk_file { read open getattr };
-allow domain system_lib_file:lnk_file { read open getattr };
-
-allow domain system_event_log_tags_file:file r_file_perms;
-
-allow coredomain system_file:file { execute read open getattr map };
-
-# All domains get access to /vendor/etc
-allow domain vendor_configs_file:dir r_dir_perms;
-allow domain vendor_configs_file:file { read open getattr map };
-
-# Allow all domains to be able to follow /system/vendor and/or
-# /vendor/odm symlinks.
-allow domain vendor_file_type:lnk_file { getattr open read };
-
-# This is required to be able to search & read /vendor/lib64
-# in order to lookup vendor libraries. The execute permission
-# for coredomains is granted *only* for same process HALs
-allow domain vendor_file:dir { getattr search };
-
-# Allow reading and executing out of /vendor to all vendor domains
-allow { domain -coredomain } vendor_file_type:dir r_dir_perms;
-allow { domain -coredomain } vendor_file_type:file { read open getattr execute map };
-allow { domain -coredomain } vendor_file_type:lnk_file { getattr read };
-
-# read and stat any sysfs symlinks
-allow domain sysfs:lnk_file { getattr read };
-
-# Lots of processes access current CPU information
-r_dir_file(domain, sysfs_devices_system_cpu)
-
-# If kernel CONFIG_TRANSPARENT_HUGEPAGE is enabled, libjemalloc5 (statically
-# included by libc) reads /sys/kernel/mm/transparent_hugepage/enabled.
-allow domain sysfs_transparent_hugepage:dir search;
-allow domain sysfs_transparent_hugepage:file r_file_perms;
-
-allow coredomain system_data_file:dir getattr;
-# /data has the label system_data_root_file. Vendor components need the search
-# permission on system_data_root_file for path traversal to /data/vendor.
-allow domain system_data_root_file:dir { search getattr } ;
-allow domain system_data_file:dir search;
-# TODO restrict this to non-coredomain
-allow domain vendor_data_file:dir { getattr search };
-
-# required by the dynamic linker
-allow domain proc:lnk_file { getattr read };
-
-# /proc/cpuinfo
-allow domain proc_cpuinfo:file r_file_perms;
-
-# profiling needs to read /proc/sys/kernel/perf_event_max_sample_rate
-allow domain proc_perf:file r_file_perms;
-
-# toybox loads libselinux which stats /sys/fs/selinux/
-allow domain selinuxfs:dir search;
-allow domain selinuxfs:file getattr;
-allow domain sysfs:dir search;
-allow domain selinuxfs:filesystem getattr;
-
-# Almost all processes log tracing information to
-# /sys/kernel/debug/tracing/trace_marker
-# The reason behind this is documented in b/6513400
-allow domain debugfs:dir search;
-allow domain debugfs_tracing:dir search;
-allow domain debugfs_tracing_debug:dir search;
-allow domain debugfs_trace_marker:file w_file_perms;
-
-# Linux lockdown mode offers coarse-grained definitions for access controls.
-# The "confidentiality" level detects access to tracefs or the perf subsystem.
-# This overlaps with more precise declarations in Android's policy. The
-# debugfs_trace_marker above is an example in which all processes should have
-# some access to tracefs. Therefore, allow all domains to access this level.
-# The "integrity" level is however enforced.
-allow domain self:lockdown confidentiality;
-
-# Filesystem access.
-allow domain fs_type:filesystem getattr;
-allow domain fs_type:dir getattr;
-
-# Restrict all domains to an allowlist for common socket types. Additional
-# ioctl commands may be added to individual domains, but this sets safe
-# defaults for all processes. Note that granting this allowlist to domain does
-# not grant the ioctl permission on these socket types. That must be granted
-# separately.
-allowxperm domain domain:{ icmp_socket rawip_socket tcp_socket udp_socket }
- ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };
-# default allowlist for unix sockets.
-allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
- ioctl unpriv_unix_sock_ioctls;
-
-# Restrict PTYs to only allowed ioctls.
-# Note that granting this allowlist to domain does
-# not grant the wider ioctl permission. That must be granted
-# separately.
-allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
-
-# All domains must clearly enumerate what ioctls they use
-# on filesystem objects (plain files, directories, symbolic links,
-# named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
-
-# If a domain has ioctl access to tun_device, it must clearly enumerate the
-# ioctls used. Safe defaults are listed below.
-allowxperm domain tun_device:chr_file ioctl { FIOCLEX FIONCLEX };
-
-# Allow a process to make a determination whether a file descriptor
-# for a plain file or pipe (fifo_file) is a tty. Note that granting
-# this allowlist to domain does not grant the ioctl permission to
-# these files. That must be granted separately.
-allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
-allowxperm domain domain:fifo_file ioctl { TCGETS };
-
-# If a domain has access to perform an ioctl on a block device, allow these
-# very common, benign ioctls
-allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
-
-# read APEX dir and stat any symlink pointing to APEXs.
-allow domain apex_mnt_dir:dir { getattr search };
-allow domain apex_mnt_dir:lnk_file r_file_perms;
-
-allow domain self:global_capability_class_set audit_control;
-allow domain self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-
-# globally readable properties
-get_prop(domain, arm64_memtag_prop)
-get_prop(domain, bootloader_prop)
-get_prop(domain, build_prop)
-get_prop(domain, debug_prop)
-get_prop(domain, fingerprint_prop)
-get_prop(domain, init_service_status_prop)
-get_prop(domain, libc_debug_prop)
-get_prop(domain, log_tag_prop)
-get_prop(domain, logd_prop)
-get_prop(domain, property_service_version_prop)
-
-allow domain linkerconfig_file:dir search;
-allow domain linkerconfig_file:file r_file_perms;
-
-#-----------------------------------------
-# Path resolution access in cgroups.
-allow domain cgroup:dir search;
-allow { domain } cgroup:dir w_dir_perms;
-allow { domain } cgroup:file w_file_perms;
-
-allow domain cgroup_v2:dir search;
-allow { domain } cgroup_v2:dir w_dir_perms;
-allow { domain } cgroup_v2:file w_file_perms;
-
-allow domain cgroup_rc_file:dir search;
-allow domain cgroup_rc_file:file r_file_perms;
-allow domain task_profiles_file:file r_file_perms;
-allow domain task_profiles_api_file:file r_file_perms;
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-dontaudit domain proc_type:dir write;
-dontaudit domain sysfs_type:dir write;
-dontaudit domain cgroup:file create;
-dontaudit domain cgroup_v2:file create;
-
-#-----------------------------------------
-# Allow access to fsverity keyring.
-allow domain kernel:key search;
-
-# Transition to crash_dump when /system/bin/crash_dump* is executed.
-# This occurs when the process crashes.
-domain_auto_trans({domain -no_crash_dump_domain}, crash_dump_exec, crash_dump);
-allow domain crash_dump:process sigchld;
-
-# Properties that microdroid doesn't have but some still want to read.
-dontaudit domain { heapprofd_prop timezone_prop }:file r_file_perms;
-
-###
-### neverallow rules
-###
-
-# Don't allow raw read/write/open access to generic devices.
-# Rather force a relabel to a more specific type.
-neverallow domain device:chr_file { open read write };
-
-# No executable memory unless backed by an unmodified file
-neverallow * self:process { execmem execheap execstack };
-neverallow * *:file execmod;
-
-# All ioctls on file-like objects (except chr_file and blk_file) and
-# sockets must be restricted to an allowlist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
-
-# b/68014825 and https://android-review.googlesource.com/516535
-# rfc6093 says that processes should not use the TCP urgent mechanism
-neverallowxperm domain domain:socket_class_set ioctl { SIOCATMARK };
-
-# TIOCSTI is only ever used for exploits. Block it.
-# b/33073072, b/7530569
-# http://www.openwall.com/lists/oss-security/2016/09/26/14
-neverallowxperm * devpts:chr_file ioctl TIOCSTI;
-
-# Do not allow any domain other than init to create unlabeled files.
-neverallow { domain -init } unlabeled:dir_file_class_set create;
-
-# Limit device node creation to these allowed domains.
-neverallow {
- domain
- -kernel
- -init
- -ueventd
-} self:global_capability_class_set mknod;
-
-# No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
-neverallow * self:memprotect mmap_zero;
-
-# No domain needs mac_override as it is unused by SELinux.
-neverallow * self:global_capability2_class_set mac_override;
-
-# Disallow attempts to set contexts not defined in current policy
-# This helps guarantee that unknown or dangerous contents will not ever
-# be set.
-neverallow * self:global_capability2_class_set mac_admin;
-
-# Once the policy has been loaded there shall be none to modify the policy.
-# It is sealed.
-neverallow * kernel:security load_policy;
-
-# Only init prior to switching context should be able to set enforcing mode.
-# init starts in kernel domain and switches to init domain via setcon in
-# the init.rc, so the setenforce occurs while still in kernel. After
-# switching domains, there is never any need to setenforce again by init.
-neverallow * kernel:security setenforce;
-neverallow { domain -kernel } kernel:security setcheckreqprot;
-
-# No booleans in AOSP policy, so no need to ever set them.
-neverallow * kernel:security setbool;
-
-# Adjusting the AVC cache threshold.
-# Not presently allowed to anything in policy, but possibly something
-# that could be set from init.rc.
-neverallow { domain -init } kernel:security setsecparam;
-
-# Only the kernel hwrng thread should be able to read from the HW RNG.
-neverallow {
- domain
- -shell # For CTS, restricted to just getattr in shell.te
- -ueventd # To create the /dev/hw_random file
-} hw_random_device:chr_file *;
-
-# Ensure that all entrypoint executables are in exec_type.
-neverallow * { file_type -exec_type }:file entrypoint;
-
-# Only init should be able to configure kernel usermodehelpers or
-# security-sensitive proc settings.
-neverallow { domain -init } usermodehelper:file { append write };
-neverallow { domain -init -ueventd } sysfs_usermodehelper:file { append write };
-neverallow { domain -init -vendor_init } proc_security:file { append open read write };
-
-# Init can't do anything with binder calls. If this neverallow rule is being
-# triggered, it's probably due to a service with no SELinux domain.
-neverallow * init:binder *;
-neverallow * vendor_init:binder *;
-
-# Don't allow raw read/write/open access to block_device
-# Rather force a relabel to a more specific type
-neverallow { domain -kernel -init } block_device:blk_file { open read write };
-
-# Do not allow renaming of block files or character files
-# Ability to do so can lead to possible use in an exploit chain
-# e.g. https://googleprojectzero.blogspot.com/2016/12/chrome-os-exploit-one-byte-overflow-and.html
-neverallow * *:{ blk_file chr_file } rename;
-
-# Only the init property service should write to /data/property and /dev/__properties__
-neverallow { domain -init } property_type:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_device:file { no_w_file_perms no_x_file_perms };
-neverallow { domain -init } properties_serial:file { no_w_file_perms no_x_file_perms };
-
-# Nobody should be doing writes to /system & /vendor
-# These partitions are intended to be read-only and must never be
-# modified. Doing so would violate important Android security guarantees
-# and invalidate dm-verity signatures.
-neverallow {
- domain
- with_asan(`-asan_extract')
-} {
- system_file_type
- vendor_file_type
- exec_type
-}:dir_file_class_set { create write setattr relabelfrom append unlink link rename };
-
-neverallow { domain -kernel with_asan(`-asan_extract') } { system_file_type vendor_file_type exec_type }:dir_file_class_set relabelto;
-
-# Don't allow mounting on top of /system files or directories
-neverallow * exec_type:dir_file_class_set mounton;
-
-# Nothing should be writing to files in the rootfs.
-neverallow * rootfs:file { create write setattr relabelto append unlink link rename };
-
-# Restrict context mounts to specific types marked with
-# the contextmount_type attribute.
-neverallow * {fs_type -contextmount_type}:filesystem relabelto;
-
-# Ensure that context mount types are not writable, to ensure that
-# the write to /system restriction above is not bypassed via context=
-# mount to another type.
-neverallow * { contextmount_type -authfs_fuse }:dir_file_class_set
- { create relabelfrom relabelto append link rename };
-neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-
-neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
-
-neverallow { domain -init } build_prop:property_service set;
-
-# Only (hw|vnd|)servicemanager should be able to register with binder as the context manager
-# The service managers are only allowed to access their own device node
-neverallow servicemanager hwbinder_device:chr_file no_rw_file_perms;
-neverallow servicemanager vndbinder_device:chr_file no_rw_file_perms;
-
-# system services cant add vendor services
-neverallow {
- coredomain
-} vendor_service:service_manager add;
-
-# Never allow anyone to connect or write to
-# the tombstoned intercept socket.
-neverallow { domain } tombstoned_intercept_socket:sock_file write;
-neverallow { domain } tombstoned_intercept_socket:unix_stream_socket connectto;
-
-# Android does not support System V IPCs.
-#
-# The reason for this is due to the fact that, by design, they lead to global
-# kernel resource leakage.
-#
-# For example, there is no way to automatically release a SysV semaphore
-# allocated in the kernel when:
-#
-# - a buggy or malicious process exits
-# - a non-buggy and non-malicious process crashes or is explicitly killed.
-#
-# Killing processes automatically to make room for new ones is an
-# important part of Android's application lifecycle implementation. This means
-# that, even assuming only non-buggy and non-malicious code, it is very likely
-# that over time, the kernel global tables used to implement SysV IPCs will fill
-# up.
-neverallow * *:{ shm sem msg msgq } *;
-
-# Do not mount on top of symlinks, fifos, or sockets.
-# Feature parity with Chromium LSM.
-neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
-
-# Nobody should be able to execute su on user builds.
-# On userdebug/eng builds, only shell, and
-# su itself execute su.
-neverallow { domain userdebug_or_eng(`-shell -su') } su_exec:file no_x_file_perms;
-
-neverallow { domain -init } proc:{ file dir } mounton;
-
-# Ensure that all types assigned to processes are included
-# in the domain attribute, so that all allow and neverallow rules
-# written on domain are applied to all processes.
-# This is achieved by ensuring that it is impossible to transition
-# from a domain to a non-domain type and vice versa.
-# TODO - rework this: neverallow domain ~domain:process { transition dyntransition };
-neverallow ~domain domain:process { transition dyntransition };
-
-#
-# Only system_app and system_server should be creating or writing
-# their files. The proper way to share files is to setup
-# type transitions to a more specific type or assigning a type
-# to its parent directory via a file_contexts entry.
-# Example type transition:
-# mydomain.te:file_type_auto_trans(mydomain, system_data_file, new_file_type)
-#
-neverallow {
- domain
- -init
- -vendor_init
- -toolbox # TODO(b/141108496) We want to remove toolbox
- with_asan(`-asan_extract')
-} system_data_file:file no_w_file_perms;
-
-#
-# Only these domains should transition to shell domain. This domain is
-# permissible for the "shell user". If you need a process to exec a shell
-# script with differing privilege, define a domain and set up a transition.
-#
-neverallow {
- domain
- -adbd
- -init
-} shell:process { transition dyntransition };
-
-# Minimize read access to shell-writable symlinks.
-# This is to prevent malicious symlink attacks.
-neverallow {
- domain
- -shell
-} shell_data_file:lnk_file read;
-
-# In addition to the symlink reading restrictions above, restrict
-# write access to shell owned directories. The /data/local/tmp
-# directory is untrustworthy, and non-allowed domains should
-# not be trusting any content in those directories.
-neverallow {
- domain
- -adbd
- -init
- -vendor_init
- -shell
-} shell_data_file:dir no_w_dir_perms;
-
-neverallow {
- domain
- -adbd
- -init
- -vendor_init
- -shell
-} shell_data_file:dir { open search };
-
-# servicemanager is the only process which handles the
-# service_manager list request
-neverallow * ~{
- servicemanager
- }:service_manager list;
-
-# only service_manager_types can be added to service_manager
-# TODO - rework this: neverallow * ~service_manager_type:service_manager { add find };
-
-# Prevent assigning non property types to properties
-# TODO - rework this: neverallow * ~property_type:property_service set;
-
-# Domain types should never be assigned to any files other
-# than the /proc/pid files associated with a process. The
-# executable file used to enter a domain should be labeled
-# with its own _exec type, not with the domain type.
-# Conventionally, this looks something like:
-# $ cat mydaemon.te
-# type mydaemon, domain;
-# type mydaemon_exec, exec_type, file_type;
-# init_daemon_domain(mydaemon)
-# $ grep mydaemon file_contexts
-# /system/bin/mydaemon -- u:object_r:mydaemon_exec:s0
-neverallow * domain:file { execute execute_no_trans entrypoint };
-
-# Do not allow access to the generic debugfs label. This is too broad.
-# Instead, if access to part of debugfs is desired, it should have a
-# more specific label.
-neverallow { domain -init -vendor_init } debugfs:{ file lnk_file } no_rw_file_perms;
-
-# Do not allow executable files in debugfs.
-neverallow domain debugfs_type:file { execute execute_no_trans };
-
-# Don't allow access to the FUSE control filesystem, except to init's
-neverallow { domain -init -vendor_init } fusectlfs:file no_rw_file_perms;
-
-# Enforce restrictions on kernel module origin.
-# Do not allow kernel module loading except from system,
-# vendor, and boot partitions.
-neverallow * ~{ system_file_type vendor_file_type rootfs }:system module_load;
-
-# Only allow filesystem caps to be set at build time. Runtime changes
-# to filesystem capabilities are not permitted.
-neverallow * self:global_capability_class_set setfcap;
-
-# Enforce AT_SECURE for executing crash_dump.
-neverallow domain crash_dump:process noatsecure;
-
-# If an already existing file is opened with O_CREAT, the kernel might generate
-# a false report of a create denial. Silence these denials and make sure that
-# inappropriate permissions are not granted.
-
-# These filesystems don't allow files or directories to be created, so the permission
-# to do so should never be granted.
-neverallow domain {
- proc_type
- sysfs_type
-}:dir { add_name create link remove_name rename reparent rmdir write };
-
-# cgroupfs directories can be created, but not files within them.
-neverallow domain cgroup:file create;
-neverallow domain cgroup_v2:file create;
-
-# Only apps targetting < Q are allowed to open /dev/ashmem directly.
-# Apps must use ASharedMemory NDK API. Native code must use libcutils API.
-neverallow {
- domain
-} ashmem_device:chr_file open;
-
-neverallow { domain -init -vendor_init } debugfs_tracing_printk_formats:file *;
-
-# Linux lockdown "integrity" level is enforced for user builds.
-neverallow { domain userdebug_or_eng(`-domain') } self:lockdown integrity;
-
-# These domains must not be crash dumped
-neverallow no_crash_dump_domain crash_dump_exec:file no_x_file_perms;
-neverallow no_crash_dump_domain crash_dump:process { transition dyntransition };
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
deleted file mode 100644
index d15f9ba..0000000
--- a/microdroid/system/private/file.te
+++ /dev/null
@@ -1,19 +0,0 @@
-allow fs_type self:filesystem associate;
-allow cgroup tmpfs:filesystem associate;
-allow cgroup_v2 tmpfs:filesystem associate;
-allow cgroup_rc_file tmpfs:filesystem associate;
-allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
-allow dev_type tmpfs:filesystem associate;
-allow extra_apk_file zipfusefs:filesystem associate;
-allow file_type labeledfs:filesystem associate;
-allow file_type tmpfs:filesystem associate;
-allow file_type rootfs:filesystem associate;
-allow proc_net proc:filesystem associate;
-allow sysfs_type sysfs:filesystem associate;
-allow system_data_file tmpfs:filesystem associate;
-
-type authfs_fuse, fs_type, contextmount_type;
-
-# /dev/selinux/test - used to verify that apex sepolicy is loaded and
-# property labeled.
-type sepolicy_test_file, file_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
deleted file mode 100644
index 83eceb0..0000000
--- a/microdroid/system/private/file_contexts
+++ /dev/null
@@ -1,172 +0,0 @@
-###########################################
-# Root
-/ u:object_r:rootfs:s0
-
-# Data files
-/build\.prop u:object_r:rootfs:s0
-/init\..* u:object_r:rootfs:s0
-
-# Executables
-/init u:object_r:init_exec:s0
-
-# For kernel modules
-/lib(/.*)? u:object_r:rootfs:s0
-
-# Empty directories
-/lost\+found u:object_r:rootfs:s0
-/debug_ramdisk u:object_r:tmpfs:s0
-/mnt u:object_r:tmpfs:s0
-/proc u:object_r:rootfs:s0
-/second_stage_resources u:object_r:tmpfs:s0
-/sys u:object_r:sysfs:s0
-/apex u:object_r:apex_mnt_dir:s0
-
-/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
-
-# Symlinks
-/bin u:object_r:rootfs:s0
-/d u:object_r:rootfs:s0
-/etc u:object_r:rootfs:s0
-
-##########################
-# Devices
-#
-/dev(/.*)? u:object_r:device:s0
-/dev/ashmem u:object_r:ashmem_device:s0
-/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/binder u:object_r:binder_device:s0
-/dev/block(/.*)? u:object_r:block_device:s0
-/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
-/dev/block/loop[0-9]* u:object_r:loop_device:s0
-/dev/block/vd[a-z][0-9]* u:object_r:vd_device:s0
-/dev/block/ram[0-9]* u:object_r:ram_device:s0
-/dev/block/zram[0-9]* u:object_r:ram_device:s0
-/dev/console u:object_r:console_device:s0
-/dev/dma_heap(/.*)? u:object_r:dmabuf_heap_device:s0
-/dev/dma_heap/system u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-uncached u:object_r:dmabuf_system_heap_device:s0
-/dev/dma_heap/system-secure(.*) u:object_r:dmabuf_system_secure_heap_device:s0
-/dev/dm-user(/.*)? u:object_r:dm_user_device:s0
-/dev/device-mapper u:object_r:dm_device:s0
-/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
-/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
-/dev/fuse u:object_r:fuse_device:s0
-/dev/hvc0 u:object_r:serial_device:s0
-/dev/hvc1 u:object_r:serial_device:s0
-/dev/hvc2 u:object_r:serial_device:s0
-/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
-/dev/loop-control u:object_r:loop_control_device:s0
-/dev/ppp u:object_r:ppp_device:s0
-/dev/ptmx u:object_r:ptmx_device:s0
-/dev/kmsg u:object_r:kmsg_device:s0
-/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
-/dev/kvm u:object_r:kvm_device:s0
-/dev/null u:object_r:null_device:s0
-/dev/open-dice0 u:object_r:open_dice_device:s0
-/dev/random u:object_r:random_device:s0
-/dev/rtc[0-9] u:object_r:rtc_device:s0
-/dev/socket(/.*)? u:object_r:socket_device:s0
-/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
-/dev/socket/property_service u:object_r:property_socket:s0
-/dev/socket/statsdw u:object_r:statsdw_socket:s0
-/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
-/dev/socket/tombstoned_java_trace u:object_r:tombstoned_java_trace_socket:s0
-/dev/socket/tombstoned_intercept u:object_r:tombstoned_intercept_socket:s0
-/dev/sys/block/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/sys/fs/by-name/userdata(/.*)? u:object_r:userdata_sysdev:s0
-/dev/tty u:object_r:owntty_device:s0
-/dev/tty[0-9]* u:object_r:tty_device:s0
-/dev/ttyS[0-9]* u:object_r:serial_device:s0
-/dev/tun u:object_r:tun_device:s0
-/dev/uhid u:object_r:uhid_device:s0
-/dev/uinput u:object_r:uhid_device:s0
-/dev/uio[0-9]* u:object_r:uio_device:s0
-/dev/urandom u:object_r:random_device:s0
-/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
-/dev/vsock u:object_r:vsock_device:s0
-/dev/zero u:object_r:zero_device:s0
-/dev/__properties__ u:object_r:properties_device:s0
-/dev/__properties__/property_info u:object_r:property_info:s0
-#############################
-# Linker configuration
-#
-/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
-#############################
-# System files
-#
-/system(/.*)? u:object_r:system_file:s0
-/system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
-/system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
-/system/bin/apexd u:object_r:apexd_exec:s0
-/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
-/system/bin/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
-/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced.microdroid u:object_r:diced_exec:s0
-/system/bin/servicemanager.microdroid u:object_r:servicemanager_exec:s0
-/system/bin/init u:object_r:init_exec:s0
-/system/bin/logcat -- u:object_r:logcat_exec:s0
-/system/bin/logd u:object_r:logd_exec:s0
-/system/bin/sh -- u:object_r:shell_exec:s0
-/system/bin/tombstoned u:object_r:tombstoned_exec:s0
-/system/bin/toolbox -- u:object_r:toolbox_exec:s0
-/system/bin/toybox -- u:object_r:toolbox_exec:s0
-/system/bin/zipfuse u:object_r:zipfuse_exec:s0
-/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
-/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
-/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
-/system/bin/authfs u:object_r:authfs_exec:s0
-/system/bin/authfs_service u:object_r:authfs_service_exec:s0
-/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
-/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
-/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
-/system/etc/group u:object_r:system_group_file:s0
-/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
-/system/etc/passwd u:object_r:system_passwd_file:s0
-/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
-/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
-/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
-/system/etc/selinux/plat_service_contexts u:object_r:service_contexts_file:s0
-/system/etc/selinux/plat_file_contexts u:object_r:file_contexts_file:s0
-/system/etc/selinux/plat_sepolicy\.cil u:object_r:sepolicy_file:s0
-/system/etc/selinux/plat_and_mapping_sepolicy\.cil\.sha256 u:object_r:sepolicy_file:s0
-/system/etc/task_profiles\.json u:object_r:task_profiles_file:s0
-/system/etc/task_profiles/task_profiles_[0-9]+\.json u:object_r:task_profiles_api_file:s0
-
-#############################
-# Vendor files
-#
-/vendor(/.*)? u:object_r:vendor_file:s0
-/vendor/etc(/.*)? u:object_r:vendor_configs_file:s0
-/vendor/etc/vintf(/.*)? u:object_r:vendor_configs_file:s0
-
-#############################
-# Data files
-#
-# NOTE: When modifying existing label rules, changes may also need to
-# propagate to the "Expanded data files" section.
-#
-/data u:object_r:system_data_root_file:s0
-/data/(.*)? u:object_r:system_data_file:s0
-/data/local/tests(/.*)? u:object_r:shell_test_data_file:s0
-/data/local/tmp(/.*)? u:object_r:shell_data_file:s0
-/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
-/data/local/traces(/.*)? u:object_r:trace_data_file:s0
-/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
-/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
-/data/vendor(/.*)? u:object_r:vendor_data_file:s0
-
-# microdroid doesn't use anr, but tombstoned tries to read this.
-# So marking /data/anr as tombstone_data_file
-/data/anr(/.*)? u:object_r:tombstone_data_file:s0
-
-#############################
-# Directory for extra apks
-/mnt/extra-apk u:object_r:extra_apk_file:s0
diff --git a/microdroid/system/private/fs_use b/microdroid/system/private/fs_use
deleted file mode 100644
index 93d7f1b..0000000
--- a/microdroid/system/private/fs_use
+++ /dev/null
@@ -1,27 +0,0 @@
-# Label inodes via getxattr.
-fs_use_xattr yaffs2 u:object_r:labeledfs:s0;
-fs_use_xattr jffs2 u:object_r:labeledfs:s0;
-fs_use_xattr ext2 u:object_r:labeledfs:s0;
-fs_use_xattr ext3 u:object_r:labeledfs:s0;
-fs_use_xattr ext4 u:object_r:labeledfs:s0;
-fs_use_xattr xfs u:object_r:labeledfs:s0;
-fs_use_xattr btrfs u:object_r:labeledfs:s0;
-fs_use_xattr f2fs u:object_r:labeledfs:s0;
-fs_use_xattr squashfs u:object_r:labeledfs:s0;
-fs_use_xattr overlay u:object_r:labeledfs:s0;
-fs_use_xattr erofs u:object_r:labeledfs:s0;
-fs_use_xattr incremental-fs u:object_r:labeledfs:s0;
-fs_use_xattr virtiofs u:object_r:labeledfs:s0;
-
-# Label inodes from task label.
-fs_use_task pipefs u:object_r:pipefs:s0;
-fs_use_task sockfs u:object_r:sockfs:s0;
-
-# Label inodes from combination of task label and fs label.
-# Define type_transition rules if you want per-domain types.
-fs_use_trans devpts u:object_r:devpts:s0;
-fs_use_trans tmpfs u:object_r:tmpfs:s0;
-fs_use_trans devtmpfs u:object_r:device:s0;
-fs_use_trans shm u:object_r:shm:s0;
-fs_use_trans mqueue u:object_r:mqueue:s0;
-
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
deleted file mode 100644
index 254dbe8..0000000
--- a/microdroid/system/private/genfs_contexts
+++ /dev/null
@@ -1,380 +0,0 @@
-# Label inodes with the fs label.
-genfscon rootfs / u:object_r:rootfs:s0
-# proc labeling can be further refined (longest matching prefix).
-genfscon proc / u:object_r:proc:s0
-genfscon proc /asound u:object_r:proc_asound:s0
-genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
-genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
-genfscon proc /cmdline u:object_r:proc_cmdline:s0
-genfscon proc /config.gz u:object_r:config_gz:s0
-genfscon proc /diskstats u:object_r:proc_diskstats:s0
-genfscon proc /filesystems u:object_r:proc_filesystems:s0
-genfscon proc /interrupts u:object_r:proc_interrupts:s0
-genfscon proc /iomem u:object_r:proc_iomem:s0
-genfscon proc /kallsyms u:object_r:proc_kallsyms:s0
-genfscon proc /keys u:object_r:proc_keys:s0
-genfscon proc /kmsg u:object_r:proc_kmsg:s0
-genfscon proc /loadavg u:object_r:proc_loadavg:s0
-genfscon proc /locks u:object_r:proc_locks:s0
-genfscon proc /lowmemorykiller u:object_r:proc_lowmemorykiller:s0
-genfscon proc /meminfo u:object_r:proc_meminfo:s0
-genfscon proc /misc u:object_r:proc_misc:s0
-genfscon proc /modules u:object_r:proc_modules:s0
-genfscon proc /mounts u:object_r:proc_mounts:s0
-genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
-genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
-genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
-genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
-genfscon proc /pagetypeinfo u:object_r:proc_pagetypeinfo:s0
-genfscon proc /pressure/cpu u:object_r:proc_pressure_cpu:s0
-genfscon proc /pressure/io u:object_r:proc_pressure_io:s0
-genfscon proc /pressure/memory u:object_r:proc_pressure_mem:s0
-genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
-genfscon proc /softirqs u:object_r:proc_timer:s0
-genfscon proc /stat u:object_r:proc_stat:s0
-genfscon proc /swaps u:object_r:proc_swaps:s0
-genfscon proc /sysrq-trigger u:object_r:proc_sysrq:s0
-genfscon proc /kpageflags u:object_r:proc_kpageflags:s0
-genfscon proc /sys/abi/swp u:object_r:proc_abi:s0
-genfscon proc /sys/fs/pipe-max-size u:object_r:proc_pipe_conf:s0
-genfscon proc /sys/fs/protected_hardlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/protected_symlinks u:object_r:proc_security:s0
-genfscon proc /sys/fs/suid_dumpable u:object_r:proc_security:s0
-genfscon proc /sys/fs/verity/require_signatures u:object_r:proc_fs_verity:s0
-genfscon proc /sys/kernel/core_pattern u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/core_pipe_limit u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/domainname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/dmesg_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/hostname u:object_r:proc_hostname:s0
-genfscon proc /sys/kernel/hotplug u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/hung_task_ u:object_r:proc_hung_task:s0
-genfscon proc /sys/kernel/kptr_restrict u:object_r:proc_security:s0
-genfscon proc /sys/kernel/modprobe u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/modules_disabled u:object_r:proc_security:s0
-genfscon proc /sys/kernel/panic_on_oops u:object_r:proc_panic:s0
-genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_paranoid u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_cpu_time_max_percent u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/perf_event_mlock_kb u:object_r:proc_perf:s0
-genfscon proc /sys/kernel/pid_max u:object_r:proc_pid_max:s0
-genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
-genfscon proc /sys/kernel/random u:object_r:proc_random:s0
-genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
-genfscon proc /sys/kernel/sched_child_runs_first u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_latency_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_period_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_rt_runtime_us u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_schedstats u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_max u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_util_clamp_min_rt_default u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
-genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
-genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
-genfscon proc /sys/net u:object_r:proc_net:s0
-genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
-genfscon proc /sys/vm/extra_free_kbytes u:object_r:proc_extra_free_kbytes:s0
-genfscon proc /sys/vm/max_map_count u:object_r:proc_max_map_count:s0
-genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0
-genfscon proc /sys/vm/page-cluster u:object_r:proc_page_cluster:s0
-genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0
-genfscon proc /sys/vm/overcommit_memory u:object_r:proc_overcommit_memory:s0
-genfscon proc /sys/vm/min_free_order_shift u:object_r:proc_min_free_order_shift:s0
-genfscon proc /timer_list u:object_r:proc_timer:s0
-genfscon proc /timer_stats u:object_r:proc_timer:s0
-genfscon proc /tty/drivers u:object_r:proc_tty_drivers:s0
-genfscon proc /uid/ u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0
-genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0
-genfscon proc /uid_io/stats u:object_r:proc_uid_io_stats:s0
-genfscon proc /uid_procstat/set u:object_r:proc_uid_procstat_set:s0
-genfscon proc /uid_time_in_state u:object_r:proc_uid_time_in_state:s0
-genfscon proc /uid_concurrent_active_time u:object_r:proc_uid_concurrent_active_time:s0
-genfscon proc /uid_concurrent_policy_time u:object_r:proc_uid_concurrent_policy_time:s0
-genfscon proc /uid_cpupower/ u:object_r:proc_uid_cpupower:s0
-genfscon proc /uptime u:object_r:proc_uptime:s0
-genfscon proc /version u:object_r:proc_version:s0
-genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
-genfscon proc /vmstat u:object_r:proc_vmstat:s0
-genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
-
-genfscon fusectl / u:object_r:fusectlfs:s0
-
-# selinuxfs booleans can be individually labeled.
-genfscon selinuxfs / u:object_r:selinuxfs:s0
-genfscon cgroup / u:object_r:cgroup:s0
-genfscon cgroup2 / u:object_r:cgroup_v2:s0
-# sysfs labels can be set by userspace.
-genfscon sysfs / u:object_r:sysfs:s0
-genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_etm:s0
-genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
-genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
-genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
-genfscon sysfs /class/net u:object_r:sysfs_net:s0
-genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill1/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rfkill/rfkill3/state u:object_r:sysfs_bluetooth_writable:s0
-genfscon sysfs /class/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /class/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /class/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /devices/platform/nfc-power/nfc_power u:object_r:sysfs_nfc_power_writable:s0
-genfscon sysfs /devices/virtual/android_usb u:object_r:sysfs_android_usb:s0
-genfscon sysfs /devices/virtual/block/ u:object_r:sysfs_devices_block:s0
-genfscon sysfs /devices/virtual/block/dm- u:object_r:sysfs_dm:s0
-genfscon sysfs /devices/virtual/block/loop u:object_r:sysfs_loop:s0
-genfscon sysfs /devices/virtual/block/zram0 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram1 u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/virtual/block/zram0/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/block/zram1/uevent u:object_r:sysfs_zram_uevent:s0
-genfscon sysfs /devices/virtual/misc/hw_random u:object_r:sysfs_hwrandom:s0
-genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
-genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
-genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
-genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
-genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
-genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
-genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
-genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
-genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
-genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
-genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
-genfscon sysfs /power/state u:object_r:sysfs_power:s0
-genfscon sysfs /power/suspend_stats u:object_r:sysfs_suspend_stats:s0
-genfscon sysfs /power/wakeup_count u:object_r:sysfs_power:s0
-genfscon sysfs /power/wake_lock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /power/wake_unlock u:object_r:sysfs_wake_lock:s0
-genfscon sysfs /kernel/memory_state_time u:object_r:sysfs_power:s0
-genfscon sysfs /kernel/dma_heap u:object_r:sysfs_dma_heap:s0
-genfscon sysfs /kernel/ion u:object_r:sysfs_ion:s0
-genfscon sysfs /kernel/ipv4 u:object_r:sysfs_ipv4:s0
-genfscon sysfs /kernel/mm/transparent_hugepage u:object_r:sysfs_transparent_hugepage:s0
-genfscon sysfs /kernel/notes u:object_r:sysfs_kernel_notes:s0
-genfscon sysfs /kernel/uevent_helper u:object_r:sysfs_usermodehelper:s0
-genfscon sysfs /kernel/wakeup_reasons u:object_r:sysfs_wakeup_reasons:s0
-genfscon sysfs /kernel/dmabuf/buffers u:object_r:sysfs_dmabuf_stats:s0
-genfscon sysfs /module/dm_verity/parameters/prefetch_cluster u:object_r:sysfs_dm_verity:s0
-genfscon sysfs /module/lowmemorykiller u:object_r:sysfs_lowmemorykiller:s0
-genfscon sysfs /module/tcp_cubic/parameters u:object_r:sysfs_net:s0
-genfscon sysfs /module/wlan/parameters/fwpath u:object_r:sysfs_wlan_fwpath:s0
-genfscon sysfs /devices/virtual/timed_output/vibrator/enable u:object_r:sysfs_vibrator:s0
-genfscon sysfs /devices/virtual/misc/uhid u:object_r:sysfs_uhid:s0
-
-genfscon debugfs /kprobes u:object_r:debugfs_kprobes:s0
-genfscon debugfs /mmc0 u:object_r:debugfs_mmc:s0
-genfscon debugfs /tracing u:object_r:debugfs_tracing_debug:s0
-genfscon tracefs / u:object_r:debugfs_tracing_debug:s0
-genfscon debugfs /tracing/tracing_on u:object_r:debugfs_tracing:s0
-genfscon tracefs /tracing_on u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/trace u:object_r:debugfs_tracing:s0
-genfscon tracefs /trace u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/per_cpu/cpu u:object_r:debugfs_tracing:s0
-genfscon tracefs /per_cpu/cpu u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/instances u:object_r:debugfs_tracing_instances:s0
-genfscon tracefs /instances u:object_r:debugfs_tracing_instances:s0
-genfscon debugfs /tracing/instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon tracefs /instances/bootreceiver u:object_r:debugfs_bootreceiver_tracing:s0
-genfscon debugfs /tracing/instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon tracefs /instances/mm_events u:object_r:debugfs_mm_events_tracing:s0
-genfscon debugfs /tracing/instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon tracefs /instances/wifi u:object_r:debugfs_wifi_tracing:s0
-genfscon debugfs /tracing/trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon tracefs /trace_marker u:object_r:debugfs_trace_marker:s0
-genfscon debugfs /wakeup_sources u:object_r:debugfs_wakeup_sources:s0
-genfscon debugfs /tracing/printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-genfscon tracefs /printk_formats u:object_r:debugfs_tracing_printk_formats:s0
-
-genfscon debugfs /tracing/events/header_page u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /events/header_page u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_get_data_block/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_iget/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/f2fs/f2fs_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_da_write_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_es_lookup_extent_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_load_inode/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ext4/ext4_sync_file_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_issue/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/block/block_rq_complete/ u:object_r:debugfs_tracing:s0
-
-genfscon tracefs /trace_clock u:object_r:debugfs_tracing:s0
-genfscon tracefs /buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/overwrite u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon tracefs /saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/sync/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/cpuhp/cpuhp_pause/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/irq/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon tracefs /events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /tracing/trace_clock u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/buffer_size_kb u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/overwrite u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/print-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/options/record-tgid u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/saved_cmdlines_size u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_switch/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_wakeup_new/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_waking/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_blocked_reason/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_cpu_hotplug/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_process_free/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sched/sched_pi_setprio/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cgroup/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_idle/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_end/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_wake/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/vmscan/mm_vmscan_kswapd_sleep/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_received/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_lock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_locked/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_unlock/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_transaction_alloc_buf/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/binder/binder_set_priority/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/lowmemorykiller/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/sync/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/dma_fence/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_add_to_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/filemap/mm_filemap_delete_from_page_cache/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/rss_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_grow/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/kmem/ion_heap_shrink/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ion/ion_stat/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/mm_event/mm_event_record/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/oom_score_adj_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/oom/mark_victim/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_rename/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/task/task_newtask/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ftrace/print/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/gpu_mem/gpu_mem_total u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/thermal_temperature/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/thermal/cdev_update/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_enter/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/cpuhp/cpuhp_exit/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/ipi/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/irq/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_enable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_disable/ u:object_r:debugfs_tracing:s0
-genfscon debugfs /tracing/events/clk/clk_set_rate/ u:object_r:debugfs_tracing:s0
-
-genfscon debugfs /kcov u:object_r:debugfs_kcov:s0
-
-genfscon securityfs / u:object_r:securityfs:s0
-
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
-genfscon inotifyfs / u:object_r:inotify:s0
-genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
-genfscon exfat / u:object_r:exfat:s0
-genfscon debugfs / u:object_r:debugfs:s0
-genfscon fuse / u:object_r:fuse:s0
-genfscon configfs / u:object_r:configfs:s0
-genfscon sdcardfs / u:object_r:sdcardfs:s0
-genfscon esdfs / u:object_r:sdcardfs:s0
-genfscon pstore / u:object_r:pstorefs:s0
-genfscon functionfs / u:object_r:functionfs:s0
-genfscon usbfs / u:object_r:usbfs:s0
-genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
-genfscon bpf / u:object_r:fs_bpf:s0
-genfscon bpf /tethering u:object_r:fs_bpf_tethering:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
deleted file mode 100644
index 708d537..0000000
--- a/microdroid/system/private/init.te
+++ /dev/null
@@ -1,437 +0,0 @@
-typeattribute init coredomain;
-
-tmpfs_domain(init)
-
-domain_trans(init, shell_exec, shell)
-domain_trans(init, init_exec, ueventd)
-domain_trans(init, init_exec, vendor_init)
-
-# Allow init to figure out name of dm-device from it's /dev/block/dm-XX path.
-# This is useful in case of remounting ext4 userdata into checkpointing mode,
-# since it potentially requires tearing down dm-devices (e.g. dm-bow, dm-crypto)
-# that userdata is mounted onto.
-allow init sysfs_dm:file read;
-
-# Second-stage init performs a test for whether the kernel has SELinux hooks
-# for the perf_event_open() syscall. This is done by testing for the syscall
-# outcomes corresponding to this policy.
-allow init self:perf_event { open cpu };
-allow init self:global_capability2_class_set perfmon;
-dontaudit init self:perf_event { kernel tracepoint read write };
-
-# Allow init to restore contexts of vd_device(/dev/block/vd[..]) when labeling
-# /dev/block.
-allow init vd_device:blk_file relabelto;
-
-# chown/chmod on devices.
-allow init {
- dev_type
- -hw_random_device
- -kvm_device
-}:chr_file setattr;
-
-# /dev/__null__ node created by init.
-allow init tmpfs:chr_file { create setattr unlink rw_file_perms };
-
-# /dev/__properties__
-allow init properties_device:dir relabelto;
-allow init properties_serial:file { write relabelto };
-allow init property_type:file { append create getattr map open read relabelto rename setattr unlink write };
-# /dev/__properties__/property_info
-allow init properties_device:file create_file_perms;
-allow init property_info:file relabelto;
-# /dev/event-log-tags
-allow init device:file relabelfrom;
-allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
-# /dev/socket
-allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
-# and /dev/urandom
-allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
-# /dev/device-mapper, /dev/block(/.*)?
-allow init tmpfs:{ chr_file blk_file } relabelfrom;
-allow init tmpfs:blk_file getattr;
-allow init block_device:{ dir blk_file lnk_file } relabelto;
-allow init dm_device:{ chr_file blk_file } relabelto;
-allow init dm_user_device:chr_file relabelto;
-allow init kernel:fd use;
-# restorecon for early mount device symlinks
-allow init tmpfs:lnk_file { getattr read relabelfrom };
-
-# setrlimit
-allow init self:global_capability_class_set sys_resource;
-
-# Remove /dev/.booting and load /debug_ramdisk/* files
-allow init tmpfs:file { getattr unlink };
-
-# Access pty created for fsck.
-allow init devpts:chr_file { read write open };
-
-# Access /dev/__null__ node created prior to initial policy load.
-allow init tmpfs:chr_file write;
-
-# Access /dev/console.
-allow init console_device:chr_file rw_file_perms;
-
-# Access /dev/tty0.
-allow init tty_device:chr_file rw_file_perms;
-
-# Call mount(2).
-allow init self:global_capability_class_set sys_admin;
-
-# Call setns(2).
-allow init self:global_capability_class_set sys_chroot;
-
-# Create and mount on directories in /.
-allow init rootfs:dir create_dir_perms;
-allow init {
- rootfs
- cgroup
- linkerconfig_file
- system_data_file
- system_data_root_file
- system_file
- vendor_file
-}:dir mounton;
-
-# Mount bpf fs on sys/fs/bpf
-allow init fs_bpf:dir mounton;
-
-# Mount on /dev/usb-ffs/adb.
-allow init device:dir mounton;
-
-# Mount tmpfs on /apex
-allow init apex_mnt_dir:dir mounton;
-
-# Create and remove symlinks in /.
-allow init rootfs:lnk_file { create unlink };
-
-# Mount debugfs on /sys/kernel/debug.
-allow init sysfs:dir mounton;
-
-# Create cgroups mount points in tmpfs and mount cgroups on them.
-allow init tmpfs:dir create_dir_perms;
-allow init tmpfs:dir mounton;
-allow init cgroup:dir create_dir_perms;
-allow init cgroup:file rw_file_perms;
-allow init cgroup_rc_file:file rw_file_perms;
-allow init cgroup_desc_file:file r_file_perms;
-allow init cgroup_desc_api_file:file r_file_perms;
-allow init cgroup_v2:dir { mounton create_dir_perms};
-allow init cgroup_v2:file rw_file_perms;
-
-# Use tmpfs as /data, used for booting when /data is encrypted
-allow init tmpfs:dir relabelfrom;
-
-# Create directories under /dev/cpuctl after chowning it to system.
-allow init self:global_capability_class_set { dac_override dac_read_search };
-
-allow init self:global_capability_class_set { sys_rawio mknod };
-
-# Mounting filesystems from block devices.
-allow init dev_type:blk_file r_file_perms;
-allowxperm init dev_type:blk_file ioctl BLKROSET;
-
-# Mounting filesystems.
-# Only allow relabelto for types used in context= mount options,
-# which should all be assigned the contextmount_type attribute.
-# This can be done in device-specific policy via type or typeattribute
-# declarations.
-allow init {
- fs_type
-}:filesystem ~relabelto;
-
-# Allow init to mount tracefs in /sys/kernel/tracing
-allow init debugfs_tracing_debug:filesystem mount;
-
-allow init unlabeled:filesystem ~relabelto;
-allow init contextmount_type:filesystem relabelto;
-
-# Allow read-only access to context= mounted filesystems.
-allow init contextmount_type:dir r_dir_perms;
-allow init contextmount_type:notdevfile_class_set r_file_perms;
-
-# restorecon /adb_keys or any other rootfs files and directories to a more
-# specific type.
-allow init rootfs:{ dir file } relabelfrom;
-
-# mkdir, symlink, write, rm/rmdir, chown/chmod, restorecon/restorecon_recursive from init.rc files.
-# chown/chmod require open+read+setattr required for open()+fchown/fchmod().
-# system/core/init.rc requires at least cache_file and data_file_type.
-# init.<board>.rc files often include device-specific types, so
-# we just allow all file types except /system files here.
-allow init self:global_capability_class_set { chown fowner fsetid };
-
-allow init {
- file_type
- -exec_type
- -system_file_type
- -vendor_file_type
-}:dir { create search getattr open read setattr ioctl };
-
-allow init {
- file_type
- -exec_type
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:dir { write add_name remove_name rmdir relabelfrom };
-
-allow init {
- file_type
- -apex_info_file
- -exec_type
- -runtime_event_log_tags_file
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:file { create getattr open read write setattr relabelfrom unlink map };
-
-allow init tracefs_type:file { create_file_perms relabelfrom };
-
-allow init {
- file_type
- -exec_type
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-
-allow init {
- file_type
- -apex_mnt_dir
- -exec_type
- -shell_data_file
- -system_file_type
- -vendor_file_type
-}:lnk_file { create getattr setattr relabelfrom unlink };
-
-allow init {
- file_type
- -system_file_type
- -vendor_file_type
- -exec_type
-}:dir_file_class_set relabelto;
-
-allow init { sysfs debugfs_tracing debugfs_tracing_debug }:{ dir file lnk_file } { getattr relabelfrom };
-allow init { sysfs_type tracefs_type }:{ dir file lnk_file } { relabelto getattr };
-allow init dev_type:dir create_dir_perms;
-allow init dev_type:lnk_file create;
-
-# chown/chmod on pseudo files.
-allow init {
- fs_type
- -contextmount_type
- -proc_type
- -fusefs_type
- -sysfs_type
- -rootfs
-}:file { open read setattr };
-allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
-
-allow init {
- binder_device
- console_device
- devpts
- dm_device
- hwbinder_device
- kmsg_device
- null_device
- owntty_device
- ptmx_device
- random_device
- tty_device
- zero_device
-}:chr_file { read open };
-
-# Any operation that can modify the kernel ring buffer, e.g. clear
-# or a read that consumes the messages that were read.
-allow init kernel:system syslog_mod;
-allow init self:global_capability2_class_set syslog;
-
-# init access to /proc.
-r_dir_file(init, proc_net_type)
-allow init proc_filesystems:file r_file_perms;
-
-allow init {
- proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
- proc_bootconfig
- proc_cmdline
- proc_diskstats
- proc_kmsg # Open /proc/kmsg for logd service.
- proc_meminfo
- proc_stat # Read /proc/stat for bootchart.
- proc_uptime
- proc_version
-}:file r_file_perms;
-
-allow init {
- proc_abi
- proc_dirty
- proc_hostname
- proc_hung_task
- proc_extra_free_kbytes
- proc_net_type
- proc_max_map_count
- proc_min_free_order_shift
- proc_overcommit_memory # /proc/sys/vm/overcommit_memory
- proc_panic
- proc_page_cluster
- proc_perf
- proc_sched
- proc_sysrq
-}:file w_file_perms;
-
-allow init {
- proc_security
-}:file rw_file_perms;
-
-# init chmod/chown access to /proc files.
-allow init {
- proc_cmdline
- proc_bootconfig
- proc_kmsg
- proc_net
- proc_pagetypeinfo
- proc_qtaguid_stat
- proc_slabinfo
- proc_sysrq
- proc_qtaguid_ctrl
- proc_vmallocinfo
-}:file setattr;
-
-# init access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_dm_verity
- sysfs_leds
- sysfs_power
- sysfs_fs_f2fs
- sysfs_dm
-}:file w_file_perms;
-
-allow init {
- sysfs_dt_firmware_android
- sysfs_fs_ext4_features
-}:file r_file_perms;
-
-allow init {
- sysfs_zram
-}:file rw_file_perms;
-
-# allow init to create loop devices with /dev/loop-control
-allow init loop_control_device:chr_file rw_file_perms;
-allow init loop_device:blk_file rw_file_perms;
-allowxperm init loop_device:blk_file ioctl {
- LOOP_SET_FD
- LOOP_CLR_FD
- LOOP_CTL_GET_FREE
- LOOP_SET_BLOCK_SIZE
- LOOP_SET_DIRECT_IO
- LOOP_GET_STATUS
-};
-
-# init chmod/chown access to /sys files.
-allow init {
- sysfs_android_usb
- sysfs_devices_system_cpu
- sysfs_ipv4
- sysfs_leds
- sysfs_lowmemorykiller
- sysfs_power
- sysfs_vibrator
- sysfs_wake_lock
- sysfs_zram
-}:file setattr;
-
-allow init self:global_capability_class_set net_admin;
-
-# Reboot.
-allow init self:global_capability_class_set sys_boot;
-
-# Support "adb shell stop"
-allow init self:global_capability_class_set kill;
-allow init domain:process { getpgid sigkill signal };
-
-# Init creates /data/local/tmp at boot
-allow init shell_data_file:dir { open create read getattr setattr search };
-allow init shell_data_file:file { getattr };
-
-# Set UID, GID, and adjust capability bounding set for services.
-allow init self:global_capability_class_set { setuid setgid setpcap };
-
-# For bootchart to read the /proc/$pid/cmdline file of each process,
-# we need to have following line to allow init to have access
-# to different domains.
-r_dir_file(init, domain)
-
-# Use setexeccon(), setfscreatecon(), and setsockcreatecon().
-# setexec is for services with seclabel options.
-# setfscreate is for labeling directories and socket files.
-# setsockcreate is for labeling local/unix domain sockets.
-allow init self:process { setexec setfscreate setsockcreate };
-
-# Get file context
-allow init file_contexts_file:file r_file_perms;
-
-# sepolicy access
-allow init sepolicy_file:file r_file_perms;
-
-# Perform SELinux access checks on setting properties.
-selinux_check_access(init)
-
-# Ask the kernel for the new context on services to label their sockets.
-allow init kernel:security compute_create;
-
-# Create sockets for the services.
-allow init domain:unix_stream_socket { create bind setopt };
-allow init domain:unix_dgram_socket { create bind setopt };
-
-# Set any property.
-allow init property_type:property_service set;
-
-# Send an SELinux userspace denial to the kernel audit subsystem,
-# so it can be picked up and processed by logd. These denials are
-# generated when an attempt to set a property is denied by policy.
-allow init self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_relay };
-allow init self:global_capability_class_set audit_write;
-
-# Run "ifup lo" to bring up the localhost interface
-allow init self:udp_socket { create ioctl };
-# in addition to unpriv ioctls granted to all domains, init also needs:
-allowxperm init self:udp_socket ioctl SIOCSIFFLAGS;
-allow init self:global_capability_class_set net_raw;
-
-# Set scheduling info for psi monitor thread.
-# TODO: delete or revise this line b/131761776
-allow init kernel:process { getsched setsched };
-
-# Create and access /dev files without a specific type,
-# e.g. /dev/.coldboot_done, /dev/.booting
-# TODO: Move these files into their own type unless they are
-# only ever accessed by init.
-allow init device:file create_file_perms;
-
-# Access device mapper for setting up dm-verity
-allow init dm_device:chr_file rw_file_perms;
-allow init dm_device:blk_file rw_file_perms;
-
-# linux keyring configuration
-allow init init:key { write search setattr };
-
-r_dir_file(init, system_file)
-r_dir_file(init, vendor_file_type)
-
-allow init system_data_file:file { getattr read };
-allow init system_data_file:lnk_file r_file_perms;
-
-# Allow init to touch PSI monitors
-allow init proc_pressure_mem:file { rw_file_perms setattr };
-
-# init is using bootstrap bionic
-use_bootstrap_libs(init)
-
-# stat the root dir of fuse filesystems (for the mount handler)
-allow init fuse:dir { search getattr };
-
-set_prop(init, property_type)
diff --git a/microdroid/system/private/initial_sid_contexts b/microdroid/system/private/initial_sid_contexts
deleted file mode 100644
index 9819051..0000000
--- a/microdroid/system/private/initial_sid_contexts
+++ /dev/null
@@ -1,27 +0,0 @@
-sid kernel u:r:kernel:s0
-sid security u:object_r:kernel:s0
-sid unlabeled u:object_r:unlabeled:s0
-sid fs u:object_r:labeledfs:s0
-sid file u:object_r:unlabeled:s0
-sid file_labels u:object_r:unlabeled:s0
-sid init u:object_r:unlabeled:s0
-sid any_socket u:object_r:unlabeled:s0
-sid port u:object_r:port:s0
-sid netif u:object_r:netif:s0
-sid netmsg u:object_r:unlabeled:s0
-sid node u:object_r:node:s0
-sid igmp_packet u:object_r:unlabeled:s0
-sid icmp_socket u:object_r:unlabeled:s0
-sid tcp_socket u:object_r:unlabeled:s0
-sid sysctl_modprobe u:object_r:unlabeled:s0
-sid sysctl u:object_r:proc:s0
-sid sysctl_fs u:object_r:unlabeled:s0
-sid sysctl_kernel u:object_r:unlabeled:s0
-sid sysctl_net u:object_r:unlabeled:s0
-sid sysctl_net_unix u:object_r:unlabeled:s0
-sid sysctl_vm u:object_r:unlabeled:s0
-sid sysctl_dev u:object_r:unlabeled:s0
-sid kmod u:object_r:unlabeled:s0
-sid policy u:object_r:unlabeled:s0
-sid scmp_packet u:object_r:unlabeled:s0
-sid devnull u:object_r:null_device:s0
diff --git a/microdroid/system/private/initial_sids b/microdroid/system/private/initial_sids
deleted file mode 100644
index 91ac816..0000000
--- a/microdroid/system/private/initial_sids
+++ /dev/null
@@ -1,35 +0,0 @@
-# FLASK
-
-#
-# Define initial security identifiers
-#
-
-sid kernel
-sid security
-sid unlabeled
-sid fs
-sid file
-sid file_labels
-sid init
-sid any_socket
-sid port
-sid netif
-sid netmsg
-sid node
-sid igmp_packet
-sid icmp_socket
-sid tcp_socket
-sid sysctl_modprobe
-sid sysctl
-sid sysctl_fs
-sid sysctl_kernel
-sid sysctl_net
-sid sysctl_net_unix
-sid sysctl_vm
-sid sysctl_dev
-sid kmod
-sid policy
-sid scmp_packet
-sid devnull
-
-# FLASK
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
deleted file mode 100644
index e81173d..0000000
--- a/microdroid/system/private/kernel.te
+++ /dev/null
@@ -1,96 +0,0 @@
-typeattribute kernel coredomain;
-
-domain_auto_trans(kernel, init_exec, init)
-
-# The following sections are for the transition period during a Virtual A/B
-# OTA. Once sepolicy is loaded, snapuserd must be re-launched in the correct
-# context, and with properly labelled devices. This must be done before
-# enabling enforcement, eg, in permissive mode while still in the kernel
-# context.
-allow kernel tmpfs:blk_file { getattr relabelfrom };
-allow kernel tmpfs:chr_file { getattr relabelfrom };
-allow kernel tmpfs:lnk_file { getattr relabelfrom };
-allow kernel tmpfs:dir { open read relabelfrom };
-
-allow kernel block_device:blk_file relabelto;
-allow kernel block_device:lnk_file relabelto;
-allow kernel dm_device:chr_file relabelto;
-allow kernel dm_device:blk_file relabelto;
-allow kernel dm_user_device:dir { read open search relabelto };
-allow kernel dm_user_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file relabelto;
-allow kernel null_device:chr_file relabelto;
-allow kernel random_device:chr_file relabelto;
-allow kernel kmsg_device:chr_file write;
-allow kernel vd_device:blk_file read;
-
-allow kernel self:global_capability_class_set sys_nice;
-
-# Root fs.
-r_dir_file(kernel, rootfs)
-
-# Used to read androidboot.selinux property
-allow kernel {
- proc_bootconfig
- proc_cmdline
-}:file r_file_perms;
-
-# Get SELinux enforcing status.
-allow kernel selinuxfs:dir r_dir_perms;
-allow kernel selinuxfs:file r_file_perms;
-
-# Get file contexts during first stage
-allow kernel file_contexts_file:file r_file_perms;
-
-# Allow init relabel itself.
-allow kernel rootfs:file relabelfrom;
-allow kernel init_exec:file relabelto;
-# TODO: investigate why we need this.
-allow kernel init:process share;
-
-# cgroup filesystem initialization prior to setting the cgroup root directory label.
-allow kernel unlabeled:dir search;
-
-# Initial setenforce by init prior to switching to init domain.
-# We use dontaudit instead of allow to prevent a kernel spawned userspace
-# process from turning off SELinux once enabled.
-dontaudit kernel self:security setenforce;
-
-# Init reboot before switching selinux domains under certain error
-# conditions. Allow it.
-# As part of rebooting, init writes "u" to /proc/sysrq-trigger to
-# remount filesystems read-only. /data is not mounted at this point,
-# so we could ignore this. For now, we allow it.
-allow kernel self:global_capability_class_set sys_boot;
-allow kernel proc_sysrq:file w_file_perms;
-
-# Allow writing to /dev/kmsg which was created prior to loading policy.
-allow kernel tmpfs:chr_file write;
-
-# Set checkreqprot by init.rc prior to switching to init domain.
-allow kernel selinuxfs:file write;
-allow kernel self:security setcheckreqprot;
-
-# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel { sdcard_type fuse }:file { read write };
-
-# Allow the kernel to read APEX file descriptors and (staged) data files;
-# Needed because APEX uses the loopback driver, which issues requests from
-# a kernel thread in earlier kernel version.
-allow kernel apexd:fd use;
-
-#-----------------------------------------
-allow kernel apkdmverity:fd use;
-
-# Some contexts are changed before the device is flipped into enforcing mode
-# during the setup of Apex sepolicy. These denials can be suppressed since
-# the permissions should not be allowed after the device is flipped into
-# enforcing mode.
-dontaudit kernel device:dir { open read relabelto };
-dontaudit kernel tmpfs:file { getattr open read relabelfrom };
-dontaudit kernel {
- file_contexts_file
- property_contexts_file
- sepolicy_test_file
- service_contexts_file
-}:file relabelto;
diff --git a/microdroid/system/private/keys.conf b/microdroid/system/private/keys.conf
deleted file mode 100644
index 362e73d..0000000
--- a/microdroid/system/private/keys.conf
+++ /dev/null
@@ -1,28 +0,0 @@
-#
-# Maps an arbitrary tag [TAGNAME] with the string contents found in
-# TARGET_BUILD_VARIANT. Common convention is to start TAGNAME with an @ and
-# name it after the base file name of the pem file.
-#
-# Each tag (section) then allows one to specify any string found in
-# TARGET_BUILD_VARIANT. Typcially this is user, eng, and userdebug. Another
-# option is to use ALL which will match ANY TARGET_BUILD_VARIANT string.
-#
-
-[@PLATFORM]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/platform.x509.pem
-
-[@MEDIA]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem
-
-[@NETWORK_STACK]
-ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem
-
-[@SHARED]
-ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem
-
-# Example of ALL TARGET_BUILD_VARIANTS
-[@RELEASE]
-ENG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USER : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-USERDEBUG : $DEFAULT_SYSTEM_DEV_CERTIFICATE/testkey.x509.pem
-
diff --git a/microdroid/system/private/linkerconfig.te b/microdroid/system/private/linkerconfig.te
deleted file mode 100644
index 4d8db0c..0000000
--- a/microdroid/system/private/linkerconfig.te
+++ /dev/null
@@ -1,21 +0,0 @@
-type linkerconfig, domain, coredomain;
-type linkerconfig_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(linkerconfig)
-
-## Read and write linkerconfig subdirectory.
-allow linkerconfig linkerconfig_file:dir create_dir_perms;
-allow linkerconfig linkerconfig_file:file create_file_perms;
-
-# Allow linkerconfig to log to the kernel.
-allow linkerconfig kmsg_device:chr_file w_file_perms;
-
-# Allow linkerconfig to be invoked with logwrapper from init.
-allow linkerconfig devpts:chr_file { read write };
-
-# Allow linkerconfig to scan for apex modules
-allow linkerconfig apex_mnt_dir:dir r_dir_perms;
-
-# Allow linkerconfig to read apex-info-list.xml
-allow linkerconfig apex_info_file:file r_file_perms;
-
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
deleted file mode 100644
index a26cff3..0000000
--- a/microdroid/system/private/logcat.te
+++ /dev/null
@@ -1,19 +0,0 @@
-# logcat in Microdroid runs as a daemon process. It reads logs from logd and
-# emits the logs to the virtual serial console.
-typeattribute logcat coredomain;
-
-# logcat can be executed from init
-init_daemon_domain(logcat)
-
-# logcat can append to the virtual console devices
-allow logcat device:dir r_dir_perms;
-allow logcat serial_device:chr_file ra_file_perms;
-
-# logcat can get logs from logd
-read_logd(logcat)
-
-# Allow logcat to read ro.logd.ready so that it waits until logd is ready to
-# accept commands
-get_prop(logcat, logd_prop)
-
-allow logcat self:global_capability_class_set { sys_nice };
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
deleted file mode 100644
index 46cdb7d..0000000
--- a/microdroid/system/private/logd.te
+++ /dev/null
@@ -1,44 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-allow logd adbd:dir search;
-allow logd adbd:file { getattr open read };
-allow logd device:dir search;
-allow logd init:dir search;
-allow logd init:fd use;
-allow logd init:file { getattr open read };
-allow logd kernel:dir search;
-allow logd kernel:file { getattr open read };
-allow logd kernel:system { syslog_mod syslog_read };
-allow logd linkerconfig_file:dir search;
-allow logd microdroid_manager:dir search;
-allow logd microdroid_manager:file { getattr open read };
-allow logd null_device:chr_file { open read };
-#allow logd proc_kmsg:file read;
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-allow logd self:fifo_file { read write };
-allow logd self:file { getattr open read };
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-#allow logd self:netlink_audit_socket getopt;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-r_dir_file(logd, domain)
-allow logd self:unix_stream_socket { accept getopt setopt shutdown };
-allow logd servicemanager:dir search;
-allow logd servicemanager:file { open read };
-allow logd tombstoned:dir search;
-allow logd tombstoned:file { getattr open read };
-allow logd ueventd:dir search;
-allow logd ueventd:file { getattr open read };
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/mac_permissions.xml b/microdroid/system/private/mac_permissions.xml
deleted file mode 100644
index 7fc37c1..0000000
--- a/microdroid/system/private/mac_permissions.xml
+++ /dev/null
@@ -1,62 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policy>
-
-<!--
-
- * A signature is a hex encoded X.509 certificate or a tag defined in
- keys.conf and is required for each signer tag. The signature can
- either appear as a set of attached cert child tags or as an attribute.
- * A signer tag must contain a seinfo tag XOR multiple package stanzas.
- * Each signer/package tag is allowed to contain one seinfo tag. This tag
- represents additional info that each app can use in setting a SELinux security
- context on the eventual process as well as the apps data directory.
- * seinfo assignments are made according to the following rules:
- - Stanzas with package name refinements will be checked first.
- - Stanzas w/o package name refinements will be checked second.
- - The "default" seinfo label is automatically applied.
-
- * valid stanzas can take one of the following forms:
-
- // single cert protecting seinfo
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- // multiple certs protecting seinfo (all contained certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <seinfo value="platform" />
- </signer>
-
- // single cert protecting explicitly named app
- <signer signature="@PLATFORM" >
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
-
- // multiple certs protecting explicitly named app (all certs must match)
- <signer>
- <cert signature="@PLATFORM1"/>
- <cert signature="@PLATFORM2"/>
- <package name="com.android.foo">
- <seinfo value="bar" />
- </package>
- </signer>
--->
-
- <!-- Platform dev key in AOSP -->
- <signer signature="@PLATFORM" >
- <seinfo value="platform" />
- </signer>
-
- <!-- Media key in AOSP -->
- <signer signature="@MEDIA" >
- <seinfo value="media" />
- </signer>
-
- <signer signature="@NETWORK_STACK" >
- <seinfo value="network_stack" />
- </signer>
-</policy>
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
deleted file mode 100644
index de58326..0000000
--- a/microdroid/system/private/microdroid_app.te
+++ /dev/null
@@ -1,17 +0,0 @@
-# microdroid_app is a domain for microdroid_launcher, which is a binary that
-# loads a shared library from an apk and executes it by calling an entry point
-# in the library. This can be considered as the native counterpart of
-# app_process for Java.
-#
-# Both microdroid_launcher and payload from the shared library run in the
-# context of microdroid_app.
-
-type microdroid_app, domain, coredomain, microdroid_payload;
-type microdroid_app_exec, exec_type, file_type, system_file_type;
-
-# Talk to binder services (for diced)
-binder_use(microdroid_app);
-
-allow microdroid_app dice_node_service:service_manager find;
-binder_call(microdroid_app, diced);
-allow microdroid_app diced:diced { get_attestation_chain derive };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
deleted file mode 100644
index 21731cc..0000000
--- a/microdroid/system/private/microdroid_manager.te
+++ /dev/null
@@ -1,86 +0,0 @@
-# microdroid_manager is a daemon running in the microdroid.
-
-type microdroid_manager, domain, coredomain;
-type microdroid_manager_exec, exec_type, file_type, system_file_type;
-
-# allow domain transition from init
-init_daemon_domain(microdroid_manager)
-
-# microdroid_manager accesses a virtual disk block device to read VM payload
-# It needs write access as it updates the instance image
-allow microdroid_manager block_device:dir r_dir_perms;
-allow microdroid_manager block_device:lnk_file r_file_perms;
-allow microdroid_manager vd_device:blk_file rw_file_perms;
-# microdroid_manager verifies DM-verity mounted APK payload
-allow microdroid_manager dm_device:blk_file r_file_perms;
-
-# microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
-
-# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
-# requires sys_admin cap as well.
-allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
-allow microdroid_manager self:global_capability_class_set sys_admin;
-
-# Allow microdroid_manager to start payload tasks
-domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
-domain_auto_trans(microdroid_manager, compos_exec, compos)
-
-# Allow microdroid_manager to start apk verity binaries
-domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
-domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
-
-# Let microdroid_manager kernel-log.
-allow microdroid_manager kmsg_device:chr_file w_file_perms;
-
-# Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below rule
-userdebug_or_eng(`
- r_dir_file(microdroid_manager, fuse)
-')
-
-# Let microdroid_manager to create a vsock connection back to the host VM
-allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
-
-# microdroid_manager is using bootstrap bionic
-use_bootstrap_libs(microdroid_manager)
-
-# microdroid_manager can talk to diced over binder
-binder_use(microdroid_manager)
-binder_call(microdroid_manager, diced)
-allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
-allow microdroid_manager diced:diced { derive demote_self };
-
-# microdroid_manager create /apex/vm-payload-metadata for apexd
-# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
-allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
-allow microdroid_manager apex_mnt_dir:file create_file_perms;
-
-# Allow microdroid_manager to start the services apexd-vm, apkdmverity,tombstone_transmit & zipfuse
-set_prop(microdroid_manager, ctl_apexd_vm_prop)
-set_prop(microdroid_manager, ctl_apkdmverity_prop)
-set_prop(microdroid_manager, ctl_seriallogging_prop)
-set_prop(microdroid_manager, ctl_tombstone_transmit_prop)
-set_prop(microdroid_manager, ctl_zipfuse_prop)
-
-# Allow microdroid_manager to wait for linkerconfig to be ready
-get_prop(microdroid_manager, apex_config_prop)
-
-# Allow microdroid_manager to pass the roothash to apkdmverity
-set_prop(microdroid_manager, microdroid_manager_roothash_prop)
-
-# Allow microdroid_manager to shutdown the device when verification fails
-set_prop(microdroid_manager, powerctl_prop)
-
-# Allow microdroid_manager to read bootconfig so that it can reject a bootconfig
-# that is different from what is recorded in the instance.img file.
-allow microdroid_manager proc_bootconfig:file r_file_perms;
-
-# Allow microdroid_manager to handle extra_apks
-allow microdroid_manager extra_apk_file:dir create_dir_perms;
-
-# Domains other than microdroid can't write extra_apks
-neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
-neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
-
-neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
deleted file mode 100644
index fea0768..0000000
--- a/microdroid/system/private/microdroid_payload.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# microdroid_payload is an attribute for microdroid payload processes.
-# Domains should have microdroid_payload to be run from microdroid_manager.
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_payload adbd:fd use;
-allow microdroid_payload adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_payload microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_payload shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_payload devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_payload, debug_prop)
-
-# Allow microdroid_payload to use vsock inherited from microdroid_manager
-allow microdroid_payload microdroid_manager:vsock_socket { read write };
-
-# Write to /dev/kmsg.
-allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-
-# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
-
-# Allow microdroid_payload to open binder servers via vsock.
-allow microdroid_payload self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
-# Payload can read extra apks
-r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/mls b/microdroid/system/private/mls
deleted file mode 100644
index cee6675..0000000
--- a/microdroid/system/private/mls
+++ /dev/null
@@ -1,12 +0,0 @@
-#################################################
-# MLS policy constraints
-#
-
-# We aren't using MLS in Microdroid. But the policy grammar requires
-# at least one MLS declaration, and checkpolicy enforces this. We
-# don't want to disable MLS, since we share some file labels with the
-# host (e.g. files in APEXes) which does have MLS. So we include this
-# fairly harmless constraint.
-
-# Process transition: Require equivalence.
-mlsconstrain process { transition dyntransition } (h1 eq h2 and l1 eq l2);
diff --git a/microdroid/system/private/mls_decl b/microdroid/system/private/mls_decl
deleted file mode 100644
index dd53bea..0000000
--- a/microdroid/system/private/mls_decl
+++ /dev/null
@@ -1,10 +0,0 @@
-#########################################
-# MLS declarations
-#
-
-# Generate the desired number of sensitivities and categories.
-gen_sens(mls_num_sens)
-gen_cats(mls_num_cats)
-
-# Generate level definitions for each sensitivity and category.
-gen_levels(mls_num_sens,mls_num_cats)
diff --git a/microdroid/system/private/mls_macros b/microdroid/system/private/mls_macros
deleted file mode 100644
index 83e0542..0000000
--- a/microdroid/system/private/mls_macros
+++ /dev/null
@@ -1,54 +0,0 @@
-########################################
-#
-# gen_cats(N)
-#
-# declares categores c0 to c(N-1)
-#
-define(`decl_cats',`dnl
-category c$1;
-ifelse(`$1',`$2',,`decl_cats(incr($1),$2)')dnl
-')
-
-define(`gen_cats',`decl_cats(0,decr($1))')
-
-########################################
-#
-# gen_sens(N)
-#
-# declares sensitivites s0 to s(N-1) with dominance
-# in increasing numeric order with s0 lowest, s(N-1) highest
-#
-define(`decl_sens',`dnl
-sensitivity s$1;
-ifelse(`$1',`$2',,`decl_sens(incr($1),$2)')dnl
-')
-
-define(`gen_dominance',`s$1 ifelse(`$1',`$2',,`gen_dominance(incr($1),$2)')')
-
-define(`gen_sens',`
-# Each sensitivity has a name and zero or more aliases.
-decl_sens(0,decr($1))
-
-# Define the ordering of the sensitivity levels (least to greatest)
-dominance { gen_dominance(0,decr($1)) }
-')
-
-########################################
-#
-# gen_levels(N,M)
-#
-# levels from s0 to (N-1) with categories c0 to (M-1)
-#
-define(`decl_levels',`dnl
-level s$1:c0.c$3;
-ifelse(`$1',`$2',,`decl_levels(incr($1),$2,$3)')dnl
-')
-
-define(`gen_levels',`decl_levels(0,decr($1),decr($2))')
-
-########################################
-#
-# Basic level names for system low and high
-#
-define(`mls_systemlow',`s0')
-define(`mls_systemhigh',`s`'decr(mls_num_sens):c0.c`'decr(mls_num_cats)')
diff --git a/microdroid/system/private/net.te b/microdroid/system/private/net.te
deleted file mode 100644
index 1b2fd41..0000000
--- a/microdroid/system/private/net.te
+++ /dev/null
@@ -1,16 +0,0 @@
-## Network types
-type node, node_type;
-type netif, netif_type;
-type port, port_type;
-
-###
-### Domain with network access
-###
-
-allow netdomain self:tcp_socket create_stream_socket_perms;
-allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
-
-allow netdomain port_type:tcp_socket name_connect;
-allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
-allow netdomain port_type:udp_socket name_bind;
-allow netdomain port_type:tcp_socket name_bind;
diff --git a/microdroid/system/private/odrefresh.te b/microdroid/system/private/odrefresh.te
deleted file mode 100644
index c236637..0000000
--- a/microdroid/system/private/odrefresh.te
+++ /dev/null
@@ -1,44 +0,0 @@
-# odrefresh
-type odrefresh, domain, coredomain;
-type odrefresh_exec, system_file_type, exec_type, file_type;
-
-# Run dex2oat in its own sandbox.
-domain_auto_trans(odrefresh, dex2oat_exec, dex2oat)
-
-# Allow odrefresh to kill dex2oat if compilation times out.
-allow odrefresh dex2oat:process sigkill;
-
-userfaultfd_use(odrefresh)
-
-# Allow odrefresh to read /apex/apex-info-list.xml to gather information of
-# the current APEXes.
-allow odrefresh apex_info_file:file r_file_perms;
-
-# The policies above are mirrored from Android's, while the below are tailored for using in CompOS.
-
-# Allow odrefresh to read/write/lookup files/directories on authfs.
-allow odrefresh authfs_fuse:file create_file_perms;
-allow odrefresh authfs_fuse:dir create_dir_perms;
-
-# Allow odrefresh to check the parent directory exists.
-allow odrefresh authfs_data_file:dir { search getattr };
-
-# Minijail uses pipe for the parent process to signal the child (as a fallback
-# mechanism, since Android does not support minijail's preload).
-# TODO(196109647): We can probably remove this once the minijail preload is
-# supported on Android.
-allow odrefresh compos:fifo_file read;
-
-# Allow using FDs from the parent. It's possible that this could be avoided,
-# if we close fd 0-2 before execute. But minijial replaces them with /dev/null
-# (unless specified otherwise). Without allowing the use, the execution will
-# fail immediately. See b/210909688.
-allow odrefresh compos:fd use;
-
-# Allow odrefresh to read all dalvik system properties. odrefresh needs to record the relevant ones
-# in the output for later verification check.
-get_prop(odrefresh, dalvik_config_prop)
-get_prop(odrefresh, device_config_runtime_native_boot_prop)
-
-# Silently ignore the write to properties, e.g. for setting boot animation progress.
-dontaudit odrefresh property_socket:sock_file write;
diff --git a/microdroid/system/private/policy_capabilities b/microdroid/system/private/policy_capabilities
deleted file mode 100644
index 9290e3a..0000000
--- a/microdroid/system/private/policy_capabilities
+++ /dev/null
@@ -1,20 +0,0 @@
-# Enable new networking controls.
-policycap network_peer_controls;
-
-# Enable open permission check.
-policycap open_perms;
-
-# Enable separate security classes for
-# all network address families previously
-# mapped to the socket class and for
-# ICMP and SCTP sockets previously mapped
-# to the rawip_socket class.
-policycap extended_socket_class;
-
-# Enable NoNewPrivileges support. Requires libsepol 2.7+
-# and kernel 4.14 (estimated).
-#
-# Checks enabled;
-# process2: nnp_transition, nosuid_transition
-#
-policycap nnp_nosuid_transition;
diff --git a/microdroid/system/private/port_contexts b/microdroid/system/private/port_contexts
deleted file mode 100644
index 2f40b38..0000000
--- a/microdroid/system/private/port_contexts
+++ /dev/null
@@ -1 +0,0 @@
-# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
deleted file mode 100644
index 6e795dc..0000000
--- a/microdroid/system/private/property.te
+++ /dev/null
@@ -1,37 +0,0 @@
-# Declare ART properties for CompOS
-system_public_prop(dalvik_config_prop)
-system_restricted_prop(device_config_runtime_native_prop)
-system_restricted_prop(device_config_runtime_native_boot_prop)
-
-# Don't audit legacy ctl. property handling. We only want the newer permission check to appear
-# in the audit log
-dontaudit domain {
- ctl_console_prop
- ctl_default_prop
- ctl_fuse_prop
-}:property_service set;
-
-###
-### Neverallow rules
-###
-
-# microdroid_manager_roothash_prop can only be set by microdroid_manager
-# and read by apkdmverity
-neverallow {
- domain
- -init
- -microdroid_manager
-} microdroid_manager_roothash_prop:property_service set;
-
-neverallow {
- domain
- -init
- -microdroid_manager
- -apkdmverity
-} microdroid_manager_roothash_prop:file no_rw_file_perms;
-
-# apexd_payload_metadata_prop can only set by init
-neverallow {
- domain
- -init
-} apexd_payload_metadata_prop:property_service set;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
deleted file mode 100644
index 6f65eff..0000000
--- a/microdroid/system/private/property_contexts
+++ /dev/null
@@ -1,160 +0,0 @@
-# property contexts for microdroid
-# microdroid only uses much fewer properties than normal Android, so every property is listed as
-# an exact entry. The only wildcards are "debug.*", "init.svc_debug_pid.*", "ctl.*", and
-# process-dependent properties like "arm64.memtag.*" and "log.tag.*".
-
-debug. u:object_r:debug_prop:s0 prefix
-persist.debug. u:object_r:debug_prop:s0 prefix
-
-init.svc_debug_pid. u:object_r:init_svc_debug_prop:s0 prefix int
-
-ctl.sigstop_on$ u:object_r:ctl_sigstop_prop:s0
-ctl.sigstop_off$ u:object_r:ctl_sigstop_prop:s0
-ctl.start$ u:object_r:ctl_start_prop:s0
-ctl.stop$ u:object_r:ctl_stop_prop:s0
-ctl.restart$ u:object_r:ctl_restart_prop:s0
-ctl.interface_start$ u:object_r:ctl_interface_start_prop:s0
-ctl.interface_stop$ u:object_r:ctl_interface_stop_prop:s0
-ctl.interface_restart$ u:object_r:ctl_interface_restart_prop:s0
-
-ctl.start$adbd u:object_r:ctl_adbd_prop:s0
-ctl.stop$adbd u:object_r:ctl_adbd_prop:s0
-ctl.restart$adbd u:object_r:ctl_adbd_prop:s0
-
-ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-
-ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
-ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
-ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
-ctl.start$tombstone_transmit u:object_r:ctl_tombstone_transmit_prop:s0
-ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
-
-ctl.console u:object_r:ctl_console_prop:s0
-ctl.fuse_ u:object_r:ctl_fuse_prop:s0
-ctl. u:object_r:ctl_default_prop:s0
-
-sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
-sys.powerctl u:object_r:powerctl_prop:s0
-
-service.adb.root u:object_r:shell_prop:s0 exact bool
-
-ro.logd.kernel u:object_r:logd_prop:s0 exact bool
-logd.ready u:object_r:logd_prop:s0 exact bool
-
-ro.config.low_ram u:object_r:build_prop:s0 exact bool
-
-ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
-ro.boottime.apexd-vm u:object_r:boottime_prop:s0 exact int
-ro.boottime.apkdmverity u:object_r:boottime_prop:s0 exact int
-ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
-ro.boottime.init u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
-ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
-ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
-ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
-ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
-ro.boottime.ueventd u:object_r:boottime_prop:s0 exact int
-ro.boottime.zipfuse u:object_r:boottime_prop:s0 exact int
-
-ro.build.fingerprint u:object_r:fingerprint_prop:s0 exact string
-
-apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
-ro.apex.updatable u:object_r:apexd_prop:s0 exact bool
-
-ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool
-
-sys.usb.controller u:object_r:usb_control_prop:s0 exact string
-persist.sys.usb.config u:object_r:usb_control_prop:s0 exact string
-
-init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.zipfuse u:object_r:init_service_status_private_prop:s0 exact string
-
-init.svc.adbd u:object_r:init_service_status_prop:s0 exact string
-init.svc.tombstoned u:object_r:init_service_status_prop:s0 exact string
-
-ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
-ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
-ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
-ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
-ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
-ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
-ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
-ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
-ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.hash_alg u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.invalidate_on_error u:object_r:bootloader_prop:s0 exact string
-ro.boot.vbmeta.size u:object_r:bootloader_prop:s0 exact string
-ro.boot.verifiedbootstate u:object_r:bootloader_prop:s0 exact string
-ro.boot.veritymode u:object_r:bootloader_prop:s0 exact string
-
-ro.baseband u:object_r:bootloader_prop:s0 exact string
-ro.bootloader u:object_r:bootloader_prop:s0 exact string
-ro.bootmode u:object_r:bootloader_prop:s0 exact string
-ro.hardware u:object_r:bootloader_prop:s0 exact string
-ro.revision u:object_r:bootloader_prop:s0 exact string
-
-ro.build.id u:object_r:build_prop:s0 exact string
-ro.build.version.codename u:object_r:build_prop:s0 exact string
-ro.build.version.release u:object_r:build_prop:s0 exact string
-ro.build.version.sdk u:object_r:build_prop:s0 exact int
-ro.build.version.security_patch u:object_r:build_prop:s0 exact string
-ro.debuggable u:object_r:build_prop:s0 exact bool
-ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
-ro.adb.secure u:object_r:build_prop:s0 exact bool
-
-ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-
-apex_config.done u:object_r:apex_config_prop:s0 exact bool
-
-microdroid_manager.apk_root_hash u:object_r:microdroid_manager_roothash_prop:s0 exact string
-
-dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
-dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
-dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
-dev.mnt.dev.vendor u:object_r:dev_mnt_prop:s0 exact string
-
-gsid.image_installed u:object_r:gsid_prop:s0 exact bool
-ro.gsid.image_running u:object_r:gsid_prop:s0 exact bool
-
-service.adb.listen_addrs u:object_r:adbd_prop:s0 exact string
-
-persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
-
-log.tag u:object_r:log_tag_prop:s0 prefix
-persist.log.tag u:object_r:log_tag_prop:s0 prefix
-
-libc.debug.malloc.options u:object_r:libc_debug_prop:s0 exact string
-libc.debug.malloc.program u:object_r:libc_debug_prop:s0 exact string
-libc.debug.hooks.enable u:object_r:libc_debug_prop:s0 exact string
-
-arm64.memtag. u:object_r:arm64_memtag_prop:s0 prefix string
-
-persist.sys.timezone u:object_r:timezone_prop:s0 exact string
-
-ro.vndk.version u:object_r:build_prop:s0 exact string
-
-heapprofd.enable u:object_r:heapprofd_prop:s0 exact bool
-
-# ART properties for CompOS
-dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
-ro.dalvik.vm. u:object_r:dalvik_config_prop:s0 prefix
-persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0 prefix
-persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0 prefix
-
-apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
diff --git a/microdroid/system/private/roles_decl b/microdroid/system/private/roles_decl
deleted file mode 100644
index c84fcba..0000000
--- a/microdroid/system/private/roles_decl
+++ /dev/null
@@ -1 +0,0 @@
-role r;
diff --git a/microdroid/system/private/seapp_contexts b/microdroid/system/private/seapp_contexts
deleted file mode 100644
index 2f40b38..0000000
--- a/microdroid/system/private/seapp_contexts
+++ /dev/null
@@ -1 +0,0 @@
-# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/system/private/security_classes b/microdroid/system/private/security_classes
deleted file mode 100644
index 0d3cc80..0000000
--- a/microdroid/system/private/security_classes
+++ /dev/null
@@ -1,170 +0,0 @@
-# FLASK
-
-#
-# Define the security object classes
-#
-
-# Classes marked as userspace are classes
-# for userspace object managers
-
-class security
-class process
-class system
-class capability
-
-# file-related classes
-class filesystem
-class file
-class anon_inode
-class dir
-class fd
-class lnk_file
-class chr_file
-class blk_file
-class sock_file
-class fifo_file
-
-# network-related classes
-class socket
-class tcp_socket
-class udp_socket
-class rawip_socket
-class node
-class netif
-class netlink_socket
-class packet_socket
-class key_socket
-class unix_stream_socket
-class unix_dgram_socket
-
-# sysv-ipc-related classes
-class sem
-class msg
-class msgq
-class shm
-class ipc
-
-# extended netlink sockets
-class netlink_route_socket
-class netlink_tcpdiag_socket
-class netlink_nflog_socket
-class netlink_xfrm_socket
-class netlink_selinux_socket
-class netlink_audit_socket
-class netlink_dnrt_socket
-
-# IPSec association
-class association
-
-# Updated Netlink class for KOBJECT_UEVENT family.
-class netlink_kobject_uevent_socket
-
-class appletalk_socket
-
-class packet
-
-# Kernel access key retention
-class key
-
-class dccp_socket
-
-class memprotect
-
-# network peer labels
-class peer
-
-# Capabilities >= 32
-class capability2
-
-# kernel services that need to override task security, e.g. cachefiles
-class kernel_service
-
-class tun_socket
-
-class binder
-
-# Updated netlink classes for more recent netlink protocols.
-class netlink_iscsi_socket
-class netlink_fib_lookup_socket
-class netlink_connector_socket
-class netlink_netfilter_socket
-class netlink_generic_socket
-class netlink_scsitransport_socket
-class netlink_rdma_socket
-class netlink_crypto_socket
-
-# Infiniband
-class infiniband_pkey
-class infiniband_endport
-
-# Capability checks when on a non-init user namespace
-class cap_userns
-class cap2_userns
-
-# New socket classes introduced by extended_socket_class policy capability.
-# These two were previously mapped to rawip_socket.
-class sctp_socket
-class icmp_socket
-# These were previously mapped to socket.
-class ax25_socket
-class ipx_socket
-class netrom_socket
-class atmpvc_socket
-class x25_socket
-class rose_socket
-class decnet_socket
-class atmsvc_socket
-class rds_socket
-class irda_socket
-class pppox_socket
-class llc_socket
-class can_socket
-class tipc_socket
-class bluetooth_socket
-class iucv_socket
-class rxrpc_socket
-class isdn_socket
-class phonet_socket
-class ieee802154_socket
-class caif_socket
-class alg_socket
-class nfc_socket
-class vsock_socket
-class kcm_socket
-class qipcrtr_socket
-class smc_socket
-
-class process2
-
-class bpf
-
-class xdp_socket
-
-class perf_event
-
-# Introduced in https://github.com/torvalds/linux/commit/59438b46471ae6cdfb761afc8c9beaf1e428a331
-class lockdown
-
-# Property service
-class property_service # userspace
-
-# Service manager
-class service_manager # userspace
-
-# hardware service manager # userspace
-class hwservice_manager
-
-# Legacy Keystore key permissions
-class keystore_key # userspace
-
-# Keystore 2.0 permissions
-class keystore2 # userspace
-
-# Keystore 2.0 key permissions
-class keystore2_key # userspace
-
-# Diced permissions
-class diced # userspace
-
-class drmservice # userspace
-# FLASK
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
deleted file mode 100644
index 9a27306..0000000
--- a/microdroid/system/private/service_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-android.hardware.security.dice.IDiceDevice/default u:object_r:hal_dice_service:s0
-
-adb u:object_r:adb_service:s0
-android.security.dice.IDiceMaintenance u:object_r:dice_maintenance_service:s0
-android.security.dice.IDiceNode u:object_r:dice_node_service:s0
-apexservice u:object_r:apex_service:s0
-authfs_service u:object_r:authfs_binder_service:s0
-manager u:object_r:service_manager_service:s0
-* u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
deleted file mode 100644
index d51c827..0000000
--- a/microdroid/system/private/servicemanager.te
+++ /dev/null
@@ -1,29 +0,0 @@
-typeattribute servicemanager coredomain;
-
-init_daemon_domain(servicemanager)
-
-selinux_check_access(servicemanager)
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains. It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
- domain
- -init
- -vendor_init
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-add_service(servicemanager, service_manager_service)
-
-set_prop(servicemanager, ctl_interface_start_prop)
-
-# servicemanager is using bootstrap bionic
-use_bootstrap_libs(servicemanager)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
deleted file mode 100644
index c93b488..0000000
--- a/microdroid/system/private/shell.te
+++ /dev/null
@@ -1,41 +0,0 @@
-typeattribute shell coredomain;
-
-# allow shell input injection
-allow shell uhid_device:chr_file rw_file_perms;
-
-# Perform SELinux access checks, needed for CTS
-selinux_check_access(shell)
-selinux_check_context(shell)
-
-# Allow shell to run adb shell cmd stats commands. Needed for CTS.
-binder_call(shell, statsd);
-
-# Allow shell to launch microdroid_launcher in its own domain
-# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
-domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
-
-# Connect to adbd and use a socket transferred from it.
-# This is used for e.g. adb backup/restore.
-allow shell adbd:unix_stream_socket connectto;
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
-
-# filesystem test for insecure chr_file's is done
-# via a host side test
-allow shell dev_type:dir r_dir_perms;
-allow shell dev_type:chr_file getattr;
-
-# filesystem test for insucre blk_file's is done
-# via hostside test
-allow shell dev_type:blk_file getattr;
-
-# Test tool automatically tries to access /sys/class/power_supply.
-# Suppressing it as we don't need power_supply in microdroid.
-dontaudit shell sysfs:dir r_dir_perms;
-
-# Test tool tries to read various service status properties.
-get_prop(shell, init_service_status_prop)
-get_prop(shell, init_service_status_private_prop)
-
-set_prop(shell, log_tag_prop)
diff --git a/microdroid/system/private/statsd.te b/microdroid/system/private/statsd.te
deleted file mode 100644
index 437f505..0000000
--- a/microdroid/system/private/statsd.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute statsd coredomain;
-
-init_daemon_domain(statsd)
diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
deleted file mode 100644
index 1196262..0000000
--- a/microdroid/system/private/su.te
+++ /dev/null
@@ -1,9 +0,0 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
-
- domain_auto_trans(shell, su_exec, su)
-
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
deleted file mode 100644
index 588ebff..0000000
--- a/microdroid/system/private/tombstone_transmit.te
+++ /dev/null
@@ -1,8 +0,0 @@
-type tombstone_transmit, domain, coredomain;
-type tombstone_transmit_exec, exec_type, system_file_type, file_type;
-
-init_daemon_domain(tombstone_transmit)
-
-r_dir_file(tombstone_transmit, tombstone_data_file)
-
-allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/microdroid/system/private/tombstoned.te b/microdroid/system/private/tombstoned.te
deleted file mode 100644
index 2567a23..0000000
--- a/microdroid/system/private/tombstoned.te
+++ /dev/null
@@ -1,12 +0,0 @@
-typeattribute tombstoned coredomain;
-
-init_daemon_domain(tombstoned)
-
-# Write to arbitrary pipes given to us.
-allow tombstoned domain:fd use;
-allow tombstoned domain:fifo_file write;
-
-allow tombstoned domain:dir r_dir_perms;
-allow tombstoned domain:file r_file_perms;
-allow tombstoned tombstone_data_file:dir rw_dir_perms;
-allow tombstoned tombstone_data_file:file { create_file_perms link };
diff --git a/microdroid/system/private/toolbox.te b/microdroid/system/private/toolbox.te
deleted file mode 100644
index a2b958d..0000000
--- a/microdroid/system/private/toolbox.te
+++ /dev/null
@@ -1,3 +0,0 @@
-typeattribute toolbox coredomain;
-
-init_daemon_domain(toolbox)
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
deleted file mode 100644
index a855509..0000000
--- a/microdroid/system/private/ueventd.te
+++ /dev/null
@@ -1,53 +0,0 @@
-typeattribute ueventd coredomain;
-
-tmpfs_domain(ueventd)
-
-# Write to /dev/kmsg.
-allow ueventd kmsg_device:chr_file rw_file_perms;
-
-allow ueventd self:global_capability_class_set { chown mknod net_admin setgid fsetid sys_rawio dac_override dac_read_search fowner setuid };
-allow ueventd device:file create_file_perms;
-
-r_dir_file(ueventd, rootfs)
-
-# ueventd needs write access to files in /sys to regenerate uevents
-allow ueventd sysfs_type:file w_file_perms;
-r_dir_file(ueventd, sysfs_type)
-allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
-allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
-allow ueventd dev_type:dir create_dir_perms;
-allow ueventd dev_type:lnk_file { create unlink };
-allow ueventd dev_type:chr_file { getattr create setattr unlink };
-allow ueventd dev_type:blk_file { getattr relabelfrom relabelto create setattr unlink };
-allow ueventd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# Get SELinux enforcing status.
-r_dir_file(ueventd, selinuxfs)
-
-# Access for /vendor/ueventd.rc and /vendor/firmware
-r_dir_file(ueventd, vendor_file_type)
-
-# Access for /apex/*/firmware
-allow ueventd apex_mnt_dir:dir r_dir_perms;
-
-# Get file contexts for new device nodes
-allow ueventd file_contexts_file:file r_file_perms;
-
-# Use setfscreatecon() to label /dev directories and files.
-allow ueventd self:process setfscreate;
-
-# Allow ueventd to read androidboot.android_dt_dir from kernel cmdline or bootconfig.
-allow ueventd proc_cmdline:file r_file_perms;
-allow ueventd proc_bootconfig:file r_file_perms;
-
-# ueventd loads modules in response to modalias events.
-allow ueventd self:global_capability_class_set sys_module;
-allow ueventd vendor_file:system module_load;
-allow ueventd kernel:key search;
-
-# ueventd is using bootstrap bionic
-use_bootstrap_libs(ueventd)
-
-# ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
-set_prop(ueventd, cold_boot_done_prop)
diff --git a/microdroid/system/private/users b/microdroid/system/private/users
deleted file mode 100644
index 51b7b57..0000000
--- a/microdroid/system/private/users
+++ /dev/null
@@ -1 +0,0 @@
-user u roles { r } level s0 range s0 - mls_systemhigh;
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
deleted file mode 100644
index 6652e27..0000000
--- a/microdroid/system/private/zipfuse.te
+++ /dev/null
@@ -1,50 +0,0 @@
-# zipfuse is a FUSE daemon running in the microdroid. It mounts
-# /dev/block/by-name/microdroid-apk whose content is from an apk file on
-# /mnt/apk so that the entries in the apk file are seen as regular files. See
-# packages/modules/Virtualization/zipfuse.
-
-type zipfuse, domain, coredomain;
-type zipfuse_exec, exec_type, file_type, system_file_type;
-
-# zipfuse is using bootstrap bionic
-use_bootstrap_libs(zipfuse)
-
-# allow basic rules to implement FUSE
-allow zipfuse fuse_device:chr_file rw_file_perms;
-allow zipfuse self:global_capability_class_set sys_admin;
-
-# allow access to /dev/vd* block device files and also access to the symlinks
-# /dev/block/by-name/*
-allow zipfuse block_device:dir r_dir_perms;
-allow zipfuse block_device:lnk_file r_file_perms;
-
-# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
-allow zipfuse dm_device:blk_file r_file_perms;
-
-# allow mounting on /mnt/apk
-allow zipfuse tmpfs:dir mounton;
-
-# allow mounting with fscontext=u:object_r:zipfusefs:s0
-type zipfusefs, fs_type, contextmount_type;
-allow zipfuse fuse:filesystem relabelfrom;
-allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-
-# allow mounting with context=u:object_r:system_file:s0 so that files provided
-# by zipfuse are treated the same as the other files in /system or /apex
-allow system_file zipfusefs:filesystem associate;
-
-# allow zipfuse to log to the kernel
-allow zipfuse kmsg_device:chr_file w_file_perms;
-
-# allow zipfuse to handle extra apks
-r_dir_file(zipfuse, extra_apk_file)
-allow zipfuse extra_apk_file:dir mounton;
-
-# zipfuse is forked from microdroid_manager
-allow zipfuse microdroid_manager:fd use;
-
-# Only microdroid_manager can run zipfuse
-neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
-
-# only zipfuse can mount on extra_apk_file
-neverallow { domain -zipfuse } extra_apk_file:dir mounton;
diff --git a/microdroid/system/public/adbd.te b/microdroid/system/public/adbd.te
deleted file mode 100644
index a41d4a3..0000000
--- a/microdroid/system/public/adbd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type adbd, domain;
-type adbd_exec, exec_type, file_type, system_file_type;
diff --git a/microdroid/system/public/apexd.te b/microdroid/system/public/apexd.te
deleted file mode 100644
index f80c1da..0000000
--- a/microdroid/system/public/apexd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-type apexd, domain, coredomain;
-type apexd_exec, file_type, exec_type, system_file_type;
-
-binder_use(apexd)
-add_service(apexd, apex_service)
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
deleted file mode 100644
index 00b5f2b..0000000
--- a/microdroid/system/public/attributes
+++ /dev/null
@@ -1,172 +0,0 @@
-######################################
-# Attribute declarations
-#
-
-# All types used for devices.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# in tools/checkfc.c
-attribute dev_type;
-
-# TODO(b/202520796) Remove this attribute once the sc-dev branch stops using it.
-attribute bdev_type;
-
-# All types used for processes.
-attribute domain;
-
-# All types used for filesystems.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute fs_type;
-
-# All types used for context= mounts.
-attribute contextmount_type;
-
-# All types used for files that can exist on a labeled fs.
-# Do not use for pseudo file types.
-# On change, update CHECK_FC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute file_type;
-
-# All types used for domain entry points.
-attribute exec_type;
-
-# All types used for /data files.
-attribute data_file_type;
-expandattribute data_file_type false;
-# All types in /data, not in /data/vendor
-attribute core_data_file_type;
-expandattribute core_data_file_type false;
-
-# All types in /system
-attribute system_file_type;
-
-# All types in /vendor
-attribute vendor_file_type;
-
-# All types used for procfs files.
-attribute proc_type;
-expandattribute proc_type false;
-
-# Types in /proc/net, excluding qtaguid types.
-# TODO(b/9496886) Lock down access to /proc/net.
-# This attribute is used to audit access to proc_net. it is temporary and will
-# be removed.
-attribute proc_net_type;
-expandattribute proc_net_type true;
-
-# All types used for sysfs files.
-attribute sysfs_type;
-
-# All types use for debugfs files.
-attribute debugfs_type;
-
-# All types used for tracefs files.
-attribute tracefs_type;
-
-# Attribute used for all sdcards
-attribute sdcard_type;
-
-# All types used for nodes/hosts.
-attribute node_type;
-
-# All types used for network interfaces.
-attribute netif_type;
-
-# All types used for network ports.
-attribute port_type;
-
-# All types used for property service
-# On change, update CHECK_PC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute property_type;
-
-# Properties used for representing ownership. All properties should have one
-# of: system_property_type, product_property_type, or vendor_property_type.
-
-# All properties defined by /system.
-attribute system_property_type;
-expandattribute system_property_type false;
-
-# All /system-defined properties used only in /system.
-attribute system_internal_property_type;
-expandattribute system_internal_property_type false;
-
-# All /system-defined properties which can't be written outside /system.
-attribute system_restricted_property_type;
-expandattribute system_restricted_property_type false;
-
-# All /system-defined properties with no restrictions.
-attribute system_public_property_type;
-expandattribute system_public_property_type false;
-
-# All properties defined by /product.
-# Currently there are no enforcements between /system and /product, so for now
-# /product attributes are just replaced to /system attributes.
-define(`product_property_type', `system_property_type')
-define(`product_internal_property_type', `system_internal_property_type')
-define(`product_restricted_property_type', `system_restricted_property_type')
-define(`product_public_property_type', `system_public_property_type')
-
-# All properties defined by /vendor.
-attribute vendor_property_type;
-expandattribute vendor_property_type false;
-
-# All /vendor-defined properties used only in /vendor.
-attribute vendor_internal_property_type;
-expandattribute vendor_internal_property_type false;
-
-# All /vendor-defined properties which can't be written outside /vendor.
-attribute vendor_restricted_property_type;
-expandattribute vendor_restricted_property_type false;
-
-# All /vendor-defined properties with no restrictions.
-attribute vendor_public_property_type;
-expandattribute vendor_public_property_type false;
-
-# services which served by vendor and also using the copy of libbinder on
-# system (for instance via libbinder_ndk). services using a different copy
-# of libbinder currently need their own context manager (e.g.
-# vndservicemanager)
-attribute vendor_service;
-
-# All types used for services managed by servicemanager.
-# On change, update CHECK_SC_ASSERT_ATTRS
-# definition in tools/checkfc.c.
-attribute service_manager_type;
-
-# All domains used for apps with network access.
-attribute netdomain;
-
-# All domains used for apps with bluetooth access.
-attribute bluetoothdomain;
-
-# All domains used for binder service domains.
-attribute binderservicedomain;
-
-# All core domains (as opposed to vendor/device-specific domains)
-attribute coredomain;
-
-# All socket devices owned by core domain components
-attribute coredomain_socket;
-expandattribute coredomain_socket false;
-
-# All HAL servers
-attribute halserverdomain;
-# All HAL clients
-attribute halclientdomain;
-expandattribute halclientdomain true;
-
-# HALs
-hal_attribute(dice);
-
-# All types used for DMA-BUF heaps
-attribute dmabuf_heap_device_type;
-expandattribute dmabuf_heap_device_type false;
-
-attribute fusefs_type;
-
-# All types run from microdroid_manager as a payload
-attribute microdroid_payload;
-
-# Domains that are blocked from producing a crash dump
-attribute no_crash_dump_domain;
diff --git a/microdroid/system/public/crash_dump.te b/microdroid/system/public/crash_dump.te
deleted file mode 100644
index d59b034..0000000
--- a/microdroid/system/public/crash_dump.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type crash_dump, domain;
-type crash_dump_exec, system_file_type, exec_type, file_type;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
deleted file mode 100644
index f99084c..0000000
--- a/microdroid/system/public/device.te
+++ /dev/null
@@ -1,41 +0,0 @@
-type ashmem_device, dev_type;
-type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type;
-type block_device, dev_type;
-type console_device, dev_type;
-type device, dev_type, fs_type;
-type dm_device, dev_type;
-type dm_user_device, dev_type;
-type dmabuf_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_heap_device, dev_type, dmabuf_heap_device_type;
-type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
-type fuse_device, dev_type;
-type hw_random_device, dev_type;
-type hwbinder_device, dev_type;
-type kmsg_debug_device, dev_type;
-type kmsg_device, dev_type;
-type kvm_device, dev_type;
-type loop_control_device, dev_type;
-type loop_device, dev_type;
-type null_device, dev_type;
-type open_dice_device, dev_type;
-type owntty_device, dev_type;
-type ppp_device, dev_type;
-type properties_device, dev_type;
-type properties_serial, dev_type;
-type property_info, dev_type;
-type ptmx_device, dev_type;
-type ram_device, dev_type;
-type random_device, dev_type;
-type rtc_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
-type tty_device, dev_type;
-type tun_device, dev_type;
-type uhid_device, dev_type;
-type uio_device, dev_type;
-type userdata_sysdev, dev_type;
-type vd_device, dev_type;
-type vndbinder_device, dev_type;
-type vsock_device, dev_type;
-type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
deleted file mode 100644
index 57be060..0000000
--- a/microdroid/system/public/file.te
+++ /dev/null
@@ -1,200 +0,0 @@
-type system_linker_exec, file_type, system_file_type;
-
-# file types
-type adbd_socket, file_type, coredomain_socket;
-type apex_info_file, file_type;
-type apex_mnt_dir, file_type;
-type authfs_data_file, file_type, data_file_type, core_data_file_type;
-type cgroup_desc_api_file, file_type, system_file_type;
-type cgroup_desc_file, file_type, system_file_type;
-type cgroup_rc_file, file_type;
-type extra_apk_file, file_type;
-type file_contexts_file, file_type, system_file_type;
-type linkerconfig_file, file_type;
-type logd_socket, file_type, coredomain_socket;
-type logdr_socket, file_type, coredomain_socket;
-type logdw_socket, file_type, coredomain_socket;
-type nativetest_data_file, file_type, data_file_type, core_data_file_type;
-type property_contexts_file, file_type, system_file_type;
-type property_socket, file_type, coredomain_socket;
-type runtime_event_log_tags_file, file_type;
-type sepolicy_file, file_type, system_file_type;
-type service_contexts_file, file_type, system_file_type;
-type shell_data_file, file_type, data_file_type, core_data_file_type;
-type shell_test_data_file, file_type, data_file_type, core_data_file_type;
-type statsdw_socket, file_type, coredomain_socket;
-type system_bootstrap_lib_file, file_type, system_file_type;
-type system_data_file, file_type, data_file_type, core_data_file_type;
-type system_data_root_file, file_type, data_file_type, core_data_file_type;
-type system_event_log_tags_file, file_type, system_file_type;
-type system_file, file_type, system_file_type;
-type system_group_file, file_type, system_file_type;
-type system_lib_file, file_type, system_file_type;
-type system_linker_config_file, file_type, system_file_type;
-type system_passwd_file, file_type, system_file_type;
-type system_seccomp_policy_file, file_type, system_file_type;
-type system_security_cacerts_file, file_type, system_file_type;
-type task_profiles_api_file, file_type, system_file_type;
-type task_profiles_file, file_type, system_file_type;
-type tombstone_data_file, file_type, data_file_type, core_data_file_type;
-type tombstoned_crash_socket, file_type, coredomain_socket;
-type tombstoned_intercept_socket, file_type, coredomain_socket;
-type tombstoned_java_trace_socket, file_type;
-type trace_data_file, file_type, data_file_type, core_data_file_type;
-type unlabeled, file_type;
-type vendor_configs_file, file_type, vendor_file_type;
-type vendor_data_file, file_type, data_file_type;
-type vendor_file, file_type, vendor_file_type;
-type vendor_service_contexts_file, vendor_file_type, file_type;
-
-# file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
-type binfmt_miscfs, fs_type;
-type cgroup, fs_type;
-type cgroup_v2, fs_type;
-type config_gz, fs_type, proc_type;
-type configfs, fs_type;
-type debugfs, fs_type, debugfs_type;
-type debugfs_bootreceiver_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_kcov, fs_type, debugfs_type;
-type debugfs_kprobes, fs_type, debugfs_type;
-type debugfs_mm_events_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_mmc, fs_type, debugfs_type;
-type debugfs_trace_marker, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_debug, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_instances, fs_type, debugfs_type, tracefs_type;
-type debugfs_tracing_printk_formats, fs_type, debugfs_type, tracefs_type;
-type debugfs_wakeup_sources, fs_type, debugfs_type;
-type debugfs_wifi_tracing, fs_type, debugfs_type, tracefs_type;
-type devpts, fs_type;
-type devtmpfs;
-type exfat, fs_type, sdcard_type;
-type fs_bpf, fs_type;
-type fs_bpf_tethering, fs_type;
-type functionfs, fs_type;
-type fuse, fs_type, fusefs_type;
-type fusectlfs, fs_type;
-type inotify, fs_type;
-type labeledfs, fs_type;
-type mqueue, fs_type;
-type pipefs, fs_type;
-type proc, fs_type, proc_type;
-type proc_abi, fs_type, proc_type;
-type proc_asound, fs_type, proc_type;
-type proc_bootconfig, fs_type, proc_type;
-type proc_buddyinfo, fs_type, proc_type;
-type proc_cmdline, fs_type, proc_type;
-type proc_cpuinfo, fs_type, proc_type;
-type proc_dirty, fs_type, proc_type;
-type proc_diskstats, fs_type, proc_type;
-type proc_drop_caches, fs_type, proc_type;
-type proc_extra_free_kbytes, fs_type, proc_type;
-type proc_filesystems, fs_type, proc_type;
-type proc_fs_verity, fs_type, proc_type;
-type proc_hostname, fs_type, proc_type;
-type proc_hung_task, fs_type, proc_type;
-type proc_interrupts, fs_type, proc_type;
-type proc_iomem, fs_type, proc_type;
-type proc_kallsyms, fs_type, proc_type;
-type proc_keys, fs_type, proc_type;
-type proc_kmsg, fs_type, proc_type;
-type proc_kpageflags, fs_type, proc_type;
-type proc_loadavg, fs_type, proc_type;
-type proc_locks, fs_type, proc_type;
-type proc_lowmemorykiller, fs_type, proc_type;
-type proc_max_map_count, fs_type, proc_type;
-type proc_meminfo, fs_type, proc_type;
-type proc_min_free_order_shift, fs_type, proc_type;
-type proc_misc, fs_type, proc_type;
-type proc_modules, fs_type, proc_type;
-type proc_mounts, fs_type, proc_type;
-type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_tcp_udp, fs_type, proc_type;
-type proc_overcommit_memory, fs_type, proc_type;
-type proc_page_cluster, fs_type, proc_type;
-type proc_pagetypeinfo, fs_type, proc_type;
-type proc_panic, fs_type, proc_type;
-type proc_perf, fs_type, proc_type;
-type proc_pid_max, fs_type, proc_type;
-type proc_pipe_conf, fs_type, proc_type;
-type proc_pressure_cpu, fs_type, proc_type;
-type proc_pressure_io, fs_type, proc_type;
-type proc_pressure_mem, fs_type, proc_type;
-type proc_qtaguid_ctrl, fs_type, proc_type;
-type proc_qtaguid_stat, fs_type, proc_type;
-type proc_random, fs_type, proc_type;
-type proc_sched, fs_type, proc_type;
-type proc_security, fs_type, proc_type;
-type proc_slabinfo, fs_type, proc_type;
-type proc_stat, fs_type, proc_type;
-type proc_swaps, fs_type, proc_type;
-type proc_sysrq, fs_type, proc_type;
-type proc_timer, fs_type, proc_type;
-type proc_tty_drivers, fs_type, proc_type;
-type proc_uid_concurrent_active_time, fs_type, proc_type;
-type proc_uid_concurrent_policy_time, fs_type, proc_type;
-type proc_uid_cpupower, fs_type, proc_type;
-type proc_uid_cputime_removeuid, fs_type, proc_type;
-type proc_uid_cputime_showstat, fs_type, proc_type;
-type proc_uid_io_stats, fs_type, proc_type;
-type proc_uid_procstat_set, fs_type, proc_type;
-type proc_uid_time_in_state, fs_type, proc_type;
-type proc_uptime, fs_type, proc_type;
-type proc_version, fs_type, proc_type;
-type proc_vmallocinfo, fs_type, proc_type;
-type proc_vmstat, fs_type, proc_type;
-type proc_zoneinfo, fs_type, proc_type;
-type pstorefs, fs_type;
-type rootfs, fs_type;
-type sdcardfs, fs_type, sdcard_type;
-type securityfs, fs_type;
-type selinuxfs, fs_type;
-type shm, fs_type;
-type sockfs, fs_type;
-type sysfs, fs_type, sysfs_type;
-type sysfs_android_usb, fs_type, sysfs_type;
-type sysfs_bluetooth_writable, fs_type, sysfs_type;
-type sysfs_devices_block, fs_type, sysfs_type;
-type sysfs_devices_cs_etm, fs_type, sysfs_type;
-type sysfs_devices_system_cpu, fs_type, sysfs_type;
-type sysfs_dm, fs_type, sysfs_type;
-type sysfs_dm_verity, fs_type, sysfs_type;
-type sysfs_dma_heap, fs_type, sysfs_type;
-type sysfs_dmabuf_stats, fs_type, sysfs_type;
-type sysfs_dt_avf, fs_type, sysfs_type;
-type sysfs_dt_firmware_android, fs_type, sysfs_type;
-type sysfs_extcon, fs_type, sysfs_type;
-type sysfs_fs_ext4_features, fs_type, sysfs_type;
-type sysfs_fs_f2fs, fs_type, sysfs_type;
-type sysfs_fs_incfs_features, fs_type, sysfs_type;
-type sysfs_fs_incfs_metrics, fs_type, sysfs_type;
-type sysfs_hwrandom, fs_type, sysfs_type;
-type sysfs_ion, fs_type, sysfs_type;
-type sysfs_ipv4, fs_type, sysfs_type;
-type sysfs_kernel_notes, fs_type, sysfs_type;
-type sysfs_leds, fs_type, sysfs_type;
-type sysfs_loop, fs_type, sysfs_type;
-type sysfs_lowmemorykiller, fs_type, sysfs_type;
-type sysfs_net, fs_type, sysfs_type;
-type sysfs_nfc_power_writable, fs_type, sysfs_type;
-type sysfs_power, fs_type, sysfs_type;
-type sysfs_rtc, fs_type, sysfs_type;
-type sysfs_suspend_stats, fs_type, sysfs_type;
-type sysfs_switch, fs_type, sysfs_type;
-type sysfs_transparent_hugepage, fs_type, sysfs_type;
-type sysfs_uhid, fs_type, sysfs_type;
-type sysfs_usermodehelper, fs_type, sysfs_type;
-type sysfs_vibrator, fs_type, sysfs_type;
-type sysfs_wake_lock, fs_type, sysfs_type;
-type sysfs_wakeup, fs_type, sysfs_type;
-type sysfs_wakeup_reasons, fs_type, sysfs_type;
-type sysfs_wlan_fwpath, fs_type, sysfs_type;
-type sysfs_zram, fs_type, sysfs_type;
-type sysfs_zram_uevent, fs_type, sysfs_type;
-type tmpfs, fs_type;
-type usbfs, fs_type;
-type usermodehelper, fs_type, proc_type;
-type vfat, fs_type, sdcard_type;
diff --git a/microdroid/system/public/global_macros b/microdroid/system/public/global_macros
deleted file mode 100644
index 2c87fde..0000000
--- a/microdroid/system/public/global_macros
+++ /dev/null
@@ -1,51 +0,0 @@
-#####################################
-# Common groupings of object classes.
-#
-define(`capability_class_set', `{ capability capability2 cap_userns cap2_userns }')
-define(`global_capability_class_set', `{ capability cap_userns }')
-define(`global_capability2_class_set', `{ capability2 cap2_userns }')
-
-define(`devfile_class_set', `{ chr_file blk_file }')
-define(`notdevfile_class_set', `{ file lnk_file sock_file fifo_file }')
-define(`file_class_set', `{ devfile_class_set notdevfile_class_set }')
-define(`dir_file_class_set', `{ dir file_class_set }')
-
-define(`socket_class_set', `{ socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket appletalk_socket netlink_route_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket netlink_rdma_socket netlink_crypto_socket sctp_socket icmp_socket ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket }')
-define(`dgram_socket_class_set', `{ udp_socket unix_dgram_socket }')
-define(`stream_socket_class_set', `{ tcp_socket unix_stream_socket sctp_socket }')
-define(`unpriv_socket_class_set', `{ tcp_socket udp_socket unix_stream_socket unix_dgram_socket sctp_socket }')
-define(`network_socket_class_set', `{ icmp_socket rawip_socket tcp_socket udp_socket }')
-
-define(`ipc_class_set', `{ sem msgq shm ipc }')
-
-#####################################
-# Common groupings of permissions.
-#
-define(`x_file_perms', `{ getattr execute execute_no_trans map }')
-define(`r_file_perms', `{ getattr open read ioctl lock map watch watch_reads }')
-define(`w_file_perms', `{ open append write lock map }')
-define(`rx_file_perms', `{ r_file_perms x_file_perms }')
-define(`ra_file_perms', `{ r_file_perms append }')
-define(`rw_file_perms', `{ r_file_perms w_file_perms }')
-define(`rwx_file_perms', `{ rw_file_perms x_file_perms }')
-define(`create_file_perms', `{ create rename setattr unlink rw_file_perms }')
-
-define(`r_dir_perms', `{ open getattr read search ioctl lock watch watch_reads }')
-define(`w_dir_perms', `{ open search write add_name remove_name lock }')
-define(`ra_dir_perms', `{ r_dir_perms add_name write }')
-define(`rw_dir_perms', `{ r_dir_perms w_dir_perms }')
-define(`create_dir_perms', `{ create reparent rename rmdir setattr rw_dir_perms }')
-
-define(`r_ipc_perms', `{ getattr read associate unix_read }')
-define(`w_ipc_perms', `{ write unix_write }')
-define(`rw_ipc_perms', `{ r_ipc_perms w_ipc_perms }')
-define(`create_ipc_perms', `{ create setattr destroy rw_ipc_perms }')
-
-#####################################
-# Common socket permission sets.
-define(`rw_socket_perms', `{ ioctl read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`rw_socket_perms_no_ioctl', `{ read getattr write setattr lock append bind connect getopt setopt shutdown map }')
-define(`create_socket_perms', `{ create rw_socket_perms }')
-define(`create_socket_perms_no_ioctl', `{ create rw_socket_perms_no_ioctl }')
-define(`rw_stream_socket_perms', `{ rw_socket_perms listen accept }')
-define(`create_stream_socket_perms', `{ create rw_stream_socket_perms }')
diff --git a/microdroid/system/public/hal_dice.te b/microdroid/system/public/hal_dice.te
deleted file mode 100644
index 92222c5..0000000
--- a/microdroid/system/public/hal_dice.te
+++ /dev/null
@@ -1,4 +0,0 @@
-binder_call(hal_dice_client, hal_dice_server)
-
-hal_attribute_service(hal_dice, hal_dice_service)
-binder_call(hal_dice_server, servicemanager)
diff --git a/microdroid/system/public/init.te b/microdroid/system/public/init.te
deleted file mode 100644
index b4def39..0000000
--- a/microdroid/system/public/init.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# init is its own domain.
-type init, domain;
-type init_exec, system_file_type, exec_type, file_type;
-type init_tmpfs, file_type;
-
-allow init tmpfs:chr_file relabelfrom;
-allow init kmsg_device:chr_file { getattr write relabelto };
-allow init kmsg_debug_device:chr_file { open write relabelto };
diff --git a/microdroid/system/public/ioctl_defines b/microdroid/system/public/ioctl_defines
deleted file mode 100644
index 5ac4d94..0000000
--- a/microdroid/system/public/ioctl_defines
+++ /dev/null
@@ -1,2751 +0,0 @@
-define(`ADD_NEW_DISK', `0x40140921')
-define(`ADV7842_CMD_RAM_TEST', `0x000056c0')
-define(`AGPIOC_ACQUIRE', `0x00004101')
-define(`AGPIOC_ALLOCATE', `0xc0084106')
-define(`AGPIOC_BIND', `0x40084108')
-define(`AGPIOC_CHIPSET_FLUSH', `0x0000410a')
-define(`AGPIOC_DEALLOCATE', `0x40044107')
-define(`AGPIOC_INFO', `0x80084100')
-define(`AGPIOC_PROTECT', `0x40084105')
-define(`AGPIOC_RELEASE', `0x00004102')
-define(`AGPIOC_RESERVE', `0x40084104')
-define(`AGPIOC_SETUP', `0x40084103')
-define(`AGPIOC_UNBIND', `0x40084109')
-define(`AMDKFD_IOC_CREATE_QUEUE', `0xc0584b02')
-define(`AMDKFD_IOC_DESTROY_QUEUE', `0xc0084b03')
-define(`AMDKFD_IOC_GET_CLOCK_COUNTERS', `0xc0284b05')
-define(`AMDKFD_IOC_GET_PROCESS_APERTURES', `0x81904b06')
-define(`AMDKFD_IOC_GET_VERSION', `0x80084b01')
-define(`AMDKFD_IOC_SET_MEMORY_POLICY', `0x40204b04')
-define(`AMDKFD_IOC_UPDATE_QUEUE', `0x40184b07')
-define(`ANDROID_ALARM_SET_RTC', `0x40106105')
-define(`ANDROID_ALARM_WAIT', `0x00006101')
-define(`APEI_ERST_CLEAR_RECORD', `0x40084501')
-define(`APEI_ERST_GET_RECORD_COUNT', `0x80044502')
-define(`APM_IOC_STANDBY', `0x00004101')
-define(`APM_IOC_SUSPEND', `0x00004102')
-define(`ASHMEM_GET_NAME', `0x81007702')
-define(`ASHMEM_GET_PIN_STATUS', `0x00007709')
-define(`ASHMEM_GET_PROT_MASK', `0x00007706')
-define(`ASHMEM_GET_SIZE', `0x00007704')
-define(`ASHMEM_PIN', `0x40087707')
-define(`ASHMEM_PURGE_ALL_CACHES', `0x0000770a')
-define(`ASHMEM_SET_NAME', `0x41007701')
-define(`ASHMEM_SET_PROT_MASK', `0x40087705')
-define(`ASHMEM_SET_SIZE', `0x40087703')
-define(`ASHMEM_UNPIN', `0x40087708')
-define(`ATM_ADDADDR', `0x40106188')
-define(`ATM_ADDLECSADDR', `0x4010618e')
-define(`ATM_ADDPARTY', `0x401061f4')
-define(`ATMARPD_CTRL', `0x000061e1')
-define(`ATMARP_ENCAP', `0x000061e5')
-define(`ATMARP_MKIP', `0x000061e2')
-define(`ATMARP_SETENTRY', `0x000061e3')
-define(`ATM_DELADDR', `0x40106189')
-define(`ATM_DELLECSADDR', `0x4010618f')
-define(`ATM_DROPPARTY', `0x400461f5')
-define(`ATM_GETADDR', `0x40106186')
-define(`ATM_GETCIRANGE', `0x4010618a')
-define(`ATM_GETESI', `0x40106185')
-define(`ATM_GETLECSADDR', `0x40106190')
-define(`ATM_GETLINKRATE', `0x40106181')
-define(`ATM_GETLOOP', `0x40106152')
-define(`ATM_GETNAMES', `0x40106183')
-define(`ATM_GETSTAT', `0x40106150')
-define(`ATM_GETSTATZ', `0x40106151')
-define(`ATM_GETTYPE', `0x40106184')
-define(`ATMLEC_CTRL', `0x000061d0')
-define(`ATMLEC_DATA', `0x000061d1')
-define(`ATMLEC_MCAST', `0x000061d2')
-define(`ATMMPC_CTRL', `0x000061d8')
-define(`ATMMPC_DATA', `0x000061d9')
-define(`ATM_NEWBACKENDIF', `0x400261f3')
-define(`ATM_QUERYLOOP', `0x40106154')
-define(`ATM_RSTADDR', `0x40106187')
-define(`ATM_SETBACKEND', `0x400261f2')
-define(`ATM_SETCIRANGE', `0x4010618b')
-define(`ATM_SETESI', `0x4010618c')
-define(`ATM_SETESIF', `0x4010618d')
-define(`ATM_SETLOOP', `0x40106153')
-define(`ATM_SETSC', `0x400461f1')
-define(`ATMSIGD_CTRL', `0x000061f0')
-define(`ATMTCP_CREATE', `0x0000618e')
-define(`ATMTCP_REMOVE', `0x0000618f')
-define(`AUDIO_BILINGUAL_CHANNEL_SELECT', `0x00006f14')
-define(`AUDIO_CHANNEL_SELECT', `0x00006f09')
-define(`AUDIO_CLEAR_BUFFER', `0x00006f0c')
-define(`AUDIO_CONTINUE', `0x00006f04')
-define(`AUDIO_GET_CAPABILITIES', `0x80046f0b')
-define(`AUDIO_GET_PTS', `0x80086f13')
-define(`AUDIO_GET_STATUS', `0x80206f0a')
-define(`AUDIO_PAUSE', `0x00006f03')
-define(`AUDIO_PLAY', `0x00006f02')
-define(`AUDIO_SELECT_SOURCE', `0x00006f05')
-define(`AUDIO_SET_ATTRIBUTES', `0x40026f11')
-define(`AUDIO_SET_AV_SYNC', `0x00006f07')
-define(`AUDIO_SET_BYPASS_MODE', `0x00006f08')
-define(`AUDIO_SET_EXT_ID', `0x00006f10')
-define(`AUDIO_SET_ID', `0x00006f0d')
-define(`AUDIO_SET_KARAOKE', `0x400c6f12')
-define(`AUDIO_SET_MIXER', `0x40086f0e')
-define(`AUDIO_SET_MUTE', `0x00006f06')
-define(`AUDIO_SET_STREAMTYPE', `0x00006f0f')
-define(`AUDIO_STOP', `0x00006f01')
-define(`AUTOFS_DEV_IOCTL_ASKUMOUNT', `0xc018937d')
-define(`AUTOFS_DEV_IOCTL_CATATONIC', `0xc0189379')
-define(`AUTOFS_DEV_IOCTL_CLOSEMOUNT', `0xc0189375')
-define(`AUTOFS_DEV_IOCTL_EXPIRE', `0xc018937c')
-define(`AUTOFS_DEV_IOCTL_FAIL', `0xc0189377')
-define(`AUTOFS_DEV_IOCTL_ISMOUNTPOINT', `0xc018937e')
-define(`AUTOFS_DEV_IOCTL_OPENMOUNT', `0xc0189374')
-define(`AUTOFS_DEV_IOCTL_PROTOSUBVER', `0xc0189373')
-define(`AUTOFS_DEV_IOCTL_PROTOVER', `0xc0189372')
-define(`AUTOFS_DEV_IOCTL_READY', `0xc0189376')
-define(`AUTOFS_DEV_IOCTL_REQUESTER', `0xc018937b')
-define(`AUTOFS_DEV_IOCTL_SETPIPEFD', `0xc0189378')
-define(`AUTOFS_DEV_IOCTL_TIMEOUT', `0xc018937a')
-define(`AUTOFS_DEV_IOCTL_VERSION', `0xc0189371')
-define(`AUTOFS_IOC_ASKUMOUNT', `0x80049370')
-define(`AUTOFS_IOC_CATATONIC', `0x00009362')
-define(`AUTOFS_IOC_EXPIRE', `0x810c9365')
-define(`AUTOFS_IOC_EXPIRE_MULTI', `0x40049366')
-define(`AUTOFS_IOC_FAIL', `0x00009361')
-define(`AUTOFS_IOC_PROTOSUBVER', `0x80049367')
-define(`AUTOFS_IOC_PROTOVER', `0x80049363')
-define(`AUTOFS_IOC_READY', `0x00009360')
-define(`AUTOFS_IOC_SETTIMEOUT', `0xc0089364')
-define(`AUTOFS_IOC_SETTIMEOUT32', `0xc0049364')
-define(`BC_ACQUIRE', `0x40046305')
-define(`BC_ACQUIRE_DONE', `0x40106309')
-define(`BC_ACQUIRE_RESULT', `0x40046302')
-define(`BC_ATTEMPT_ACQUIRE', `0x4008630a')
-define(`BC_CLEAR_DEATH_NOTIFICATION', `0x400c630f')
-define(`BC_DEAD_BINDER_DONE', `0x40086310')
-define(`BC_DECREFS', `0x40046307')
-define(`BC_ENTER_LOOPER', `0x0000630c')
-define(`BC_EXIT_LOOPER', `0x0000630d')
-define(`BC_FREE_BUFFER', `0x40086303')
-define(`BC_INCREFS', `0x40046304')
-define(`BC_INCREFS_DONE', `0x40106308')
-define(`BC_REGISTER_LOOPER', `0x0000630b')
-define(`BC_RELEASE', `0x40046306')
-define(`BC_REPLY', `0x40406301')
-define(`BC_REQUEST_DEATH_NOTIFICATION', `0x400c630e')
-define(`BC_TRANSACTION', `0x40406300')
-define(`BINDER_ENABLE_ONEWAY_SPAM_DETECTION', `0x40046210')
-define(`BINDER_FREEZE', `0x400c620e')
-define(`BINDER_GET_FROZEN_INFO', `0xc00c620f')
-define(`BINDER_GET_NODE_DEBUG_INFO', `0xc018620b')
-define(`BINDER_GET_NODE_INFO_FOR_REF', `0xc018620c')
-define(`BINDER_SET_CONTEXT_MGR', `0x40046207')
-define(`BINDER_SET_CONTEXT_MGR_EXT', `0x4018620d')
-define(`BINDER_SET_IDLE_PRIORITY', `0x40046206')
-define(`BINDER_SET_IDLE_TIMEOUT', `0x40086203')
-define(`BINDER_SET_MAX_THREADS', `0x40046205')
-define(`BINDER_THREAD_EXIT', `0x40046208')
-define(`BINDER_VERSION', `0xc0046209')
-define(`BINDER_WRITE_READ', `0xc0306201')
-define(`BLKALIGNOFF', `0x0000127a')
-define(`BLKBSZGET', `0x80081270')
-define(`BLKBSZSET', `0x40081271')
-define(`BLKDISCARD', `0x00001277')
-define(`BLKDISCARDZEROES', `0x0000127c')
-define(`BLKFLSBUF', `0x00001261')
-define(`BLKFRAGET', `0x00001265')
-define(`BLKFRASET', `0x00001264')
-define(`BLKGETSIZE', `0x00001260')
-define(`BLKGETSIZE64', `0x80081272')
-define(`BLKI2OGRSTRAT', `0x80043201')
-define(`BLKI2OGWSTRAT', `0x80043202')
-define(`BLKI2OSRSTRAT', `0x40043203')
-define(`BLKI2OSWSTRAT', `0x40043204')
-define(`BLKIOMIN', `0x00001278')
-define(`BLKIOOPT', `0x00001279')
-define(`BLKPBSZGET', `0x0000127b')
-define(`BLKPG', `0x00001269')
-define(`BLKRAGET', `0x00001263')
-define(`BLKRASET', `0x00001262')
-define(`BLKROGET', `0x0000125e')
-define(`BLKROSET', `0x0000125d')
-define(`BLKROTATIONAL', `0x0000127e')
-define(`BLKRRPART', `0x0000125f')
-define(`BLKSECDISCARD', `0x0000127d')
-define(`BLKSECTGET', `0x00001267')
-define(`BLKSECTSET', `0x00001266')
-define(`BLKSSZGET', `0x00001268')
-define(`BLKTRACESETUP', `0xc0481273')
-define(`BLKTRACESTART', `0x00001274')
-define(`BLKTRACESTOP', `0x00001275')
-define(`BLKTRACETEARDOWN', `0x00001276')
-define(`BLKZEROOUT', `0x0000127f')
-define(`BR2684_SETFILT', `0x401c6190')
-define(`BR_ACQUIRE', `0x80107208')
-define(`BR_ACQUIRE_RESULT', `0x80047204')
-define(`BR_ATTEMPT_ACQUIRE', `0x8018720b')
-define(`BR_CLEAR_DEATH_NOTIFICATION_DONE', `0x80087210')
-define(`BR_DEAD_BINDER', `0x8008720f')
-define(`BR_DEAD_REPLY', `0x00007205')
-define(`BR_DECREFS', `0x8010720a')
-define(`BR_ERROR', `0x80047200')
-define(`BR_FAILED_REPLY', `0x00007211')
-define(`BR_FINISHED', `0x0000720e')
-define(`BR_INCREFS', `0x80107207')
-define(`BR_NOOP', `0x0000720c')
-define(`BR_OK', `0x00007201')
-define(`BR_ONEWAY_SPAM_SUSPECT', `0x00007213')
-define(`BR_RELEASE', `0x80107209')
-define(`BR_REPLY', `0x80407203')
-define(`BR_SPAWN_LOOPER', `0x0000720d')
-define(`BR_TRANSACTION', `0x80407202')
-define(`BR_TRANSACTION_COMPLETE', `0x00007206')
-define(`BT819_FIFO_RESET_HIGH', `0x00006201')
-define(`BT819_FIFO_RESET_LOW', `0x00006200')
-define(`BTRFS_IOC_ADD_DEV', `0x5000940a')
-define(`BTRFS_IOC_BALANCE', `0x5000940c')
-define(`BTRFS_IOC_BALANCE_CTL', `0x40049421')
-define(`BTRFS_IOC_BALANCE_PROGRESS', `0x84009422')
-define(`BTRFS_IOC_BALANCE_V2', `0xc4009420')
-define(`BTRFS_IOC_CLONE', `0x40049409')
-define(`BTRFS_IOC_CLONE_RANGE', `0x4020940d')
-define(`BTRFS_IOC_DEFAULT_SUBVOL', `0x40089413')
-define(`BTRFS_IOC_DEFRAG', `0x50009402')
-define(`BTRFS_IOC_DEFRAG_RANGE', `0x40309410')
-define(`BTRFS_IOC_DEVICES_READY', `0x90009427')
-define(`BTRFS_IOC_DEV_INFO', `0xd000941e')
-define(`BTRFS_IOC_DEV_REPLACE', `0xca289435')
-define(`BTRFS_IOC_FILE_EXTENT_SAME', `0xc0189436')
-define(`BTRFS_IOC_FS_INFO', `0x8400941f')
-define(`BTRFS_IOC_GET_DEV_STATS', `0xc4089434')
-define(`BTRFS_IOC_GET_FEATURES', `0x80189439')
-define(`BTRFS_IOC_GET_FSLABEL', `0x81009431')
-define(`BTRFS_IOC_GET_SUPPORTED_FEATURES', `0x80489439')
-define(`BTRFS_IOC_INO_LOOKUP', `0xd0009412')
-define(`BTRFS_IOC_INO_PATHS', `0xc0389423')
-define(`BTRFS_IOC_LOGICAL_INO', `0xc0389424')
-define(`BTRFS_IOC_QGROUP_ASSIGN', `0x40189429')
-define(`BTRFS_IOC_QGROUP_CREATE', `0x4010942a')
-define(`BTRFS_IOC_QGROUP_LIMIT', `0x8030942b')
-define(`BTRFS_IOC_QUOTA_CTL', `0xc0109428')
-define(`BTRFS_IOC_QUOTA_RESCAN', `0x4040942c')
-define(`BTRFS_IOC_QUOTA_RESCAN_STATUS', `0x8040942d')
-define(`BTRFS_IOC_QUOTA_RESCAN_WAIT', `0x0000942e')
-define(`BTRFS_IOC_RESIZE', `0x50009403')
-define(`BTRFS_IOC_RM_DEV', `0x5000940b')
-define(`BTRFS_IOC_SCAN_DEV', `0x50009404')
-define(`BTRFS_IOC_SCRUB', `0xc400941b')
-define(`BTRFS_IOC_SCRUB_CANCEL', `0x0000941c')
-define(`BTRFS_IOC_SCRUB_PROGRESS', `0xc400941d')
-define(`BTRFS_IOC_SEND', `0x40489426')
-define(`BTRFS_IOC_SET_FEATURES', `0x40309439')
-define(`BTRFS_IOC_SET_FSLABEL', `0x41009432')
-define(`BTRFS_IOC_SET_RECEIVED_SUBVOL', `0xc0c89425')
-define(`BTRFS_IOC_SNAP_CREATE', `0x50009401')
-define(`BTRFS_IOC_SNAP_CREATE_V2', `0x50009417')
-define(`BTRFS_IOC_SNAP_DESTROY', `0x5000940f')
-define(`BTRFS_IOC_SPACE_INFO', `0xc0109414')
-define(`BTRFS_IOC_START_SYNC', `0x80089418')
-define(`BTRFS_IOC_SUBVOL_CREATE', `0x5000940e')
-define(`BTRFS_IOC_SUBVOL_CREATE_V2', `0x50009418')
-define(`BTRFS_IOC_SUBVOL_GETFLAGS', `0x80089419')
-define(`BTRFS_IOC_SUBVOL_SETFLAGS', `0x4008941a')
-define(`BTRFS_IOC_SYNC', `0x00009408')
-define(`BTRFS_IOC_TRANS_END', `0x00009407')
-define(`BTRFS_IOC_TRANS_START', `0x00009406')
-define(`BTRFS_IOC_TREE_SEARCH', `0xd0009411')
-define(`BTRFS_IOC_TREE_SEARCH_V2', `0xc0709411')
-define(`BTRFS_IOC_WAIT_SYNC', `0x40089416')
-define(`CA_GET_CAP', `0x80106f81')
-define(`CA_GET_DESCR_INFO', `0x80086f83')
-define(`CA_GET_MSG', `0x810c6f84')
-define(`CA_GET_SLOT_INFO', `0x800c6f82')
-define(`CAPI_CLR_FLAGS', `0x80044325')
-define(`CAPI_GET_ERRCODE', `0x80024321')
-define(`CAPI_GET_FLAGS', `0x80044323')
-define(`CAPI_GET_MANUFACTURER', `0xc0044306')
-define(`CAPI_GET_PROFILE', `0xc0404309')
-define(`CAPI_GET_SERIAL', `0xc0044308')
-define(`CAPI_GET_VERSION', `0xc0104307')
-define(`CAPI_INSTALLED', `0x80024322')
-define(`CAPI_MANUFACTURER_CMD', `0xc0104320')
-define(`CAPI_NCCI_GETUNIT', `0x80044327')
-define(`CAPI_NCCI_OPENCOUNT', `0x80044326')
-define(`CAPI_REGISTER', `0x400c4301')
-define(`CAPI_SET_FLAGS', `0x80044324')
-define(`CA_RESET', `0x00006f80')
-define(`CA_SEND_MSG', `0x410c6f85')
-define(`CA_SET_DESCR', `0x40106f86')
-define(`CA_SET_PID', `0x40086f87')
-define(`CCISS_BIG_PASSTHRU', `0xc0604212')
-define(`CCISS_DEREGDISK', `0x0000420c')
-define(`CCISS_GETBUSTYPES', `0x80044207')
-define(`CCISS_GETDRIVVER', `0x80044209')
-define(`CCISS_GETFIRMVER', `0x80044208')
-define(`CCISS_GETHEARTBEAT', `0x80044206')
-define(`CCISS_GETINTINFO', `0x80084202')
-define(`CCISS_GETLUNINFO', `0x800c4211')
-define(`CCISS_GETNODENAME', `0x80104204')
-define(`CCISS_GETPCIINFO', `0x80084201')
-define(`CCISS_PASSTHRU', `0xc058420b')
-define(`CCISS_REGNEWD', `0x0000420e')
-define(`CCISS_REGNEWDISK', `0x4004420d')
-define(`CCISS_RESCANDISK', `0x00004210')
-define(`CCISS_REVALIDVOLS', `0x0000420a')
-define(`CCISS_SETINTINFO', `0x40084203')
-define(`CCISS_SETNODENAME', `0x40104205')
-define(`CDROMAUDIOBUFSIZ', `0x00005382')
-define(`CDROM_CHANGER_NSLOTS', `0x00005328')
-define(`CDROM_CLEAR_OPTIONS', `0x00005321')
-define(`CDROMCLOSETRAY', `0x00005319')
-define(`CDROM_DEBUG', `0x00005330')
-define(`CDROM_DISC_STATUS', `0x00005327')
-define(`CDROM_DRIVE_STATUS', `0x00005326')
-define(`CDROMEJECT', `0x00005309')
-define(`CDROMEJECT_SW', `0x0000530f')
-define(`CDROM_GET_CAPABILITY', `0x00005331')
-define(`CDROM_GET_MCN', `0x00005311')
-define(`CDROMGETSPINDOWN', `0x0000531d')
-define(`CDROM_LAST_WRITTEN', `0x00005395')
-define(`CDROM_LOCKDOOR', `0x00005329')
-define(`CDROM_MEDIA_CHANGED', `0x00005325')
-define(`CDROMMULTISESSION', `0x00005310')
-define(`CDROM_NEXT_WRITABLE', `0x00005394')
-define(`CDROMPAUSE', `0x00005301')
-define(`CDROMPLAYBLK', `0x00005317')
-define(`CDROMPLAYMSF', `0x00005303')
-define(`CDROMPLAYTRKIND', `0x00005304')
-define(`CDROMREADALL', `0x00005318')
-define(`CDROMREADAUDIO', `0x0000530e')
-define(`CDROMREADCOOKED', `0x00005315')
-define(`CDROMREADMODE1', `0x0000530d')
-define(`CDROMREADMODE2', `0x0000530c')
-define(`CDROMREADRAW', `0x00005314')
-define(`CDROMREADTOCENTRY', `0x00005306')
-define(`CDROMREADTOCHDR', `0x00005305')
-define(`CDROMRESET', `0x00005312')
-define(`CDROMRESUME', `0x00005302')
-define(`CDROMSEEK', `0x00005316')
-define(`CDROM_SELECT_DISC', `0x00005323')
-define(`CDROM_SELECT_SPEED', `0x00005322')
-define(`CDROM_SEND_PACKET', `0x00005393')
-define(`CDROM_SET_OPTIONS', `0x00005320')
-define(`CDROMSETSPINDOWN', `0x0000531e')
-define(`CDROMSTART', `0x00005308')
-define(`CDROMSTOP', `0x00005307')
-define(`CDROMSUBCHNL', `0x0000530b')
-define(`CDROMVOLCTRL', `0x0000530a')
-define(`CDROMVOLREAD', `0x00005313')
-define(`CHIOEXCHANGE', `0x401c6302')
-define(`CHIOGELEM', `0x406c6310')
-define(`CHIOGPARAMS', `0x80146306')
-define(`CHIOGPICKER', `0x80046304')
-define(`CHIOGSTATUS', `0x40106308')
-define(`CHIOGVPARAMS', `0x80706313')
-define(`CHIOINITELEM', `0x00006311')
-define(`CHIOMOVE', `0x40146301')
-define(`CHIOPOSITION', `0x400c6303')
-define(`CHIOSPICKER', `0x40046305')
-define(`CHIOSVOLTAG', `0x40306312')
-define(`CIOC_KERNEL_VERSION', `0xc008630a')
-define(`CLEAR_ARRAY', `0x00000920')
-define(`CM_IOCARDOFF', `0x00006304')
-define(`CM_IOCGATR', `0xc0086301')
-define(`CM_IOCGSTATUS', `0x80086300')
-define(`CM_IOCSPTS', `0x40086302')
-define(`CM_IOCSRDR', `0x00006303')
-define(`CM_IOSDBGLVL', `0x400863fa')
-define(`CXL_IOCTL_GET_PROCESS_ELEMENT', `0x8004ca01')
-define(`CXL_IOCTL_START_WORK', `0x4040ca00')
-define(`DM_DEV_CREATE', `0xc138fd03')
-define(`DM_DEV_REMOVE', `0xc138fd04')
-define(`DM_DEV_RENAME', `0xc138fd05')
-define(`DM_DEV_SET_GEOMETRY', `0xc138fd0f')
-define(`DM_DEV_STATUS', `0xc138fd07')
-define(`DM_DEV_SUSPEND', `0xc138fd06')
-define(`DM_DEV_WAIT', `0xc138fd08')
-define(`DM_LIST_DEVICES', `0xc138fd02')
-define(`DM_LIST_VERSIONS', `0xc138fd0d')
-define(`DM_REMOVE_ALL', `0xc138fd01')
-define(`DM_TABLE_CLEAR', `0xc138fd0a')
-define(`DM_TABLE_DEPS', `0xc138fd0b')
-define(`DM_TABLE_LOAD', `0xc138fd09')
-define(`DM_TABLE_STATUS', `0xc138fd0c')
-define(`DM_TARGET_MSG', `0xc138fd0e')
-define(`DM_VERSION', `0xc138fd00')
-define(`DMX_ADD_PID', `0x40026f33')
-define(`DMX_GET_CAPS', `0x80086f30')
-define(`DMX_GET_PES_PIDS', `0x800a6f2f')
-define(`DMX_GET_STC', `0xc0106f32')
-define(`DMX_REMOVE_PID', `0x40026f34')
-define(`DMX_SET_BUFFER_SIZE', `0x00006f2d')
-define(`DMX_SET_FILTER', `0x403c6f2b')
-define(`DMX_SET_PES_FILTER', `0x40146f2c')
-define(`DMX_SET_SOURCE', `0x40046f31')
-define(`DMX_START', `0x00006f29')
-define(`DMX_STOP', `0x00006f2a')
-define(`DRM_IOCTL_ADD_BUFS', `0xc0206416')
-define(`DRM_IOCTL_ADD_CTX', `0xc0086420')
-define(`DRM_IOCTL_ADD_DRAW', `0xc0046427')
-define(`DRM_IOCTL_ADD_MAP', `0xc0286415')
-define(`DRM_IOCTL_AGP_ACQUIRE', `0x00006430')
-define(`DRM_IOCTL_AGP_ALLOC', `0xc0206434')
-define(`DRM_IOCTL_AGP_BIND', `0x40106436')
-define(`DRM_IOCTL_AGP_ENABLE', `0x40086432')
-define(`DRM_IOCTL_AGP_FREE', `0x40206435')
-define(`DRM_IOCTL_AGP_INFO', `0x80386433')
-define(`DRM_IOCTL_AGP_RELEASE', `0x00006431')
-define(`DRM_IOCTL_AGP_UNBIND', `0x40106437')
-define(`DRM_IOCTL_AUTH_MAGIC', `0x40046411')
-define(`DRM_IOCTL_BLOCK', `0xc0046412')
-define(`DRM_IOCTL_CONTROL', `0x40086414')
-define(`DRM_IOCTL_DMA', `0xc0406429')
-define(`DRM_IOCTL_DROP_MASTER', `0x0000641f')
-define(`DRM_IOCTL_EXYNOS_G2D_EXEC', `0xc0086462')
-define(`DRM_IOCTL_EXYNOS_G2D_GET_VER', `0xc0086460')
-define(`DRM_IOCTL_EXYNOS_G2D_SET_CMDLIST', `0xc0286461')
-define(`DRM_IOCTL_EXYNOS_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_EXYNOS_GEM_GET', `0xc0106444')
-define(`DRM_IOCTL_EXYNOS_IPP_CMD_CTRL', `0xc0086473')
-define(`DRM_IOCTL_EXYNOS_IPP_GET_PROPERTY', `0xc0506470')
-define(`DRM_IOCTL_EXYNOS_IPP_QUEUE_BUF', `0xc0286472')
-define(`DRM_IOCTL_EXYNOS_IPP_SET_PROPERTY', `0xc0606471')
-define(`DRM_IOCTL_EXYNOS_VIDI_CONNECTION', `0xc0106447')
-define(`DRM_IOCTL_FINISH', `0x4008642c')
-define(`DRM_IOCTL_FREE_BUFS', `0x4010641a')
-define(`DRM_IOCTL_GEM_CLOSE', `0x40086409')
-define(`DRM_IOCTL_GEM_FLINK', `0xc008640a')
-define(`DRM_IOCTL_GEM_OPEN', `0xc010640b')
-define(`DRM_IOCTL_GET_CAP', `0xc010640c')
-define(`DRM_IOCTL_GET_CLIENT', `0xc0286405')
-define(`DRM_IOCTL_GET_CTX', `0xc0086423')
-define(`DRM_IOCTL_GET_MAGIC', `0x80046402')
-define(`DRM_IOCTL_GET_MAP', `0xc0286404')
-define(`DRM_IOCTL_GET_SAREA_CTX', `0xc010641d')
-define(`DRM_IOCTL_GET_STATS', `0x80f86406')
-define(`DRM_IOCTL_GET_UNIQUE', `0xc0106401')
-define(`DRM_IOCTL_I810_CLEAR', `0x400c6442')
-define(`DRM_IOCTL_I810_COPY', `0x40106447')
-define(`DRM_IOCTL_I810_DOCOPY', `0x00006448')
-define(`DRM_IOCTL_I810_FLIP', `0x0000644e')
-define(`DRM_IOCTL_I810_FLUSH', `0x00006443')
-define(`DRM_IOCTL_I810_FSTATUS', `0x0000644a')
-define(`DRM_IOCTL_I810_GETAGE', `0x00006444')
-define(`DRM_IOCTL_I810_GETBUF', `0xc0186445')
-define(`DRM_IOCTL_I810_INIT', `0x40406440')
-define(`DRM_IOCTL_I810_MC', `0x4020644c')
-define(`DRM_IOCTL_I810_OV0FLIP', `0x0000644b')
-define(`DRM_IOCTL_I810_OV0INFO', `0x80086449')
-define(`DRM_IOCTL_I810_RSTATUS', `0x0000644d')
-define(`DRM_IOCTL_I810_SWAP', `0x00006446')
-define(`DRM_IOCTL_I810_VERTEX', `0x400c6441')
-define(`DRM_IOCTL_I915_ALLOC', `0xc0186448')
-define(`DRM_IOCTL_I915_BATCHBUFFER', `0x40206443')
-define(`DRM_IOCTL_I915_CMDBUFFER', `0x4020644b')
-define(`DRM_IOCTL_I915_DESTROY_HEAP', `0x4004644c')
-define(`DRM_IOCTL_I915_FLIP', `0x00006442')
-define(`DRM_IOCTL_I915_FLUSH', `0x00006441')
-define(`DRM_IOCTL_I915_FREE', `0x40086449')
-define(`DRM_IOCTL_I915_GEM_BUSY', `0xc0086457')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_CREATE', `0xc008646d')
-define(`DRM_IOCTL_I915_GEM_CONTEXT_DESTROY', `0x4008646e')
-define(`DRM_IOCTL_I915_GEM_CREATE', `0xc010645b')
-define(`DRM_IOCTL_I915_GEM_ENTERVT', `0x00006459')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER', `0x40286454')
-define(`DRM_IOCTL_I915_GEM_EXECBUFFER2', `0x40406469')
-define(`DRM_IOCTL_I915_GEM_GET_APERTURE', `0x80106463')
-define(`DRM_IOCTL_I915_GEM_GET_CACHING', `0xc0086470')
-define(`DRM_IOCTL_I915_GEM_GET_TILING', `0xc0106462')
-define(`DRM_IOCTL_I915_GEM_INIT', `0x40106453')
-define(`DRM_IOCTL_I915_GEM_LEAVEVT', `0x0000645a')
-define(`DRM_IOCTL_I915_GEM_MADVISE', `0xc00c6466')
-define(`DRM_IOCTL_I915_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_I915_GEM_MMAP_GTT', `0xc0106464')
-define(`DRM_IOCTL_I915_GEM_PIN', `0xc0186455')
-define(`DRM_IOCTL_I915_GEM_PREAD', `0x4020645c')
-define(`DRM_IOCTL_I915_GEM_PWRITE', `0x4020645d')
-define(`DRM_IOCTL_I915_GEM_SET_CACHING', `0x4008646f')
-define(`DRM_IOCTL_I915_GEM_SET_DOMAIN', `0x400c645f')
-define(`DRM_IOCTL_I915_GEM_SET_TILING', `0xc0106461')
-define(`DRM_IOCTL_I915_GEM_SW_FINISH', `0x40046460')
-define(`DRM_IOCTL_I915_GEM_THROTTLE', `0x00006458')
-define(`DRM_IOCTL_I915_GEM_UNPIN', `0x40086456')
-define(`DRM_IOCTL_I915_GEM_USERPTR', `0xc0186473')
-define(`DRM_IOCTL_I915_GEM_WAIT', `0xc010646c')
-define(`DRM_IOCTL_I915_GETPARAM', `0xc0106446')
-define(`DRM_IOCTL_I915_GET_PIPE_FROM_CRTC_ID', `0xc0086465')
-define(`DRM_IOCTL_I915_GET_RESET_STATS', `0xc0186472')
-define(`DRM_IOCTL_I915_GET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_GET_VBLANK_PIPE', `0x8004644e')
-define(`DRM_IOCTL_I915_HWS_ADDR', `0x40106451')
-define(`DRM_IOCTL_I915_INIT', `0x40446440')
-define(`DRM_IOCTL_I915_INIT_HEAP', `0x400c644a')
-define(`DRM_IOCTL_I915_IRQ_EMIT', `0xc0086444')
-define(`DRM_IOCTL_I915_IRQ_WAIT', `0x40046445')
-define(`DRM_IOCTL_I915_OVERLAY_ATTRS', `0xc02c6468')
-define(`DRM_IOCTL_I915_OVERLAY_PUT_IMAGE', `0x402c6467')
-define(`DRM_IOCTL_I915_REG_READ', `0xc0106471')
-define(`DRM_IOCTL_I915_SETPARAM', `0x40086447')
-define(`DRM_IOCTL_I915_SET_SPRITE_COLORKEY', `0xc014646b')
-define(`DRM_IOCTL_I915_SET_VBLANK_PIPE', `0x4004644d')
-define(`DRM_IOCTL_I915_VBLANK_SWAP', `0xc00c644f')
-define(`DRM_IOCTL_INFO_BUFS', `0xc0106418')
-define(`DRM_IOCTL_IRQ_BUSID', `0xc0106403')
-define(`DRM_IOCTL_LOCK', `0x4008642a')
-define(`DRM_IOCTL_MAP_BUFS', `0xc0186419')
-define(`DRM_IOCTL_MARK_BUFS', `0x40206417')
-define(`DRM_IOCTL_MGA_BLIT', `0x40346448')
-define(`DRM_IOCTL_MGA_CLEAR', `0x40146444')
-define(`DRM_IOCTL_MGA_DMA_BOOTSTRAP', `0xc020644c')
-define(`DRM_IOCTL_MGA_FLUSH', `0x40086441')
-define(`DRM_IOCTL_MGA_GETPARAM', `0xc0106449')
-define(`DRM_IOCTL_MGA_ILOAD', `0x400c6447')
-define(`DRM_IOCTL_MGA_INDICES', `0x40106446')
-define(`DRM_IOCTL_MGA_INIT', `0x40806440')
-define(`DRM_IOCTL_MGA_RESET', `0x00006442')
-define(`DRM_IOCTL_MGA_SET_FENCE', `0x4004644a')
-define(`DRM_IOCTL_MGA_SWAP', `0x00006443')
-define(`DRM_IOCTL_MGA_VERTEX', `0x400c6445')
-define(`DRM_IOCTL_MGA_WAIT_FENCE', `0xc004644b')
-define(`DRM_IOCTL_MOD_CTX', `0x40086422')
-define(`DRM_IOCTL_MODE_ADDFB', `0xc01c64ae')
-define(`DRM_IOCTL_MODE_ADDFB2', `0xc04464b8')
-define(`DRM_IOCTL_MODE_ATTACHMODE', `0xc04864a8')
-define(`DRM_IOCTL_MODE_CREATE_DUMB', `0xc02064b2')
-define(`DRM_IOCTL_MODE_CURSOR', `0xc01c64a3')
-define(`DRM_IOCTL_MODE_CURSOR2', `0xc02464bb')
-define(`DRM_IOCTL_MODE_DESTROY_DUMB', `0xc00464b4')
-define(`DRM_IOCTL_MODE_DETACHMODE', `0xc04864a9')
-define(`DRM_IOCTL_MODE_DIRTYFB', `0xc01864b1')
-define(`DRM_IOCTL_MODE_GETCONNECTOR', `0xc05064a7')
-define(`DRM_IOCTL_MODE_GETCRTC', `0xc06864a1')
-define(`DRM_IOCTL_MODE_GETENCODER', `0xc01464a6')
-define(`DRM_IOCTL_MODE_GETFB', `0xc01c64ad')
-define(`DRM_IOCTL_MODE_GETGAMMA', `0xc02064a4')
-define(`DRM_IOCTL_MODE_GETPLANE', `0xc02064b6')
-define(`DRM_IOCTL_MODE_GETPLANERESOURCES', `0xc01064b5')
-define(`DRM_IOCTL_MODE_GETPROPBLOB', `0xc01064ac')
-define(`DRM_IOCTL_MODE_GETPROPERTY', `0xc04064aa')
-define(`DRM_IOCTL_MODE_GETRESOURCES', `0xc04064a0')
-define(`DRM_IOCTL_MODE_MAP_DUMB', `0xc01064b3')
-define(`DRM_IOCTL_MODE_OBJ_GETPROPERTIES', `0xc02064b9')
-define(`DRM_IOCTL_MODE_OBJ_SETPROPERTY', `0xc01864ba')
-define(`DRM_IOCTL_MODE_PAGE_FLIP', `0xc01864b0')
-define(`DRM_IOCTL_MODE_RMFB', `0xc00464af')
-define(`DRM_IOCTL_MODE_SETCRTC', `0xc06864a2')
-define(`DRM_IOCTL_MODESET_CTL', `0x40086408')
-define(`DRM_IOCTL_MODE_SETGAMMA', `0xc02064a5')
-define(`DRM_IOCTL_MODE_SETPLANE', `0xc03064b7')
-define(`DRM_IOCTL_MODE_SETPROPERTY', `0xc01064ab')
-define(`DRM_IOCTL_MSM_GEM_CPU_FINI', `0x40046445')
-define(`DRM_IOCTL_MSM_GEM_CPU_PREP', `0x40186444')
-define(`DRM_IOCTL_MSM_GEM_INFO', `0xc0106443')
-define(`DRM_IOCTL_MSM_GEM_NEW', `0xc0106442')
-define(`DRM_IOCTL_MSM_GEM_SUBMIT', `0xc0206446')
-define(`DRM_IOCTL_MSM_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_MSM_WAIT_FENCE', `0x40186447')
-define(`DRM_IOCTL_NEW_CTX', `0x40086425')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_FINI', `0x40046483')
-define(`DRM_IOCTL_NOUVEAU_GEM_CPU_PREP', `0x40086482')
-define(`DRM_IOCTL_NOUVEAU_GEM_INFO', `0xc0286484')
-define(`DRM_IOCTL_NOUVEAU_GEM_NEW', `0xc0306480')
-define(`DRM_IOCTL_NOUVEAU_GEM_PUSHBUF', `0xc0406481')
-define(`DRM_IOCTL_OMAP_GEM_CPU_FINI', `0x40106445')
-define(`DRM_IOCTL_OMAP_GEM_CPU_PREP', `0x40086444')
-define(`DRM_IOCTL_OMAP_GEM_INFO', `0xc0186446')
-define(`DRM_IOCTL_OMAP_GEM_NEW', `0xc0106443')
-define(`DRM_IOCTL_OMAP_GET_PARAM', `0xc0106440')
-define(`DRM_IOCTL_OMAP_SET_PARAM', `0x40106441')
-define(`DRM_IOCTL_PRIME_FD_TO_HANDLE', `0xc00c642e')
-define(`DRM_IOCTL_PRIME_HANDLE_TO_FD', `0xc00c642d')
-define(`DRM_IOCTL_QXL_ALLOC', `0xc0086440')
-define(`DRM_IOCTL_QXL_ALLOC_SURF', `0xc0186446')
-define(`DRM_IOCTL_QXL_CLIENTCAP', `0x40086445')
-define(`DRM_IOCTL_QXL_EXECBUFFER', `0x40106442')
-define(`DRM_IOCTL_QXL_GETPARAM', `0xc0106444')
-define(`DRM_IOCTL_QXL_MAP', `0xc0106441')
-define(`DRM_IOCTL_QXL_UPDATE_AREA', `0x40186443')
-define(`DRM_IOCTL_R128_BLIT', `0x4018644b')
-define(`DRM_IOCTL_R128_CCE_IDLE', `0x00006444')
-define(`DRM_IOCTL_R128_CCE_RESET', `0x00006443')
-define(`DRM_IOCTL_R128_CCE_START', `0x00006441')
-define(`DRM_IOCTL_R128_CCE_STOP', `0x40086442')
-define(`DRM_IOCTL_R128_CLEAR', `0x40146448')
-define(`DRM_IOCTL_R128_DEPTH', `0x4028644c')
-define(`DRM_IOCTL_R128_FLIP', `0x00006453')
-define(`DRM_IOCTL_R128_FULLSCREEN', `0x40046450')
-define(`DRM_IOCTL_R128_GETPARAM', `0xc0106452')
-define(`DRM_IOCTL_R128_INDICES', `0x4014644a')
-define(`DRM_IOCTL_R128_INDIRECT', `0xc010644f')
-define(`DRM_IOCTL_R128_INIT', `0x40786440')
-define(`DRM_IOCTL_R128_RESET', `0x00006446')
-define(`DRM_IOCTL_R128_STIPPLE', `0x4008644d')
-define(`DRM_IOCTL_R128_SWAP', `0x00006447')
-define(`DRM_IOCTL_R128_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_ALLOC', `0xc0186453')
-define(`DRM_IOCTL_RADEON_CLEAR', `0x40206448')
-define(`DRM_IOCTL_RADEON_CMDBUF', `0x40206450')
-define(`DRM_IOCTL_RADEON_CP_IDLE', `0x00006444')
-define(`DRM_IOCTL_RADEON_CP_INIT', `0x40786440')
-define(`DRM_IOCTL_RADEON_CP_RESET', `0x00006443')
-define(`DRM_IOCTL_RADEON_CP_RESUME', `0x00006458')
-define(`DRM_IOCTL_RADEON_CP_START', `0x00006441')
-define(`DRM_IOCTL_RADEON_CP_STOP', `0x40086442')
-define(`DRM_IOCTL_RADEON_CS', `0xc0206466')
-define(`DRM_IOCTL_RADEON_FLIP', `0x00006452')
-define(`DRM_IOCTL_RADEON_FREE', `0x40086454')
-define(`DRM_IOCTL_RADEON_FULLSCREEN', `0x40046446')
-define(`DRM_IOCTL_RADEON_GEM_BUSY', `0xc008646a')
-define(`DRM_IOCTL_RADEON_GEM_CREATE', `0xc020645d')
-define(`DRM_IOCTL_RADEON_GEM_GET_TILING', `0xc00c6469')
-define(`DRM_IOCTL_RADEON_GEM_INFO', `0xc018645c')
-define(`DRM_IOCTL_RADEON_GEM_MMAP', `0xc020645e')
-define(`DRM_IOCTL_RADEON_GEM_OP', `0xc010646c')
-define(`DRM_IOCTL_RADEON_GEM_PREAD', `0xc0206461')
-define(`DRM_IOCTL_RADEON_GEM_PWRITE', `0xc0206462')
-define(`DRM_IOCTL_RADEON_GEM_SET_DOMAIN', `0xc00c6463')
-define(`DRM_IOCTL_RADEON_GEM_SET_TILING', `0xc00c6468')
-define(`DRM_IOCTL_RADEON_GEM_USERPTR', `0xc018646d')
-define(`DRM_IOCTL_RADEON_GEM_VA', `0xc018646b')
-define(`DRM_IOCTL_RADEON_GEM_WAIT_IDLE', `0x40086464')
-define(`DRM_IOCTL_RADEON_GETPARAM', `0xc0106451')
-define(`DRM_IOCTL_RADEON_INDICES', `0x4014644a')
-define(`DRM_IOCTL_RADEON_INDIRECT', `0xc010644d')
-define(`DRM_IOCTL_RADEON_INFO', `0xc0106467')
-define(`DRM_IOCTL_RADEON_INIT_HEAP', `0x400c6455')
-define(`DRM_IOCTL_RADEON_IRQ_EMIT', `0xc0086456')
-define(`DRM_IOCTL_RADEON_IRQ_WAIT', `0x40046457')
-define(`DRM_IOCTL_RADEON_RESET', `0x00006445')
-define(`DRM_IOCTL_RADEON_SETPARAM', `0x40106459')
-define(`DRM_IOCTL_RADEON_STIPPLE', `0x4008644c')
-define(`DRM_IOCTL_RADEON_SURF_ALLOC', `0x400c645a')
-define(`DRM_IOCTL_RADEON_SURF_FREE', `0x4004645b')
-define(`DRM_IOCTL_RADEON_SWAP', `0x00006447')
-define(`DRM_IOCTL_RADEON_TEXTURE', `0xc020644e')
-define(`DRM_IOCTL_RADEON_VERTEX', `0x40106449')
-define(`DRM_IOCTL_RADEON_VERTEX2', `0x4028644f')
-define(`DRM_IOCTL_RES_CTX', `0xc0106426')
-define(`DRM_IOCTL_RM_CTX', `0xc0086421')
-define(`DRM_IOCTL_RM_DRAW', `0xc0046428')
-define(`DRM_IOCTL_RM_MAP', `0x4028641b')
-define(`DRM_IOCTL_SAVAGE_BCI_CMDBUF', `0x40386441')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT', `0xc0086442')
-define(`DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT', `0x40086443')
-define(`DRM_IOCTL_SAVAGE_BCI_INIT', `0x40606440')
-define(`DRM_IOCTL_SET_CLIENT_CAP', `0x4010640d')
-define(`DRM_IOCTL_SET_MASTER', `0x0000641e')
-define(`DRM_IOCTL_SET_SAREA_CTX', `0x4010641c')
-define(`DRM_IOCTL_SET_UNIQUE', `0x40106410')
-define(`DRM_IOCTL_SET_VERSION', `0xc0106407')
-define(`DRM_IOCTL_SG_ALLOC', `0xc0106438')
-define(`DRM_IOCTL_SG_FREE', `0x40106439')
-define(`DRM_IOCTL_SIS_AGP_ALLOC', `0xc0206454')
-define(`DRM_IOCTL_SIS_AGP_FREE', `0x40206455')
-define(`DRM_IOCTL_SIS_AGP_INIT', `0xc0106453')
-define(`DRM_IOCTL_SIS_FB_ALLOC', `0xc0206444')
-define(`DRM_IOCTL_SIS_FB_FREE', `0x40206445')
-define(`DRM_IOCTL_SIS_FB_INIT', `0x40106456')
-define(`DRM_IOCTL_SWITCH_CTX', `0x40086424')
-define(`DRM_IOCTL_TEGRA_CLOSE_CHANNEL', `0xc0106446')
-define(`DRM_IOCTL_TEGRA_GEM_CREATE', `0xc0106440')
-define(`DRM_IOCTL_TEGRA_GEM_GET_FLAGS', `0xc008644d')
-define(`DRM_IOCTL_TEGRA_GEM_GET_TILING', `0xc010644b')
-define(`DRM_IOCTL_TEGRA_GEM_MMAP', `0xc0086441')
-define(`DRM_IOCTL_TEGRA_GEM_SET_FLAGS', `0xc008644c')
-define(`DRM_IOCTL_TEGRA_GEM_SET_TILING', `0xc010644a')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT', `0xc0106447')
-define(`DRM_IOCTL_TEGRA_GET_SYNCPT_BASE', `0xc0106449')
-define(`DRM_IOCTL_TEGRA_OPEN_CHANNEL', `0xc0106445')
-define(`DRM_IOCTL_TEGRA_SUBMIT', `0xc0586448')
-define(`DRM_IOCTL_TEGRA_SYNCPT_INCR', `0xc0086443')
-define(`DRM_IOCTL_TEGRA_SYNCPT_READ', `0xc0086442')
-define(`DRM_IOCTL_TEGRA_SYNCPT_WAIT', `0xc0106444')
-define(`DRM_IOCTL_UNBLOCK', `0xc0046413')
-define(`DRM_IOCTL_UNLOCK', `0x4008642b')
-define(`DRM_IOCTL_UPDATE_DRAW', `0x4018643f')
-define(`DRM_IOCTL_VERSION', `0xc0406400')
-define(`DRM_IOCTL_VIA_AGP_INIT', `0xc0086442')
-define(`DRM_IOCTL_VIA_ALLOCMEM', `0xc0206440')
-define(`DRM_IOCTL_VIA_BLIT_SYNC', `0x4008644f')
-define(`DRM_IOCTL_VIA_CMDBUFFER', `0x40106448')
-define(`DRM_IOCTL_VIA_CMDBUF_SIZE', `0xc00c644b')
-define(`DRM_IOCTL_VIA_DEC_FUTEX', `0x40106445')
-define(`DRM_IOCTL_VIA_DMA_BLIT', `0x4030644e')
-define(`DRM_IOCTL_VIA_DMA_INIT', `0xc0206447')
-define(`DRM_IOCTL_VIA_FB_INIT', `0xc0086443')
-define(`DRM_IOCTL_VIA_FLUSH', `0x00006449')
-define(`DRM_IOCTL_VIA_FREEMEM', `0x40206441')
-define(`DRM_IOCTL_VIA_MAP_INIT', `0xc0286444')
-define(`DRM_IOCTL_VIA_PCICMD', `0x4010644a')
-define(`DRM_IOCTL_VIA_WAIT_IRQ', `0xc018644d')
-define(`DRM_IOCTL_WAIT_VBLANK', `0xc018643a')
-define(`DVD_AUTH', `0x00005392')
-define(`DVD_READ_STRUCT', `0x00005390')
-define(`DVD_WRITE_STRUCT', `0x00005391')
-define(`ECCGETLAYOUT', `0x81484d11')
-define(`ECCGETSTATS', `0x80104d12')
-define(`ENI_MEMDUMP', `0x40106160')
-define(`ENI_SETMULT', `0x40106167')
-define(`EVIOCGEFFECTS', `0x80044584')
-define(`EVIOCGID', `0x80084502')
-define(`EVIOCGKEYCODE', `0x80084504')
-define(`EVIOCGKEYCODE_V2', `0x80284504')
-define(`EVIOCGRAB', `0x40044590')
-define(`EVIOCGREP', `0x80084503')
-define(`EVIOCGVERSION', `0x80044501')
-define(`EVIOCREVOKE', `0x40044591')
-define(`EVIOCRMFF', `0x40044581')
-define(`EVIOCSCLOCKID', `0x400445a0')
-define(`EVIOCSFF', `0x40304580')
-define(`EVIOCSKEYCODE', `0x40084504')
-define(`EVIOCSKEYCODE_V2', `0x40284504')
-define(`EVIOCSREP', `0x40084503')
-define(`F2FS_IOC_START_ATOMIC_WRITE', `0xf501')
-define(`F2FS_IOC_COMMIT_ATOMIC_WRITE', `0xf502')
-define(`F2FS_IOC_START_VOLATILE_WRITE', `0xf503')
-define(`F2FS_IOC_RELEASE_VOLATILE_WRITE', `0xf504')
-define(`F2FS_IOC_ABORT_VOLATILE_WRITE', `0xf505')
-define(`F2FS_IOC_GARBAGE_COLLECT', `0xf506')
-define(`F2FS_IOC_WRITE_CHECKPOINT', `0xf507')
-define(`F2FS_IOC_DEFRAGMENT', `0xf508')
-define(`F2FS_IOC_MOVE_RANGE', `0xf509')
-define(`F2FS_IOC_FLUSH_DEVICE', `0xf50a')
-define(`F2FS_IOC_GARBAGE_COLLECT_RANGE', `0xf50b')
-define(`F2FS_IOC_GET_FEATURES', `0xf50c')
-define(`F2FS_IOC_SET_PIN_FILE', `0xf50d')
-define(`F2FS_IOC_GET_PIN_FILE', `0xf50e')
-define(`F2FS_IOC_PRECACHE_EXTENTS', `0xf50f')
-define(`F2FS_IOC_RESIZE_FS', `0xf510')
-define(`F2FS_IOC_GET_COMPRESS_BLOCKS', `0xf511')
-define(`F2FS_IOC_RELEASE_COMPRESS_BLOCKS', `0xf512')
-define(`F2FS_IOC_RESERVE_COMPRESS_BLOCKS', `0xf513')
-define(`F2FS_IOC_SEC_TRIM_FILE', `0xf514')
-define(`F2FS_IOC_GET_COMPRESS_OPTION', `0xf515')
-define(`F2FS_IOC_SET_COMPRESS_OPTION', `0xf516')
-define(`F2FS_IOC_DECOMPRESS_FILE', `0xf517')
-define(`F2FS_IOC_COMPRESS_FILE', `0xf518')
-define(`FAT_IOCTL_GET_ATTRIBUTES', `0x80047210')
-define(`FAT_IOCTL_GET_VOLUME_ID', `0x80047213')
-define(`FAT_IOCTL_SET_ATTRIBUTES', `0x40047211')
-define(`FBIGET_BRIGHTNESS', `0x80044603')
-define(`FBIGET_COLOR', `0x80044605')
-define(`FBIO_ALLOC', `0x00004613')
-define(`FBIOBLANK', `0x00004611')
-define(`FBIO_CURSOR', `0xc0684608')
-define(`FBIO_FREE', `0x00004614')
-define(`FBIOGETCMAP', `0x00004604')
-define(`FBIOGET_CON2FBMAP', `0x0000460f')
-define(`FBIOGET_CONTRAST', `0x80044601')
-define(`FBIO_GETCONTROL2', `0x80084689')
-define(`FBIOGET_DISPINFO', `0x00004618')
-define(`FBIOGET_FSCREENINFO', `0x00004602')
-define(`FBIOGET_GLYPH', `0x00004615')
-define(`FBIOGET_HWCINFO', `0x00004616')
-define(`FBIOGET_VBLANK', `0x80204612')
-define(`FBIOGET_VSCREENINFO', `0x00004600')
-define(`FBIOPAN_DISPLAY', `0x00004606')
-define(`FBIOPUTCMAP', `0x00004605')
-define(`FBIOPUT_CON2FBMAP', `0x00004610')
-define(`FBIOPUT_CONTRAST', `0x40044602')
-define(`FBIOPUT_MODEINFO', `0x00004617')
-define(`FBIOPUT_VSCREENINFO', `0x00004601')
-define(`FBIO_RADEON_GET_MIRROR', `0x80084003')
-define(`FBIO_RADEON_SET_MIRROR', `0x40084004')
-define(`FBIO_WAITEVENT', `0x00004688')
-define(`FBIO_WAITFORVSYNC', `0x40044620')
-define(`FBIPUT_BRIGHTNESS', `0x40044603')
-define(`FBIPUT_COLOR', `0x40044606')
-define(`FBIPUT_HSYNC', `0x40044609')
-define(`FBIPUT_VSYNC', `0x4004460a')
-define(`FDCLRPRM', `0x00000241')
-define(`FDDEFPRM', `0x40200243')
-define(`FDEJECT', `0x0000025a')
-define(`FDFLUSH', `0x0000024b')
-define(`FDFMTBEG', `0x00000247')
-define(`FDFMTEND', `0x00000249')
-define(`FDFMTTRK', `0x400c0248')
-define(`FDGETDRVPRM', `0x80800211')
-define(`FDGETDRVSTAT', `0x80500212')
-define(`FDGETDRVTYP', `0x8010020f')
-define(`FDGETFDCSTAT', `0x80280215')
-define(`FDGETMAXERRS', `0x8014020e')
-define(`FDGETPRM', `0x80200204')
-define(`FDMSGOFF', `0x00000246')
-define(`FDMSGON', `0x00000245')
-define(`FDPOLLDRVSTAT', `0x80500213')
-define(`FDRAWCMD', `0x00000258')
-define(`FDRESET', `0x00000254')
-define(`FDSETDRVPRM', `0x40800290')
-define(`FDSETEMSGTRESH', `0x0000024a')
-define(`FDSETMAXERRS', `0x4014024c')
-define(`FDSETPRM', `0x40200242')
-define(`FDTWADDLE', `0x00000259')
-define(`FDWERRORCLR', `0x00000256')
-define(`FDWERRORGET', `0x80280217')
-define(`FE_DISEQC_RECV_SLAVE_REPLY', `0x800c6f40')
-define(`FE_DISEQC_RESET_OVERLOAD', `0x00006f3e')
-define(`FE_DISEQC_SEND_BURST', `0x00006f41')
-define(`FE_DISEQC_SEND_MASTER_CMD', `0x40076f3f')
-define(`FE_DISHNETWORK_SEND_LEGACY_CMD', `0x00006f50')
-define(`FE_ENABLE_HIGH_LNB_VOLTAGE', `0x00006f44')
-define(`FE_GET_EVENT', `0x80286f4e')
-define(`FE_GET_FRONTEND', `0x80246f4d')
-define(`FE_GET_INFO', `0x80a86f3d')
-define(`FE_GET_PROPERTY', `0x80106f53')
-define(`FE_READ_BER', `0x80046f46')
-define(`FE_READ_SIGNAL_STRENGTH', `0x80026f47')
-define(`FE_READ_SNR', `0x80026f48')
-define(`FE_READ_STATUS', `0x80046f45')
-define(`FE_READ_UNCORRECTED_BLOCKS', `0x80046f49')
-define(`FE_SET_FRONTEND', `0x40246f4c')
-define(`FE_SET_FRONTEND_TUNE_MODE', `0x00006f51')
-define(`FE_SET_PROPERTY', `0x40106f52')
-define(`FE_SET_TONE', `0x00006f42')
-define(`FE_SET_VOLTAGE', `0x00006f43')
-define(`FIBMAP', `0x00000001')
-define(`FIFREEZE', `0xc0045877')
-define(`FIGETBSZ', `0x00000002')
-define(`FIOASYNC', `0x00005452')
-define(`FIOCLEX', ifelse(target_arch, mips, 0x00006601, 0x00005451))
-define(`FIOGETOWN', `0x00008903')
-define(`FIONBIO', `0x00005421')
-define(`FIONCLEX', ifelse(target_arch, mips, 0x00006602, 0x00005450))
-define(`FIONREAD', ifelse(target_arch, mips, 0x0000467f, 0x0000541b))
-define(`FIOQSIZE', `0x00005460')
-define(`FIOSETOWN', `0x00008901')
-define(`FITHAW', `0xc0045878')
-define(`FITRIM', `0xc0185879')
-define(`FS_IOC32_GETFLAGS', `0x80046601')
-define(`FS_IOC32_GETVERSION', `0x80047601')
-define(`FS_IOC32_SETFLAGS', `0x40046602')
-define(`FS_IOC32_SETVERSION', `0x40047602')
-define(`FS_IOC_ADD_ENCRYPTION_KEY', `0xc0506617')
-define(`FS_IOC_ENABLE_VERITY', `0x6685')
-define(`FS_IOC_FIEMAP', `0xc020660b')
-define(`FS_IOC_FSGETXATTR', `0x801c581f')
-define(`FS_IOC_FSSETXATTR', `0x401c5820')
-define(`FS_IOC_GET_ENCRYPTION_POLICY', `0x400c6615')
-define(`FS_IOC_GET_ENCRYPTION_POLICY_EX', `0xc0096616')
-define(`FS_IOC_GET_ENCRYPTION_PWSALT', `0x40106614')
-define(`FS_IOC_GETFLAGS', `0x80086601')
-define(`FS_IOC_GETVERSION', `0x80087601')
-define(`FS_IOC_MEASURE_VERITY', `0x6686')
-define(`FS_IOC_REMOVE_ENCRYPTION_KEY', `0xc0406618')
-define(`FS_IOC_SET_ENCRYPTION_POLICY', `0x800c6613')
-define(`FS_IOC_SETFLAGS', `0x40086602')
-define(`FS_IOC_SETVERSION', `0x40087602')
-define(`FSL_HV_IOCTL_DOORBELL', `0xc008af06')
-define(`FSL_HV_IOCTL_GETPROP', `0xc028af07')
-define(`FSL_HV_IOCTL_MEMCPY', `0xc028af05')
-define(`FSL_HV_IOCTL_PARTITION_GET_STATUS', `0xc00caf02')
-define(`FSL_HV_IOCTL_PARTITION_RESTART', `0xc008af01')
-define(`FSL_HV_IOCTL_PARTITION_START', `0xc010af03')
-define(`FSL_HV_IOCTL_PARTITION_STOP', `0xc008af04')
-define(`FSL_HV_IOCTL_SETPROP', `0xc028af08')
-define(`FUNCTIONFS_CLEAR_HALT', `0x00006703')
-define(`FUNCTIONFS_ENDPOINT_DESC', `0x80096782')
-define(`FUNCTIONFS_ENDPOINT_REVMAP', `0x00006781')
-define(`FUNCTIONFS_FIFO_FLUSH', `0x00006702')
-define(`FUNCTIONFS_FIFO_STATUS', `0x00006701')
-define(`FUNCTIONFS_INTERFACE_REVMAP', `0x00006780')
-define(`FW_CDEV_IOC_ADD_DESCRIPTOR', `0xc0182306')
-define(`FW_CDEV_IOC_ALLOCATE', `0xc0202302')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE', `0xc018230d')
-define(`FW_CDEV_IOC_ALLOCATE_ISO_RESOURCE_ONCE', `0x4018230f')
-define(`FW_CDEV_IOC_CREATE_ISO_CONTEXT', `0xc0202308')
-define(`FW_CDEV_IOC_DEALLOCATE', `0x40042303')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE', `0x4004230e')
-define(`FW_CDEV_IOC_DEALLOCATE_ISO_RESOURCE_ONCE', `0x40182310')
-define(`FW_CDEV_IOC_FLUSH_ISO', `0x40042318')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER', `0x8010230c')
-define(`FW_CDEV_IOC_GET_CYCLE_TIMER2', `0xc0182314')
-define(`FW_CDEV_IOC_GET_INFO', `0xc0282300')
-define(`FW_CDEV_IOC_GET_SPEED', `0x00002311')
-define(`FW_CDEV_IOC_INITIATE_BUS_RESET', `0x40042305')
-define(`FW_CDEV_IOC_QUEUE_ISO', `0xc0182309')
-define(`FW_CDEV_IOC_RECEIVE_PHY_PACKETS', `0x40082316')
-define(`FW_CDEV_IOC_REMOVE_DESCRIPTOR', `0x40042307')
-define(`FW_CDEV_IOC_SEND_BROADCAST_REQUEST', `0x40282312')
-define(`FW_CDEV_IOC_SEND_PHY_PACKET', `0xc0182315')
-define(`FW_CDEV_IOC_SEND_REQUEST', `0x40282301')
-define(`FW_CDEV_IOC_SEND_RESPONSE', `0x40182304')
-define(`FW_CDEV_IOC_SEND_STREAM_PACKET', `0x40282313')
-define(`FW_CDEV_IOC_SET_ISO_CHANNELS', `0x40102317')
-define(`FW_CDEV_IOC_START_ISO', `0x4010230a')
-define(`FW_CDEV_IOC_STOP_ISO', `0x4004230b')
-define(`GADGETFS_CLEAR_HALT', `0x00006703')
-define(`GADGETFS_FIFO_FLUSH', `0x00006702')
-define(`GADGETFS_FIFO_STATUS', `0x00006701')
-define(`GADGET_GET_PRINTER_STATUS', `0x80016721')
-define(`GADGET_SET_PRINTER_STATUS', `0xc0016722')
-define(`GENWQE_EXECUTE_DDCB', `0xc0e8a532')
-define(`GENWQE_EXECUTE_RAW_DDCB', `0xc0e8a533')
-define(`GENWQE_GET_CARD_STATE', `0x8004a524')
-define(`GENWQE_PIN_MEM', `0xc020a528')
-define(`GENWQE_READ_REG16', `0x8010a522')
-define(`GENWQE_READ_REG32', `0x8010a520')
-define(`GENWQE_READ_REG64', `0x8010a51e')
-define(`GENWQE_SLU_READ', `0xc038a551')
-define(`GENWQE_SLU_UPDATE', `0xc038a550')
-define(`GENWQE_UNPIN_MEM', `0xc020a529')
-define(`GENWQE_WRITE_REG16', `0x4010a523')
-define(`GENWQE_WRITE_REG32', `0x4010a521')
-define(`GENWQE_WRITE_REG64', `0x4010a51f')
-define(`GET_ARRAY_INFO', `0x80480911')
-define(`GET_BITMAP_FILE', `0x90000915')
-define(`GET_DISK_INFO', `0x80140912')
-define(`GIGASET_BRKCHARS', `0x40064702')
-define(`GIGASET_CONFIG', `0xc0044701')
-define(`GIGASET_REDIR', `0xc0044700')
-define(`GIGASET_VERSION', `0xc0104703')
-define(`GIO_CMAP', `0x00004b70')
-define(`GIO_FONT', `0x00004b60')
-define(`GIO_FONTX', `0x00004b6b')
-define(`GIO_SCRNMAP', `0x00004b40')
-define(`GIO_UNIMAP', `0x00004b66')
-define(`GIO_UNISCRNMAP', `0x00004b69')
-define(`GSMIOC_DISABLE_NET', `0x00004703')
-define(`GSMIOC_ENABLE_NET', `0x40344702')
-define(`GSMIOC_GETCONF', `0x804c4700')
-define(`GSMIOC_SETCONF', `0x404c4701')
-define(`HCIBLOCKADDR', `0x400448e6')
-define(`HCIDEVDOWN', `0x400448ca')
-define(`HCIDEVRESET', `0x400448cb')
-define(`HCIDEVRESTAT', `0x400448cc')
-define(`HCIDEVUP', `0x400448c9')
-define(`HCIGETAUTHINFO', `0x800448d7')
-define(`HCIGETCONNINFO', `0x800448d5')
-define(`HCIGETCONNLIST', `0x800448d4')
-define(`HCIGETDEVINFO', `0x800448d3')
-define(`HCIGETDEVLIST', `0x800448d2')
-define(`HCIINQUIRY', `0x800448f0')
-define(`HCISETACLMTU', `0x400448e3')
-define(`HCISETAUTH', `0x400448de')
-define(`HCISETENCRYPT', `0x400448df')
-define(`HCISETLINKMODE', `0x400448e2')
-define(`HCISETLINKPOL', `0x400448e1')
-define(`HCISETPTYPE', `0x400448e0')
-define(`HCISETRAW', `0x400448dc')
-define(`HCISETSCAN', `0x400448dd')
-define(`HCISETSCOMTU', `0x400448e4')
-define(`HCIUNBLOCKADDR', `0x400448e7')
-define(`HDA_IOCTL_GET_WCAP', `0xc0084812')
-define(`HDA_IOCTL_PVERSION', `0x80044810')
-define(`HDA_IOCTL_VERB_WRITE', `0xc0084811')
-define(`HDIO_DRIVE_CMD', `0x0000031f')
-define(`HDIO_DRIVE_RESET', `0x0000031c')
-define(`HDIO_DRIVE_TASK', `0x0000031e')
-define(`HDIO_DRIVE_TASKFILE', `0x0000031d')
-define(`HDIO_GET_32BIT', `0x00000309')
-define(`HDIO_GET_ACOUSTIC', `0x0000030f')
-define(`HDIO_GET_ADDRESS', `0x00000310')
-define(`HDIO_GET_BUSSTATE', `0x0000031a')
-define(`HDIO_GET_DMA', `0x0000030b')
-define(`HDIO_GETGEO', `0x00000301')
-define(`HDIO_GET_IDENTITY', `0x0000030d')
-define(`HDIO_GET_KEEPSETTINGS', `0x00000308')
-define(`HDIO_GET_MULTCOUNT', `0x00000304')
-define(`HDIO_GET_NICE', `0x0000030c')
-define(`HDIO_GET_NOWERR', `0x0000030a')
-define(`HDIO_GET_QDMA', `0x00000305')
-define(`HDIO_GET_UNMASKINTR', `0x00000302')
-define(`HDIO_GET_WCACHE', `0x0000030e')
-define(`HDIO_OBSOLETE_IDENTITY', `0x00000307')
-define(`HDIO_SCAN_HWIF', `0x00000328')
-define(`HDIO_SET_32BIT', `0x00000324')
-define(`HDIO_SET_ACOUSTIC', `0x0000032c')
-define(`HDIO_SET_ADDRESS', `0x0000032f')
-define(`HDIO_SET_BUSSTATE', `0x0000032d')
-define(`HDIO_SET_DMA', `0x00000326')
-define(`HDIO_SET_KEEPSETTINGS', `0x00000323')
-define(`HDIO_SET_MULTCOUNT', `0x00000321')
-define(`HDIO_SET_NICE', `0x00000329')
-define(`HDIO_SET_NOWERR', `0x00000325')
-define(`HDIO_SET_PIO_MODE', `0x00000327')
-define(`HDIO_SET_QDMA', `0x0000032e')
-define(`HDIO_SET_UNMASKINTR', `0x00000322')
-define(`HDIO_SET_WCACHE', `0x0000032b')
-define(`HDIO_SET_XFER', `0x00000306')
-define(`HDIO_TRISTATE_HWIF', `0x0000031b')
-define(`HDIO_UNREGISTER_HWIF', `0x0000032a')
-define(`HE_GET_REG', `0x40106160')
-define(`HIDIOCAPPLICATION', `0x00004802')
-define(`HIDIOCGCOLLECTIONINDEX', `0x40184810')
-define(`HIDIOCGCOLLECTIONINFO', `0xc0104811')
-define(`HIDIOCGDEVINFO', `0x801c4803')
-define(`HIDIOCGFIELDINFO', `0xc038480a')
-define(`HIDIOCGFLAG', `0x8004480e')
-define(`HIDIOCGRAWINFO', `0x80084803')
-define(`HIDIOCGRDESC', `0x90044802')
-define(`HIDIOCGRDESCSIZE', `0x80044801')
-define(`HIDIOCGREPORT', `0x400c4807')
-define(`HIDIOCGREPORTINFO', `0xc00c4809')
-define(`HIDIOCGSTRING', `0x81044804')
-define(`HIDIOCGUCODE', `0xc018480d')
-define(`HIDIOCGUSAGE', `0xc018480b')
-define(`HIDIOCGUSAGES', `0xd01c4813')
-define(`HIDIOCGVERSION', `0x80044801')
-define(`HIDIOCINITREPORT', `0x00004805')
-define(`HIDIOCSFLAG', `0x4004480f')
-define(`HIDIOCSREPORT', `0x400c4808')
-define(`HIDIOCSUSAGE', `0x4018480c')
-define(`HIDIOCSUSAGES', `0x501c4814')
-define(`HOT_ADD_DISK', `0x00000928')
-define(`HOT_GENERATE_ERROR', `0x0000092a')
-define(`HOT_REMOVE_DISK', `0x00000922')
-define(`HPET_DPI', `0x00006805')
-define(`HPET_EPI', `0x00006804')
-define(`HPET_IE_OFF', `0x00006802')
-define(`HPET_IE_ON', `0x00006801')
-define(`HPET_INFO', `0x80186803')
-define(`HPET_IRQFREQ', `0x40086806')
-define(`HSC_GET_RX', `0x400c6b14')
-define(`HSC_GET_TX', `0x40106b16')
-define(`HSC_RESET', `0x00006b10')
-define(`HSC_SEND_BREAK', `0x00006b12')
-define(`HSC_SET_PM', `0x00006b11')
-define(`HSC_SET_RX', `0x400c6b13')
-define(`HSC_SET_TX', `0x40106b15')
-define(`I2OEVTGET', `0x8068690b')
-define(`I2OEVTREG', `0x400c690a')
-define(`I2OGETIOPS', `0x80206900')
-define(`I2OHRTGET', `0xc0186901')
-define(`I2OHTML', `0xc0306909')
-define(`I2OLCTGET', `0xc0186902')
-define(`I2OPARMGET', `0xc0286904')
-define(`I2OPARMSET', `0xc0286903')
-define(`I2OPASSTHRU', `0x8010690c')
-define(`I2OPASSTHRU32', `0x8008690c')
-define(`I2OSWDEL', `0xc0306907')
-define(`I2OSWDL', `0xc0306905')
-define(`I2OSWUL', `0xc0306906')
-define(`I2OVALIDATE', `0x80046908')
-define(`I8K_BIOS_VERSION', `0x80046980')
-define(`I8K_FN_STATUS', `0x80086983')
-define(`I8K_GET_FAN', `0xc0086986')
-define(`I8K_GET_SPEED', `0xc0086985')
-define(`I8K_GET_TEMP', `0x80086984')
-define(`I8K_MACHINE_ID', `0x80046981')
-define(`I8K_POWER_STATUS', `0x80086982')
-define(`I8K_SET_FAN', `0xc0086987')
-define(`IB_USER_MAD_ENABLE_PKEY', `0x00001b03')
-define(`IB_USER_MAD_REGISTER_AGENT', `0xc01c1b01')
-define(`IB_USER_MAD_REGISTER_AGENT2', `0xc0281b04')
-define(`IB_USER_MAD_UNREGISTER_AGENT', `0x40041b02')
-define(`IDT77105_GETSTAT', `0x40106132')
-define(`IDT77105_GETSTATZ', `0x40106133')
-define(`IIOCDBGVAR', `0x0000497f')
-define(`IIOCDRVCTL', `0x00004980')
-define(`IIOCGETCPS', `0x00004915')
-define(`IIOCGETDVR', `0x00004916')
-define(`IIOCGETMAP', `0x00004911')
-define(`IIOCGETPRF', `0x0000490f')
-define(`IIOCGETSET', `0x00004908')
-define(`IIOCNETAIF', `0x00004901')
-define(`IIOCNETALN', `0x00004920')
-define(`IIOCNETANM', `0x00004905')
-define(`IIOCNETASL', `0x00004913')
-define(`IIOCNETDIF', `0x00004902')
-define(`IIOCNETDIL', `0x00004914')
-define(`IIOCNETDLN', `0x00004921')
-define(`IIOCNETDNM', `0x00004906')
-define(`IIOCNETDWRSET', `0x00004918')
-define(`IIOCNETGCF', `0x00004904')
-define(`IIOCNETGNM', `0x00004907')
-define(`IIOCNETGPN', `0x00004922')
-define(`IIOCNETHUP', `0x0000490b')
-define(`IIOCNETLCR', `0x00004917')
-define(`IIOCNETSCF', `0x00004903')
-define(`IIOCSETBRJ', `0x0000490d')
-define(`IIOCSETGST', `0x0000490c')
-define(`IIOCSETMAP', `0x00004912')
-define(`IIOCSETPRF', `0x00004910')
-define(`IIOCSETSET', `0x00004909')
-define(`IIOCSETVER', `0x0000490a')
-define(`IIOCSIGPRF', `0x0000490e')
-define(`IIO_GET_EVENT_FD_IOCTL', `0x80046990')
-define(`IMADDTIMER', `0x80044940')
-define(`IMCLEAR_L2', `0x80044946')
-define(`IMCTRLREQ', `0x80044945')
-define(`IMDELTIMER', `0x80044941')
-define(`IMGETCOUNT', `0x80044943')
-define(`IMGETDEVINFO', `0x80044944')
-define(`IMGETVERSION', `0x80044942')
-define(`IMHOLD_L1', `0x80044948')
-define(`IMSETDEVNAME', `0x80184947')
-define(`INCFS_IOCTL_CREATE_FILE', `0x0000671e')
-define(`INCFS_IOCTL_READ_SIGNATURE', `0x0000671f')
-define(`INCFS_IOCTL_FILL_BLOCKS', `0x00006720')
-define(`INCFS_IOCTL_PERMIT_FILL', `0x00006721')
-define(`INCFS_IOCTL_GET_FILLED_BLOCKS', `0x00006722')
-define(`INCFS_IOCTL_CREATE_MAPPED_FILE', `0x00006723')
-define(`INCFS_IOCTL_GET_BLOCK_COUNT', `0x00006724')
-define(`INCFS_IOCTL_GET_READ_TIMEOUTS', `0x00006725')
-define(`INCFS_IOCTL_SET_READ_TIMEOUTS', `0x00006726')
-define(`INCFS_IOCTL_GET_LAST_READ_ERROR', `0x00006727')
-define(`IOCTL_EVTCHN_BIND_INTERDOMAIN', `0x00084501')
-define(`IOCTL_EVTCHN_BIND_UNBOUND_PORT', `0x00044502')
-define(`IOCTL_EVTCHN_BIND_VIRQ', `0x00044500')
-define(`IOCTL_EVTCHN_NOTIFY', `0x00044504')
-define(`IOCTL_EVTCHN_RESET', `0x00004505')
-define(`IOCTL_EVTCHN_UNBIND', `0x00044503')
-define(`IOCTL_MEI_CONNECT_CLIENT', `0xc0104801')
-define(`IOCTL_VMCI_CTX_ADD_NOTIFICATION', `0x000007af')
-define(`IOCTL_VMCI_CTX_GET_CPT_STATE', `0x000007b1')
-define(`IOCTL_VMCI_CTX_REMOVE_NOTIFICATION', `0x000007b0')
-define(`IOCTL_VMCI_CTX_SET_CPT_STATE', `0x000007b2')
-define(`IOCTL_VMCI_DATAGRAM_RECEIVE', `0x000007ac')
-define(`IOCTL_VMCI_DATAGRAM_SEND', `0x000007ab')
-define(`IOCTL_VMCI_GET_CONTEXT_ID', `0x000007b3')
-define(`IOCTL_VMCI_INIT_CONTEXT', `0x000007a0')
-define(`IOCTL_VMCI_NOTIFICATIONS_RECEIVE', `0x000007a6')
-define(`IOCTL_VMCI_NOTIFY_RESOURCE', `0x000007a5')
-define(`IOCTL_VMCI_QUEUEPAIR_ALLOC', `0x000007a8')
-define(`IOCTL_VMCI_QUEUEPAIR_DETACH', `0x000007aa')
-define(`IOCTL_VMCI_QUEUEPAIR_SETPAGEFILE', `0x000007a9')
-define(`IOCTL_VMCI_QUEUEPAIR_SETVA', `0x000007a4')
-define(`IOCTL_VMCI_SET_NOTIFY', `0x000007cb')
-define(`IOCTL_VMCI_SOCKETS_GET_AF_VALUE', `0x000007b8')
-define(`IOCTL_VMCI_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_VMCI_SOCKETS_VERSION', `0x000007b4')
-define(`IOCTL_VMCI_VERSION', `0x0000079f')
-define(`IOCTL_VMCI_VERSION2', `0x000007a7')
-define(`IOCTL_VM_SOCKETS_GET_LOCAL_CID', `0x000007b9')
-define(`IOCTL_WDM_MAX_COMMAND', `0x800248a0')
-define(`IOCTL_XENBUS_BACKEND_EVTCHN', `0x00004200')
-define(`IOCTL_XENBUS_BACKEND_SETUP', `0x00004201')
-define(`ION_IOC_ALLOC', `0xc0204900')
-define(`ION_IOC_CUSTOM', `0xc0104906')
-define(`ION_IOC_FREE', `0xc0044901')
-define(`ION_IOC_IMPORT', `0xc0084905')
-define(`ION_IOC_MAP', `0xc0084902')
-define(`ION_IOC_SHARE', `0xc0084904')
-define(`ION_IOC_SYNC', `0xc0084907')
-define(`ION_IOC_TEST_DMA_MAPPING', `0x402049f1')
-define(`ION_IOC_TEST_KERNEL_MAPPING', `0x402049f2')
-define(`ION_IOC_TEST_SET_FD', `0x000049f0')
-define(`IOW_GETINFO', `0x8028c003')
-define(`IOW_READ', `0x4008c002')
-define(`IOW_WRITE', `0x4008c001')
-define(`IPMICTL_GET_MAINTENANCE_MODE_CMD', `0x8004691e')
-define(`IPMICTL_GET_MY_ADDRESS_CMD', `0x80046912')
-define(`IPMICTL_GET_MY_CHANNEL_ADDRESS_CMD', `0x80046919')
-define(`IPMICTL_GET_MY_CHANNEL_LUN_CMD', `0x8004691b')
-define(`IPMICTL_GET_MY_LUN_CMD', `0x80046914')
-define(`IPMICTL_GET_TIMING_PARMS_CMD', `0x80086917')
-define(`IPMICTL_RECEIVE_MSG', `0xc030690c')
-define(`IPMICTL_RECEIVE_MSG_TRUNC', `0xc030690b')
-define(`IPMICTL_REGISTER_FOR_CMD', `0x8002690e')
-define(`IPMICTL_REGISTER_FOR_CMD_CHANS', `0x800c691c')
-define(`IPMICTL_SEND_COMMAND', `0x8028690d')
-define(`IPMICTL_SEND_COMMAND_SETTIME', `0x80306915')
-define(`IPMICTL_SET_GETS_EVENTS_CMD', `0x80046910')
-define(`IPMICTL_SET_MAINTENANCE_MODE_CMD', `0x4004691f')
-define(`IPMICTL_SET_MY_ADDRESS_CMD', `0x80046911')
-define(`IPMICTL_SET_MY_CHANNEL_ADDRESS_CMD', `0x80046918')
-define(`IPMICTL_SET_MY_CHANNEL_LUN_CMD', `0x8004691a')
-define(`IPMICTL_SET_MY_LUN_CMD', `0x80046913')
-define(`IPMICTL_SET_TIMING_PARMS_CMD', `0x80086916')
-define(`IPMICTL_UNREGISTER_FOR_CMD', `0x8002690f')
-define(`IPMICTL_UNREGISTER_FOR_CMD_CHANS', `0x800c691d')
-define(`IVTVFB_IOC_DMA_FRAME', `0x401856c0')
-define(`IVTV_IOC_DMA_FRAME', `0x404056c0')
-define(`IVTV_IOC_PASSTHROUGH_MODE', `0x400456c1')
-define(`IXJCTL_AEC_GET_LEVEL', `0x000071cd')
-define(`IXJCTL_AEC_START', `0x400471cb')
-define(`IXJCTL_AEC_STOP', `0x000071cc')
-define(`IXJCTL_CARDTYPE', `0x800471c1')
-define(`IXJCTL_CID', `0x800871d4')
-define(`IXJCTL_CIDCW', `0x400871d9')
-define(`IXJCTL_DAA_AGAIN', `0x400471d2')
-define(`IXJCTL_DAA_COEFF_SET', `0x400471d0')
-define(`IXJCTL_DRYBUFFER_CLEAR', `0x000071e7')
-define(`IXJCTL_DRYBUFFER_READ', `0x800871e6')
-define(`IXJCTL_DSP_IDLE', `0x000071c5')
-define(`IXJCTL_DSP_RESET', `0x000071c0')
-define(`IXJCTL_DSP_TYPE', `0x800471c3')
-define(`IXJCTL_DSP_VERSION', `0x800471c4')
-define(`IXJCTL_DTMF_PRESCALE', `0x400471e8')
-define(`IXJCTL_FILTER_CADENCE', `0x400871d6')
-define(`IXJCTL_FRAMES_READ', `0x800871e2')
-define(`IXJCTL_FRAMES_WRITTEN', `0x800871e3')
-define(`IXJCTL_GET_FILTER_HIST', `0x400471c8')
-define(`IXJCTL_HZ', `0x400471e0')
-define(`IXJCTL_INIT_TONE', `0x400871c9')
-define(`IXJCTL_INTERCOM_START', `0x400471fd')
-define(`IXJCTL_INTERCOM_STOP', `0x400471fe')
-define(`IXJCTL_MIXER', `0x400471cf')
-define(`IXJCTL_PLAY_CID', `0x000071d7')
-define(`IXJCTL_PORT', `0x400471d1')
-define(`IXJCTL_POTS_PSTN', `0x400471d5')
-define(`IXJCTL_PSTN_LINETEST', `0x000071d3')
-define(`IXJCTL_RATE', `0x400471e1')
-define(`IXJCTL_READ_WAIT', `0x800871e4')
-define(`IXJCTL_SC_RXG', `0x400471ea')
-define(`IXJCTL_SC_TXG', `0x400471eb')
-define(`IXJCTL_SERIAL', `0x800471c2')
-define(`IXJCTL_SET_FILTER', `0x400871c7')
-define(`IXJCTL_SET_FILTER_RAW', `0x400871dd')
-define(`IXJCTL_SET_LED', `0x400471ce')
-define(`IXJCTL_SIGCTL', `0x400871e9')
-define(`IXJCTL_TESTRAM', `0x000071c6')
-define(`IXJCTL_TONE_CADENCE', `0x400871ca')
-define(`IXJCTL_VERSION', `0x800871da')
-define(`IXJCTL_VMWI', `0x800471d8')
-define(`IXJCTL_WRITE_WAIT', `0x800871e5')
-define(`JSIOCGAXES', `0x80016a11')
-define(`JSIOCGAXMAP', `0x80406a32')
-define(`JSIOCGBTNMAP', `0x84006a34')
-define(`JSIOCGBUTTONS', `0x80016a12')
-define(`JSIOCGCORR', `0x80246a22')
-define(`JSIOCGVERSION', `0x80046a01')
-define(`JSIOCSAXMAP', `0x40406a31')
-define(`JSIOCSBTNMAP', `0x44006a33')
-define(`JSIOCSCORR', `0x40246a21')
-define(`KCOV_DISABLE', `0x00006365')
-define(`KCOV_ENABLE', `0x00006364')
-define(`KCOV_INIT_TRACE', `0x80086301')
-define(`KDADDIO', `0x00004b34')
-define(`KDDELIO', `0x00004b35')
-define(`KDDISABIO', `0x00004b37')
-define(`KDENABIO', `0x00004b36')
-define(`KDFONTOP', `0x00004b72')
-define(`KDGETKEYCODE', `0x00004b4c')
-define(`KDGETLED', `0x00004b31')
-define(`KDGETMODE', `0x00004b3b')
-define(`KDGKBDIACR', `0x00004b4a')
-define(`KDGKBDIACRUC', `0x00004bfa')
-define(`KDGKBENT', `0x00004b46')
-define(`KDGKBLED', `0x00004b64')
-define(`KDGKBMETA', `0x00004b62')
-define(`KDGKBMODE', `0x00004b44')
-define(`KDGKBSENT', `0x00004b48')
-define(`KDGKBTYPE', `0x00004b33')
-define(`KDKBDREP', `0x00004b52')
-define(`KDMAPDISP', `0x00004b3c')
-define(`KDMKTONE', `0x00004b30')
-define(`KDSETKEYCODE', `0x00004b4d')
-define(`KDSETLED', `0x00004b32')
-define(`KDSETMODE', `0x00004b3a')
-define(`KDSIGACCEPT', `0x00004b4e')
-define(`KDSKBDIACR', `0x00004b4b')
-define(`KDSKBDIACRUC', `0x00004bfb')
-define(`KDSKBENT', `0x00004b47')
-define(`KDSKBLED', `0x00004b65')
-define(`KDSKBMETA', `0x00004b63')
-define(`KDSKBMODE', `0x00004b45')
-define(`KDSKBSENT', `0x00004b49')
-define(`KDUNMAPDISP', `0x00004b3d')
-define(`KIOCSOUND', `0x00004b2f')
-define(`KVM_ALLOCATE_RMA', `0x8008aea9')
-define(`KVM_ARM_PREFERRED_TARGET', `0x8020aeaf')
-define(`KVM_ARM_SET_DEVICE_ADDR', `0x4010aeab')
-define(`KVM_ARM_VCPU_INIT', `0x4020aeae')
-define(`KVM_ASSIGN_DEV_IRQ', `0x4040ae70')
-define(`KVM_ASSIGN_PCI_DEVICE', `0x8040ae69')
-define(`KVM_ASSIGN_SET_INTX_MASK', `0x4040aea4')
-define(`KVM_ASSIGN_SET_MSIX_ENTRY', `0x4010ae74')
-define(`KVM_ASSIGN_SET_MSIX_NR', `0x4008ae73')
-define(`KVM_CHECK_EXTENSION', `0x0000ae03')
-define(`KVM_CREATE_DEVICE', `0xc00caee0')
-define(`KVM_CREATE_IRQCHIP', `0x0000ae60')
-define(`KVM_CREATE_PIT', `0x0000ae64')
-define(`KVM_CREATE_PIT2', `0x4040ae77')
-define(`KVM_CREATE_SPAPR_TCE', `0x400caea8')
-define(`KVM_CREATE_VCPU', `0x0000ae41')
-define(`KVM_CREATE_VM', `0x0000ae01')
-define(`KVM_DEASSIGN_DEV_IRQ', `0x4040ae75')
-define(`KVM_DEASSIGN_PCI_DEVICE', `0x4040ae72')
-define(`KVM_DIRTY_TLB', `0x4010aeaa')
-define(`KVM_ENABLE_CAP', `0x4068aea3')
-define(`KVM_GET_API_VERSION', `0x0000ae00')
-define(`KVM_GET_CLOCK', `0x8030ae7c')
-define(`KVM_GET_CPUID2', `0xc008ae91')
-define(`KVM_GET_DEBUGREGS', `0x8080aea1')
-define(`KVM_GET_DEVICE_ATTR', `0x4018aee2')
-define(`KVM_GET_DIRTY_LOG', `0x4010ae42')
-define(`KVM_GET_EMULATED_CPUID', `0xc008ae09')
-define(`KVM_GET_FPU', `0x81a0ae8c')
-define(`KVM_GET_IRQCHIP', `0xc208ae62')
-define(`KVM_GET_LAPIC', `0x8400ae8e')
-define(`KVM_GET_MP_STATE', `0x8004ae98')
-define(`KVM_GET_MSR_INDEX_LIST', `0xc004ae02')
-define(`KVM_GET_MSRS', `0xc008ae88')
-define(`KVM_GET_NR_MMU_PAGES', `0x0000ae45')
-define(`KVM_GET_ONE_REG', `0x4010aeab')
-define(`KVM_GET_PIT', `0xc048ae65')
-define(`KVM_GET_PIT2', `0x8070ae9f')
-define(`KVM_GET_REG_LIST', `0xc008aeb0')
-define(`KVM_GET_REGS', `0x8090ae81')
-define(`KVM_GET_SREGS', `0x8138ae83')
-define(`KVM_GET_SUPPORTED_CPUID', `0xc008ae05')
-define(`KVM_GET_TSC_KHZ', `0x0000aea3')
-define(`KVM_GET_VCPU_EVENTS', `0x8040ae9f')
-define(`KVM_GET_VCPU_MMAP_SIZE', `0x0000ae04')
-define(`KVM_GET_XCRS', `0x8188aea6')
-define(`KVM_GET_XSAVE', `0x9000aea4')
-define(`KVM_HAS_DEVICE_ATTR', `0x4018aee3')
-define(`KVM_INTERRUPT', `0x4004ae86')
-define(`KVM_IOEVENTFD', `0x4040ae79')
-define(`KVM_IRQFD', `0x4020ae76')
-define(`KVM_IRQ_LINE', `0x4008ae61')
-define(`KVM_IRQ_LINE_STATUS', `0xc008ae67')
-define(`KVM_KVMCLOCK_CTRL', `0x0000aead')
-define(`KVM_NMI', `0x0000ae9a')
-define(`KVM_PPC_ALLOCATE_HTAB', `0xc004aea7')
-define(`KVM_PPC_GET_HTAB_FD', `0x4020aeaa')
-define(`KVM_PPC_GET_PVINFO', `0x4080aea1')
-define(`KVM_PPC_GET_SMMU_INFO', `0x8250aea6')
-define(`KVM_PPC_RTAS_DEFINE_TOKEN', `0x4080aeac')
-define(`KVM_REGISTER_COALESCED_MMIO', `0x4010ae67')
-define(`KVM_REINJECT_CONTROL', `0x0000ae71')
-define(`KVM_RUN', `0x0000ae80')
-define(`KVM_S390_ENABLE_SIE', `0x0000ae06')
-define(`KVM_S390_INITIAL_RESET', `0x0000ae97')
-define(`KVM_S390_INTERRUPT', `0x4010ae94')
-define(`KVM_S390_SET_INITIAL_PSW', `0x4010ae96')
-define(`KVM_S390_STORE_STATUS', `0x4008ae95')
-define(`KVM_S390_UCAS_MAP', `0x4018ae50')
-define(`KVM_S390_UCAS_UNMAP', `0x4018ae51')
-define(`KVM_S390_VCPU_FAULT', `0x4008ae52')
-define(`KVM_SET_BOOT_CPU_ID', `0x0000ae78')
-define(`KVM_SET_CLOCK', `0x4030ae7b')
-define(`KVM_SET_CPUID', `0x4008ae8a')
-define(`KVM_SET_CPUID2', `0x4008ae90')
-define(`KVM_SET_DEBUGREGS', `0x4080aea2')
-define(`KVM_SET_DEVICE_ATTR', `0x4018aee1')
-define(`KVM_SET_FPU', `0x41a0ae8d')
-define(`KVM_SET_GSI_ROUTING', `0x4008ae6a')
-define(`KVM_SET_GUEST_DEBUG', `0x4048ae9b')
-define(`KVM_SET_IDENTITY_MAP_ADDR', `0x4008ae48')
-define(`KVM_SET_IRQCHIP', `0x8208ae63')
-define(`KVM_SET_LAPIC', `0x4400ae8f')
-define(`KVM_SET_MEMORY_ALIAS', `0x4020ae43')
-define(`KVM_SET_MEMORY_REGION', `0x4018ae40')
-define(`KVM_SET_MP_STATE', `0x4004ae99')
-define(`KVM_SET_MSRS', `0x4008ae89')
-define(`KVM_SET_NR_MMU_PAGES', `0x0000ae44')
-define(`KVM_SET_ONE_REG', `0x4010aeac')
-define(`KVM_SET_PIT', `0x8048ae66')
-define(`KVM_SET_PIT2', `0x4070aea0')
-define(`KVM_SET_REGS', `0x4090ae82')
-define(`KVM_SET_SIGNAL_MASK', `0x4004ae8b')
-define(`KVM_SET_SREGS', `0x4138ae84')
-define(`KVM_SET_TSC_KHZ', `0x0000aea2')
-define(`KVM_SET_TSS_ADDR', `0x0000ae47')
-define(`KVM_SET_USER_MEMORY_REGION', `0x4020ae46')
-define(`KVM_SET_VAPIC_ADDR', `0x4008ae93')
-define(`KVM_SET_VCPU_EVENTS', `0x4040aea0')
-define(`KVM_SET_XCRS', `0x4188aea7')
-define(`KVM_SET_XSAVE', `0x5000aea5')
-define(`KVM_SIGNAL_MSI', `0x4020aea5')
-define(`KVM_TPR_ACCESS_REPORTING', `0xc028ae92')
-define(`KVM_TRANSLATE', `0xc018ae85')
-define(`KVM_UNREGISTER_COALESCED_MMIO', `0x4010ae68')
-define(`KVM_X86_GET_MCE_CAP_SUPPORTED', `0x8008ae9d')
-define(`KVM_X86_SET_MCE', `0x4040ae9e')
-define(`KVM_X86_SETUP_MCE', `0x4008ae9c')
-define(`KVM_XEN_HVM_CONFIG', `0x4038ae7a')
-define(`KYRO_IOCTL_OVERLAY_CREATE', `0x00006b00')
-define(`KYRO_IOCTL_OVERLAY_OFFSET', `0x00006b04')
-define(`KYRO_IOCTL_OVERLAY_VIEWPORT_SET', `0x00006b01')
-define(`KYRO_IOCTL_SET_VIDEO_MODE', `0x00006b02')
-define(`KYRO_IOCTL_STRIDE', `0x00006b05')
-define(`KYRO_IOCTL_UVSTRIDE', `0x00006b03')
-define(`LIRC_GET_FEATURES', `0x80046900')
-define(`LIRC_GET_LENGTH', `0x8004690f')
-define(`LIRC_GET_MAX_FILTER_PULSE', `0x8004690b')
-define(`LIRC_GET_MAX_FILTER_SPACE', `0x8004690d')
-define(`LIRC_GET_MAX_TIMEOUT', `0x80046909')
-define(`LIRC_GET_MIN_FILTER_PULSE', `0x8004690a')
-define(`LIRC_GET_MIN_FILTER_SPACE', `0x8004690c')
-define(`LIRC_GET_MIN_TIMEOUT', `0x80046908')
-define(`LIRC_GET_REC_CARRIER', `0x80046904')
-define(`LIRC_GET_REC_DUTY_CYCLE', `0x80046906')
-define(`LIRC_GET_REC_MODE', `0x80046902')
-define(`LIRC_GET_REC_RESOLUTION', `0x80046907')
-define(`LIRC_GET_SEND_CARRIER', `0x80046903')
-define(`LIRC_GET_SEND_DUTY_CYCLE', `0x80046905')
-define(`LIRC_GET_SEND_MODE', `0x80046901')
-define(`LIRC_NOTIFY_DECODE', `0x00006920')
-define(`LIRC_SET_MEASURE_CARRIER_MODE', `0x4004691d')
-define(`LIRC_SET_REC_CARRIER', `0x40046914')
-define(`LIRC_SET_REC_CARRIER_RANGE', `0x4004691f')
-define(`LIRC_SET_REC_DUTY_CYCLE', `0x40046916')
-define(`LIRC_SET_REC_DUTY_CYCLE_RANGE', `0x4004691e')
-define(`LIRC_SET_REC_FILTER', `0x4004691c')
-define(`LIRC_SET_REC_FILTER_PULSE', `0x4004691a')
-define(`LIRC_SET_REC_FILTER_SPACE', `0x4004691b')
-define(`LIRC_SET_REC_MODE', `0x40046912')
-define(`LIRC_SET_REC_TIMEOUT', `0x40046918')
-define(`LIRC_SET_REC_TIMEOUT_REPORTS', `0x40046919')
-define(`LIRC_SET_SEND_CARRIER', `0x40046913')
-define(`LIRC_SET_SEND_DUTY_CYCLE', `0x40046915')
-define(`LIRC_SET_SEND_MODE', `0x40046911')
-define(`LIRC_SET_TRANSMITTER_MASK', `0x40046917')
-define(`LIRC_SETUP_END', `0x00006922')
-define(`LIRC_SETUP_START', `0x00006921')
-define(`LIRC_SET_WIDEBAND_RECEIVER', `0x40046923')
-define(`LOGGER_FLUSH_LOG', `0x0000ae04')
-define(`LOGGER_GET_LOG_BUF_SIZE', `0x0000ae01')
-define(`LOGGER_GET_LOG_LEN', `0x0000ae02')
-define(`LOGGER_GET_NEXT_ENTRY_LEN', `0x0000ae03')
-define(`LOGGER_GET_VERSION', `0x0000ae05')
-define(`LOGGER_SET_VERSION', `0x0000ae06')
-define(`LOOP_CHANGE_FD', `0x00004c06')
-define(`LOOP_CLR_FD', `0x00004c01')
-define(`LOOP_CONFIGURE', `0x00004c0a')
-define(`LOOP_CTL_ADD', `0x00004c80')
-define(`LOOP_CTL_GET_FREE', `0x00004c82')
-define(`LOOP_CTL_REMOVE', `0x00004c81')
-define(`LOOP_GET_STATUS', `0x00004c03')
-define(`LOOP_GET_STATUS64', `0x00004c05')
-define(`LOOP_SET_BLOCK_SIZE', `0x00004c09')
-define(`LOOP_SET_CAPACITY', `0x00004c07')
-define(`LOOP_SET_DIRECT_IO', `0x00004c08')
-define(`LOOP_SET_FD', `0x00004c00')
-define(`LOOP_SET_STATUS', `0x00004c02')
-define(`LOOP_SET_STATUS64', `0x00004c04')
-define(`MATROXFB_GET_ALL_OUTPUTS', `0x80086efb')
-define(`MATROXFB_GET_AVAILABLE_OUTPUTS', `0x80086ef9')
-define(`MATROXFB_GET_OUTPUT_CONNECTION', `0x80086ef8')
-define(`MATROXFB_GET_OUTPUT_MODE', `0xc0086efa')
-define(`MATROXFB_SET_OUTPUT_CONNECTION', `0x40086ef8')
-define(`MATROXFB_SET_OUTPUT_MODE', `0x40086efa')
-define(`MBXFB_IOCG_ALPHA', `0x8018f401')
-define(`MBXFB_IOCS_ALPHA', `0x4018f402')
-define(`MBXFB_IOCS_PLANEORDER', `0x8002f403')
-define(`MBXFB_IOCS_REG', `0x400cf404')
-define(`MBXFB_IOCX_OVERLAY', `0xc030f400')
-define(`MBXFB_IOCX_REG', `0xc00cf405')
-define(`MCE_GETCLEAR_FLAGS', `0x80044d03')
-define(`MCE_GET_LOG_LEN', `0x80044d02')
-define(`MCE_GET_RECORD_LEN', `0x80044d01')
-define(`MEDIA_IOC_DEVICE_INFO', `0xc1007c00')
-define(`MEDIA_IOC_ENUM_ENTITIES', `0xc1007c01')
-define(`MEDIA_IOC_ENUM_LINKS', `0xc0287c02')
-define(`MEDIA_IOC_SETUP_LINK', `0xc0347c03')
-define(`MEMERASE', `0x40084d02')
-define(`MEMERASE64', `0x40104d14')
-define(`MEMGETBADBLOCK', `0x40084d0b')
-define(`MEMGETINFO', `0x80204d01')
-define(`MEMGETOOBSEL', `0x80c84d0a')
-define(`MEMGETREGIONCOUNT', `0x80044d07')
-define(`MEMGETREGIONINFO', `0xc0104d08')
-define(`MEMISLOCKED', `0x80084d17')
-define(`MEMLOCK', `0x40084d05')
-define(`MEMREADOOB', `0xc0104d04')
-define(`MEMREADOOB64', `0xc0184d16')
-define(`MEMSETBADBLOCK', `0x40084d0c')
-define(`MEMUNLOCK', `0x40084d06')
-define(`MEMWRITE', `0xc0304d18')
-define(`MEMWRITEOOB', `0xc0104d03')
-define(`MEMWRITEOOB64', `0xc0184d15')
-define(`MEYEIOC_G_PARAMS', `0x800676c0')
-define(`MEYEIOC_QBUF_CAPT', `0x400476c2')
-define(`MEYEIOC_S_PARAMS', `0x400676c1')
-define(`MEYEIOC_STILLCAPT', `0x000076c4')
-define(`MEYEIOC_STILLJCAPT', `0x800476c5')
-define(`MEYEIOC_SYNC', `0xc00476c3')
-define(`MFB_GET_ALPHA', `0x80014d00')
-define(`MFB_GET_AOID', `0x80084d04')
-define(`MFB_GET_GAMMA', `0x80014d01')
-define(`MFB_GET_PIXFMT', `0x80044d08')
-define(`MFB_SET_ALPHA', `0x40014d00')
-define(`MFB_SET_AOID', `0x40084d04')
-define(`MFB_SET_BRIGHTNESS', `0x40014d03')
-define(`MFB_SET_CHROMA_KEY', `0x400c4d01')
-define(`MFB_SET_GAMMA', `0x40014d01')
-define(`MFB_SET_PIXFMT', `0x40044d08')
-define(`MGSL_IOCCLRMODCOUNT', `0x00006d0f')
-define(`MGSL_IOCGGPIO', `0x80106d11')
-define(`MGSL_IOCGIF', `0x00006d0b')
-define(`MGSL_IOCGPARAMS', `0x80306d01')
-define(`MGSL_IOCGSTATS', `0x00006d07')
-define(`MGSL_IOCGTXIDLE', `0x00006d03')
-define(`MGSL_IOCGXCTRL', `0x00006d16')
-define(`MGSL_IOCGXSYNC', `0x00006d14')
-define(`MGSL_IOCLOOPTXDONE', `0x00006d09')
-define(`MGSL_IOCRXENABLE', `0x00006d05')
-define(`MGSL_IOCSGPIO', `0x40106d10')
-define(`MGSL_IOCSIF', `0x00006d0a')
-define(`MGSL_IOCSPARAMS', `0x40306d00')
-define(`MGSL_IOCSTXIDLE', `0x00006d02')
-define(`MGSL_IOCSXCTRL', `0x00006d15')
-define(`MGSL_IOCSXSYNC', `0x00006d13')
-define(`MGSL_IOCTXABORT', `0x00006d06')
-define(`MGSL_IOCTXENABLE', `0x00006d04')
-define(`MGSL_IOCWAITEVENT', `0xc0046d08')
-define(`MGSL_IOCWAITGPIO', `0xc0106d12')
-define(`MIC_VIRTIO_ADD_DEVICE', `0xc0087301')
-define(`MIC_VIRTIO_CONFIG_CHANGE', `0xc0087305')
-define(`MIC_VIRTIO_COPY_DESC', `0xc0087302')
-define(`MMC_IOC_CMD', `0xc048b300')
-define(`MMTIMER_GETBITS', `0x00006d04')
-define(`MMTIMER_GETCOUNTER', `0x80086d09')
-define(`MMTIMER_GETFREQ', `0x80086d02')
-define(`MMTIMER_GETOFFSET', `0x00006d00')
-define(`MMTIMER_GETRES', `0x80086d01')
-define(`MMTIMER_MMAPAVAIL', `0x00006d06')
-define(`MSMFB_BLIT', `0x40046d02')
-define(`MSMFB_GRP_DISP', `0x40046d01')
-define(`MTDFILEMODE', `0x00004d13')
-define(`MTIOCGET', `0x80306d02')
-define(`MTIOCPOS', `0x80086d03')
-define(`MTIOCTOP', `0x40086d01')
-define(`MTRRIOC_ADD_ENTRY', `0x40104d00')
-define(`MTRRIOC_ADD_PAGE_ENTRY', `0x40104d05')
-define(`MTRRIOC_DEL_ENTRY', `0x40104d02')
-define(`MTRRIOC_DEL_PAGE_ENTRY', `0x40104d07')
-define(`MTRRIOC_GET_ENTRY', `0xc0184d03')
-define(`MTRRIOC_GET_PAGE_ENTRY', `0xc0184d08')
-define(`MTRRIOC_KILL_ENTRY', `0x40104d04')
-define(`MTRRIOC_KILL_PAGE_ENTRY', `0x40104d09')
-define(`MTRRIOC_SET_ENTRY', `0x40104d01')
-define(`MTRRIOC_SET_PAGE_ENTRY', `0x40104d06')
-define(`NBD_CLEAR_QUE', `0x0000ab05')
-define(`NBD_CLEAR_SOCK', `0x0000ab04')
-define(`NBD_DISCONNECT', `0x0000ab08')
-define(`NBD_DO_IT', `0x0000ab03')
-define(`NBD_PRINT_DEBUG', `0x0000ab06')
-define(`NBD_SET_BLKSIZE', `0x0000ab01')
-define(`NBD_SET_FLAGS', `0x0000ab0a')
-define(`NBD_SET_SIZE', `0x0000ab02')
-define(`NBD_SET_SIZE_BLOCKS', `0x0000ab07')
-define(`NBD_SET_SOCK', `0x0000ab00')
-define(`NBD_SET_TIMEOUT', `0x0000ab09')
-define(`NCP_IOC_CONN_LOGGED_IN', `0x00006e03')
-define(`NCP_IOC_GETCHARSETS', `0xc02a6e0b')
-define(`NCP_IOC_GETDENTRYTTL', `0x40046e0c')
-define(`NCP_IOC_GET_FS_INFO', `0xc0286e04')
-define(`NCP_IOC_GET_FS_INFO_V2', `0xc0306e04')
-define(`NCP_IOC_GETMOUNTUID', `0x40026e02')
-define(`NCP_IOC_GETMOUNTUID2', `0x40086e02')
-define(`NCP_IOC_GETOBJECTNAME', `0xc0186e09')
-define(`NCP_IOC_GETPRIVATEDATA', `0xc0106e0a')
-define(`NCP_IOC_GETROOT', `0x400c6e08')
-define(`NCP_IOC_LOCKUNLOCK', `0x80146e07')
-define(`NCP_IOC_NCPREQUEST', `0x80106e01')
-define(`NCP_IOC_SETCHARSETS', `0x802a6e0b')
-define(`NCP_IOC_SETDENTRYTTL', `0x80046e0c')
-define(`NCP_IOC_SETOBJECTNAME', `0x80186e09')
-define(`NCP_IOC_SETPRIVATEDATA', `0x80106e0a')
-define(`NCP_IOC_SETROOT', `0x800c6e08')
-define(`NCP_IOC_SET_SIGN_WANTED', `0x40046e06')
-define(`NCP_IOC_SIGN_INIT', `0x80186e05')
-define(`NCP_IOC_SIGN_WANTED', `0x80046e06')
-define(`NET_ADD_IF', `0xc0066f34')
-define(`NET_GET_IF', `0xc0066f36')
-define(`NET_REMOVE_IF', `0x00006f35')
-define(`NILFS_IOCTL_CHANGE_CPMODE', `0x40106e80')
-define(`NILFS_IOCTL_CLEAN_SEGMENTS', `0x40786e88')
-define(`NILFS_IOCTL_DELETE_CHECKPOINT', `0x40086e81')
-define(`NILFS_IOCTL_GET_BDESCS', `0xc0186e87')
-define(`NILFS_IOCTL_GET_CPINFO', `0x80186e82')
-define(`NILFS_IOCTL_GET_CPSTAT', `0x80186e83')
-define(`NILFS_IOCTL_GET_SUINFO', `0x80186e84')
-define(`NILFS_IOCTL_GET_SUSTAT', `0x80306e85')
-define(`NILFS_IOCTL_GET_VINFO', `0xc0186e86')
-define(`NILFS_IOCTL_RESIZE', `0x40086e8b')
-define(`NILFS_IOCTL_SET_ALLOC_RANGE', `0x40106e8c')
-define(`NILFS_IOCTL_SET_SUINFO', `0x40186e8d')
-define(`NILFS_IOCTL_SYNC', `0x80086e8a')
-define(`NS_ADJBUFLEV', `0x00006163')
-define(`NS_GETPSTAT', `0xc0106161')
-define(`NS_SETBUFLEV', `0x40106162')
-define(`NVME_IOCTL_ADMIN_CMD', `0xc0484e41')
-define(`NVME_IOCTL_ID', `0x00004e40')
-define(`NVME_IOCTL_IO_CMD', `0xc0484e43')
-define(`NVME_IOCTL_SUBMIT_IO', `0x40304e42')
-define(`NVRAM_INIT', `0x00007040')
-define(`NVRAM_SETCKS', `0x00007041')
-define(`OLD_PHONE_RING_START', `0x00007187')
-define(`OMAPFB_CTRL_TEST', `0x40044f2e')
-define(`OMAPFB_GET_CAPS', `0x800c4f2a')
-define(`OMAPFB_GET_COLOR_KEY', `0x40104f33')
-define(`OMAPFB_GET_DISPLAY_INFO', `0x80204f3f')
-define(`OMAPFB_GET_OVERLAY_COLORMODE', `0x803c4f3b')
-define(`OMAPFB_GET_UPDATE_MODE', `0x40044f2b')
-define(`OMAPFB_GET_VRAM_INFO', `0x80204f3d')
-define(`OMAPFB_LCD_TEST', `0x40044f2d')
-define(`OMAPFB_MEMORY_READ', `0x80184f3a')
-define(`OMAPFB_MIRROR', `0x40044f1f')
-define(`OMAPFB_QUERY_MEM', `0x40084f38')
-define(`OMAPFB_QUERY_PLANE', `0x40444f35')
-define(`OMAPFB_SET_COLOR_KEY', `0x40104f32')
-define(`OMAPFB_SET_TEARSYNC', `0x40084f3e')
-define(`OMAPFB_SET_UPDATE_MODE', `0x40044f28')
-define(`OMAPFB_SETUP_MEM', `0x40084f37')
-define(`OMAPFB_SETUP_PLANE', `0x40444f34')
-define(`OMAPFB_SYNC_GFX', `0x00004f25')
-define(`OMAPFB_UPDATE_WINDOW', `0x40444f36')
-define(`OMAPFB_UPDATE_WINDOW_OLD', `0x40144f2f')
-define(`OMAPFB_VSYNC', `0x00004f26')
-define(`OMAPFB_WAITFORGO', `0x00004f3c')
-define(`OMAPFB_WAITFORVSYNC', `0x00004f39')
-define(`OSD_GET_CAPABILITY', `0x80106fa1')
-define(`OSD_SEND_CMD', `0x40206fa0')
-define(`OSIOCGNETADDR', `0x800489e1')
-define(`OSIOCSNETADDR', `0x400489e0')
-define(`OSS_GETVERSION', `0x80044d76')
-define(`OTPGETREGIONCOUNT', `0x40044d0e')
-define(`OTPGETREGIONINFO', `0x400c4d0f')
-define(`OTPLOCK', `0x800c4d10')
-define(`OTPSELECT', `0x80044d0d')
-define(`PACKET_CTRL_CMD', `0xc0185801')
-define(`PERF_EVENT_IOC_DISABLE', `0x00002401')
-define(`PERF_EVENT_IOC_ENABLE', `0x00002400')
-define(`PERF_EVENT_IOC_ID', `0x80082407')
-define(`PERF_EVENT_IOC_PERIOD', `0x40082404')
-define(`PERF_EVENT_IOC_REFRESH', `0x00002402')
-define(`PERF_EVENT_IOC_RESET', `0x00002403')
-define(`PERF_EVENT_IOC_SET_FILTER', `0x40082406')
-define(`PERF_EVENT_IOC_SET_OUTPUT', `0x00002405')
-define(`PHN_GET_REG', `0xc0087000')
-define(`PHN_GETREG', `0xc0087005')
-define(`PHN_GET_REGS', `0xc0087002')
-define(`PHN_GETREGS', `0xc0287007')
-define(`PHN_NOT_OH', `0x00007004')
-define(`PHN_SET_REG', `0x40087001')
-define(`PHN_SETREG', `0x40087006')
-define(`PHN_SET_REGS', `0x40087003')
-define(`PHN_SETREGS', `0x40287008')
-define(`PHONE_BUSY', `0x000071a1')
-define(`PHONE_CAPABILITIES', `0x00007180')
-define(`PHONE_CAPABILITIES_CHECK', `0x40087182')
-define(`PHONE_CAPABILITIES_LIST', `0x80087181')
-define(`PHONE_CPT_STOP', `0x000071a4')
-define(`PHONE_DIALTONE', `0x000071a3')
-define(`PHONE_DTMF_OOB', `0x40047199')
-define(`PHONE_DTMF_READY', `0x80047196')
-define(`PHONE_EXCEPTION', `0x8004719a')
-define(`PHONE_FRAME', `0x4004718d')
-define(`PHONE_GET_DTMF', `0x80047197')
-define(`PHONE_GET_DTMF_ASCII', `0x80047198')
-define(`PHONE_GET_TONE_OFF_TIME', `0x0000719f')
-define(`PHONE_GET_TONE_ON_TIME', `0x0000719e')
-define(`PHONE_GET_TONE_STATE', `0x000071a0')
-define(`PHONE_HOOKSTATE', `0x00007184')
-define(`PHONE_MAXRINGS', `0x40017185')
-define(`PHONE_PLAY_CODEC', `0x40047190')
-define(`PHONE_PLAY_DEPTH', `0x40047193')
-define(`PHONE_PLAY_LEVEL', `0x00007195')
-define(`PHONE_PLAY_START', `0x00007191')
-define(`PHONE_PLAY_STOP', `0x00007192')
-define(`PHONE_PLAY_TONE', `0x4001719b')
-define(`PHONE_PLAY_VOLUME', `0x40047194')
-define(`PHONE_PLAY_VOLUME_LINEAR', `0x400471dc')
-define(`PHONE_PSTN_GET_STATE', `0x000071a5')
-define(`PHONE_PSTN_LINETEST', `0x000071a8')
-define(`PHONE_PSTN_SET_STATE', `0x400471a4')
-define(`PHONE_QUERY_CODEC', `0xc00871a7')
-define(`PHONE_REC_CODEC', `0x40047189')
-define(`PHONE_REC_DEPTH', `0x4004718c')
-define(`PHONE_REC_LEVEL', `0x0000718f')
-define(`PHONE_REC_START', `0x0000718a')
-define(`PHONE_REC_STOP', `0x0000718b')
-define(`PHONE_REC_VOLUME', `0x4004718e')
-define(`PHONE_REC_VOLUME_LINEAR', `0x400471db')
-define(`PHONE_RING', `0x00007183')
-define(`PHONE_RINGBACK', `0x000071a2')
-define(`PHONE_RING_CADENCE', `0x40027186')
-define(`PHONE_RING_START', `0x40087187')
-define(`PHONE_RING_STOP', `0x00007188')
-define(`PHONE_SET_TONE_OFF_TIME', `0x4004719d')
-define(`PHONE_SET_TONE_ON_TIME', `0x4004719c')
-define(`PHONE_VAD', `0x400471a9')
-define(`PHONE_WINK', `0x400471aa')
-define(`PHONE_WINK_DURATION', `0x400471a6')
-define(`PIO_CMAP', `0x00004b71')
-define(`PIO_FONT', `0x00004b61')
-define(`PIO_FONTRESET', `0x00004b6d')
-define(`PIO_FONTX', `0x00004b6c')
-define(`PIO_SCRNMAP', `0x00004b41')
-define(`PIO_UNIMAP', `0x00004b67')
-define(`PIO_UNIMAPCLR', `0x00004b68')
-define(`PIO_UNISCRNMAP', `0x00004b6a')
-define(`PMU_IOC_CAN_SLEEP', `0x80084205')
-define(`PMU_IOC_GET_BACKLIGHT', `0x80084201')
-define(`PMU_IOC_GET_MODEL', `0x80084203')
-define(`PMU_IOC_GRAB_BACKLIGHT', `0x80084206')
-define(`PMU_IOC_HAS_ADB', `0x80084204')
-define(`PMU_IOC_SET_BACKLIGHT', `0x40084202')
-define(`PMU_IOC_SLEEP', `0x00004200')
-define(`PPCLAIM', `0x0000708b')
-define(`PPCLRIRQ', `0x80047093')
-define(`PPDATADIR', `0x40047090')
-define(`PPEXCL', `0x0000708f')
-define(`PPFCONTROL', `0x4002708e')
-define(`PPGETFLAGS', `0x8004709a')
-define(`PPGETMODE', `0x80047098')
-define(`PPGETMODES', `0x80047097')
-define(`PPGETPHASE', `0x80047099')
-define(`PPGETTIME', `0x80107095')
-define(`PPNEGOT', `0x40047091')
-define(`PPPIOCATTACH', `0x743d')
-define(`PPPIOCATTCHAN', `0x7438')
-define(`PPPIOCBUNDLE', `0x7481')
-define(`PPPIOCCONNECT', `0x743a')
-define(`PPPIOCDETACH', `0x743c')
-define(`PPPIOCDISCONN', `0x7439')
-define(`PPPIOCGASYNCMAP', `0x7458')
-define(`PPPIOCGCALLINFO', `0x7480')
-define(`PPPIOCGCHAN', `0x7437')
-define(`PPPIOCGCOMPRESSORS', `0x7486')
-define(`PPPIOCGDEBUG', `0x7441')
-define(`PPPIOCGFLAGS', `0x745a')
-define(`PPPIOCGIDLE', `0x743f')
-define(`PPPIOCGIFNAME', `0x7488')
-define(`PPPIOCGL2TPSTATS', `0x7436')
-define(`PPPIOCGMPFLAGS', `0x7482')
-define(`PPPIOCGMRU', `0x7453')
-define(`PPPIOCGNPMODE', `0x744c')
-define(`PPPIOCGRASYNCMAP', `0x7455')
-define(`PPPIOCGUNIT', `0x7456')
-define(`PPPIOCGXASYNCMAP', `0x7450')
-define(`PPPIOCNEWUNIT', `0x743e')
-define(`PPPIOCSACTIVE', `0x7446')
-define(`PPPIOCSASYNCMAP', `0x7457')
-define(`PPPIOCSCOMPRESS', `0x744d')
-define(`PPPIOCSCOMPRESSOR', `0x7487')
-define(`PPPIOCSDEBUG', `0x7440')
-define(`PPPIOCSFLAGS', `0x7459')
-define(`PPPIOCSMAXCID', `0x7451')
-define(`PPPIOCSMPFLAGS', `0x7483')
-define(`PPPIOCSMPMRU', `0x7485')
-define(`PPPIOCSMPMTU', `0x7484')
-define(`PPPIOCSMRRU', `0x743b')
-define(`PPPIOCSMRU', `0x7452')
-define(`PPPIOCSNPMODE', `0x744b')
-define(`PPPIOCSPASS', `0x7447')
-define(`PPPIOCSRASYNCMAP', `0x7454')
-define(`PPPIOCSXASYNCMAP', `0x744f')
-define(`PPPIOCXFERUNIT', `0x744e')
-define(`PPPOEIOCDFWD', `0x0000b101')
-define(`PPPOEIOCSFWD', `0x4008b100')
-define(`PPRCONTROL', `0x80017083')
-define(`PPRDATA', `0x80017085')
-define(`PPRELEASE', `0x0000708c')
-define(`PPRSTATUS', `0x80017081')
-define(`PPSETFLAGS', `0x4004709b')
-define(`PPSETMODE', `0x40047080')
-define(`PPSETPHASE', `0x40047094')
-define(`PPSETTIME', `0x40107096')
-define(`PPS_FETCH', `0xc00870a4')
-define(`PPS_GETCAP', `0x800870a3')
-define(`PPS_GETPARAMS', `0x800870a1')
-define(`PPS_KC_BIND', `0x400870a5')
-define(`PPS_SETPARAMS', `0x400870a2')
-define(`PPWCONTROL', `0x40017084')
-define(`PPWCTLONIRQ', `0x40017092')
-define(`PPWDATA', `0x40017086')
-define(`PPYIELD', `0x0000708d')
-define(`PROTECT_ARRAY', `0x00000927')
-define(`PTP_CLOCK_GETCAPS', `0x80503d01')
-define(`PTP_ENABLE_PPS', `0x40043d04')
-define(`PTP_EXTTS_REQUEST', `0x40103d02')
-define(`PTP_PEROUT_REQUEST', `0x40383d03')
-define(`PTP_PIN_GETFUNC', `0xc0603d06')
-define(`PTP_PIN_SETFUNC', `0x40603d07')
-define(`PTP_SYS_OFFSET', `0x43403d05')
-define(`RAID_AUTORUN', `0x00000914')
-define(`RAID_VERSION', `0x800c0910')
-define(`RAW_GETBIND', `0x0000ac01')
-define(`RAW_SETBIND', `0x0000ac00')
-define(`REISERFS_IOC_UNPACK', `0x4008cd01')
-define(`RESTART_ARRAY_RW', `0x00000934')
-define(`RFCOMMCREATEDEV', `0x400452c8')
-define(`RFCOMMGETDEVINFO', `0x800452d3')
-define(`RFCOMMGETDEVLIST', `0x800452d2')
-define(`RFCOMMRELEASEDEV', `0x400452c9')
-define(`RFCOMMSTEALDLC', `0x400452dc')
-define(`RFKILL_IOCTL_NOINPUT', `0x00005201')
-define(`RNDADDENTROPY', `0x40085203')
-define(`RNDADDTOENTCNT', `0x40045201')
-define(`RNDCLEARPOOL', `0x00005206')
-define(`RNDGETENTCNT', `0x80045200')
-define(`RNDGETPOOL', `0x80085202')
-define(`RNDZAPENTCNT', `0x00005204')
-define(`ROCCATIOCGREPSIZE', `0x800448f1')
-define(`RTC_AIE_OFF', `0x00007002')
-define(`RTC_AIE_ON', `0x00007001')
-define(`RTC_ALM_READ', `0x80247008')
-define(`RTC_ALM_SET', `0x40247007')
-define(`RTC_EPOCH_READ', `0x8008700d')
-define(`RTC_EPOCH_SET', `0x4008700e')
-define(`RTC_IRQP_READ', `0x8008700b')
-define(`RTC_IRQP_SET', `0x4008700c')
-define(`RTC_PIE_OFF', `0x00007006')
-define(`RTC_PIE_ON', `0x00007005')
-define(`RTC_PLL_GET', `0x80207011')
-define(`RTC_PLL_SET', `0x40207012')
-define(`RTC_RD_TIME', `0x80247009')
-define(`RTC_SET_TIME', `0x4024700a')
-define(`RTC_UIE_OFF', `0x00007004')
-define(`RTC_UIE_ON', `0x00007003')
-define(`RTC_VL_CLR', `0x00007014')
-define(`RTC_VL_READ', `0x80047013')
-define(`RTC_WIE_OFF', `0x00007010')
-define(`RTC_WIE_ON', `0x0000700f')
-define(`RTC_WKALM_RD', `0x80287010')
-define(`RTC_WKALM_SET', `0x4028700f')
-define(`RUN_ARRAY', `0x400c0930')
-define(`S5P_FIMC_TX_END_NOTIFY', `0x00006500')
-define(`SAA6588_CMD_CLOSE', `0x40045202')
-define(`SAA6588_CMD_POLL', `0x80045204')
-define(`SAA6588_CMD_READ', `0x80045203')
-define(`SCSI_IOCTL_DOORLOCK', `0x00005380')
-define(`SCSI_IOCTL_DOORUNLOCK', `0x00005381')
-define(`SCSI_IOCTL_GET_BUS_NUMBER', `0x00005386')
-define(`SCSI_IOCTL_GET_IDLUN', `0x00005382')
-define(`SCSI_IOCTL_GET_PCI', `0x00005387')
-define(`SCSI_IOCTL_PROBE_HOST', `0x00005385')
-define(`SET_ARRAY_INFO', `0x40480923')
-define(`SET_BITMAP_FILE', `0x4004092b')
-define(`SET_DISK_FAULTY', `0x00000929')
-define(`SET_DISK_INFO', `0x00000924')
-define(`SG_EMULATED_HOST', `0x00002203')
-define(`SG_GET_ACCESS_COUNT', `0x00002289')
-define(`SG_GET_COMMAND_Q', `0x00002270')
-define(`SG_GET_KEEP_ORPHAN', `0x00002288')
-define(`SG_GET_LOW_DMA', `0x0000227a')
-define(`SG_GET_NUM_WAITING', `0x0000227d')
-define(`SG_GET_PACK_ID', `0x0000227c')
-define(`SG_GET_REQUEST_TABLE', `0x00002286')
-define(`SG_GET_RESERVED_SIZE', `0x00002272')
-define(`SG_GET_SCSI_ID', `0x00002276')
-define(`SG_GET_SG_TABLESIZE', `0x0000227f')
-define(`SG_GET_TIMEOUT', `0x00002202')
-define(`SG_GET_TRANSFORM', `0x00002205')
-define(`SG_GET_VERSION_NUM', `0x00002282')
-define(`SG_IO', `0x00002285')
-define(`SG_NEXT_CMD_LEN', `0x00002283')
-define(`SG_SCSI_RESET', `0x00002284')
-define(`SG_SET_COMMAND_Q', `0x00002271')
-define(`SG_SET_DEBUG', `0x0000227e')
-define(`SG_SET_FORCE_LOW_DMA', `0x00002279')
-define(`SG_SET_FORCE_PACK_ID', `0x0000227b')
-define(`SG_SET_KEEP_ORPHAN', `0x00002287')
-define(`SG_SET_RESERVED_SIZE', `0x00002275')
-define(`SG_SET_TIMEOUT', `0x00002201')
-define(`SG_SET_TRANSFORM', `0x00002204')
-define(`SI4713_IOC_MEASURE_RNL', `0xc01c56c0')
-define(`SIOCADDDLCI', `0x00008980')
-define(`SIOCADDMULTI', `0x00008931')
-define(`SIOCADDRT', `0x0000890b')
-define(`SIOCATMARK', `0x00008905')
-define(`SIOCBONDCHANGEACTIVE', `0x00008995')
-define(`SIOCBONDENSLAVE', `0x00008990')
-define(`SIOCBONDINFOQUERY', `0x00008994')
-define(`SIOCBONDRELEASE', `0x00008991')
-define(`SIOCBONDSETHWADDR', `0x00008992')
-define(`SIOCBONDSLAVEINFOQUERY', `0x00008993')
-define(`SIOCBRADDBR', `0x000089a0')
-define(`SIOCBRADDIF', `0x000089a2')
-define(`SIOCBRDELBR', `0x000089a1')
-define(`SIOCBRDELIF', `0x000089a3')
-define(`SIOCDARP', `0x00008953')
-define(`SIOCDELDLCI', `0x00008981')
-define(`SIOCDELMULTI', `0x00008932')
-define(`SIOCDELRT', `0x0000890c')
-define(`SIOCDEVPRIVATE', `0x000089f0')
-define(`SIOCDEVPRIVATE_1', `0x000089f1')
-define(`SIOCDEVPRIVATE_2', `0x000089f2')
-define(`SIOCDEVPRIVATE_3', `0x000089f3')
-define(`SIOCDEVPRIVATE_4', `0x000089f4')
-define(`SIOCDEVPRIVATE_5', `0x000089f5')
-define(`SIOCDEVPRIVATE_6', `0x000089f6')
-define(`SIOCDEVPRIVATE_7', `0x000089f7')
-define(`SIOCDEVPRIVATE_8', `0x000089f8')
-define(`SIOCDEVPRIVATE_9', `0x000089f9')
-define(`SIOCDEVPRIVATE_A', `0x000089fa')
-define(`SIOCDEVPRIVATE_B', `0x000089fb')
-define(`SIOCDEVPRIVATE_C', `0x000089fc')
-define(`SIOCDEVPRIVATE_D', `0x000089fd')
-define(`SIOCDEVPRIVATE_E', `0x000089fe')
-define(`SIOCDEVPRIVLAST', `0x000089ff')
-define(`SIOCDIFADDR', `0x00008936')
-define(`SIOCDRARP', `0x00008960')
-define(`SIOCETHTOOL', `0x00008946')
-define(`SIOCGARP', `0x00008954')
-define(`SIOCGHWTSTAMP', `0x000089b1')
-define(`SIOCGIFADDR', `0x00008915')
-define(`SIOCGIFBR', `0x00008940')
-define(`SIOCGIFBRDADDR', `0x00008919')
-define(`SIOCGIFCONF', `0x00008912')
-define(`SIOCGIFCOUNT', `0x00008938')
-define(`SIOCGIFDSTADDR', `0x00008917')
-define(`SIOCGIFENCAP', `0x00008925')
-define(`SIOCGIFFLAGS', `0x00008913')
-define(`SIOCGIFHWADDR', `0x00008927')
-define(`SIOCGIFINDEX', `0x00008933')
-define(`SIOCGIFMAP', `0x00008970')
-define(`SIOCGIFMEM', `0x0000891f')
-define(`SIOCGIFMETRIC', `0x0000891d')
-define(`SIOCGIFMTU', `0x00008921')
-define(`SIOCGIFNAME', `0x00008910')
-define(`SIOCGIFNETMASK', `0x0000891b')
-define(`SIOCGIFPFLAGS', `0x00008935')
-define(`SIOCGIFSLAVE', `0x00008929')
-define(`SIOCGIFTXQLEN', `0x00008942')
-define(`SIOCGIFVLAN', `0x00008982')
-define(`SIOCGIWAP', `0x00008b15')
-define(`SIOCGIWAPLIST', `0x00008b17')
-define(`SIOCGIWAUTH', `0x00008b33')
-define(`SIOCGIWENCODE', `0x00008b2b')
-define(`SIOCGIWENCODEEXT', `0x00008b35')
-define(`SIOCGIWESSID', `0x00008b1b')
-define(`SIOCGIWFRAG', `0x00008b25')
-define(`SIOCGIWFREQ', `0x00008b05')
-define(`SIOCGIWGENIE', `0x00008b31')
-define(`SIOCGIWMODE', `0x00008b07')
-define(`SIOCGIWNAME', `0x00008b01')
-define(`SIOCGIWNICKN', `0x00008b1d')
-define(`SIOCGIWNWID', `0x00008b03')
-define(`SIOCGIWPOWER', `0x00008b2d')
-define(`SIOCGIWPRIV', `0x00008b0d')
-define(`SIOCGIWRANGE', `0x00008b0b')
-define(`SIOCGIWRATE', `0x00008b21')
-define(`SIOCGIWRETRY', `0x00008b29')
-define(`SIOCGIWRTS', `0x00008b23')
-define(`SIOCGIWSCAN', `0x00008b19')
-define(`SIOCGIWSENS', `0x00008b09')
-define(`SIOCGIWSPY', `0x00008b11')
-define(`SIOCGIWSTATS', `0x00008b0f')
-define(`SIOCGIWTHRSPY', `0x00008b13')
-define(`SIOCGIWTXPOW', `0x00008b27')
-define(`SIOCGMIIPHY', `0x00008947')
-define(`SIOCGMIIREG', `0x00008948')
-define(`SIOCGNETADDR', `0x800489e1')
-define(`SIOCGPGRP', `0x00008904')
-define(`SIOCGRARP', `0x00008961')
-define(`SIOCGSTAMP', `0x00008906')
-define(`SIOCGSTAMPNS', `0x00008907')
-define(`SIOCIWFIRST', `0x00008b00')
-define(`SIOCIWFIRSTPRIV_01', `0x00008be1')
-define(`SIOCIWFIRSTPRIV_02', `0x00008be2')
-define(`SIOCIWFIRSTPRIV_03', `0x00008be3')
-define(`SIOCIWFIRSTPRIV_04', `0x00008be4')
-define(`SIOCIWFIRSTPRIV_05', `0x00008be5')
-define(`SIOCIWFIRSTPRIV_06', `0x00008be6')
-define(`SIOCIWFIRSTPRIV_07', `0x00008be7')
-define(`SIOCIWFIRSTPRIV_08', `0x00008be8')
-define(`SIOCIWFIRSTPRIV_09', `0x00008be9')
-define(`SIOCIWFIRSTPRIV_0A', `0x00008bea')
-define(`SIOCIWFIRSTPRIV_0B', `0x00008beb')
-define(`SIOCIWFIRSTPRIV_0C', `0x00008bec')
-define(`SIOCIWFIRSTPRIV_0D', `0x00008bed')
-define(`SIOCIWFIRSTPRIV_0E', `0x00008bee')
-define(`SIOCIWFIRSTPRIV_0F', `0x00008bef')
-define(`SIOCIWFIRSTPRIV', `0x00008be0')
-define(`SIOCIWFIRSTPRIV_10', `0x00008bf0')
-define(`SIOCIWFIRSTPRIV_11', `0x00008bf1')
-define(`SIOCIWFIRSTPRIV_12', `0x00008bf2')
-define(`SIOCIWFIRSTPRIV_13', `0x00008bf3')
-define(`SIOCIWFIRSTPRIV_14', `0x00008bf4')
-define(`SIOCIWFIRSTPRIV_15', `0x00008bf5')
-define(`SIOCIWFIRSTPRIV_16', `0x00008bf6')
-define(`SIOCIWFIRSTPRIV_17', `0x00008bf7')
-define(`SIOCIWFIRSTPRIV_18', `0x00008bf8')
-define(`SIOCIWFIRSTPRIV_19', `0x00008bf9')
-define(`SIOCIWFIRSTPRIV_1A', `0x00008bfa')
-define(`SIOCIWFIRSTPRIV_1B', `0x00008bfb')
-define(`SIOCIWFIRSTPRIV_1C', `0x00008bfc')
-define(`SIOCIWFIRSTPRIV_1D', `0x00008bfd')
-define(`SIOCIWFIRSTPRIV_1E', `0x00008bfe')
-define(`SIOCIWLASTPRIV', `0x00008bff')
-define(`SIOCKILLADDR', `0x00008939')
-define(`SIOCMKCLIP', `0x000061e0')
-define(`SIOCOUTQNSD', `0x0000894b')
-define(`SIOCPROTOPRIVATE', `0x000089e0')
-define(`SIOCPROTOPRIVATE_1', `0x000089e1')
-define(`SIOCPROTOPRIVATE_2', `0x000089e2')
-define(`SIOCPROTOPRIVATE_3', `0x000089e3')
-define(`SIOCPROTOPRIVATE_4', `0x000089e4')
-define(`SIOCPROTOPRIVATE_5', `0x000089e5')
-define(`SIOCPROTOPRIVATE_6', `0x000089e6')
-define(`SIOCPROTOPRIVATE_7', `0x000089e7')
-define(`SIOCPROTOPRIVATE_8', `0x000089e8')
-define(`SIOCPROTOPRIVATE_9', `0x000089e9')
-define(`SIOCPROTOPRIVATE_A', `0x000089ea')
-define(`SIOCPROTOPRIVATE_B', `0x000089eb')
-define(`SIOCPROTOPRIVATE_C', `0x000089ec')
-define(`SIOCPROTOPRIVATE_D', `0x000089ed')
-define(`SIOCPROTOPRIVATE_E', `0x000089ee')
-define(`SIOCPROTOPRIVLAST', `0x000089ef')
-define(`SIOCRTMSG', `0x0000890d')
-define(`SIOCSARP', `0x00008955')
-define(`SIOCSHWTSTAMP', `0x000089b0')
-define(`SIOCSIFADDR', `0x00008916')
-define(`SIOCSIFATMTCP', `0x00006180')
-define(`SIOCSIFBR', `0x00008941')
-define(`SIOCSIFBRDADDR', `0x0000891a')
-define(`SIOCSIFDSTADDR', `0x00008918')
-define(`SIOCSIFENCAP', `0x00008926')
-define(`SIOCSIFFLAGS', `0x00008914')
-define(`SIOCSIFHWADDR', `0x00008924')
-define(`SIOCSIFHWBROADCAST', `0x00008937')
-define(`SIOCSIFLINK', `0x00008911')
-define(`SIOCSIFMAP', `0x00008971')
-define(`SIOCSIFMEM', `0x00008920')
-define(`SIOCSIFMETRIC', `0x0000891e')
-define(`SIOCSIFMTU', `0x00008922')
-define(`SIOCSIFNAME', `0x00008923')
-define(`SIOCSIFNETMASK', `0x0000891c')
-define(`SIOCSIFPFLAGS', `0x00008934')
-define(`SIOCSIFSLAVE', `0x00008930')
-define(`SIOCSIFTXQLEN', `0x00008943')
-define(`SIOCSIFVLAN', `0x00008983')
-define(`SIOCSIWAP', `0x00008b14')
-define(`SIOCSIWAUTH', `0x00008b32')
-define(`SIOCSIWCOMMIT', `0x00008b00')
-define(`SIOCSIWENCODE', `0x00008b2a')
-define(`SIOCSIWENCODEEXT', `0x00008b34')
-define(`SIOCSIWESSID', `0x00008b1a')
-define(`SIOCSIWFRAG', `0x00008b24')
-define(`SIOCSIWFREQ', `0x00008b04')
-define(`SIOCSIWGENIE', `0x00008b30')
-define(`SIOCSIWMLME', `0x00008b16')
-define(`SIOCSIWMODE', `0x00008b06')
-define(`SIOCSIWNICKN', `0x00008b1c')
-define(`SIOCSIWNWID', `0x00008b02')
-define(`SIOCSIWPMKSA', `0x00008b36')
-define(`SIOCSIWPOWER', `0x00008b2c')
-define(`SIOCSIWPRIV', `0x00008b0c')
-define(`SIOCSIWRANGE', `0x00008b0a')
-define(`SIOCSIWRATE', `0x00008b20')
-define(`SIOCSIWRETRY', `0x00008b28')
-define(`SIOCSIWRTS', `0x00008b22')
-define(`SIOCSIWSCAN', `0x00008b18')
-define(`SIOCSIWSENS', `0x00008b08')
-define(`SIOCSIWSPY', `0x00008b10')
-define(`SIOCSIWSTATS', `0x00008b0e')
-define(`SIOCSIWTHRSPY', `0x00008b12')
-define(`SIOCSIWTXPOW', `0x00008b26')
-define(`SIOCSMIIREG', `0x00008949')
-define(`SIOCSNETADDR', `0x400489e0')
-define(`SIOCSPGRP', `0x00008902')
-define(`SIOCSRARP', `0x00008962')
-define(`SIOCWANDEV', `0x0000894a')
-define(`SISFB_COMMAND', `0xc054f305')
-define(`SISFB_GET_AUTOMAXIMIZE', `0x8004f303')
-define(`SISFB_GET_AUTOMAXIMIZE_OLD', `0x80046efa')
-define(`SISFB_GET_INFO', `0x811cf301')
-define(`SISFB_GET_INFO_OLD', `0x80046ef8')
-define(`SISFB_GET_INFO_SIZE', `0x8004f300')
-define(`SISFB_GET_TVPOSOFFSET', `0x8004f304')
-define(`SISFB_GET_VBRSTATUS', `0x8004f302')
-define(`SISFB_GET_VBRSTATUS_OLD', `0x80046ef9')
-define(`SISFB_SET_AUTOMAXIMIZE', `0x4004f303')
-define(`SISFB_SET_AUTOMAXIMIZE_OLD', `0x40046efa')
-define(`SISFB_SET_LOCK', `0x4004f306')
-define(`SISFB_SET_TVPOSOFFSET', `0x4004f304')
-define(`SNAPSHOT_ALLOC_SWAP_PAGE', `0x80083314')
-define(`SNAPSHOT_ATOMIC_RESTORE', `0x00003304')
-define(`SNAPSHOT_AVAIL_SWAP_SIZE', `0x80083313')
-define(`SNAPSHOT_CREATE_IMAGE', `0x40043311')
-define(`SNAPSHOT_FREE', `0x00003305')
-define(`SNAPSHOT_FREE_SWAP_PAGES', `0x00003309')
-define(`SNAPSHOT_FREEZE', `0x00003301')
-define(`SNAPSHOT_GET_IMAGE_SIZE', `0x8008330e')
-define(`SNAPSHOT_PLATFORM_SUPPORT', `0x0000330f')
-define(`SNAPSHOT_POWER_OFF', `0x00003310')
-define(`SNAPSHOT_PREF_IMAGE_SIZE', `0x00003312')
-define(`SNAPSHOT_S2RAM', `0x0000330b')
-define(`SNAPSHOT_SET_SWAP_AREA', `0x400c330d')
-define(`SNAPSHOT_UNFREEZE', `0x00003302')
-define(`SNDCTL_COPR_HALT', `0xc0144307')
-define(`SNDCTL_COPR_LOAD', `0xcfb04301')
-define(`SNDCTL_COPR_RCODE', `0xc0144303')
-define(`SNDCTL_COPR_RCVMSG', `0x8fa44309')
-define(`SNDCTL_COPR_RDATA', `0xc0144302')
-define(`SNDCTL_COPR_RESET', `0x00004300')
-define(`SNDCTL_COPR_RUN', `0xc0144306')
-define(`SNDCTL_COPR_SENDMSG', `0xcfa44308')
-define(`SNDCTL_COPR_WCODE', `0x40144305')
-define(`SNDCTL_COPR_WDATA', `0x40144304')
-define(`SNDCTL_DSP_BIND_CHANNEL', `0xc0045041')
-define(`SNDCTL_DSP_CHANNELS', `0xc0045006')
-define(`SNDCTL_DSP_GETBLKSIZE', `0xc0045004')
-define(`SNDCTL_DSP_GETCAPS', `0x8004500f')
-define(`SNDCTL_DSP_GETCHANNELMASK', `0xc0045040')
-define(`SNDCTL_DSP_GETFMTS', `0x8004500b')
-define(`SNDCTL_DSP_GETIPTR', `0x800c5011')
-define(`SNDCTL_DSP_GETISPACE', `0x8010500d')
-define(`SNDCTL_DSP_GETODELAY', `0x80045017')
-define(`SNDCTL_DSP_GETOPTR', `0x800c5012')
-define(`SNDCTL_DSP_GETOSPACE', `0x8010500c')
-define(`SNDCTL_DSP_GETSPDIF', `0x80045043')
-define(`SNDCTL_DSP_GETTRIGGER', `0x80045010')
-define(`SNDCTL_DSP_MAPINBUF', `0x80105013')
-define(`SNDCTL_DSP_MAPOUTBUF', `0x80105014')
-define(`SNDCTL_DSP_NONBLOCK', `0x0000500e')
-define(`SNDCTL_DSP_POST', `0x00005008')
-define(`SNDCTL_DSP_PROFILE', `0x40045017')
-define(`SNDCTL_DSP_RESET', `0x00005000')
-define(`SNDCTL_DSP_SETDUPLEX', `0x00005016')
-define(`SNDCTL_DSP_SETFMT', `0xc0045005')
-define(`SNDCTL_DSP_SETFRAGMENT', `0xc004500a')
-define(`SNDCTL_DSP_SETSPDIF', `0x40045042')
-define(`SNDCTL_DSP_SETSYNCRO', `0x00005015')
-define(`SNDCTL_DSP_SETTRIGGER', `0x40045010')
-define(`SNDCTL_DSP_SPEED', `0xc0045002')
-define(`SNDCTL_DSP_STEREO', `0xc0045003')
-define(`SNDCTL_DSP_SUBDIVIDE', `0xc0045009')
-define(`SNDCTL_DSP_SYNC', `0x00005001')
-define(`SNDCTL_FM_4OP_ENABLE', `0x4004510f')
-define(`SNDCTL_FM_LOAD_INSTR', `0x40285107')
-define(`SNDCTL_MIDI_INFO', `0xc074510c')
-define(`SNDCTL_MIDI_MPUCMD', `0xc0216d02')
-define(`SNDCTL_MIDI_MPUMODE', `0xc0046d01')
-define(`SNDCTL_MIDI_PRETIME', `0xc0046d00')
-define(`SNDCTL_SEQ_CTRLRATE', `0xc0045103')
-define(`SNDCTL_SEQ_GETINCOUNT', `0x80045105')
-define(`SNDCTL_SEQ_GETOUTCOUNT', `0x80045104')
-define(`SNDCTL_SEQ_GETTIME', `0x80045113')
-define(`SNDCTL_SEQ_NRMIDIS', `0x8004510b')
-define(`SNDCTL_SEQ_NRSYNTHS', `0x8004510a')
-define(`SNDCTL_SEQ_OUTOFBAND', `0x40085112')
-define(`SNDCTL_SEQ_PANIC', `0x00005111')
-define(`SNDCTL_SEQ_PERCMODE', `0x40045106')
-define(`SNDCTL_SEQ_RESET', `0x00005100')
-define(`SNDCTL_SEQ_RESETSAMPLES', `0x40045109')
-define(`SNDCTL_SEQ_SYNC', `0x00005101')
-define(`SNDCTL_SEQ_TESTMIDI', `0x40045108')
-define(`SNDCTL_SEQ_THRESHOLD', `0x4004510d')
-define(`SNDCTL_SYNTH_CONTROL', `0xcfa45115')
-define(`SNDCTL_SYNTH_ID', `0xc08c5114')
-define(`SNDCTL_SYNTH_INFO', `0xc08c5102')
-define(`SNDCTL_SYNTH_MEMAVL', `0xc004510e')
-define(`SNDCTL_SYNTH_REMOVESAMPLE', `0xc00c5116')
-define(`SNDCTL_TMR_CONTINUE', `0x00005404')
-define(`SNDCTL_TMR_METRONOME', `0x40045407')
-define(`SNDCTL_TMR_SELECT', `0x40045408')
-define(`SNDCTL_TMR_SOURCE', `0xc0045406')
-define(`SNDCTL_TMR_START', `0x00005402')
-define(`SNDCTL_TMR_STOP', `0x00005403')
-define(`SNDCTL_TMR_TEMPO', `0xc0045405')
-define(`SNDCTL_TMR_TIMEBASE', `0xc0045401')
-define(`SNDRV_COMPRESS_AVAIL', `0x801c4321')
-define(`SNDRV_COMPRESS_DRAIN', `0x00004334')
-define(`SNDRV_COMPRESS_GET_CAPS', `0xc0c44310')
-define(`SNDRV_COMPRESS_GET_CODEC_CAPS', `0xeb884311')
-define(`SNDRV_COMPRESS_GET_METADATA', `0xc0244315')
-define(`SNDRV_COMPRESS_GET_PARAMS', `0x80784313')
-define(`SNDRV_COMPRESS_IOCTL_VERSION', `0x80044300')
-define(`SNDRV_COMPRESS_NEXT_TRACK', `0x00004335')
-define(`SNDRV_COMPRESS_PARTIAL_DRAI